Overview
overview
10Static
static
3Engine.js
windows7-x64
3Engine.js
windows10-2004-x64
3Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10bin/UbuilderB.exe
windows7-x64
1bin/UbuilderB.exe
windows10-2004-x64
7bin/scv.jar
windows7-x64
1bin/scv.jar
windows10-2004-x64
1cutline.ppt
windows7-x64
1cutline.ppt
windows10-2004-x64
1d3dx9_43.dll
windows7-x64
1d3dx9_43.dll
windows10-2004-x64
1packages/D...1].exe
windows7-x64
1packages/D...1].exe
windows10-2004-x64
1xNet.dll
windows7-x64
1xNet.dll
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 01:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Engine.js
Resource
win7-20240220-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
Engine.js
Resource
win10v2004-20240508-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win7-20240221-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral4
Sample
Setup.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral5
Sample
bin/UbuilderB.exe
Resource
win7-20240508-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral6
Sample
bin/UbuilderB.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral7
Sample
bin/scv.jar
Resource
win7-20231129-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
bin/scv.jar
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
cutline.ppt
Resource
win7-20240508-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral10
Sample
cutline.ppt
Resource
win10v2004-20240508-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral11
Sample
d3dx9_43.dll
Resource
win7-20240508-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral12
Sample
d3dx9_43.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral13
Sample
packages/DirectoryMonitor_[1MB]_[1].exe
Resource
win7-20240508-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral14
Sample
packages/DirectoryMonitor_[1MB]_[1].exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral15
Sample
xNet.dll
Resource
win7-20240611-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral16
Sample
xNet.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
cutline.ppt
-
Size
835KB
-
MD5
5dd713fe5df9331f0641fa850abd5d61
-
SHA1
f66c08e26599d860cf645e8b8a828ef1660e3b1e
-
SHA256
dbdf13e4851001e8cde22e81bd498b97a684038ea4e67851f2888aff9ada6ced
-
SHA512
b835e99c3b4c25602af3d02796f66eb5cf8d32c165d274bfe8c667bc4113a10a8813af4f44adaa66f0ba11fb810530f978c88d8e58e4132ec7969a02c9a61064
-
SSDEEP
24576:vKf/UKv/Z+fuolHM6VHBFXFKVJfiJC8iXhlrXAE5R:v6cKX0ukhHzQVJY8rjA+R
Score
1/10
Malware Config
Signatures
-
Processes:
POWERPNT.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar POWERPNT.EXE -
Modifies registry class 64 IoCs
Processes:
POWERPNT.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print POWERPNT.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2212 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
POWERPNT.EXEpid process 2240 POWERPNT.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
POWERPNT.EXEpid process 2240 POWERPNT.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
POWERPNT.EXEwmplayer.exedescription pid process target process PID 2240 wrote to memory of 2032 2240 POWERPNT.EXE splwow64.exe PID 2240 wrote to memory of 2032 2240 POWERPNT.EXE splwow64.exe PID 2240 wrote to memory of 2032 2240 POWERPNT.EXE splwow64.exe PID 2240 wrote to memory of 2032 2240 POWERPNT.EXE splwow64.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe PID 2200 wrote to memory of 1748 2200 wmplayer.exe setup_wm.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\cutline.ppt"1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NewSend.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2240-0-0x000000002DC01000-0x000000002DC02000-memory.dmpFilesize
4KB
-
memory/2240-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2240-2-0x000000007219D000-0x00000000721A8000-memory.dmpFilesize
44KB
-
memory/2240-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2240-5-0x000000007219D000-0x00000000721A8000-memory.dmpFilesize
44KB